Invoice Fraud 101: How to Identify Fake Invoices in 9 Quick Steps

Your guide to the kinds of threats out there, what to look out for and the measures you can take to prevent invoice fraud.

Post hero image

Table of contents

Ever received an unexpected invoice?

Invoice phishing is very common, yet unfortunately, it is also quite tricky to spot.

If you mistake the legitimacy of an invoice it can mean that scammers are ready to cash in on not just your cash, but your personal information and potentially infect your computer whilst they're at it.

On average, organizations are receiving an incidence of invoice fraud every month.

And around 44.8% of all fraudulent payments are due to invoice and mandate scams

In the guide below we'll give you an idea of the kinds of threats out there, what to look out for and the measures you can take to prevent invoice fraud.

Understanding invoice fraud - how does it work?

📚 Quick definition: Invoice fraud is a type of financial scam where criminals deceive businesses into paying false invoices or diverting legitimate payments to fraudulent accounts.

Invoice scams usually come in the form of service provider impersonations.

Ever use software for work? That's a service provider.

Attackers often pretend to be service providers because a lot of people use them; the bigger the net, the more (ph)fish you're going to catch.

Fake invoices for physical products are also relatively common, but despite what is allegedly being billed for, the goals are the same: the attackers want your organization's credentials, sensitive information and money.

The malicious actor might hide their domain behind spoofing, and if everything looks as it should, typing out your Office365 credentials might not seem too harmful.

Below you can see an example of a fairly basic invoice fraud attempt. But as we'll cover later on, some attacks can be far more sophisticated and harder to spot.

Invoice fraud example
Source: University of Liverpool

Invoice phishing cannot be avoided by merely not making payments to dubious bank account numbers when told to.

Legitimate seeming messages often lead to legitimate services, such as PayPal and QuickBooks...

But the sum is not directed to whom it should be.

Here's what the process usually looks like...

Target identification

Fraudsters identify potential business targets by researching companies with frequent transactions.

They gather information about the company's vendor relationships, financial processes, and payment cycles through online sources, social media, and even direct reconnaissance.

Impersonation and infiltration

Fraudsters will impersonate legitimate vendors, suppliers, or internal employees.

They may hack into email accounts (business email compromise) or create look-alike email addresses that closely mimic the real ones.

Social engineering tactics are also used to manipulate employees into providing additional information or access.

This might involve phishing emails or phone calls designed to extract sensitive details like vendor account numbers, purchase order histories, or internal payment procedures.

Creating fake invoices

Fraudsters will generate realistic-looking invoices that appear to come from genuine suppliers.

These invoices include accurate details such as company logos, contact information, purchase order numbers, and terms of service to avoid suspicion.

Or, they might intercept legitimate invoices and alter the payment details to divert funds to their accounts.

This can be achieved through email account compromise or by using stolen credentials to gain access to internal systems.

Sending the fake invoice

Once created, the fraudulent invoice is sent to the targeted employee, often within the finance or accounts payable department.

The email may include urgent language or a plausible reason for the change in payment details, such as updating bank account information due to supposed issues with the current account.

Breakdown of a fake invoice

Now, how about dissecting a real company invoice phishing attempt? The email below impersonates an actual law firm and claims an invoice is still unpaid despite reminders.

Real invoice phishing attempt

Seems rather legitimate, doesn’t it?

If you’re reading it in a hurry, it’s hard to spot anything off about this email and this is exactly what the phishers are counting on - spare time is (usually) rare while at work, after all.

But we’re here to implement an inbox surfing best practise: let’s take a closer look.

The most obvious sign of phishing in this case is the email being a flash attack. It was sent from a domain very similar to the impersonated company’s actual domain.

To boot, the domain had even been added to Microsoft 365 and the most common email authentication standards (SPF, DKIM, and DMARC) had been configured.

This allowed the phish to pass inbox filters with flying colours.

Apart from the vagueness, the text itself doesn’t give away much.

There are no distinct spelling mistakes nor commands to act upon the email this very second.

The signature is professional — even though the job title is a bit off (“Head of Debt Recovery” is… hastily written, let’s face it) and the only link leads to the company’s real website.

Thus, the most important question to consider, “Is this a service we use?” is highlighted.

If the attackers have luck on their side or if this were a thoroughly prepared spear phish, the impersonated and the recipient’s companies may well work together.

Assuming the fabricated domain went unnoticed, we are down to just one warning sign: the invoice number.

If the number mirrors standard practises, well, the days of being unphished might be due.

Here’s another example with a smart inconspicuous domain (check out the signature).

Fake Deloitte invoice phishing email

On the contrary, the phishing attempt below has not deployed the domain technique but pretends to be a forwarded email.

The phishers have first typed up an impersonation of a real accounting firm and then pretend to be the recipient’s co-worker forwarding this inquiry to them.

Invoice fraud email with impersonation of real account.

Real-life examples of successful fake invoice scams

Toyota Boshoku Corporation (2019)

Toyota Boshoku Corporation, a subsidiary of Toyota Group fell victim to an invoice fraud attack when fraudsters impersonated a business partner and tricked the company into redirecting a large payment to a fraudulent bank account.

💰 Cost: Losses totalled approximately $37 million.

Scoular Company (2022)

Scoular Company, a leading agricultural marketing company, experienced an attack in which fraudsters used spear phishing emails to compromise an employee’s email account.

They then sent fake invoices to the accounts payable department, requesting payment to fraudulent bank accounts.

💰 Cost: The company lost approximately $17 million before the scam was detected. This incident demonstrates the necessity of multi-factor authentication and rigorous email security measures

Pathé Netherlands (2021)

Pathé Netherlands, a subsidiary of the French cinema chain, was successfully scammed by fraudsters impersonating senior executives from the parent company.

Using email spoofing, the fraudsters sent fake invoices and urgent payment requests to the finance department.

💰 Cost: The scheme resulted in a loss of €19 million (around $22 million).

Common types of invoice fraud to look out for

Business email compromise (BEC)

A BEC is a form of financially motivated phishing attack where attackers exploit existing relationships between a victim and an entity by posing as a trusted source to request unauthorized transactions. 

In order to facilitate this scam, BEC attacks can also involve attackers engaging in further fraudulent activities such as invoice manipulation. 

Email account compromises are sometimes used to execute these attacks.

Modification of real invoices

In this type of fraud, cybercriminals intercept legitimate invoices, usually via email.

They'll then modify the payment details, such as bank account numbers, before forwarding the altered invoices to the target company.

Overpayment scams

Attackers might send an invoice that appears to overcharge for goods or services.

When the target business pays the inflated invoice, the fraudster contacts the business claiming that there was a mistake and requests a refund for the overpaid amount.

The refund is then directed to a fraudulent account, while the original payment has already been processed.

Service renewal scams

These scams involve sending fake invoices for service renewals, such as subscriptions, maintenance contracts, or software licenses.

The fraudsters rely on the fact that businesses often have multiple subscriptions and might not scrutinize every renewal invoice closely.

They hope that the company will pay the invoice without verifying its authenticity.

Refund and rebate scams

Some fake invoices come with a refund or rebate offer, enticing the target to provide bank details for the supposed refund.

Once the fraudsters have the bank details, they can use them for unauthorized withdrawals or further scams.

Advanced attacks to be wary of: document sharing and service impersonation

Making use of real document sharing and e-signing services, such as Adobe or PandaDoc here, is very popular in phishing, regardless of scam type.

The email once again comes from a legitimate service and link clicking is required to see what the invoice is about.

This makes discerning its relevance more difficult and it takes the recipient further down the rabbit hole. 

Document sharing invoice phishing
Invoice phishing using document sharing (on the left) and service impersonation (on the right)

The payload of the above Standard Notes impersonation (on the right) is actually vishing — meaning, they want you to call them.

This means you'll interact with them more, which means you'll trust them more, which means you're more likely to pay up.

It includes similar signs of phishing as the Norton impersonation topped with some more detail, but also some bad English.

The scammers claim payment details were already received to give incentive to call the (very emphasized) phone number so that you, the unsuspecting person, will start the scam call yourself.

Additionally, invoice phishes frequently lead to a credential harvesting.

Making sure the site asking for login information is legitimate is essential, as is not typing credentials into opened attachments.

🚨 A few warning signs of invoice fraud

Incorrect vendor nformation

  • Discrepancies in vendor name, address, or contact details.
  • Slight variations in spelling or format.

Unfamiliar vendors

  • Invoices from unknown vendors.
  • Vendors with no record of business transactions.

Duplicate invoices

  • Multiple invoices for the same goods or services.
  • Duplicate invoice numbers, amounts, or dates.

Urgent or high-pressure language

  • Demanding immediate payment.
  • Creating a sense of urgency to bypass verification.

Unusual invoice amounts

  • Significantly higher or lower than expected amounts.
  • Deviations from previous invoices from the same vendor.

Poor quality or unprofessional appearance

  • Poor formatting and low-quality logos.
  • Inconsistent fonts and misaligned text.

Unusual billing patterns

  • Sudden increases in invoice frequency or amount.
  • Unexpected changes in billing behavior.

Lack of detailed descriptions

  • Vague or overly general item descriptions.
  • Missing clear, itemized breakdowns of goods or services.

How to identify fake invoices: 9 simple steps

1. Stop and think before taking action

Do not throw your precious pennies into a phish pond...

The first thing to do when receiving an invoice is to stop and think.

Hey, I'm a pretty smart person. Do I use this service? 

As with any email, ask yourself whether or not you actually expected the email?

As simple as it sounds, this is an important self-protection tool against cybercrime.

You'd be amazed at how many people just pay an invoice when they see it in their inbox.

2. Verify the the invoice with the vendor

So, you've deduced that you do not use a service you've received an invoice from.

It is therefore quite probable you are dealing with a phishing attempt.

Something funky is going on.

One thing you can do in this situation is let the (real, genuine) service provider's customer support team know that a scam is being sent out and they're using their name.

Never forward the actual email to them, though, as forwarding spreads both the danger and the damage even if you've successfully detected a scam.

When you send out a scammer's email to another person, regardless of intent, you're literally doing their work for them and making their job easier.

But what if you do use the service?

Well, the same rules apply...

Use contact information from your existing records to confirm the invoice details with the vendor.

Avoid using the contact information provided on the invoice, as it could be fraudulent.

3. Examine invoice formatting and quality

To give you an idea of what a phishing invoice looks like in the wild, let’s dive into a real invoice to get a better idea.

Below is one from Norton. We see variations on this particular one all the time (it's actually one of the most common ones out there).

Norton invoice fraud example

There's a reason these are so popular and have been prevalent for a good while: Norton software is widely used, making the company a convenient impersonation target.

If the scammers got lucky or did their homework right, the recipient of the above email is indeed a Norton customer.

Taking a quick glance in a hurry, the invoice seems rather real, and seeing the nearing due date, one might just go and pay in fear of overdue payments.

Looking closer though, phishing indicators can be found; one of them being the short notice as electronic invoices tend to be sent well in advance of the due dates.

Also, the recipient is addressed as “Customer”, not by their actual name, even though not having a name connected to a subscription is unlikely.

Furthermore, chances of having such a simple invoice number (here it's "1001") are low, and the product name and pricing do not quite match what can be found on the company website.

Quickbooks invoice fraud example

The “Print or save” buttons lead to a QuickBooks page, where the invoice can be paid.

The site itself is legitimate, and as the invoice was sent through their service, it also comes from their email address.

This leads to more probability of these types of emails passing through spam filters.

The landing page, however, also contains the most glaring anomaly: merchant details.

The merchant email - to whom payment will be sent - has nothing to do with Norton.

Even if Norton did use QuickBooks for billing, they would not use a completely unrelated domain (a few days old one at that) to do so.

We've doctored the above screenshot here so that we don't give the scammer any undue credit.

4. Cross-check invoice details against purchases

If you receive an invoice you think may be fake, try matching the invoice details with the corresponding purchase orders.

Each invoice should clearly reference a purchase order number, and the items listed on the invoice should match those ordered.

Check that the quantities, descriptions, and prices on the invoice are identical to those on the purchase order.

You can also confirm that the goods or services listed on the invoice have been delivered.

Compare the invoice against delivery receipts or service completion records.

Ensure that the delivery dates, quantities, and item descriptions match the records.

5. Review payment information

A common tactic in invoice fraud is changing bank account details to redirect payments to a fraudulent account.

So, always verify that the bank account details on the invoice match those previously used for the vendor.

Look for subtle differences, such as changes in account numbers or bank names.

If there are any changes in payment instructions, such as a new bank account number or payment method, confirm these changes directly with the vendor through a trusted communication channel, such as a known phone number or a verified email address.

Fraudsters often request urgent payments to new accounts to bypass standard verification processes.

Reviewing payment information thoroughly can help prevent funds from being diverted to fraudulent accounts.

Always be cautious of any changes and ensure they are legitimate before processing payments.

6. Identifying duplicates

Duplicate invoices can be a sign of fraud...

Which is why you need to implement a system to search for and identify duplicate invoices.

This can involve manually checking or using automated software to scan for duplicate invoice numbers, dates, amounts, and vendor names.

Ensure that the invoice number is unique and follows the vendor's usual numbering pattern.

Fraudsters might send duplicate or altered invoices hoping that one will slip through the cracks and get paid twice.

By keeping a record of all received invoices and payments, you can quickly spot duplicates.

7. Keep an eye out for urgent and unusual requests

Be cautious of invoices that demand immediate payment or use urgent language.

Legitimate organizations are very unlikely to send you unsolicited, urgent requests for payment.

Attackers often rely on urgency to get around standard verification processes.

If an invoice is marked as urgent, take extra steps to verify its authenticity before processing the payment.

You should also look out for requests for payment to a different account or for payment methods that your company does not typically use.

Scrutinizing urgent and unusual payment requests helps ensure that invoices are legitimate and that your company is not falling victim to fraud.

Always verify and never rush payments without proper checks.

8. Analyze billing patterns

If you're suspicious of an invoice, compare it to previous invoices from the same vendor to identify any unusual patterns, such as a sudden increase in invoice frequency or amount.

Reviewing historical billing data can help detect anomalies that may indicate fraudulent activity.

You can also double check the invoiced amounts and items against past transactions.

If there is a significant deviation from the norm, such as unusually high charges or unfamiliar items, it warrants further investigation.

9. Conduct internal reviews

When it comes to implementing a process for detecting fake invoices, ensure that invoices, especially high-value ones, go through multiple levels of approval before payment (more on this later below👇 ).

You may also want to consider conducting regular audits of the accounts payable process to identify and address any vulnerabilities.

Staying off the hook: a few quick tips for spotting invoice fraud

  • Did you expect this? Thinking about whether you do use the service (or did buy those badass whale slippers) blocks many invoice phishing attempts. If your answer is no, you should also not open the invoice. If you think the invoice was meant for your co-worker, for example, ask directly, do not forward the email.
  • Does it seem too urgent? No one wants marks on their credit reports for late payments nor have their credit rating downgraded. Malicious actors know this too and make use of it by making you feel you must rush with the payment. Hurry makes people careless, so pay extra attention.
  • Look out for weird numbers: Unusually high payment requests should raise suspicion, but so should unusually low (as often seen with parcel phishes).
  • Check from who and to where: Does the email come from someone real, and do the links lead to where they should? If you decide on clicking the links, check again. Were you directed where you should, are the biller’s details what they should?
  • Be careful with attachments: Invoice emails often contain attachments and attachments often contain malware and credential harvesters. Check the file format for telltale signs, and never open them if you're unsure.

Are there any preventive measures for avoiding invoice fraud?

Strong internal controls

To prevent invoice fraud, you may need to establish internal controls if you haven't already.

This just means setting up procedures for invoice approval and payment.

Separating duties among employees ensures that no single person has control over all aspects of a financial transaction.

This segregation of duties might mean one person responsible for approving invoices and another for making payments.

Implementing dual authorization for high-value transactions may also be a measure worth considering if you want an extra layer of security.

As we touched on briefly above, maintaining detailed records of all financial transactions, will allow you to regularly review and identify any anomalies or irregularities.

Regular reconciliation of accounts payable records with bank statements can also ensure that all payments are legitimate and correctly accounted for.

Use invoice verification software

If your organization pays for lots of services, invoice verification software can help automate the process of verifying and cross-checking invoice details with purchase orders and delivery receipts.

These tools use AI and machine learning to detect anomalies and patterns indicative of fraud.

You can also integrate invoice verification software with your existing accounting systems to make sure all invoices are automatically checked against relevant data before approval.

Establish clear reporting channels

Creating a clear and straightforward process for reporting suspicious invoices is essential in preventing fraud.

Employees should know exactly how and where to report any concerns promptly.

Clear reporting channels ensure that any potential fraud is investigated quickly.

Once you have a reporting channels in place, the next step is to set up protocols for responding to reports of suspicious invoices - how do you intend to verify and escalate reports?

Use secure payment methods

Avoid making payments based on email instructions without verification.

Instead, use secure payment portals that require multi-factor authentication (MFA) to confirm transactions.

Regularly updating and securing these systems can prevent unauthorized access and ensure that only legitimate payments are processed.

It may also be worth having strict protocols for changing payment details to prevent fraudsters from diverting funds.

Invest in quality training

No matter what tools and tech you may have in place, your employees represent the biggest security risk.

According to a study by IBM, human error was a major contributing factor in 95% of all data breaches.

Unfortunately, your typical security training will mostly focus on raising awareness and compliance box-ticking.

But to measurably reduce human risk, you'll need to make sure you're using a security training solution that actually changes behavior.

Here are some of the key factors to consider when it comes to evaluating vendors:

  • Is training frequent enough?
  • Is the content digestible and engaging?

Reduce human risk with Hoxhunt

Here at Hoxhunt, our security awareness and phishing training is purpose-built to tangibly impact behavior.

We believe that effective security awareness programs do more than just meet compliance...

They build a foundation of security-first practices and motivate employees to report real attacks.

Hoxhunt delivers personalized, rewarding micro-trainings that not only educate but also incentivize proactive security behaviors.

Personalize training at scale: personalize the training paths for every employee based on their job roles, locations, tools used, and language.

Gamify end user interaction: engage your employees with gamified micro-training experiences that they'll genuinely enjoy.

Drive results with realistic phishing simulations: stay at the cutting edge of the constantly evolving threat landscape as our global threat intel team turns real phish into powerful phishing simulations

Easily measure progress: follow how your employees improve in reporting, missing, and clicking on the simulated phishing attacks.

Hoxhunt human risk platform
Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this