What is invoice fraud?

Updated 12 Mar 2026Content was accurate at the time of publication

Invoice fraud is a form of financial deception where criminals submit or alter invoices to trick a business into paying money to an attacker-controlled account. It covers a range of schemes—false billing, vendor impersonation, account-change scams and business email compromise (BEC)—all designed to exploit weaknesses in accounts payable, procurement and email security. For finance teams and bookkeepers, invoice fraud is not theoretical: it's a pragmatic risk that can cost tens of thousands in a single incident and erode supplier relationships, cash flow and trust. Businesses of all sizes are targeted; small teams are often the most vulnerable because they typically have fewer controls.

This guide explains how invoice fraud typically works, the concrete red flags you can spot in minutes, a prioritized list of prevention controls across people, process and technology, and a step-by-step response plan you can follow if you suspect a fake invoice. It includes ready-to-use templates and practical examples to illustrate the most common attack flows.

How invoice fraud typically works

Invoice fraud attacks often follow a similar sequence: reconnaissance → insertion → escalation → payment. Understanding that flow helps you interrupt it.

Reconnaissance — Scammers research your business, your suppliers and employees. Public sources and social media can reveal supplier names, invoice formats and contact names. Threat actors may probe your finance inboxes to find typical messaging patterns and approval workflows.

Insertion — The attacker sends a fake invoice or a supplier-change notice. Common vectors include spoofed email addresses that look like a supplier (e.g., payables@suppl1er.com), compromised supplier email accounts (vendor impersonation), and intercepted invoices (man-in-the-middle email compromise).

Escalation — The fake invoice often requests urgency (e.g., "pay now or risk service disruption") or a change to bank details. It may use slightly altered invoice numbers or mimic branding. Attackers may follow up with phone calls impersonating procurement or the supplier to confirm the change—social engineering to bypass controls.

Payment redirection — Funds are sent to attacker-controlled accounts (often fast-clearing payment rails or mule accounts). Once funds clear and are withdrawn or moved offshore, recovery becomes difficult.

Many scams combine technical vulnerabilities (weak email authentication) with human factors (lack of independent verification). Understanding the typical flow—from reconnaissance to payment redirection—lets you place controls where they matter most.

Common warning signs and red flags

Spotting invoice fraud early saves money. Train your AP team to treat the following items as immediate red flags:

Changes to bank details — New bank account for a longstanding supplier without independent verification.
Urgent or threatening language — "Pay immediately," "final notice," or threats to stop supply if not paid today.
Slight email anomalies — One-letter substitution in the sender domain (e.g., suppl1er.com vs supplier.com), missing display-name alignment, or unexpected personal email addresses (e.g., Gmail).
Invoice anomalies — Inconsistent invoice numbers, duplicate invoices, or amounts that don't match purchase orders (POs) or contracts.
New or unexpected suppliers — Invoices from vendors not in your supplier masterfile, or sudden activity from dormant suppliers.
Formatting and grammar issues — Different fonts, bad logos, odd date formats, or poor grammar—especially for high-value invoices.
Payment method changes — Requests to change to new payment rails (e.g., bank transfer instead of BPAY/Osko) or offshore accounts.
Unusual follow-up behavior — Multiple urgent phone calls to pressure payment or insisting payment via a specific staff member.

When you see any of these signs, pause payment and follow verification steps. Treat a single red flag as cause for independent confirmation rather than an assumption of fraud.

Preventing invoice fraud—controls and best practices

Prevention must be layered across people, process and technology. Prioritize controls that are low-cost and high-impact first.

People & process

Supplier onboarding and masterfile hygiene — Use a formal supplier onboarding checklist and require ABN verification (use the Australian Business Register: https://abr.business.gov.au/) and verified bank details. Audit the supplier masterfile quarterly and restrict who can add or edit suppliers.

Dual approval and segregation of duties — Implement a payment authorisation policy that requires at least two sign-offs for payments above a threshold (e.g., $1,000).

Verified change requests — Require a supplier-change request form with mandatory fields and executive sign-off. Verify bank-detail changes by calling the supplier using a phone number from your masterfile—not the one on the change request.

Training and simulations — Run regular fraud prevention training and phishing simulations for finance and procurement teams.

Clear escalation paths — Document an incident response plan and ensure finance, IT and legal know their roles.

Technology & controls

Email authentication — Enforce DMARC, SPF and DKIM on your corporate domain to reduce spoofed emails arriving in AP inboxes.

Secure supplier portals — Move invoicing and bank details updates into a secure supplier portal rather than email.

Accounting system access controls — Apply least-privilege access to AP systems and enable multi-factor authentication (MFA).

Automated anomaly detection — Use rules in your ERP to flag invoices with bank-detail changes, new suppliers, or duplicate invoice numbers.

Payment controls — Use payment rails with traceability (e.g., BPAY vs direct NPP), and set daily/transactional limits on outgoing transfers.

Vendor validation tools — Consider third-party vendor verification and continuous monitoring services.

Small-business adaptations

If you're a small team, institute a two-person rule: one person prepares payment; a different person approves it after independent supplier confirmation. Keep a "trusted supplier" list with stored, verified contact details (not only email). Audit it monthly.

When relevant, review financing and accounts policies that intersect with AP risk. If you use invoice-related lending like invoice finance, ensure lenders and platforms are included in your verification processes.

Step-by-step response if you suspect or receive a fake invoice

When fraud is suspected, act quickly and follow a structured checklist. Time-sensitivity matters.

Immediate actions (first 1–24 hours)

Stop the payment — If payment is pending, contact your bank immediately and request a stop or recall. Provide transaction ID, amount, and beneficiary details.

Preserve evidence — Save the email (native format), attachments and headers. Do not delete. Export the invoice as a PDF and note the time you discovered it.

Independent verification — Call the supplier using a number in your masterfile (not the number on the suspicious email) to confirm.

Notify internal stakeholders — Alert finance leadership, IT/security, legal and the ledger owner. Document who was notified and times.

Forensic and escalation (24–72 hours)

Capture email headers and metadata — Gmail: Open the message → click the three dots → Show original → save the headers. Outlook (desktop): Open message → File → Properties → Internet headers → copy/save. Provide headers to your bank and to cyber-incident responders.

Report to banks and payment systems — Provide the bank with payment details and proof of fraud. Banks can attempt recall or freeze beneficiary accounts, but success varies.

Report to authorities and aggregators — Lodge reports with Scamwatch, your local police and the Australian Cyber Security Centre (ACSC) via their reporting portal. Provide timelines, email headers and transaction receipts.

Internal incident report — Complete an incident report form and start a timeline log.

Follow-up (3–30 days)

Audit and remediate — Review affected processes, run a supplier masterfile audit, and enact immediate controls (e.g., temporary payment threshold reductions).

Communicate to stakeholders — Inform suppliers if their accounts were spoofed and advise them to secure their email.

Insurance and recovery — Notify insurers (crime/cyber insurance) and follow their claims process. Provide all supporting evidence.

Remember: speed is critical but careful evidence preservation is equally important. Do not publicly disclose sensitive details that could hinder recovery.

Reporting and recovery options

Where to report

Scamwatch — fake business invoice scams alert: https://www.scamwatch.gov.au/about-us/news-and-alerts/scam-alert-fake-business-invoice-scams
Australian Cyber Security Centre (ACSC) — reporting and BEC guidance: https://www.cyber.gov.au
ASIC — guidance on company scams and corporate governance obligations: https://asic.gov.au
Australian Business Register (ABR) — ABN lookup and business identity: https://abr.business.gov.au
Your bank — use the bank's dedicated fraud line and provide transaction reference, time, recipient account and evidence.
Police — file a report with your local police and get an event number (often required for bank/insurer follow-up).

What to expect

Banks may attempt a recall, freeze or trace; success depends on timing and whether funds are still in an account under the bank's control. Recovery is more likely when reported within hours; once funds are withdrawn or sent offshore, recovery becomes difficult. Insurers may require detailed logs, proof of controls and evidence of loss. Cyber and crime insurance policies differ—check coverage.

What to include when reporting

Transaction details (amount, date, transaction ID)
Full email headers and attachments
Supplier identity and masterfile record
Screenshots and timeline of communications
Any internal approvals or deviations from policy

Practical templates and tools

Ready-to-use templates help speed response and standardise your processes.

Bank-details verification email (quick script) — Subject: Bank details verification — invoice [Invoice No.]. Body: "We have received a request to change bank details for [Supplier Name]. For security, please confirm by phone on the number we have on file or reply with a signed supplier-change request form. We cannot process changes via email alone."

Supplier-change request form (fields to require) — Supplier name, ABN, old BSB/account, new BSB/account, effective date, reason for change, uploaded bank statement (front page), authorised signatory name, signatory email, signatory phone and vendor stamp/signature.

Payment authorisation checklist — PO matched? Y/N. Goods/services received? Y/N. Bank details verified via known phone? Y/N. Dual signatory approval obtained? Y/N. Comment/exception reason if any.

Incident report template (key fields) — Date/time discovered, discoverer, summary, evidence list (emails/headers/screenshots), transaction details, internal notifications, bank notified (time & person), police/report refs, remediation actions.

Offer these as downloadable files on your internal portal. For immediate use, copy-paste the short scripts above into your team chat or ticketing system.

Real examples and short case studies

Vendor impersonation — successful recovery — A mid-sized company received an email changing bank details to a new account. The AP clerk processed payment without calling the supplier. Within 12 hours the supplier notified the client that payment hadn't arrived. The company contacted its bank within 3 hours of being notified; funds were traced to a domestic account and partially recovered before withdrawal. Root cause: missing phone verification step. Fix: mandatory phone verification for all bank changes.

Business email compromise — blocked by controls — An attacker used a compromised vendor mailbox to request an urgent payment. DMARC and MFA on the buyer's side flagged the message; the AP team called the supplier using the masterfile, revealing the compromise. No funds were lost. Fix: enforced DMARC and supplier portal adoption.

Small business targeted — no insurance, partial loss — A bookkeeping practice paid a fake invoice issued by a fraudster who had created a convincing invoice template. The client had limited controls and no cyber insurance. Police could not recover funds. The business instituted dual-approval and subscribed to vendor-validation services. Lesson: small teams must adopt simple, enforceable controls.

FAQ

What is the first thing I should do if we've paid a fake invoice?

Contact your bank immediately to request a recall, preserve evidence (email headers, transaction receipts), and notify finance leadership and police.

Can banks reverse a fraudulent transfer?

Banks may attempt recalls or freezes, but success depends on timing and whether the recipient account still holds the funds.

How do I verify a supplier's bank details safely?

Call a phone number from your supplier masterfile (not the one on the change request), request a bank-statement extract showing the account name and BSB, and require a signed supplier-change form.

What should I include when reporting an invoice scam?

Transaction details, email headers, copies of the invoice and attachments, and your supplier masterfile entry for the vendor.

How often should we audit the supplier masterfile?

Quarterly audits are a good baseline; high-volume organisations should audit monthly.

Does cyber insurance cover invoice fraud?

Policies vary. Some cyber/crime policies cover BEC losses; check your policy and speak to your insurer.

Key takeaways

Invoice fraud affects businesses of all sizes and is often successful because it exploits both technical vulnerabilities (spoofed emails, weak authentication) and human factors (lack of independent verification). The most effective defence combines low-cost controls: supplier masterfile discipline, dual approval for payments above threshold, mandatory phone verification of bank changes, and staff training on red flags. If fraud is suspected, act immediately to stop payment and preserve evidence before reporting to your bank, police and the Australian Cyber Security Centre.