Ransomware gets the headlines. Phishing gets the awareness training. But invoice fraud quietly steals more money from businesses than either.
The FBI's 2023 Internet Crime Report puts business email compromise losses at $2.9 billion — and invoice fraud is the most common variant. UK Finance reported that invoice and mandate fraud remains one of the costliest categories of authorised push payment fraud in the UK, with businesses losing tens of millions annually. These numbers only reflect reported cases; the real figure is almost certainly higher.
Here's what makes invoice fraud so effective: it doesn't require your employees to click anything malicious, download anything, or make an obvious mistake. It requires them to do exactly what they'd normally do — pay an invoice — except the bank details have been changed.
How Invoice Interception Actually Works
The most sophisticated form of invoice fraud is the man-in-the-middle (MITM) attack on email. Here's the step-by-step:
Step 1: Gain access to one side of the conversation.
The attacker compromises the email account of either the supplier or the customer. This usually happens through a separate phishing attack weeks or months earlier. Importantly, the attacker doesn't lock anyone out or make any visible changes. They just set up a mail forwarding rule that sends copies of all incoming email to an external address. The victim has no idea their account is being monitored.
Step 2: Monitor and wait.
The attacker reads emails silently, learning how the business operates. They identify ongoing projects, regular invoicing patterns, payment schedules, the names of people in finance, and — critically — the exact formatting and language used in real invoices. They might monitor for weeks before acting.
Step 3: Intercept at the right moment.
When the attacker sees a legitimate invoice being sent — especially a large one — they strike. They create a near-identical email from a lookalike domain or from the compromised account itself, containing a modified invoice. Everything is the same: the same project reference, the same amount, the same formatting. The only change is the bank account details.
If the attacker has access to the supplier's email, they can delete the original outgoing invoice and replace it with the modified version. The customer receives what looks like a completely legitimate email from their known supplier contact, attached to an ongoing email thread.
Step 4: Follow up convincingly.
If the customer asks questions, the attacker responds — because they have access to the email account and understand the context of the project. They can answer questions about the work, reference previous conversations, and provide plausible explanations for the changed bank details ("We've switched banks for better international transfer rates").
The customer pays the invoice. The money goes to the attacker. By the time either party realises what happened — usually when the real supplier asks why they haven't been paid — the money has been moved through multiple accounts and is gone.
The Three Main Attack Vectors
While MITM interception is the most sophisticated form, invoice fraud comes in several flavours:
1. Compromised email account (described above). The attacker has access to real email accounts and can intercept or modify real invoices. This is the hardest to detect because the emails come from legitimate addresses within legitimate conversations.
2. Supplier impersonation without account access. The attacker registers a lookalike domain (e.g., acme-services.com instead of acmeservices.com) and sends a plausible invoice based on publicly available information about the business relationship. They might know that Company A uses Company B as a supplier because it's mentioned on a website, in a press release, or on LinkedIn.
3. Internal accounts payable compromise. The attacker compromises someone in the customer's finance team and uses their access to change supplier payment details in the accounting system. Every future payment to that supplier goes to the attacker's account until someone notices. This can run for months.
Real Examples That Show the Scale
Scottish charity loses £340,000: In 2023, a Scottish social enterprise had their email account compromised. The attacker monitored communications with a funder, intercepted a legitimate grant payment, and redirected £340,000 by changing the bank details on a single email.
UK construction firm loses £1.2 million: A mid-size construction company received a modified invoice from what appeared to be their main subcontractor. The invoice was for a real project, referenced the correct purchase order, and came from what looked like the subcontractor's email address (a lookalike domain with one character changed). Two payments were made before the real subcontractor called asking about overdue invoices.
Belgian bank Crelan loses €70 million: In one of the largest known cases, Belgian bank Crelan lost approximately €70 million to a BEC attack that involved fraudulent payment instructions purportedly from senior management. The attack combined CEO fraud with invoice manipulation.
Why Current Processes Fail
Most businesses handle invoices like this:
- Invoice arrives by email
- Someone in finance checks it looks reasonable
- Payment is made
The verification, such as it is, focuses on whether the invoice looks right: correct supplier name, reasonable amount, valid project reference. But none of these checks catch a modified bank account number on an otherwise legitimate invoice.
Think about it: when was the last time your accounts payable team called a supplier to verbally confirm bank details before making a payment? For most businesses, the answer is "never." The bank details on the invoice are taken at face value.
What a Real Verification Process Should Look Like
Here's a practical framework that works for businesses of any size:
For new suppliers:
- During onboarding, collect bank details through a verified channel — a phone call to a number from the supplier's official website (not from the email), or during an in-person meeting.
- Store these details as the baseline in your accounting system.
- Require sign-off from two people for any new supplier setup.
For existing suppliers:
- Any request to change bank details triggers a verification call. No exceptions. Call the supplier using a number you have on file — never a number provided in the email requesting the change.
- Have a specific, documented process for payment detail changes that requires written confirmation from a named individual at the supplier, followed by phone verification.
- Send a small test payment (e.g., £1) to new bank details and ask the supplier to confirm receipt before processing the full amount.
For all invoices:
- Check bank details against your records before every payment. If the details on the invoice don't match what's in your system, stop and verify.
- For invoices over a certain threshold (set this based on your business — £5,000 is common), require dual authorisation and a verification step.
- Never update bank details based on an email alone, even if it appears to come from a known contact in a legitimate email thread.
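The pre-payment checks above (bank details against the onboarding baseline, sender domain against the domain on file, a dual-authorisation threshold) are easy to automate in the accounts payable workflow. The following is an added example written for this article, not the article's own process or any vendor's code. The supplier record, the two invoices, the 5,000 threshold and the two-edit lookalike cut-off are constructed sample data and assumptions; the lookalike check uses the hyphen-inserted domain from the attack vectors section.

```python
"""Pre-payment invoice checks: bank details vs. onboarding baseline, sender
domain vs. on-file domain (lookalikes called out separately), and a
dual-authorisation threshold. Added example; sample values are constructed."""
from dataclasses import dataclass

DUAL_AUTH_THRESHOLD = 5000.0   # assumption: the article notes 5,000 is a common threshold
LOOKALIKE_MAX_EDITS = 2        # assumption: domains within 2 edits are treated as lookalikes


@dataclass(frozen=True)
class SupplierRecord:
    """Baseline captured through a verified channel during onboarding."""
    name: str
    email_domain: str
    sort_code: str
    account_number: str


@dataclass(frozen=True)
class Invoice:
    """Fields extracted from an incoming invoice email."""
    supplier_name: str
    sender_email: str
    amount: float
    sort_code: str
    account_number: str
    project_ref: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_invoice(invoice: Invoice, supplier: SupplierRecord) -> list:
    """Return a list of 'CODE: detail' findings; an empty list means every check passed."""
    findings = []

    # 1. Bank details must match the verified baseline exactly.
    if (invoice.sort_code, invoice.account_number) != (supplier.sort_code, supplier.account_number):
        findings.append("BANK_DETAILS_MISMATCH: stop and verify by phone using the number on file")

    # 2. Sender domain must be the one recorded at onboarding.
    sender_domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    on_file = supplier.email_domain.lower()
    if sender_domain != on_file:
        if edit_distance(sender_domain, on_file) <= LOOKALIKE_MAX_EDITS:
            findings.append(f"LOOKALIKE_DOMAIN: {sender_domain} resembles {on_file}")
        else:
            findings.append(f"UNKNOWN_DOMAIN: {sender_domain} is not the on-file domain {on_file}")

    # 3. Large payments need a second approver regardless of the other checks.
    if invoice.amount >= DUAL_AUTH_THRESHOLD:
        findings.append(f"DUAL_AUTH_REQUIRED: amount {invoice.amount:.2f} is at or above {DUAL_AUTH_THRESHOLD:.0f}")

    return findings


HOLD_CODES = {"BANK_DETAILS_MISMATCH", "LOOKALIKE_DOMAIN", "UNKNOWN_DOMAIN"}


def payment_decision(findings: list) -> str:
    """Map findings to an action: HOLD (verify first), PAY_WITH_DUAL_AUTH, or PAY."""
    codes = {f.split(":", 1)[0] for f in findings}
    if codes & HOLD_CODES:
        return "HOLD"
    if "DUAL_AUTH_REQUIRED" in codes:
        return "PAY_WITH_DUAL_AUTH"
    return "PAY"


# Constructed sample data: one supplier baseline, one genuine invoice and one
# modified invoice of the kind described above (same project reference and
# amount format, lookalike domain, different account number).
ACME = SupplierRecord("Acme Services Ltd", "acmeservices.com", "12-34-56", "12345678")
GENUINE = Invoice("Acme Services Ltd", "accounts@acmeservices.com", 1200.00,
                  "12-34-56", "12345678", "PO-4471")
MODIFIED = Invoice("Acme Services Ltd", "accounts@acme-services.com", 8400.00,
                   "12-34-56", "87654321", "PO-4471")

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("modified", MODIFIED)):
        findings = check_invoice(inv, ACME)
        print(f"{label}: {payment_decision(findings)}")
        for finding in findings:
            print("  -", finding)
```

The decision function deliberately returns HOLD for any domain or bank-detail finding rather than a score: the article's point is that a changed account number on an otherwise perfect invoice is the whole attack, so a single mismatch must stop the payment until the phone verification has happened.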
For email security:
- Enable MFA on all email accounts — this is the single most effective defence against account compromise, which is the starting point for most invoice interception attacks.
- Regularly audit email forwarding rules. Check that no one's mailbox has forwarding rules they didn't create. In Microsoft 365: Exchange admin centre → Mail flow → Rules, and also check individual mailbox settings.
- Train finance staff specifically on invoice fraud. Generic security awareness training rarely covers the specifics of invoice interception. Your AP team needs targeted training.
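Auditing forwarding rules by hand does not scale past a handful of mailboxes, so it is worth scripting the check against an export. The following is an added example written for this article, not the article's own procedure or Microsoft's code. It assumes the export is a list of mailboxes using the property names Exchange Online PowerShell reports (ForwardingSmtpAddress, ForwardingAddress and DeliverToMailboxAndForward on the mailbox; Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo and DeleteMessage on each inbox rule), such as Get-Mailbox and Get-InboxRule output passed through ConvertTo-Json; the organisation domain and the three mailboxes are constructed sample data.

```python
"""Flag mailbox-level and inbox-rule forwarding that leaves the organisation.
Added example; the export shape is an assumption and the data is constructed."""
import re
from typing import Optional

ORG_DOMAINS = {"acmeservices.com"}   # constructed: the organisation's own domains

RULE_FORWARD_PROPS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
MAILBOX_FORWARD_PROPS = ("ForwardingSmtpAddress", "ForwardingAddress")


def extract_address(value: Optional[str]) -> Optional[str]:
    """Pull a bare address out of 'smtp:user@host' or 'Name <smtp:user@host>'."""
    if not value:
        return None
    match = re.search(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)", value)
    return match.group(1).lower() if match else None


def is_external(address: str, org_domains: set) -> bool:
    """True when the address's domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1] not in {d.lower() for d in org_domains}


def audit_forwarding(mailboxes: list, org_domains: set = ORG_DOMAINS) -> list:
    """Return one finding per external forward found at mailbox or inbox-rule level."""
    findings = []
    for mbx in mailboxes:
        owner = mbx["UserPrincipalName"]

        # Mailbox-level forwarding (set by an admin, or through a compromised session).
        for prop in MAILBOX_FORWARD_PROPS:
            addr = extract_address(mbx.get(prop))
            if addr and is_external(addr, org_domains):
                findings.append({"mailbox": owner, "where": prop, "target": addr,
                                 "keeps_copy": bool(mbx.get("DeliverToMailboxAndForward"))})

        # Inbox rules created by the user, or by whoever was logged in as the user.
        for rule in mbx.get("InboxRules", []):
            if not rule.get("Enabled", True):
                continue
            for prop in RULE_FORWARD_PROPS:
                for raw in rule.get(prop) or []:
                    addr = extract_address(raw)
                    if addr and is_external(addr, org_domains):
                        findings.append({"mailbox": owner,
                                         "where": f"InboxRule:{rule['Name']}",
                                         "target": addr,
                                         # a rule that also deletes the message hides the copy from the user
                                         "hides_original": bool(rule.get("DeleteMessage"))})
    return findings


# Constructed sample export: a user-level rule forwarding outside the organisation,
# an admin-level forward outside the organisation, and a benign internal redirect.
SAMPLE_EXPORT = [
    {"UserPrincipalName": "finance@acmeservices.com",
     "ForwardingSmtpAddress": None, "ForwardingAddress": None,
     "DeliverToMailboxAndForward": False,
     "InboxRules": [
         {"Name": "Invoices", "Enabled": True,
          "ForwardTo": ["archive <smtp:ap.archive@example.net>"],
          "DeleteMessage": False},
     ]},
    {"UserPrincipalName": "j.smith@acmeservices.com",
     "ForwardingSmtpAddress": "smtp:j.smith.backup@example.net",
     "ForwardingAddress": None,
     "DeliverToMailboxAndForward": True,
     "InboxRules": []},
    {"UserPrincipalName": "a.jones@acmeservices.com",
     "ForwardingSmtpAddress": None, "ForwardingAddress": None,
     "DeliverToMailboxAndForward": False,
     "InboxRules": [
         {"Name": "Cover", "Enabled": True,
          "RedirectTo": ["b.patel@acmeservices.com"], "DeleteMessage": False},
     ]},
]

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_EXPORT):
        print(finding)
```

Each finding should be confirmed with the mailbox owner; a forward the user did not create is the signal the article describes and warrants treating the account as compromised (reset credentials, revoke sessions, remove the rule) rather than simply deleting the rule.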
The Cost of Verification vs. The Cost of Fraud
Some businesses resist implementing verification processes because they slow things down. A phone call to confirm bank details takes five minutes. Processing a payment without verification is faster.
Here's the maths: if your accounts payable team processes 50 invoices a month and spends 5 minutes verifying each change request (maybe 2-3 per month), that's 15 minutes of extra work. The average invoice fraud loss in the UK is around £30,000-£50,000 per incident. One prevented fraud pays for years of verification phone calls.
And here's what's often overlooked: the money lost to invoice fraud is usually unrecoverable. Unlike credit card fraud, where transactions can be reversed, wire transfers to fraudulent accounts are gone within hours. Your insurance may not cover it — many business insurance policies exclude "voluntary payment" fraud, which is exactly what invoice fraud is classified as.
The Red Flags to Watch For
Train your finance team to pause when they see any of these:
- "We've changed our bank details" — in any form, from any supplier, requires verification
- Urgency around payment — "Please process urgently, the old account is being closed"
- Different email address or domain — even slightly different from the usual contact
- Invoice formatting changes — different template, different fonts, different footer
- A new contact handling an existing account — "Hi, I'm taking over from Sarah for invoicing"
- Email-only communication — the supplier suddenly stops being available by phone and communicates only by email
None of these are definitive proof of fraud on their own. But each one should trigger a simple verification call. Five minutes on the phone can save you tens of thousands of pounds.