That Invoice From Your Vendor May Not Be From Your Vendor

Fake invoice fraud costs businesses an average of $1.2 million a year. AI now generates convincing invoices, matching letterhead, and spoofed vendor emails that accounting teams cannot distinguish from the real thing. Here is how it works and how to stop it.

RiskScope Team
invoice fraud, BEC, business email compromise, accounts payable fraud, vendor fraud, AI fraud, small business scam
Figure: Flowchart showing how fake invoice fraud works across two attack paths (domain spoofing and vendor email compromise) and the one defence that stops both.

The Most Expensive Mistake Your Business Will Make This Year

The FBI tracked $2.9 billion in losses to fake invoice fraud in 2023 in the US alone. Europol puts the annual European figure at over €1.7 billion.* The UAE's eCrime centre logged a 73% increase in BEC complaints in 2024.* Australia's ACSC identified invoice fraud as the highest-value cybercrime affecting small and medium businesses for the third consecutive year.

Those are reported losses. The actual number is higher in every region, because most businesses that are hit do not report it.

Nearly half of mid-market companies were hit last year. The average loss per company was $1.2 million. These are not careless operations run by people who do not know what they are doing. They are businesses with accounting teams, approval processes, and vendor relationships going back years.

None of that stopped it.


What Actually Happens

A scammer sends your accounts payable team an invoice. It looks identical to the ones you have been paying for two years. Same logo, same formatting, same vendor name, same project reference. The only difference is a bank account number buried in the payment details.

Your team pays it. The money is gone within 24 hours, moved through a chain of accounts that leads nowhere recoverable.

This is Business Email Compromise, the FBI's term for it, and it is the single most financially damaging cybercrime category in the world. Not ransomware. Not data breaches. Fake invoices.

It works in two ways.

Domain spoofing. The scammer registers a domain one character removed from your vendor's real address. acme-invoicing.com instead of acmeinvoicing.com. payrol1.com instead of payroll.com. The invoice comes from that address. Your team sees the display name, which reads as the real vendor, and processes it.

Vendor email compromise. The scammer gets into your actual vendor's email account through phishing or a credential breach. They sit in that inbox for days or weeks, reading correspondence, learning billing patterns, waiting. Then they send an invoice from the real address with updated payment details. There is nothing to catch. The email is genuine. The context is accurate. The only thing that changed is where the money goes.


AI Killed the Last Line of Defence

For years, fake invoices were catchable by eye. The logo was wrong. The formatting was off. The tone did not match. A sharp accounts payable person could feel it before they could articulate why.

That is over.

Generative AI can replicate a vendor's letterhead from a single sample. It can match invoice numbering sequences, reproduce VAT registration formats, mirror the exact language of prior correspondence, and generate a covering email that reads like the vendor wrote it. The whole package takes twenty minutes and costs nothing beyond a subscription.

The tell is gone. You cannot eyeball your way out of this anymore.


The Red Flags That Still Work

The visual checks are dead. The process checks are not.

Payment details changed. Legitimate vendors rarely change their banking information. When they do, they do it through multiple channels, not a single invoice. Any invoice where the bank account differs from your records needs a phone verification before payment. No exceptions.

The sender domain is one character off. Check the actual email address, not the display name. billing@acme-corp.net is not the same company as billing@acmecorp.com. This catches a large share of spoofed-domain attacks because scammers cannot use the real domain.

Invoice for work you did not order. No purchase order, no internal record, no approval trail. Some scammers skip the vendor impersonation entirely and just send invoices for services that were never requested, counting on someone to pay without tracing it back. If your team cannot match an invoice to an approved purchase, it does not get paid.

The amount sits just below your approval threshold. If your organisation requires dual sign-off above $10,000, expect to see invoices for $9,700. Scammers research this. An invoice amount that is suspiciously round and suspiciously close to your threshold is a signal.

Urgency on a routine payment. Real vendors invoice on standard 30-day terms. An invoice demanding payment in 24 hours to avoid service suspension on a routine transaction is applying pressure because pressure bypasses process. That is the point.
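As an added example (not RiskScope's code and not part of the original post), the process checks above turned into a screening routine that runs an incoming invoice against the vendor master record: it flags bank details that differ from the record, a lookalike sender domain (the one-character-off pattern, with digit-for-letter swaps and hyphens normalised away before comparing), an invoice with no approved purchase order, and an amount sitting just under the dual sign-off threshold. The vendor record, open purchase orders, threshold and the suspect invoice are all constructed for the example.

```python
from collections import namedtuple

# sender is the real From: address, never the display name shown in the mail client.
Invoice = namedtuple("Invoice", "vendor sender iban amount po_number")

# Constructed vendor master record, open purchase orders and approval threshold.
VENDORS = {"Acme Corp": {"domain": "acmecorp.com", "iban": "FI21 1234 5600 0007 85"}}
OPEN_POS = {"PO-4471"}
DUAL_SIGNOFF_ABOVE = 10_000.0
# Substitutions scammers lean on: payrol1.com for payroll.com, acme-corp for acmecorp.
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "-": None})

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(sender_domain: str, real_domain: str) -> bool:
    """True when the domain is not the vendor's but lands within one edit of it
    once homoglyphs, hyphens and the TLD are stripped (TLD handling is naive)."""
    if sender_domain == real_domain:
        return False
    norm = lambda d: d.lower().translate(_HOMOGLYPHS).rsplit(".", 1)[0]
    return edit_distance(norm(sender_domain), norm(real_domain)) <= 1

def screen(inv: Invoice) -> list[str]:
    """Process red flags raised by one invoice; an empty list means pay as normal."""
    rec = VENDORS.get(inv.vendor)
    if rec is None:
        return ["unknown vendor: no master record"]
    flags = []
    domain = inv.sender.rsplit("@", 1)[-1].lower()
    if domain != rec["domain"]:
        kind = "lookalike" if lookalike(domain, rec["domain"]) else "unrecognised"
        flags.append(f"{kind} sender domain {domain} (vendor record says {rec['domain']})")
    if inv.iban.replace(" ", "") != rec["iban"].replace(" ", ""):
        flags.append("bank details differ from vendor record: phone-verify before paying")
    if inv.po_number not in OPEN_POS:
        flags.append("no approved purchase order matches this invoice")
    if 0.9 * DUAL_SIGNOFF_ABOVE <= inv.amount < DUAL_SIGNOFF_ABOVE:
        flags.append(f"amount {inv.amount:,.0f} sits just under the dual sign-off threshold")
    return flags

# Constructed suspect invoice: lookalike domain, new IBAN, amount just under threshold.
SUSPECT = Invoice("Acme Corp", "billing@acme-corp.net", "GB29 NWBK 6016 1331 9268 19", 9_700.0, "PO-4471")
```

Any non-empty result from screen() is a hold-for-verification, not a verdict: the bank-details flag in particular still needs the phone call from a number in your own records.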


One Rule That Stops Most of This

Call the vendor before paying any invoice where the bank account has changed.

Use a number from your own records, not from the invoice and not from the email signature. Talk to a billing contact you already know. Ask them to confirm the payment details match what they have on file. Ninety seconds.

This single check stops the spoofed domain variant entirely and catches the vendor email compromise variant the moment the real vendor says their details have not changed.

The reason most businesses do not do this consistently is that it feels excessive for a routine payment. That is exactly what makes the scam work. Make it a written policy and remove the individual judgement call. When the rule is "always call to confirm a changed account", no individual staff member can be pressured or manipulated into skipping it.


If the Money Has Already Gone

Call your bank immediately. Wire transfers and ACH payments have a short window, sometimes less than 24 hours, where a recall is possible if the receiving bank has not yet moved the funds. Speed is the only variable you can control.

Then report to the relevant authority for your region:

  • USA: FBI at ic3.gov. The IC3 runs a Financial Fraud Kill Chain process built specifically for BEC losses. It has returned hundreds of millions of dollars to victims. Report fast.
  • UK: Action Fraud
  • EU: your national cybercrime unit. In Finland, NCSC-FI at Traficom
  • UAE: eCrime — the UAE Cybercrime Combating Centre
  • Saudi Arabia: Saudi CERT
  • South Africa: SABRIC (South African Banking Risk Information Centre) and the SAPS Commercial Crime Unit
  • Australia: ReportCyber at the Australian Cyber Security Centre
  • New Zealand: CERT NZ

The Domain Is the Weak Spot

In the spoofed domain variant, the scammer had to register a new domain. That domain is days or weeks old. It has no web presence, no business history, no matches in threat databases. It looks nothing like a company that has been sending you invoices for two years.

If an invoice arrives from a sender domain you do not immediately recognise, run it through RiskScope before anyone processes the payment. A newly registered lookalike domain with no reputation history is a concrete signal, not a gut feeling. It takes thirty seconds and it is free.

The compromised vendor email variant does not leave that footprint, which is why the phone call matters. But spoofed domains are a large share of BEC attacks and they are catchable before a single dollar moves.


Check any suspicious sender domain or invoice URL at RiskScope. Lookalike domains registered within the last few weeks, no established web presence, and phishing database matches are all detectable before you pay.



* These figures are sourced from secondary reports and have not been independently verified against primary publications from Europol and the UAE eCrime centre. Verify before citing externally.

Sources: FBI IC3 2023 Internet Crime Report, FBI: Business Email Compromise, Association of Certified Fraud Examiners: Report to the Nations 2024, Klippa: Invoice Fraud in 2026, Flagright: The Rise of Invoice Fraud in Modern Business
