The Fake Invoice Scam: How to Protect Your Accounts Team
Your accounts payable team processes dozens, maybe hundreds, of invoices every month. Most of them are legitimate. Some of them are not. And with fake invoice scams becoming increasingly sophisticated, the gap between the real and the fake is getting harder to spot.
Here's what the scam looks like — and how to shut it down.
How the fake invoice scam works:
There are several variations, but they all follow a similar pattern.
Version 1: The impersonator
A scammer researches your business (LinkedIn, your website, public procurement records) and finds out who your regular suppliers are. They register a lookalike domain and send from an address that is easy to mistake for the supplier's (think `invoicing@blueskycleaning.com.au` versus the real `accounts@blue-sky-cleaning.com.au`), often with the supplier's name as the display name so that only the address itself gives it away. The invoice is realistic and for a plausible amount.
Version 2: The bank detail swap
The scammer intercepts or spoofs an email from an existing supplier and adds a note: "Please update our bank details for future payments to: [criminal's account]." The invoice looks identical to real ones. The bank details are the only thing that has changed. When the supplier's own mailbox has been compromised, the email comes from the genuine address and passes every sender check; only a call to a number you already hold catches it.
Version 3: The completely fake invoice
The scammer sends an invoice for a service that your business could plausibly have used: IT support, advertising, maintenance, software licensing. The invoice looks professional. There is no obvious red flag, no purchase order to compare it against, and someone approves it and pays.
Why accounts teams are vulnerable:
Accounts teams are busy and process a high volume of invoices. They have built up trust with regular suppliers, and there is social pressure not to delay supplier payments. All of these factors work against careful scrutiny of any single invoice.
The controls that stop fake invoices:
- Call to verify any new payee or bank detail change. This is the golden rule. Every single time a supplier changes their bank details, call them on a number you already have on file (from your records, not from the email, the new invoice, or the signature block) to confirm. Never confirm by replying to the email, because a compromised or spoofed mailbox will happily confirm its own request. It takes two minutes. It saves thousands.
- Implement a two-person approval process for payments above a threshold. One person to process, a second to approve. Especially for new payees.
- Check all invoices against purchase orders. If there's no corresponding PO or prior approval for the service, investigate before paying.
- Train your accounts team specifically on invoice fraud. They need to know the variations, the red flags, and the verification process.
- Configure your email security tools to tag mail from outside your business and to flag external senders whose display name or address imitates an internal address or a known supplier's domain. Enforcing SPF, DKIM and DMARC checks on inbound mail stops the crudest spoofing of a supplier's real domain, though it does nothing against a lookalike domain the scammer owns or a genuine mailbox they have taken over. Your IT provider can help with this.
A quick check before every payment:
- Is this supplier in our records?
- Do the bank details match what we have on file?
- Was this service actually ordered/approved?
- Has the sender's email address changed recently, and does the Reply-To address match the From address?
If any of these give you pause — verify before paying. Always.
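The checklist above can be run as code against the vendor master file before a payment is released. The following is an added example, not Phishbate's own tooling or any product's code: the supplier, purchase orders, phone number, bank details and the four sample invoices are all constructed for illustration. It covers the three variations described earlier (lookalike sender domain, bank detail change from a genuine address, and an unknown supplier with no purchase order) and returns the reasons a payment must be held for verification.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed vendor master file. The supplier, domain, bank details and phone
# number are hypothetical and exist only for this example.
VENDORS = {
    "Blue Sky Cleaning": {
        "domain": "blue-sky-cleaning.com.au",
        "bank_account": "063-000 12345678",
        "phone_on_file": "+61 2 5550 0100",
    },
}

# Constructed open purchase orders: PO number -> (vendor on the PO, approved amount).
OPEN_POS = {
    "PO-0117": ("Blue Sky Cleaning", 1450.00),
}


@dataclass
class Invoice:
    vendor: str
    sender: str                          # From: address on the covering email
    bank_account: str                    # account quoted on the invoice
    amount: float
    po_number: Optional[str] = None
    asks_to_change_payee: bool = False   # "please update our bank details"


def digits(s: str) -> str:
    """Compare bank details on digits only, ignoring spaces and hyphens."""
    return re.sub(r"\D", "", s)


def normalize_domain(domain: str) -> str:
    """Collapse the tricks lookalike domains rely on: case, separators, digit homoglyphs."""
    d = domain.lower().translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))
    return re.sub(r"[-._]", "", d)   # blue-sky-cleaning.com.au -> blueskycleaningcomau


def classify_sender(sender: str, vendor_domain: str) -> str:
    """Return 'on-file', 'lookalike' or 'unknown' for the sender's domain versus the vendor record."""
    domain = sender.rsplit("@", 1)[-1].lower()
    vendor_domain = vendor_domain.lower()
    if domain == vendor_domain or domain.endswith("." + vendor_domain):
        return "on-file"      # the vendor's own domain (or a subdomain of it)
    # Heuristic: the vendor's first label survives inside the normalized sender domain.
    # Catches blueskycleaning.com.au, blue-sky-cleaning.c0m.au and
    # blue-sky-cleaning.com.au.mail-portal.net; very short labels would need a stricter test.
    if normalize_domain(vendor_domain.split(".")[0]) in normalize_domain(domain):
        return "lookalike"
    return "unknown"


def check_invoice(inv: Invoice) -> list:
    """Return the reasons this invoice must be verified before payment; empty means it passed."""
    findings = []
    vendor = VENDORS.get(inv.vendor)
    if vendor is None:
        findings.append("new payee: supplier is not in our records")
    else:
        sender_class = classify_sender(inv.sender, vendor["domain"])
        if sender_class == "lookalike":
            findings.append(f"sender domain imitates {vendor['domain']}")
        elif sender_class == "unknown":
            findings.append("sender domain is not the one on file for this supplier")
        if digits(inv.bank_account) != digits(vendor["bank_account"]):
            findings.append(f"bank details differ from file: call {vendor['phone_on_file']} (number from our records)")
    if inv.asks_to_change_payee:
        findings.append("email asks us to change payee details: confirm by phone, not by reply")
    po = OPEN_POS.get(inv.po_number) if inv.po_number else None
    if po is None:
        findings.append("no matching purchase order or prior approval")
    else:
        po_vendor, approved = po
        if po_vendor != inv.vendor:
            findings.append(f"{inv.po_number} was raised for {po_vendor}, not {inv.vendor}")
        elif inv.amount > approved:
            findings.append(f"amount {inv.amount:.2f} exceeds approved {approved:.2f}")
    return findings


# Constructed invoices: one clean, then one for each variation of the scam.
LEGITIMATE = Invoice("Blue Sky Cleaning", "accounts@blue-sky-cleaning.com.au",
                     "063-000 12345678", 1450.00, "PO-0117")
IMPERSONATOR = Invoice("Blue Sky Cleaning", "invoicing@blueskycleaning.com.au",
                       "062-999 87654321", 1450.00, "PO-0117")
BANK_SWAP = Invoice("Blue Sky Cleaning", "accounts@blue-sky-cleaning.com.au",  # genuine mailbox, compromised
                    "062-999 87654321", 1450.00, "PO-0117", asks_to_change_payee=True)
FAKE_SERVICE = Invoice("Apex Managed IT", "billing@apex-managed-it.com", "033-111 22223333", 890.00)

if __name__ == "__main__":
    for label, inv in [("legitimate", LEGITIMATE), ("impersonator", IMPERSONATOR),
                       ("bank swap", BANK_SWAP), ("fake service", FAKE_SERVICE)]:
        findings = check_invoice(inv)
        print(label, "->", "PAY" if not findings else "HOLD: " + "; ".join(findings))
```

Note what the bank swap case shows: the sender check passes because the mail really did come from the supplier's address, and the invoice is only held because the account number no longer matches the one on file. That is why the phone number comes from the vendor record and not from anything in the email.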
Think you can spot a phish?
Put your knowledge to the test with the Phishbate interactive quiz. It only takes a few minutes.
Take the Quiz →