Welcome to the third installment of our “Scam Likely” series. In our prior posts, we examined bank impersonation scams and romance scams; here, we turn to a threat that hits even closer to home: invoice fraud.

The Set Up

Your accounting department just received a routine email from your trusty vendor, with a monthly invoice for their services attached. This is a long-time vendor of the bank that in recent months has been helping your team implement the latest and greatest banking software. You are very familiar with this vendor, and you appreciate that they always include a detailed invoice for your review. In this invoice, the vendor lets you know that they have switched banks and asks you to direct your payment to their new bank account using the updated payment instructions. The accounting team processes the payment and moves on to the next matter at hand.

The Actors

As you probably guessed by now, the sender is not the vendor at all. It is a fraudster impersonating a legitimate vendor, hoping to blend into normal operations and exploit established payment channels. In fact, the scammer has been spying on your team’s email chains with your real vendors for many months (and taking note of monthly amounts due, names, etc.). The fraudster then takes that information, spoofs an invoice with an expected amount due, and includes payment instructions to the fraudster’s own bank account. Sometimes the invoice is generic, and sometimes it is tailored to a particular business function, such as technology support, website services, or other recurring expenses. In many cases, the scammer is able to spoof an email address nearly identical to that of your vendor. The more closely the scammer can mimic a real vendor’s style, the more likely it is that the invoice will be processed without scrutiny.

The Grift

In some cases, the fraud will play on urgency. The invoice may claim to be past due, threaten service interruption, or include revised payment instructions as described above. Banks should be especially careful when invoices arrive unexpectedly or when payment details change without a clear, verified explanation. That is why invoice fraud is so effective: it does not require a dramatic break-in or fantastical story. It simply takes advantage of routine. The scammer knows your employees are trained to move transactions forward (and that it is unrealistic to examine each and every invoice with a magnifying glass). 

The Pain

If the bank pays the fake invoice, the money is long gone before the error is even discovered. In the scam described above, you may not learn of the scam until the vendor calls asking why you are past due. Further, if the invoice was delivered by email, the risk may extend beyond a single mistaken payment to a broader phishing or malware concern – in that case, the bank’s IT department needs to act immediately. Either way, the fallout can include financial loss, internal disruption, and uncomfortable questions about how the request passed through the approval process. For banks, that is more than an accounting problem. It is a control failure, a vendor-verification issue, and potentially a reputational concern all at once.

The Reality

A few best practices include making sure employees know how to verify invoices, check vendor legitimacy, and follow internal approval procedures before paying anything that seems unusual. A simple callback to the vendor can also stop a scam in its tracks – of course, make sure that you are calling the right telephone number. In some cases, it can also help to search for an unfamiliar vendor’s name together with terms like “review,” “scam,” or “complaint” when an unexpected invoice appears. And if a suspicious invoice arrives by email, treat it as a potential phishing attempt and report it through the proper channels.

The takeaway is simple. Strong internal controls matter just as much as customer-facing fraud prevention. A believable invoice can move fast, but a careful review can stop a scam before your money ever leaves the building.


This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.
