Top 5 Most Common Invoice Fraud Scams
Invoice fraud is a major scam that targets organizations, especially through the email vector. Criminals use phishing and social engineering tactics to manipulate employees, especially in the HR and finance departments, into making fraudulent payments. This type of invoice fraud scheme can result in significant financial losses as well as damage to an organization’s reputation.
Here at Mesa Security, we reviewed all the incoming spam emails in our feeds and found the 5 most common types of invoice fraud, with real-life examples, and broke down the different steps that IT admins can take to protect against them.
1. Business Email Compromise (BEC) Fraud
How It Works:
BEC fraud occurs when attackers impersonate a company executive or trusted vendor via email. They use spoofed or compromised accounts to request urgent invoice payments. According to the FBI, BEC scams have caused more than $55 billion in losses globally over the past few years.
In 2019, a multinational company lost $47 million when fraudsters impersonated their CEO and instructed employees to make wire transfers. The emails appeared legitimate, and employees complied without verifying the authenticity.
Ways to Protect Against BEC:
- Enable DMARC, DKIM, and SPF: These email authentication protocols help detect and reject spoofed emails.
- Use email filtering and anomaly detection: Spam filters can flag suspicious emails based on content and sender reputation.
- Implement AI Detection of BEC: Strong detection capabilities that understand the context and intent of the email can quickly flag BEC scams
2. Vendor Email Compromise (VEC) Fraud
How It Works:
Cybercriminals compromise a vendor’s email account and send invoices from a legitimate address, altering payment details to route funds to their accounts. To protect against Vendor Email Compromise (VEC) fraud, companies should always verify all payment instructions directly with the vendor via phone or in person.
In 2020, a construction firm unknowingly paid $1.2 million to a hacker who had taken control of their vendor’s email account. The fraud was only discovered weeks later.
How to Protect Against VEC:
- Set up domain-based email protections: Require external senders to use verified domains.
- Monitor login locations and behaviors: Detect unusual access patterns with SIEM solutions.
- Verify bank account changes via phone calls: Always confirm requests with the vendor before making payments.
3. Fake Invoice Fraud
How It Works:
Attackers send fake invoices that appear to be from a legitimate company but contain fraudulent payment details. To prevent falling victim to fake invoice fraud, companies should implement thorough verification processes for all incoming invoices.
There were many invoice fraud cases but we found that it spans all verticals and company sizes. For example, last year a well known hospital received an invoice from what looked like a well-known medical equipment supplier. They paid $800,000 to the medical equipment supplier before realizing the invoice was fake.
How to Prevent Invoice Fraud:
- Use attachment or link scanning: Automate invoice checking with AI-powered detection of attachments.
- Train employees on email red flags: Teach staff to verify sender details and watch for grammatical errors.
- Block lookalike domains: Configure email security settings to reject emails from domains mimicking your vendors.
4. Payroll Diversion Fraud
How It Works:
Attackers and scammers will impersonate employees via email often after compromising their legitimate email account through account takeovers. They will then request HR to change their payroll details to a fraudulent account. To prevent payroll diversion fraud, companies should implement strict verification procedures for any changes to payroll information.
In 2023, the University of Louisville’s payroll department were spoofed in a payroll diversion fraud where a email attempted to spoof the payroll department by tricking employees into giving up their credentials. While this is counter to the common example of payroll diversion fraud, it shows that attackers can social engineer both sides of the organization to attempt to steal data and money.
Ways to Protect Against Payroll Fraud:
- Require payroll changes through secure portals: Avoid processing payroll updates via email.
- Implement user verification for HR requests: Use phone verification or internal chat approvals.
- Detect unusual requests sent through email: Use AI detection to understand the sender and the request behavior in emails.
5. Ransomware-Enabled Invoice Fraud
How It Works:
Attackers craft emails that appear to be legitimate invoices but they embed malicious links or attachments that trigger ransomware upon opening. Once an unsuspecting employee downloads the invoice, malicious scripts execute, encrypting files across the network and rendering critical financial and operational data inaccessible. Attackers often then demand a ransom payment in cryptocurrency in exchange for the decryption key.
Some ransomware strains also exfiltrate sensitive financial data before encrypting files, giving attackers leverage to demand additional payments under the threat of public data exposure (double extortion).
Last year, Mesa Security research found that a logistics company received an invoice from a supplier. An employee downloaded the attached Excel file, unknowingly launching ransomware that encrypted their entire network.
How to Prevent Ransomware Invoice Fraud:
- Disable macro execution in email attachments: Prevent automatic malware execution.
- Deploy sandboxing for email attachments: Test unknown attachments in a safe environment before delivery.
- Back up financial data regularly: Ensure resilience against ransomware attacks.
Use AI to Stop Invoice Fraud
Security practitioners need to go beyond basic filtering and analyze the full context of an email, including its body, embedded links, and attachments. Advanced solutions that leverage large language models, vision models, and behavioral analysis can detect malicious intent even in well-crafted phishing attempts. By understanding the relationships between sender details, email content, and external links, organizations can proactively identify fraudulent invoices before they lead to financial loss or ransomware infections. Integrating AI-driven email security can provide early detection and automated remediation, ensuring robust defense mechanisms against evolving invoice fraud threats.
Additional Resources
- How to set up DMARC, DKIM, and SPF in Office 365: Microsoft Documentation
- Advanced email security best practices: Google Workspace Security
- Preventing ransomware attacks via email: CISA Guidelines
