Preventing Invoice Fraud


Invoice fraud is a menace to finance professionals at companies of every size and in every industry. Asylas has seen an uptick in these cases recently, with construction companies being especially valuable targets. Having airtight processes for both general cybersecurity and payments is critical to avoiding large losses and embarrassing breaches. 

What is Invoice Fraud?

Generally speaking, invoice fraud occurs when an attacker inserts themselves in the normal process of sending invoices and receiving payment. The bad actor likely finds a weak point in a company’s cybersecurity and searches the email server for communications between vendors and the finance or payroll departments. Once a high-dollar-value invoice or vendor is identified, the attacker finds a way to direct payment to their own account. 

The bad actor may hijack an existing email thread and join in the conversation, impersonating the vendor. From inside the email server, they can easily spoof the vendor’s email address; borrow their signature and writing style; and adjust the “reply to” address for future communications. In order to funnel the money to their personal account, they will announce a change in payment info that looks and sounds legitimate since it’s coming from a vendor you know and trust. 

Often the company sending payment will have no idea that they’ve paid a hacker until they get an overdue notice from their vendor a month or more later. 

Recognizing Invoice Fraud

Highly sophisticated attackers make invoice fraud nearly undetectable. However, there are some red flags that may be visible to a watchful eye. 

A sudden change in writing style, grammar, or email signature may indicate that a new individual has joined the conversation. In messages regarding payment, carefully check that the sender email address remains consistent and that the “reply to” address is the same. In some cases of invoice fraud, the “reply to” address has been diverted to a hacker’s inbox. 

Email addresses in the thread may also be slightly modified to make changes harder to detect. Watch for extra characters or changes in spelling. 

Changing banks, account numbers, states, or countries is a red flag that a bad actor has hijacked a transaction. This should be especially alarming if the change is accompanied by a new sense of urgency or an authoritative tone that is not typically present in conversations with your vendor. 
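The three header and wording checks described above (a diverted “reply to” address, a slightly misspelled sender domain, and new payment-change language) can be turned into a simple triage script that the finance or IT team runs over messages in an invoice thread before anyone acts on them. The script below is an added example and is not code from the Asylas post; the vendor domains, the three sample messages and the two-character lookalike threshold are constructed for illustration, and the allow-list of verified vendor domains is assumed to have been confirmed with each vendor out of band.

```python
"""Flag invoice-thread emails that show the red flags discussed above.

Added example, not from the original post. Vendor domains, sample messages and
the lookalike threshold are constructed; the allow-list is assumed to come from
an out-of-band verification process.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains the finance team has verified by phone.
KNOWN_VENDOR_DOMAINS = {"acme-concrete.example", "northstar-steel.example"}

# Phrases that typically accompany a request to change payment details.
PAYMENT_CHANGE_TERMS = ("new bank", "new account", "updated wire",
                        "routing number", "remit to", "updated payment")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains that differ by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Lower-cased domain from an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def plain_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw: str, known_domains=KNOWN_VENDOR_DOMAINS) -> list:
    """Return the red-flag labels raised by one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom

    # 1. "Reply to" diverted to a domain other than the sender's.
    if reply_dom != from_dom:
        flags.append("reply_to_mismatch")

    # 2. Sender domain is not a verified vendor; within two edits of one it is a lookalike.
    if from_dom not in known_domains:
        if any(edit_distance(from_dom, d) <= 2 for d in known_domains):
            flags.append("lookalike_domain")
        else:
            flags.append("unknown_domain")

    # 3. Wording that announces a change of bank or account details.
    text = plain_text(msg).lower()
    if any(term in text for term in PAYMENT_CHANGE_TERMS):
        flags.append("payment_change_language")
    return flags


# Constructed sample messages for a fictitious vendor thread.
LEGIT_MSG = """\
From: Dana Reyes <dana@acme-concrete.example>
To: ap@yourcompany.example
Subject: Re: Invoice 4471
Content-Type: text/plain; charset=utf-8

Hi, attached is the revised invoice for the March pour. Thanks!
"""

SPOOFED_MSG = """\
From: Dana Reyes <dana@acme-concrete.example>
Reply-To: Dana Reyes <dana.reyes@acme-c0ncrete.example>
To: ap@yourcompany.example
Subject: Re: Invoice 4471
Content-Type: text/plain; charset=utf-8

Please note our new bank details for this invoice. Kindly process the wire today.
"""

LOOKALIKE_MSG = """\
From: Dana Reyes <dana@acme-concretes.example>
To: ap@yourcompany.example
Subject: Re: Invoice 4471
Content-Type: text/plain; charset=utf-8

Attached is the invoice. Let me know if you have questions.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG), ("lookalike", LOOKALIKE_MSG)):
        print(name, check_message(raw))
```

A non-empty result is a reason to pause and confirm by phone, not proof of fraud; the allow-list only helps if every domain on it was verified with the vendor outside of email.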

Payment Processing Best Practices

Attackers hack to make money. They are constantly thinking of creative ways to exploit human error. As a result, finance departments need to develop and adhere to strict best practices to keep company money in the right hands. 

First, establish at least two points of contact with each of your regular vendors. Anytime a vendor changes their payment information, get verbal confirmation from more than one contact. Never wire money based on emailed or texted information alone. 

When invoices are reviewed, take time to carefully scrutinize the details. Watch for blurred logos, colors that seem off, misspellings, or new signatories: anything that seems out of the ordinary. 

Maintain a payment schedule and don’t deviate from it due to sudden urgency on the part of the vendor. A bad actor doesn’t care if you get annoyed; they just want quick payment. A real vendor will understand your need for diligence. 

Consider setting a threshold above which a payment requires a meeting or a designated point of contact before it is fulfilled. Large sums are often targeted and, obviously, do the most damage to your ability to stay in business. 

Cybersecurity Best Practices

Many cases of invoice fraud can be avoided by preventing security breaches in the first place. You are responsible for making sure your company takes the appropriate precautions. And it may be a good idea to establish agreements with vendors that they will undertake the same measures. Fraud is just as easily injected on their side of the transaction. 

Whenever it’s available, enable two-factor or multi-factor authentication for all the systems your company uses. This is especially important for email and for any applications that store financial or payments data. 

Implement strong password policies and require a regular cadence of password changes for all systems. No one in your organization should be using an easily cracked password. Also consider utilizing a password manager service for all employees. Password managers encrypt the data they store and encourage the use of more complex passwords or passphrases. 

Determine the right window for maintaining your server logs. Frequently a breach that involves invoice fraud will not be detected for several weeks or even longer. Your IT or cybersecurity team will not be able to identify the source of your breach if your logs have been deleted. Follow all regulatory requirements related to logs. If you are not under a regulatory body, consider keeping logs for 60 days or longer. 

Remember that finance professionals are frequently the targets in invoice fraud attacks. They need to be made aware of the risks and remain especially vigilant. 

Insurance does exist for instances of invoice fraud, but providers are within their rights to deny claims if companies do not have a process for preventing errors, or if the processes they have in place are not followed perfectly. 

If you are experiencing a case of invoice fraud or if you need help perfecting your best practices, please reach out to Asylas. Call us at 615-622-4591 or complete our contact form.
