Invoice fraud: The targeted phishing tactic of cybercriminals


Over the last few years, the methods used by cybercriminals to gain access to and defraud businesses and customers have become ever more sophisticated. One such tactic is invoice fraud. According to the trade association UK Finance, £81.9m was lost to this type of fraud in 2020, with the majority of losses (£52.5m) coming from businesses.

How invoice fraud is affecting the tourism, trade and professional service sectors

The Observer recently reported on the continuing rise of this type of cybercrime, which is not only challenging to detect but from which the losses are almost impossible to recover. Its investigation revealed that cybercriminals are targeting firms that need large one-off invoices to be paid. This includes trade and tourism companies that take single payments, and professional services, such as conveyancing solicitors, that handle large bank transfers. Invoice fraud is also a major issue for businesses that regularly pay sizeable sums to suppliers.

How invoice fraud takes place

An invoice (or mandate) scam occurs when a request for payment is intercepted by a criminal, who convinces the payer to redirect the payment to an account the criminal controls.

Invoice fraud normally takes the form of an email scam. But unlike the more rudimentary phishing emails that pile up in spam folders, invoice fraud emails are sophisticated, individually targeted and realistic, making them very difficult to detect.

The cybercriminals gain access to a business’s email account and sit in the background monitoring communications. Then, when an individual or business is expecting to pay over a large sum, they take over the email thread from an almost identical email address and supply their own banking details, either with an excuse for the change or with an amended invoice.

Once the invoice is paid, all communication is deleted and the money is moved offshore, making it practically impossible to trace or recover.

How can you protect your firm from invoice fraud?

There are some essential checks that can be carried out before paying an invoice, including:

  • Confirming bank details directly with the company, over the phone or in person
  • Cross-checking the details on an attached invoice against the company’s website
  • Making a small test payment the first time you pay a new account
  • Thoroughly checking the email address used for a payment request for any discrepancies, for example a zero used in place of an O
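One way to automate the email-address check above, as an added example that is not part of the original article: it compares a sender address against an approved-supplier list (constructed here for illustration), collapsing the confusable characters criminals swap in, such as a zero for an O, and flagging domains that differ by a single character.

```python
from __future__ import annotations
from difflib import SequenceMatcher

# Constructed list of suppliers this firm pays. In practice it comes from the
# approved-supplier record, never from the details in an incoming email.
TRUSTED_SENDERS = {
    "accounts@acme-conveyancing.example",
    "billing@northern-tours.example",
}

# Visually similar substitutions seen in look-alike addresses:
# a zero for an O, the digit one for a lowercase L, "rn" for "m", "vv" for "w".
_CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]


def _skeleton(address: str) -> str:
    """Collapse confusable characters so look-alike addresses compare equal."""
    s = address.strip().lower()
    for fake, real in _CONFUSABLES:
        s = s.replace(fake, real)
    return s


def classify_sender(address: str, trusted=TRUSTED_SENDERS) -> tuple[str, str | None]:
    """Return ("trusted", addr), ("lookalike", impersonated_addr) or ("unknown", None)."""
    addr = address.strip().lower()
    if addr in trusted:
        return "trusted", addr
    skel = _skeleton(addr)
    domain = addr.rsplit("@", 1)[-1]
    for known in trusted:
        # Same address once confusable characters are normalised (acc0unts@...).
        if skel == _skeleton(known):
            return "lookalike", known
        # Domain that is one or two characters away from a trusted one
        # (an added letter, a swapped top-level domain).
        known_domain = known.rsplit("@", 1)[-1]
        if domain != known_domain and SequenceMatcher(None, domain, known_domain).ratio() >= 0.9:
            return "lookalike", known
    return "unknown", None


if __name__ == "__main__":
    for sample in ("acc0unts@acme-c0nveyancing.example", "newsletter@randomshop.example"):
        print(sample, "->", classify_sender(sample))
```

Anything that comes back as "lookalike" or "unknown" should trigger the phone confirmation from the list above before any payment is released.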

If a payment is made and you suspect fraud has taken place, you should contact your bank and the authorities immediately.

How can your cyber security technology and processes help?

There are a number of robust security measures you can implement to help protect your business from invoice fraud.

  • Training: Regular staff training, including department-specific training, can help with detecting invoice fraud before it happens. Scenario-based online training is also available, which can help staff identify suspicious emails and requests.
  • Keeping systems updated: Your IT systems need to be regularly updated to improve security. An annual IT audit can detect and correct specific weaknesses in your infrastructure.
  • Monitoring: As part of our managed IT service provision, your systems can be continually monitored externally, so that suspicious activity and unusual email access are flagged and addressed quickly.

Find out more

If you would like to know more about effective cyber security measures for your business, please contact Andrew Wayman at andrew.wayman@sdt.co.uk or call our office on +44 (0)1344 870062.