Fake invoice / business email compromise
Fake invoice scams send businesses or individuals fraudulent bills for goods or services never ordered, relying on routine payment processing to slip through without scrutiny, and business email compromise variants targeting companies have caused billions of dollars in reported losses.
What we know
Fake invoice scams rely on the routine, often decentralized nature of bill payment within households and businesses, sending a fraudulent invoice for a product or service that was never ordered, hoping that the recipient will pay without carefully verifying the charge, particularly in a business setting where invoice processing may be handled by an employee unfamiliar with every purchase decision made across a company.
A common consumer-facing version involves fake invoices for domain name renewals, business directory listings, or software subscriptions, often designed to closely resemble legitimate billing communications from real service providers, sometimes using a company name deceptively similar to an actual well known vendor. The Federal Trade Commission has taken enforcement action against several companies over the years for sending business owners invoices resembling legitimate government or utility bills for services that were never requested.
A more financially significant variant, business email compromise, involves a scammer either compromising or spoofing the email account of a company executive, vendor, or supplier, then sending an urgent, seemingly legitimate invoice or payment request to an employee in accounting or finance, often specifying new or changed bank account details for the payment, since the scammer typically cannot access the real vendor's actual bank account. The FBI's Internet Crime Complaint Center 2023 report recorded business email compromise losses exceeding 2.9 billion dollars, among the highest of any fraud category tracked, reflecting how effective this scam is at extracting large sums from businesses in a single transaction, compared to typically smaller individual losses in most consumer-facing scams.
Scammers conducting business email compromise often research a target company in advance, sometimes monitoring email correspondence for weeks after gaining unauthorized access to a mailbox through a prior phishing attack, learning the specific language, invoice formats, and vendor relationships a company uses before sending a convincingly timed fraudulent payment request that mimics an ongoing legitimate transaction.
Smaller-scale fake invoice attempts sometimes simply mail or email a generic-looking bill hoping that a busy accounts payable department pays it without verification, relying on the sheer volume of routine invoices a business processes to let one fraudulent bill slip through unnoticed, a tactic that does not require any account compromise or sophisticated impersonation.
Consumer and business protection guidance from the FTC and the FBI recommends verifying any unexpected invoice against internal purchase records before paying, confirming any request to change vendor payment or bank details through a separate, previously established communication channel such as a phone call to a known contact rather than replying to the email containing the request, training accounting staff specifically to recognize business email compromise red flags such as urgency, last-minute account changes, and requests to bypass normal approval processes, and reporting suspected fraudulent invoices to the FTC and, for cases involving mail, to the U.S. Postal Inspection Service.
Common claims
- If an invoice email looks exactly like our vendor's, it must be realFalse - attackers spend weeks studying legitimate email formatting before striking
- Email security tools prevent BEC attacksPartially true but insufficient - BEC often uses real compromised accounts, not spoofs
- Verifying payment changes by calling the vendor prevents BECTrue if using a known, pre-existing phone number, not one provided in the suspicious email

