Fake Invoice

Fake invoice fraud relies on the reality that large organisations process many invoices, and accounts-payable staff may pay a convincing bill without verifying it against a purchase order or contract. The fraudulent invoice typically uses a real company name and plausible product or service description — office supplies, software licences, directory listings, domain renewals — to appear routine.

A common variant targets small businesses with invoices for advertising or listing services they never signed up for, relying on the possibility that someone in the organisation might have, or that the recipient will simply pay to avoid the hassle. Directory and yellow-pages invoice scams operated at scale for decades in this manner.

In larger fraud campaigns, fake invoices accompany business email compromise attacks: the attacker impersonates a supplier mid-thread and sends a fraudulent invoice with their own bank details. Defences include three-way matching (matching each invoice against a purchase order and delivery receipt), a formal process for verifying new or changed bank details by telephone, and training staff to question invoices that lack a corresponding PO.