Invoice Takeover Fraud
A fraud in which criminals intercept legitimate invoice communications and alter payment details so money is sent to a fraudster's account instead of the real supplier.
Also known as: payment diversion fraud, supplier impersonation fraud, mandate fraud
Last reviewed: 1 June 2026
Invoice takeover fraud — closely related to business email compromise but focused specifically on payment diversion — occurs when a fraudster gains access to either the supplier's or buyer's email account and monitors pending invoices. When a large payment is due, the attacker sends a message (from the compromised account, or a convincing lookalike address) informing the payer that the supplier's bank details have changed.
Because the message appears to come from a trusted address and references real invoice numbers and amounts, finance teams may comply without additional verification. The funds land in a criminal account and are rapidly dispersed.
This attack is distinct from simple invoice fraud (sending fake invoices) in that it hijacks a genuine, pre-existing business relationship. Defences include strict callback verification of any bank-detail change (using a phone number held on file, not one supplied in the email), payment portals with built-in confirmation-of-payee checks, and strong authentication on email accounts, including multi-factor login.
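The callback-verification and lookalike-sender controls described above, as an added Python example that is not part of this glossary entry. The supplier record, the sender address and the account numbers are constructed sample data, and the decision logic (hold until a callback to the contract phone number confirms the change) is an assumed policy.

```python
# Added example: a change-control gate for supplier bank-detail changes.
# Any request to alter the account on file is held until it has been
# confirmed by a callback to the phone number from the original contract,
# and lookalike sender domains are flagged as an extra warning sign.
from dataclasses import dataclass


@dataclass
class Supplier:
    name: str
    domain: str           # domain the supplier normally writes from
    account: str          # bank account currently on file
    contract_phone: str   # number from the contract, never from the email


@dataclass
class ChangeRequest:
    supplier_name: str
    sender: str                     # From: address of the "new details" email
    new_account: str
    callback_confirmed: bool = False  # set only after phoning contract_phone


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (acme-lt vs acme-it)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(req: ChangeRequest, supplier: Supplier):
    """Return (decision, reasons); decision is 'no_change', 'hold' or 'release'."""
    reasons = []
    sender_domain = req.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != supplier.domain:
        dist = levenshtein(sender_domain, supplier.domain)
        kind = "lookalike" if dist <= 2 else "unknown"
        reasons.append(f"{kind} sender domain {sender_domain!r} (edit distance {dist})")
    if req.new_account == supplier.account:
        return "no_change", reasons            # nothing to update
    reasons.append("requested account differs from account on file")
    # A matching sender domain proves nothing: the real mailbox may be compromised,
    # so the callback is required regardless of where the email came from.
    if not req.callback_confirmed:
        reasons.append("not confirmed by callback to contract phone number")
        return "hold", reasons
    return "release", reasons
```

The decision is meant to feed a payment-release workflow, so nothing is released on the strength of the email alone.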
Examples
- A law firm receives an email from what appears to be its regular IT supplier saying bank details have changed; a six-figure payment is redirected to a fraudster.
- A compromised accounts-payable email account is used to send revised payment instructions to all pending creditors.