Freight Forwarding Invoice Scam via Business Email Compromise
Scammers compromise or spoof a freight forwarder's email thread to insert a fraudulent invoice with altered payment details into an ongoing shipping transaction.
Part of: Freight Forwarding Invoice Scam
Last reviewed: 5 July 2026
Email is the operating environment for freight forwarding invoice fraud because international shipping relies heavily on long email threads between importers, exporters, and forwarders, giving attackers a realistic conversation to insert themselves into or imitate.
How this scam works on email (business email compromise)
An attacker gains access to, or closely spoofs, a freight forwarder's or shipping agent's email account and monitors an ongoing conversation about an active shipment. At the point an invoice is due, the attacker sends a message — often from a slightly altered domain or a hijacked real account — instructing the buyer to send payment to a 'new' bank account due to a supposed 'banking update' or 'audit.' Because the email thread, invoice format, and shipment details all look authentic and match the real transaction in progress, finance staff processing the payment often have no reason to suspect anything until the real forwarder later follows up asking why payment hasn't arrived. By the time the fraud is discovered, the wire transfer has typically already cleared and moved through several accounts, making recovery difficult.
This scam frequently targets businesses that regularly import goods, since a plausible invoice referencing a real purchase order or shipment number is far more convincing than a generic phishing attempt.
Common red flags
- Sudden email requesting a change of bank account details for an in-progress shipment
- Sender's email domain is subtly altered (an extra letter, a different suffix) from the forwarder's real domain
- Unusual urgency or pressure to process the payment quickly to avoid shipment delays
- Invoice formatting or bank details differ slightly from previous invoices in the same transaction
- Request to communicate exclusively by email and avoid a phone call to 'confirm' the change
How to protect yourself
- Verify any change of bank account details by phone using a previously known, independently verified number
- Compare the sender's email address character-by-character against previous emails in the thread
- Establish an internal policy requiring dual verification for any payment detail changes
- Use email authentication tools (SPF, DKIM, DMARC) to reduce the risk of domain spoofing reaching your inbox
- Train finance staff to treat any bank detail change request as requiring out-of-band verification
How to report it
- Contact your bank immediately to attempt to recall the wire transfer if fraud is discovered quickly
- Report the incident to the FBI's IC3 (ic3.gov) if the transaction crossed international borders
- Report the compromised or spoofed email account to the freight forwarder and to the email provider
- File a police report and notify your business's cyber insurance provider if applicable
Frequently asked questions
How quickly do I need to act if I sent a fraudulent wire payment?
Contact your bank within hours, not days — international wire recalls become far less likely to succeed the longer the funds have had to move through intermediary accounts.
How can a business protect itself from this type of fraud going forward?
Require any change to payment or bank details to be confirmed by phone using a number obtained independently of the email itself, not one provided in the suspicious message.