Fake Unpaid Invoice Scams
Invoices for goods or services never ordered, or duplicate 'overdue' demands, hoping you'll just pay.
Last reviewed: 1 June 2026
What this scam is
Fake unpaid invoice scams send invoices — by email, post, or PDF attachment — for goods or services that were never ordered, never delivered, or have already been paid. A variant sends duplicate invoices for a real transaction with subtly altered bank details. The core mechanism is the same in both cases: the invoice looks legitimate enough that a busy accounts payable team processes it without checking whether the underlying transaction was real.
This fraud exploits a fundamental reality of modern accounts payable: the volume of invoices processed by most businesses is high, the per-invoice review time is low, and the pressure to maintain good supplier relationships creates a bias toward payment rather than investigation. Scammers exploit this with invoices set at amounts that feel routine — low enough to avoid senior sign-off thresholds, high enough to be worth pursuing at scale.
Some fake invoice operations are highly systematic. Scammers purchase or scrape data on businesses and their suppliers, create invoices that reference plausible service names or product descriptions, and send mass campaigns knowing that a small percentage of recipients will pay without investigation. The cumulative financial impact across many targets can be substantial.
How it works
In the most basic form, an invoice arrives from a company the recipient has never done business with. The invoice may reference a plausible service — 'IT support', 'office cleaning', 'subscription renewal', 'delivery services' — at an amount low enough to avoid triggering unusual scrutiny. 'Overdue' or 'final notice' language is used from the first contact to create urgency and imply an existing relationship.
In more targeted versions, the scammer has researched the victim company's suppliers. The invoice mimics the formatting and branding of a real supplier, uses a plausible invoice number sequence, and references a service the company actually receives. The bank account details are different from the real supplier's.
In the duplicate invoice variant, the scammer intercepts a genuine invoice (often following a business email compromise) and resends it with altered payment details, relying on the recipient not to notice that the bank details have changed.
In some cases, the invoice arrives as a PDF attachment that contains malware rather than — or in addition to — the invoice document itself.
Why this scam works
Fake invoice scams succeed because they target routine process rather than exploiting exceptional circumstances. An accounts payable team that processes hundreds of invoices weekly will inevitably face pressure to maintain throughput. Any invoice that passes a casual visual check — familiar format, plausible supplier name, reasonable amount — is likely to move toward payment.
The 'overdue' framing adds a secondary pressure point: if the invoice is already late, staff may feel that questioning it would cause a further delay and damage a supplier relationship. The implication of an existing obligation is very effective at suppressing the instinct to investigate.
Small amounts are deliberately chosen to stay below the thresholds that require management approval. Fraudsters understand that a £150 invoice for 'office consumables' is unlikely to receive the same scrutiny as a £15,000 invoice for specialist services.
A typical pattern
An accounts payable team receives an email with a PDF attachment labelled 'Invoice [number] — overdue'. The amount is modest and the formatting looks professional. There is no existing purchase order record, but the 'overdue' framing and 'final notice' language create a sense that this is a legitimate obligation that has been missed. The payment is processed. The supplier cannot be identified and the bank account leads nowhere.
Common red flags
- Invoice for goods or services you cannot match to any purchase order
- 'Overdue', 'final notice', or 'debt collection' language on what appears to be a first-contact invoice
- Invoice amount set just below your internal approval threshold
- Supplier name is unfamiliar or cannot be found in your supplier records
- Bank details that do not match any previously used account for this supplier
- Invoice arrives as a PDF attachment from a new or unrecognised email address
- No supporting documentation such as delivery note, timesheet, or service agreement referenced
- Service description is vague or generic (e.g. 'consultancy services', 'project work')
- Threat of escalation to a debt collection agency if not paid within a very short deadline
- Invoice number sequence that does not match any of the real supplier's previous invoices
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
FINAL NOTICE: invoice [invoice number] for [amount] is overdue. Please pay immediately to avoid referral to our debt collection team.
Please find attached invoice [invoice number] for services rendered in [month]. Payment of [amount] is now due. Please process at your earliest convenience.
This is your third reminder for invoice [invoice number] ([amount]). Failure to pay within 48 hours will result in additional late payment charges.
OVERDUE: invoice [invoice number] for [amount] remains unpaid. Our records show payment was due [date]. Please settle by return to avoid further action.
Invoice attached for [service description] — [amount]. Please process payment to the account below. Do not hesitate to contact us if you have any queries.
As discussed, please find invoice [invoice number] for [amount] covering [vague service description]. Payment within 14 days would be greatly appreciated.
Common variations
- Unsolicited invoices for plausible services (cleaning, IT, subscriptions) never ordered
- Duplicate invoices with altered bank details following a business email compromise
- Invoices impersonating a real supplier with slightly different bank details
- PDF invoices containing malware disguised as legitimate billing documents
- 'Final demand' invoices implying an existing contractual obligation
- Recurring low-value invoices designed to go undetected in high-volume AP environments
How to verify before you act
The most effective single control is purchase-order matching: every invoice should correspond to an approved purchase order before payment is authorised. Where this is not possible, a secondary verification step is essential:
- PO matching: maintain a purchase order register. No invoice should be paid that does not reference an approved PO number that exists in your system. - Supplier verification: for any invoice from a supplier not on your approved list, verify the company's registration and bank details independently before adding them to your payments system. - Bank detail cross-check: compare the bank details on any invoice against your existing records for that supplier. Any change should trigger the same callback process as for invoice redirection fraud. - Dual authorisation: apply a two-person approval rule for payments above a defined threshold, particularly for invoices from new or unfamiliar suppliers. - Attachment caution: treat PDF invoices from unknown senders as potential malware delivery. Open in a sandboxed environment or verify before opening if there is any doubt.
Payment methods used
- Bank transfer
- Card
- Invoice payment
Who is usually targeted
- Accounts payable teams
- SMEs
What to do immediately
- Do not pay the invoice — check your purchase order records for any corresponding order
- Contact the supplier using independently sourced contact details to verify the invoice is genuine
- If the invoice is from an unknown supplier, report it to your manager and investigate before taking any further action
- If a payment has already been made, contact your bank to report fraud and request a recall
- Report misleading invoices to your national trading standards or consumer protection authority
- Review recent payments to identify any similar invoices that may have been processed without a PO
- If a PDF attachment was opened, have the device checked for malware by your IT team
How to prevent it
- Implement strict purchase-order matching: no invoice proceeds to payment without a corresponding approved PO
- Maintain an approved supplier register and apply heightened scrutiny to any invoice from an unlisted vendor
- Verify bank details for all new suppliers independently before adding them to the payments system
- Apply dual authorisation for payments above a defined threshold
- Audit accounts payable periodically for invoices that match no PO and have been paid
- Train accounts payable staff to treat 'overdue' language on a first-contact invoice as a red flag rather than an obligation
- Scan PDF attachments from unknown senders for malware before opening
Evidence to preserve
- The invoice itself and any PDF attachments (do not open attachments if malware is suspected)
- The original email with full headers
- Your purchase order records confirming no corresponding order was made
- Any payment records if the invoice was processed
- Bank details and company details provided on the fraudulent invoice
- Any follow-up correspondence from the same sender
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do we stop paying fake invoices?
Require every invoice to match an approved purchase order before payment proceeds. Verify new suppliers and bank details independently. Apply dual authorisation for payments above a threshold. Treat unsolicited 'overdue' invoices on first contact with suspicion rather than urgency.
What is purchase-order matching and how does it work?
PO matching is the process of verifying that every invoice corresponds to a purchase order that was approved in advance of the goods or services being received. Three-way matching extends this to also verify against a delivery receipt. It is the most effective single control for preventing fake and erroneous invoice payments.
Could the invoice be from a real supplier we've used before?
Possibly, which is why matching against your own PO records is the reliable check rather than relying on visual recognition of the supplier name. If a supplier sends an invoice for work you don't recall ordering, contact them directly using your own contact records before paying.
Are we legally obligated to pay an invoice we receive?
No. An invoice is a request for payment, not a legal obligation. You are only obligated to pay for goods or services you ordered and received under a valid contract. An unsolicited invoice for goods or services never ordered creates no payment obligation.
What should we do if a PDF invoice attachment is suspicious?
Do not open it from your primary device. Forward it to your IT team or open it in a sandboxed environment. If you have opened it and something unexpected occurred, disconnect the device from your network and contact IT support immediately.
How do we handle a supplier who claims they sent a real invoice we missed?
Ask them to resend the invoice and verify the bank details match your records for that supplier exactly. Check your purchase order records to confirm the underlying transaction was genuine. If bank details differ from what you have on file, verify the change by calling the supplier on a number you already hold.
Can recurring small fake invoices go undetected for a long time?
Yes. Systematic fake-invoice schemes sometimes target the same victim with low-value recurring invoices that fall below review thresholds. Periodic audits of accounts payable — checking all payments against purchase orders — are the most reliable way to detect recurring unauthorised payments.