Fake Invoice Email (Business) Script
This email targets a business, impersonating a known supplier or an internal executive, and either requests urgent payment of an "invoice" to a new bank account or instructs finance staff to make a confidential wire transfer immediately, often citing time pressure like a closing deal. The scammer's goal is to redirect a legitimate-looking business payment into an account they control, exploiting trust in existing supplier relationships or workplace hierarchy to bypass normal verification. The most important step is to verify any bank detail change or unusual payment request by phone, using a number you already have on file — never one provided in the email itself.
Last reviewed: 1 June 2026
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Please find attached invoice [number] for [amount]. Our banking details have changed — please update your records and process to: [new account details].
Urgent: the payment for PO [number] is overdue. Kindly process [amount] to the updated account below by end of day.
Finance: our CFO has approved a confidential transfer of [amount] for a pending acquisition. Process today and do not discuss with colleagues.
I'm travelling and can't take calls. Please action invoice [number] for [amount] by wire today: [account details]
What the scammer wants
To intercept or redirect legitimate business payments by impersonating a trusted supplier or internal authority. The 'bank detail change' and 'urgent confidential transfer' are the two most common variants.
Red flags in the message
- Supplier 'bank detail change' notification by email alone
- Unusual urgency or a request to act before end of day
- Request for confidentiality — do not tell colleagues
- Email address that is close to but not exactly the real domain
- No phone call or second channel used to confirm the change
- Request comes while the supposed sender is unavailable to verify
- Invoice amount slightly different from expected
- PDF attachment that links to a credential-harvesting page
A safe response
Never action a bank-detail change or large transfer based solely on an email. Call the supplier or colleague on a known number — not one in the email — to verify before processing any payment.
What not to send
- Payments to new or unverified bank details
- Login credentials via any attachment link
- Confidential financial or corporate information
What to do if you already replied
- Contact your bank immediately to attempt to recall the payment
- Alert your finance and IT teams so they can check for a broader email compromise
- Notify the real supplier if their identity was used
- Report to your national fraud authority and consider legal advice
- Review email security settings and enforce two-person authorisation for bank-detail changes
Evidence to preserve
- Screenshot the full message or call details
- Note the sender number, email, or profile
- Save any links (without clicking) and payment details
- Record dates and times
Frequently asked questions
The email came from what looks like our supplier's exact email address — how is that possible?
The supplier's account may have actually been compromised and used to send the email directly, or the display name and a near-identical domain (with a subtle misspelling) may be spoofed — check the full email address carefully, not just the name shown. Either way, verify by phone before acting.
We already sent a payment to the 'updated' bank account — what should we do?
Contact your bank immediately to request a recall or freeze on the transfer, since speed matters significantly for wire transfers, and report the incident to your local cybercrime reporting authority. Also notify the real supplier, since their systems may be compromised too.
How can we prevent this happening again internally?
Put a policy in place requiring any change to payment or bank details to be confirmed by phone through a previously verified number before any payment is processed, and require a second person's sign-off on transfers above a set amount.
Should we notify the supplier or executive whose name was used?
Yes — let them know their name or account was impersonated so they can check whether their own email account has actually been compromised, and so they can warn other clients or colleagues who may be targeted with the same message.