Fake Invoice Email (Business) Script
Fraudulent invoice emails targeting businesses impersonate suppliers or internal finance teams to redirect payments to scammer-controlled accounts.
Last reviewed: 1 June 2026
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Please find attached invoice [number] for [amount]. Our banking details have changed — please update your records and process to: [new account details].
Urgent: the payment for PO [number] is overdue. Kindly process [amount] to the updated account below by end of day.
Finance: our CFO has approved a confidential transfer of [amount] for a pending acquisition. Process today and do not discuss with colleagues.
I'm travelling and can't take calls. Please action invoice [number] for [amount] by wire today: [account details]
What the scammer wants
To intercept or redirect legitimate business payments by impersonating a trusted supplier or internal authority. The 'bank detail change' and 'urgent confidential transfer' are the two most common variants.
Red flags in the message
- Supplier 'bank detail change' notification by email alone
- Unusual urgency or a request to act before end of day
- Request for confidentiality — do not tell colleagues
- Email address that is close to but not exactly the real domain
- No phone call or second channel used to confirm the change
- Request comes while the supposed sender is unavailable to verify
- Invoice amount slightly different from expected
- PDF attachment that links to a credential-harvesting page
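The red flags above can be partly checked by a mail-triage script. The following is an added example, not part of the original page: it flags near-miss sender domains and the pressure wording from the sanitized messages. The allow-listed domains, sender addresses, function names and the edit-distance threshold of 2 are assumptions made for illustration.

```python
import re

# Assumption: finance keeps an allow-list of verified supplier/internal domains.
KNOWN_DOMAINS = {"acme-supplies.example", "northwind.example"}  # constructed

# Wording taken from the sanitized example messages on this page.
PHRASES = {
    "bank_detail_change": re.compile(r"bank(ing)? details have changed|updated account", re.I),
    "urgency": re.compile(r"\burgent\b|overdue|end of day|\btoday\b", re.I),
    "confidentiality": re.compile(r"confidential|do not discuss", re.I),
    "sender_unavailable": re.compile(r"travelling|can't take calls", re.I),
}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(domain):
    """Collapse common visual substitutions (0/o, 1/l, rn/m) to one form."""
    return domain.lower().translate(str.maketrans("01", "ol")).replace("rn", "m")

def lookalike_of(domain):
    """Return the known domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS:
        return None  # exact match to a verified domain
    for known in sorted(KNOWN_DOMAINS):
        if fold(domain) == fold(known) or edit_distance(domain, known) <= 2:
            return known
    return None

def red_flags(sender, body):
    """List the red flags from this page that a message trips."""
    flags = [name for name, rx in PHRASES.items() if rx.search(body)]
    if lookalike_of(sender.rsplit("@", 1)[-1]):
        flags.append("lookalike_domain")
    return flags

# Constructed samples: the page's sanitized wording with made-up senders.
SAMPLES = [
    ("accounts@acrne-supplies.example", "Our banking details have changed. Please process to: [new account details]."),
    ("cfo@northwind.example", "Process today and do not discuss with colleagues."),
]
if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, red_flags(sender, body))
```

A hit is a prompt to verify on a known number before paying, not proof of fraud; the second sample shows that a message from an exact, verified domain can still trip the wording checks.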
A safe response
Never action a bank-detail change or large transfer based solely on an email. Call the supplier or colleague on a known number — not one in the email — to verify before processing any payment.
What not to send
- Payments to new or unverified bank details
- Login credentials via any attachment link
- Confidential financial or corporate information
What to do if you already replied
- Contact your bank immediately to attempt to recall the payment
- Alert your finance and IT teams so they can check for a broader email compromise
- Notify the real supplier if their identity was used
- Report to your national fraud authority and consider legal advice
- Review email security settings and enforce two-person authorisation for bank-detail changes
Evidence to preserve
- Screenshot the full message or call details
- Note the sender number, email, or profile
- Save any links (without clicking) and payment details
- Record dates and times