
Fake Invoice Emails Are One of the Fastest Growing Scams Targeting Small Businesses — Here's What to Look For

Carli Chovick, Chief of Staff

A fake invoice lands in your inbox. It looks like it's from a vendor you know. The amount is plausible. Someone on your team pays it. By the time anyone realizes what happened, the money is gone and unrecoverable. Here's how this scam actually works — and how to stop it before it costs you.


Invoice scams are not new. But the version hitting small businesses right now is significantly more sophisticated than what most people picture when they think about email fraud. And the numbers are catching up with that sophistication. Businesses lost $6.7 billion to these attacks last year. The average fraudulent wire transfer request sits around $24,000. And unlike most financial fraud, the money is almost never recovered.

If you run a small business, manage a team, or sign off on invoices, this is worth understanding in detail.

How invoice scams actually work

The most important thing to understand about modern invoice fraud is that it is rarely just about getting a fake invoice paid. More often, a fake invoice is the vehicle for something else — getting someone to click a link that harvests their credentials, call a fake support number, or approve a payment change through a compromised account.

The attacks come in a few distinct forms, and knowing which one you're looking at matters.

The simplest version is straightforward impersonation. An attacker registers a domain that looks almost identical to one of your real vendors, with a single letter changed or a hyphen added, and sends an invoice from that address (try our quiz to see how convincing copycat domains can be). The email has the vendor's real logo, real formatting, and references a real type of service your business uses. Someone on your team sees a plausible invoice from what looks like a known vendor and processes it without a second thought.

The more sophisticated version is harder to catch because it doesn't involve a fake domain at all. Attackers gain access to a real vendor's email account, often through a separate phishing attack, and then sit quietly, sometimes for weeks, monitoring real email threads and learning how your business handles payments. They find out who approves invoices, which vendors are active, and when large payments are due. Then they insert themselves directly into an existing email thread with updated banking instructions or a modified invoice. The email comes from the vendor's real address, references real conversations, and arrives at exactly the right moment. Because it really is sent from the vendor's mail system, it passes every technical check your mail provider runs; often the only thing new in the message is the bank account the money should go to.

A third variant skips the invoice entirely. An attacker impersonates your CEO or a senior executive and sends an urgent message to whoever handles payments, asking them to process a wire transfer quickly and quietly. These emails reference real projects, use the executive's actual writing style scraped from LinkedIn and company communications, and almost always create a sense of urgency and confidentiality. "Don't loop in anyone else on this one."

It's not just email anymore

Invoice scams and payment fraud are moving beyond email into the collaboration tools small businesses rely on every day. Slack, Microsoft Teams, and similar platforms carry an implicit sense of trust — messages feel more like internal communication than external email, which lowers people's guard. Attackers are exploiting exactly that. A message in what appears to be an internal Slack channel requesting urgent payment approval feels very different from a suspicious email, even when the risk is identical.

If your team handles any financial approvals or vendor communications through Slack or Teams, the same skepticism you'd apply to a suspicious email should apply there too.

Why small businesses are the primary target

Small businesses experience 350% more social engineering attacks than larger enterprises. The reason is structural. Large companies have finance teams with formal approval processes, dual authorization requirements, and dedicated security staff. Small businesses move faster, trust each other more, and often have one person handling everything from vendor relationships to payment approvals. That informality is an efficiency advantage and a security liability at the same time.

Attackers know this. They know that at a ten person company, the person who receives an invoice is often also the person who pays it, and that a plausible looking request from a known vendor name will probably get processed without a secondary verification step.

The red flags that actually matter

Most of the traditional advice about spotting fake invoices, such as looking for bad grammar and spelling mistakes, is outdated. AI-written messages arrive with perfect grammar, correct brand formatting, and references to a real project your team is working on, so the polish of a message tells you nothing. What still gives an attack away is the domain it was actually sent from and, above all, any change to where the money is supposed to go. The old checklist needs replacing.

Here's what actually matters in 2026:

  1. Any request to change banking details or payment instructions should stop you cold. This is the single biggest red flag in invoice fraud. A real vendor will not be offended if you call them on a number you already have to confirm a banking change before processing it. A scammer will try to talk you out of making that call.

  2. Urgency is a manipulation tactic, not a business reality. "This needs to be paid today or we'll pause your service." "The discount only applies if you process this before end of day." Real vendors work on normal payment terms. Artificial urgency in an invoice context is almost always manufactured to short-circuit your verification instincts.

  3. Check the actual email domain, not just the display name. As we covered in our guide on how to tell if an email is real, the display name can say anything. Read the actual domain character by character. If it's one letter off from the vendor you know, it's fake.

  4. Unexpected invoices from real vendors deserve a phone call. If you receive an invoice for a service you don't remember ordering, or an amount that doesn't match what you agreed, call the vendor directly using a number from their website or your existing records. Not a number provided in the email.
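The domain check in item 3, together with the lookalike-domain and hijacked-thread attacks described earlier, as an added example in Python. This is not code from the original post or from Haven. The vendor allow-list, the phrase list for changed bank details, and the three sample messages are constructed for illustration; a real deployment would load the allow-list from your vendor master file and still send anything flagged to a human for the phone call.

```python
# Added example, not code from the original post or from Haven. Vendor list,
# phrase list and the sample messages below are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: the exact domains of vendors finance actually pays.
KNOWN_VENDOR_DOMAINS = ("acme-supplies.com", "northwind.com")

# Digits and letter pairs that pass for other letters in most fonts.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Phrases that mean the money would go somewhere new.
BANK_CHANGE = re.compile(
    r"(new|updated|changed)\s+(bank|banking|account|payment|wire)\s+(details|information|instructions)"
    r"|bank(ing)?\s+details\s+(have|has)\s+changed",
    re.IGNORECASE,
)


def normalize(domain: str) -> str:
    """Fold lookalike characters so 'acme-supp1ies.com' reads as 'acme-supplies.com'."""
    d = domain.lower().translate(HOMOGLYPHS)
    for pair, letter in CONFUSABLE_PAIRS:
        d = d.replace(pair, letter)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 or 2 to a known vendor is the typosquat signature."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' relative to the allow-list."""
    domain = domain.lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return "known"
    for known in KNOWN_VENDOR_DOMAINS:
        label = known.rsplit(".", 1)[0]  # 'acme-supplies'
        if (normalize(domain) == normalize(known)
                or edit_distance(domain, known) <= 2
                or label in domain):  # vendor name embedded: acme-supplies-billing.net
            return "lookalike"
    return "unknown"


def check_invoice_email(raw: str) -> list[str]:
    """Findings for one raw RFC 5322 message; an empty list means nothing tripped."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    verdict = classify_domain(from_domain)
    if verdict != "known":
        findings.append(f"from-domain-{verdict}: {from_domain}")
    # The display name is free text: 'Acme Supplies Billing' can sit in front of any address.
    for known in KNOWN_VENDOR_DOMAINS:
        label = known.rsplit(".", 1)[0].replace("-", " ")
        if label in from_name.lower().replace("-", " ") and from_domain != known:
            findings.append(f"display-name-mismatch: '{from_name}' vs {from_domain}")
    # A Reply-To on another domain sends your questions to the attacker, not the vendor.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"reply-to-elsewhere: {reply_addr}")
    # Changed payment instructions are the red flag even when every header is genuine.
    if BANK_CHANGE.search(str(msg.get_payload())):
        findings.append("bank-details-change")
    return findings


# Constructed sample messages, not real mail.
TYPOSQUAT = """\
From: "Acme Supplies Billing" <billing@acme-supp1ies.com>
To: ap@example.com
Subject: Invoice 4471 due

Please find invoice 4471 attached. Payment is due within 7 days.
"""

HIJACKED_THREAD = """\
From: "Dana at Acme" <dana@acme-supplies.com>
Reply-To: dana@acme-supplies-accounts.net
To: ap@example.com
Subject: Re: Invoice 4471

Hi, quick note before you pay: our banking details have changed effective today.
Please use the account below for invoice 4471.
"""

GENUINE = """\
From: "Dana at Acme" <dana@acme-supplies.com>
To: ap@example.com
Subject: Invoice 4471

Invoice 4471 for March consumables is attached, same terms as usual.
"""

if __name__ == "__main__":
    for name, raw in (("typosquat", TYPOSQUAT), ("hijacked", HIJACKED_THREAD), ("genuine", GENUINE)):
        print(name, check_invoice_email(raw) or "no findings")
```

The typosquat sample trips on the sending domain (a digit 1 standing in for the letter l) and on a display name that claims a vendor the address does not belong to. The hijacked-thread sample comes from the vendor's real domain and passes the domain check entirely; it is caught only by the Reply-To pointing elsewhere and by the changed banking details, which is exactly why the process rule in the next section matters more than any header check. The genuine message produces no findings.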

The one process change that prevents most of this

Dual authorization on any payment above a certain threshold. No single person should be able to approve and execute a significant payment without a second set of eyes. This is the most effective procedural defense against invoice fraud and it costs nothing to implement. Set a threshold that makes sense for your business — even $500 — and require two people to sign off on anything above it.

Pair that with a standing rule: any change to banking details or payment instructions for an existing vendor requires a phone confirmation to a known number before processing. That single step would prevent the majority of the sophisticated invoice scams described in this post.

What to do if something looks off

If an invoice or payment request feels wrong, the right move is always to slow down and verify independently, not to respond to the email or call the number provided in it. Go directly to the vendor's website to find their contact information. Call someone you've spoken to before. A legitimate vendor will understand the caution. A scammer will push back.

And if your team uses Haven, suspicious invoice emails and links are flagged at the browser level before anyone clicks anything, which catches the credential-harvesting pages that sit behind so many of these attacks.

We showed exactly how this works with a real example.

And how to tell if an email is real before you act on it


Haven protects your browser and flags suspicious emails before your team clicks anything. For small businesses without a dedicated IT team, it's the layer that catches what no one else is watching for. Download Haven free from the Chrome Web Store.
