Anatomy of the scam

Invoice fraud is the B2B-focused cousin of CEO fraud. An attacker compromises a vendor's mailbox (or convincingly spoofs one) and emails the vendor's customer a "bank-detail change." The next routine payment — sometimes $50K, sometimes $5M — goes to the attacker's mule account instead of the vendor.

The customer doesn't realize anything is wrong until the vendor calls weeks later asking where the payment is. By then the funds have moved through layered accounts and recovery is hard.

This pattern accounts for a major share of the FBI's reported BEC losses. Construction, real estate, professional services, and manufacturing are particularly targeted.

The script you will see

From the vendor's compromised account or a lookalike:

"Hi Jenny — we've moved our banking to a new institution for better foreign-exchange rates. Please update our routing and account number for the next invoice. Attached is the updated W-9 and bank confirmation letter."

The PDF is professionally branded with the vendor's logo. Sometimes there's a written "letter from the bank" on letterhead. All forged.

Red flags

  • Vendor bank-detail change communicated only by email.
  • Email comes from a slightly different domain (.co instead of .com, an extra letter).
  • The request includes urgency or a reason you can't easily verify ("our old account is closing this Friday").
  • Reply-To address differs from the From address.
  • The bank receiving the funds is in a different region than the vendor's known operations.
  • The new account is at an institution your vendor has never mentioned before.
  • The email signature shows a new "AP contact" or "treasury manager" you haven't worked with.
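Two of the flags above (a slightly different sending domain, and a Reply-To that differs from the From address) are visible in message headers and can be checked mechanically before a human reads the request. The following is an added example, not code from the original article: it parses a constructed sample message with Python's standard `email` library, compares the From domain against the domain AP already has on file for the vendor, and flags TLD swaps, small spelling edits, and Reply-To mismatches. The vendor domain, the sample message, and the 0.8 similarity threshold are all assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from difflib import SequenceMatcher

# Assumed vendor record: the domain AP already has on file for this vendor.
KNOWN_VENDOR_DOMAIN = "acme-supplies.com"

# Constructed sample resembling a "bank-detail change" email; not a real capture.
SAMPLE_MESSAGE = """\
From: "Tom Reyes - Acme Supplies" <tom.reyes@acme-supplies.co>
Reply-To: ap.treasury@acme-supplies-billing.com
To: jenny@example-customer.com
Subject: Updated banking details for next invoice

Hi Jenny, we've moved our banking to a new institution. Please update our routing and account number.
"""

def domain_of(address):
    """Return the lowercase domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()

def is_lookalike(candidate, known):
    """True when candidate is not the known domain but is close enough to pass a glance."""
    if not candidate or candidate == known:
        return False
    cand_label, _, cand_tld = candidate.rpartition(".")
    known_label, _, known_tld = known.rpartition(".")
    # Same registrable label with a swapped TLD (.co instead of .com).
    if cand_label == known_label and cand_tld != known_tld:
        return True
    # A small edit to the label itself (extra, missing or swapped letter).
    # 0.8 is an assumed threshold; tune it against your own vendor list.
    return SequenceMatcher(None, cand_label, known_label).ratio() >= 0.8

def red_flags(raw_message, known_domain):
    """Return the header-level red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    flags = []
    if is_lookalike(from_domain, known_domain):
        flags.append(f"from-domain-lookalike:{from_domain}")
    elif from_domain != known_domain:
        flags.append(f"from-domain-unknown:{from_domain}")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to-mismatch:{reply_domain}")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_MESSAGE, KNOWN_VENDOR_DOMAIN):
        print(flag)
```

A hit from this check is a reason to stop and call the vendor, not a verdict; a clean result means nothing when the vendor's real mailbox is the one sending the email.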

Variants

  • Vendor banking change — most common.
  • New "vendor" registration — an attacker registers as a vendor under a name similar to a real one's ("ABC Supplies LLC" vs. "ABC Supply Co.") and submits invoices for nonexistent goods.
  • Wire-transfer redirect in M&A or real-estate closings.
  • Payroll redirect — employee impersonation requesting HR change their direct-deposit account.
  • Subscription / SaaS auto-pay redirect. An attacker posing as your SaaS vendor asks you to update the autopay account.
  • Fake invoices for office supplies (toner, water cooler), often aimed at administrative assistants in small offices.

How to verify safely

  1. Phone callback to a known number. Any bank-detail change is verified by calling the vendor on a number you already have on file (not one in the email). Confirm voice to voice, never by replying to the email.
  2. Lock down the vendor-master process. Bank changes require dual authorization and a callback to a previously known contact.
  3. Verify the email's true sender. Check headers and the actual sending domain, not just the displayed name.
  4. Be wary of timing. Bank-detail change requests right before a large invoice is due are statistically more likely to be fraud.
  5. Train AP teams to expect this and respond skeptically. Treat the email thread as the channel the attacker controls.
  6. Implement out-of-band confirmation for all wire transfers above a defined threshold.
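Steps 1 and 2 above can be enforced as a gate in the vendor-master system rather than left to memory. The following is an added example, not code from the original article: it models a bank-change request and applies three controls from the list (the callback must go to a number already on file, must not be a number printed in the email, and two distinct approvers must sign off). The vendor record, the request data and the 30-day "previously known" window are constructed assumptions; adjust the window to your own policy.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed policy parameter (not from the article): a phone number must have been on
# file this long before the request arrived to count as "previously known".
CALLBACK_SEASONING_DAYS = 30

@dataclass
class VendorRecord:
    """Vendor-master entry as AP already holds it (constructed)."""
    name: str
    phones_on_file: dict[str, date]        # phone number -> date AP recorded it

@dataclass
class BankChangeRequest:
    """What AP captured about one bank-detail change request (constructed)."""
    vendor: str
    new_account: str
    received_on: date
    numbers_in_email: set[str]             # every phone number printed in the request
    callback_number: str | None = None     # number actually dialled to confirm
    approvers: list[str] = field(default_factory=list)

def evaluate_change(req: BankChangeRequest, vendor: VendorRecord) -> tuple[bool, list[str]]:
    """Apply the callback and dual-authorization controls; return (approved, reasons)."""
    reasons = []
    if req.callback_number is None:
        reasons.append("no voice callback recorded")
    else:
        if req.callback_number in req.numbers_in_email:
            reasons.append("callback used a number taken from the email itself")
        recorded = vendor.phones_on_file.get(req.callback_number)
        if recorded is None:
            reasons.append("callback number is not in the vendor-master record")
        elif req.received_on - recorded < timedelta(days=CALLBACK_SEASONING_DAYS):
            reasons.append("callback number was added to the record too recently")
    if len(set(req.approvers)) < 2:
        reasons.append("dual authorization missing: need two distinct approvers")
    return (not reasons, reasons)

VENDOR = VendorRecord("Acme Supplies", {"+1-555-0100": date(2023, 1, 15)})

# The pattern the scam produces: the only number AP dialled is the one in the email.
FRAUD_PATTERN = BankChangeRequest(
    vendor="Acme Supplies", new_account="ACCT-NEW-0001", received_on=date(2024, 3, 4),
    numbers_in_email={"+1-555-0199"}, callback_number="+1-555-0199", approvers=["alice"],
)

# The same request handled correctly: callback to the number on file, two approvers.
VERIFIED = BankChangeRequest(
    vendor="Acme Supplies", new_account="ACCT-NEW-0001", received_on=date(2024, 3, 4),
    numbers_in_email={"+1-555-0199"}, callback_number="+1-555-0100", approvers=["alice", "bob"],
)

if __name__ == "__main__":
    for label, req in (("fraud pattern", FRAUD_PATTERN), ("verified", VERIFIED)):
        approved, why = evaluate_change(req, VENDOR)
        print(label, "approved" if approved else "blocked", why)
```

The seasoning window matters because an attacker with mailbox access can ask AP to "update our phone number" a week before the bank-detail change, so that the callback reaches the attacker.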

If the payment went out

  • Call your bank immediately — request a SWIFT recall or hold-harmless letter. Time is critical.
  • File an IC3 report immediately. IC3's Recovery Asset Team (RAT) can place a hold on the receiving account if reported within 72 hours.
  • Notify the FBI field office in your region.
  • Notify your vendor. Their mailbox was likely compromised — they may have other victims.
  • Engage your cyber-insurance carrier. Most policies cover BEC under "social engineering" or "funds transfer fraud."
  • Trigger an incident-response process for the affected mailbox. Reset credentials, review forwarding rules, and check for Outlook inbox rules that hide replies.
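The last point, reviewing forwarding and inbox rules, is where the attacker's foothold usually shows: a rule that forwards mail externally, or one that moves anything mentioning invoices or wires into a folder nobody opens and marks it read. The following is an added example, not code from the original article: it triages a constructed list of inbox rules shaped like the fields an admin exports from Exchange Online and reports the suspicious traits of each. The rule values, the organisation's domain and the keyword and folder lists are assumptions for illustration.

```python
# Constructed inbox rules shaped like the fields an admin sees when exporting rules
# from Exchange Online (Name, Enabled, conditions, actions). Values are made up.
SAMPLE_RULES = [
    {"Name": "Cleanup", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "wire", "payment", "bank"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True,
     "ForwardTo": [], "DeleteMessage": False},
    {"Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": [],
     "MoveToFolder": None, "MarkAsRead": False,
     "ForwardTo": ["collector@mail-relay.example.net"], "DeleteMessage": False},
    {"Name": "Newsletters", "Enabled": True,
     "SubjectOrBodyContainsWords": ["newsletter"],
     "MoveToFolder": "Newsletters", "MarkAsRead": False,
     "ForwardTo": [], "DeleteMessage": False},
]

ORG_DOMAINS = {"example-customer.com"}   # assumed: the affected organisation's own domains

# Folders a user rarely opens, so mail moved there is effectively hidden (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Keywords that single out the payment conversation an attacker wants to intercept.
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "remittance", "ach", "routing"}

def assess_rule(rule, org_domains):
    """Return the list of suspicious traits found in one enabled inbox rule."""
    findings = []
    if not rule.get("Enabled"):
        return findings
    if len(rule.get("Name", "").strip()) <= 2:
        findings.append("near-empty rule name")
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords") or []}
    if words & FINANCE_WORDS:
        findings.append("filters on finance keywords")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS or rule.get("DeleteMessage"):
        findings.append("hides or deletes matching mail")
    if rule.get("MarkAsRead"):
        findings.append("marks matching mail as read")
    for addr in rule.get("ForwardTo") or []:
        domain = addr.rpartition("@")[2].lower()
        if domain not in org_domains:
            findings.append(f"forwards externally to {domain}")
    return findings

def triage(rules, org_domains):
    """Map each rule name to its findings, keeping only rules with at least one."""
    return {r["Name"]: f for r in rules if (f := assess_rule(r, org_domains))}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_RULES, ORG_DOMAINS).items():
        print(repr(name), "->", "; ".join(findings))
```

Run this against every mailbox that touches AP, not only the one that received the fraudulent email; the same rule set is what keeps the vendor's real replies out of sight during the scam.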

What not to do

  • Do not confirm bank-detail changes by replying to the email. The attacker reads the reply.
  • Do not rely on PDF attachments as verification — even a bank-letterhead PDF is trivial to forge.
  • Do not wait to report. The 24–72 hour window is where most recovered funds get caught.
  • Do not assume the vendor's mailbox compromise is their problem alone. Document and notify the vendor; the breach has likely affected others.

Where to report

  • FTC: reportfraud.ftc.gov — the broadest US fraud intake; reports flow to thousands of law-enforcement agencies.
  • FBI IC3: ic3.gov — the right destination when the scam is internet-enabled (phishing, BEC, romance, crypto).
  • CFPB: consumerfinance.gov/complaint — for complaints about banks, money transmitters, payment apps, credit cards, debt collection.
  • IdentityTheft.gov — if any identity information (SSN, driver's license, account credentials) was shared.
  • Your bank or payment platform. Call the number on the back of your card or use the app's in-product help. Time matters — wires can sometimes be recalled within hours; ACH and Zelle are harder but worth trying.

FAQ

Why does the email come from the vendor's real mailbox? Because their account is compromised. The attacker may have been in the mailbox for weeks, learning your relationship and vocabulary, before sending the fraudulent message. The compromise is often via phished credentials or token-replay attacks.

Should we just verify everything by phone? For bank-detail changes, yes. The CFO of a Fortune 500 calling to confirm a wire is no more expensive than the loss it prevents. Build callback verification into the AP workflow.

Are there technical controls that help? DMARC / DKIM / SPF email authentication catches some impersonation. Microsoft 365's anti-spoofing helps. Vendor-master change-management controls help most. None replace phone verification.
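To see what DMARC, DKIM and SPF do and do not tell you here, it helps to read the Authentication-Results header the receiving mail server stamps on each message. The following is an added example, not code from the original article: it parses that header from two constructed messages, checks whether SPF and DKIM passed and are aligned with the visible From domain, and reports the DMARC result. The first message imitates a lookalike-domain spoof, which fails; the second imitates mail from the vendor's real, compromised mailbox, which passes everything. The server name, domains and addresses are assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed message 1: lookalike domain, sent through an unrelated relay (fails).
SPOOFED = """\
Authentication-Results: mx.example-customer.com;
 spf=pass smtp.mailfrom=bounce@mail-relay.example.net;
 dkim=fail header.d=acme-supplies.co;
 dmarc=fail action=none header.from=acme-supplies.co
From: "Acme Supplies AP" <ap@acme-supplies.co>
To: jenny@example-customer.com
Subject: Updated banking details

Please update our routing and account number.
"""

# Constructed message 2: sent from the vendor's own (compromised) mailbox (passes).
COMPROMISED = """\
Authentication-Results: mx.example-customer.com;
 spf=pass smtp.mailfrom=acme-supplies.com;
 dkim=pass header.d=acme-supplies.com;
 dmarc=pass action=none header.from=acme-supplies.com
From: "Tom Reyes" <tom.reyes@acme-supplies.com>
To: jenny@example-customer.com
Subject: Updated banking details

Please update our routing and account number.
"""

def parse_auth_results(value):
    """Parse an Authentication-Results value into {method: {'result': ..., <prop>: ...}}."""
    clauses = [c.strip() for c in value.split(";")]
    results = {}
    for clause in clauses[1:]:            # clauses[0] is the authserv-id (the receiving MX)
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if val:
                # Some implementations put a full address in smtp.mailfrom; keep the domain only.
                entry[key.lower()] = val.lower().rpartition("@")[2]
        results[method.lower()] = entry
    return results

def alignment(raw_message):
    """Report whether SPF and DKIM passed *and* align with the visible From domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf, dkim, dmarc = ar.get("spf", {}), ar.get("dkim", {}), ar.get("dmarc", {})
    return {
        "from_domain": from_domain,
        "spf_pass_aligned": spf.get("result") == "pass" and spf.get("smtp.mailfrom") == from_domain,
        "dkim_pass_aligned": dkim.get("result") == "pass" and dkim.get("header.d") == from_domain,
        "dmarc_result": dmarc.get("result", "none"),
    }

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised mailbox", COMPROMISED)):
        print(label, alignment(raw))
```

The second message is the point of the FAQ answer: a compromised vendor mailbox produces mail that is genuinely from the vendor's domain, so every authentication check passes and only the callback catches the bank-detail change.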

How is this different from CEO fraud? Same family. CEO fraud impersonates an internal executive; invoice fraud impersonates a vendor. They share the same prevention controls.