Phishing & Social Engineering
What Is Invoice Fraud?
Invoice fraud is a type of Business Email Compromise (BEC) in which attackers impersonate legitimate vendors or suppliers and send fraudulent invoices to a target organization's accounts payable department, or intercept and modify legitimate invoices to redirect funds to attacker-controlled accounts. Also called vendor email compromise (VEC) or supplier invoicing fraud, it is one of the costliest BEC variants because supplier invoices typically involve large dollar amounts.
How does invoice fraud work?
Invoice fraud begins with reconnaissance. Attackers identify the target company's key suppliers and vendor relationships through open-source intelligence, social media, public filings, or prior data breaches. The attacker then employs one of two primary methods to compromise or spoof the vendor.
In the first method—Vendor Email Compromise (VEC)—the attacker gains unauthorized access to a vendor's actual email account via credential phishing or stolen credentials from dark web markets, allowing them to send messages that pass SPF, DKIM, and DMARC authentication. The attacker monitors compromised email traffic, identifies an in-progress invoice or payment conversation, then hijacks the thread by inserting themselves into a legitimate discussion the target already trusts. In the second method, the attacker registers a domain visually similar to the vendor's (such as "supp1ier.com" versus "supplier.com") and sends emails from it.
Once positioned, the attacker either creates an entirely fake invoice mimicking the vendor's format or intercepts a real invoice and modifies the bank account or routing details to point to an attacker-controlled mule account. The target accounts payable team pays the "invoice," wiring funds to the attacker's account. By the time the real vendor inquires about missing payment, the money has been moved through multiple accounts or converted to cryptocurrency. Because VEC attacks originate from legitimately compromised accounts, fraudulent emails pass DMARC, SPF, and DKIM—a key reason invoice fraud is harder to detect than other BEC types (Proofpoint, 2019).
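The lookalike-domain method described above ("supp1ier.com" versus "supplier.com") is one of the few signals a receiving organization can check mechanically, since a genuinely compromised vendor account leaves nothing to match on. The following is an added example, not code from the original page: it compares an inbound sender's domain against a constructed allow-list of known vendor domains, first normalising common digit-for-letter substitutions and then applying a small edit-distance threshold. Domain names, the allow-list and the homoglyph table are all assumptions for illustration.

```python
"""Lookalike vendor-domain check for inbound invoice mail (added example).

Compares the sender domain against a known-vendor allow-list. An exact match
is 'known'; a domain that equals a vendor after homoglyph normalisation, or is
within a small Levenshtein distance of one, is flagged 'lookalike:<vendor>'.
"""

# Characters and digraphs commonly substituted for letters in lookalike domains
# (constructed table; extend for the scripts your vendors actually use).
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "rn": "m", "vv": "w", "cl": "d",
}

# Constructed allow-list of vendor domains; in practice this comes from the
# vendor master file, not from any email.
KNOWN_VENDORS = {"supplier.com", "acme-parts.example"}


def normalize(domain: str) -> str:
    """Lower-case the domain and fold homoglyphs back to the letters they mimic."""
    d = domain.lower().strip()
    for glyph, letter in HOMOGLYPHS.items():
        d = d.replace(glyph, letter)
    return d


def edit_distance(a: str, b: str) -> int:
    """Standard Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, known=KNOWN_VENDORS, max_distance: int = 2) -> str:
    """Return 'known', 'lookalike:<vendor>' or 'unknown' for an email address."""
    domain = sender.rsplit("@", 1)[-1].lower().strip()
    if domain in known:
        return "known"
    norm = normalize(domain)
    for vendor in sorted(known):
        vnorm = normalize(vendor)
        # Exact match after normalisation (supp1ier.com), a vendor name embedded
        # in a longer registered domain (supplier.com-billing.net), or a typo-
        # distance hit (supplier.co) all count as lookalikes.
        if norm == vnorm or vnorm in norm or edit_distance(norm, vnorm) <= max_distance:
            return f"lookalike:{vendor}"
    return "unknown"
```

A hit should route the message to manual review rather than block it outright; with a small threshold on short domains the check is deliberately noisy, and the point is to surface the message before accounts payable acts on it. The callback control described later in the page still applies to mail classified as "known", because that class includes a vendor's genuinely compromised account.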
How does invoice fraud differ from CEO fraud?
| Dimension | Invoice Fraud / VEC | Wire Transfer BEC (CEO Fraud) | Gift Card Scam | W-2 Phishing |
|---|---|---|---|---|
| Impersonated Party | External vendor/supplier | Internal CEO/executive | Internal CEO/executive | Internal CEO/executive |
| Primary Target | Accounts payable staff | Finance/treasury staff | Executive assistants | HR/payroll staff |
| Typical Amount per Incident | $10,000 - $1,000,000+ (multi-million in some cases) | $10,000 - $1,000,000+ | $1,000 - $10,000 | N/A (data theft) |
| Attack Complexity | High (may require vendor account compromise, thread hijacking, document forgery) | Moderate (spoofed email, urgency) | Low (simple email/text request) | Low (simple email request) |
| Email Auth Bypass | Often yes (sent from real compromised accounts) | Rarely (usually spoofed) | Rarely (usually spoofed) | Rarely (usually spoofed) |
| Detection Difficulty | High (mimics legitimate business transactions) | Moderate | Low-moderate | Moderate |
| Recoverability | Low-moderate (wire recall possible if caught quickly) | Low-moderate | Very low | N/A |
| Goal | Direct financial theft via payment diversion | Direct financial theft via wire | Financial theft via gift cards | PII/SSN theft for tax fraud |
| Ideal for | Sophisticated fraud exploiting vendor relationships; supply chain exploitation | Rapid wire theft with account access | Quick thefts with low suspicion | Harvesting employee data for identity theft |
Neither is universally better. Invoice fraud exploits legitimate business processes; CEO fraud exploits authority relationships.
Why has invoice fraud gained traction?
Invoice fraud losses are tracked within the broader BEC category, which totaled $2.77 billion in 2024 across 21,442 complaints—making BEC the second-largest dollar-loss crime category reported to the FBI (FBI IC3, 2025). BEC has caused $55 billion in reported losses from 2013 through 2023 (FBI IC3 PSA, 2024), with nearly $8.5 billion lost between 2022 and 2024 (Nacha, 2025). Vendor email compromise attacks specifically surged 137% year-over-year in 2023, with financial services organizations experiencing a 137% increase in VEC attacks (Abnormal AI, 2024). Nearly 40% of Abnormal Security customers experienced a monthly VEC attack in 2023 (Abnormal AI, 2024). Reported invoice fraud (attempted or actual) increased by 10 percentage points year-over-year, from 14% in 2023 to 24% in 2024 (AFP, cited by Rillion, 2025). American companies lose approximately $300,000 annually per company to fake invoices (Hoxhunt, 2026). Individual VEC incidents have sought to steal amounts as high as $100 million (Google/Facebook case involving Lithuanian national Evaldas Rimasauskas impersonating Quanta Computer in 2013-2015, sentenced in 2019).
The attack has gained traction because it exploits the routine, trusted nature of business invoicing, and when executed through actual vendor account compromise, the fraudulent emails pass email authentication controls that would catch domain spoofing.
What are the limitations of invoice fraud?
Invoice fraud has high setup costs: VEC-based fraud requires first compromising a vendor's email account, which involves a separate phishing campaign—more complex than simple spoofing. The attack depends critically on correct identification of real vendor relationships; incorrect targeting reveals the fraud immediately and alerts both the target organization and the real vendor.
Thread hijacking from compromised vendor accounts generates forensic evidence: login logs show unexpected access from unusual IP addresses, mailbox audit logs reveal suspicious rule creation or unusual message movement, and email traffic patterns deviate from normal behavior. A simple callback to the vendor using a known phone number (not one provided in the email) to verify banking details defeats the attack entirely—making this the single most effective control.
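The forensic artefacts listed above (logins from unexpected IP addresses and suspicious inbox-rule creation) are exactly what a vendor's own mailbox audit log exposes before a hijacked thread ever reaches the target. The following is an added example, not code from the original page or any vendor product: it runs two detections over a handful of constructed audit records whose field names are loosely modelled on Exchange-style mailbox audit events (`Operation`, `UserId`, `ClientIP`, `Parameters`). The sample records, the per-account IP baseline and the keyword lists are all assumptions for illustration.

```python
"""Detect thread-hijacking precursors in mailbox audit records (added example).

Detection 1: an inbox rule that moves, deletes or forwards messages whose
subject or body mentions invoices or payments (the classic way an intruder
hides the real vendor's replies from the mailbox owner).
Detection 2: a mailbox login from an IP address outside the account's baseline.
Findings from the same IP are then correlated into a single high-confidence alert.
"""
import json

# Constructed sample log, newline-delimited JSON; field names approximate
# Exchange-style mailbox audit events but are not a verbatim product format.
SAMPLE_LOG = """
{"Time":"2024-05-02T08:01:00Z","Operation":"MailboxLogin","UserId":"ap@supplier.com","ClientIP":"203.0.113.7"}
{"Time":"2024-05-02T08:05:00Z","Operation":"New-InboxRule","UserId":"ap@supplier.com","ClientIP":"203.0.113.7","Parameters":{"Name":".","SubjectContainsWords":["invoice","payment"],"MoveToFolder":"RSS Feeds","MarkAsRead":true}}
{"Time":"2024-05-02T09:00:00Z","Operation":"MailboxLogin","UserId":"ap@supplier.com","ClientIP":"198.51.100.20"}
{"Time":"2024-05-02T09:10:00Z","Operation":"New-InboxRule","UserId":"ap@supplier.com","ClientIP":"198.51.100.20","Parameters":{"Name":"Newsletters","SubjectContainsWords":["newsletter"],"MoveToFolder":"Archive"}}
"""

# Constructed baseline of IPs each account normally logs in from.
BASELINE_IPS = {"ap@supplier.com": {"198.51.100.20"}}

FINANCE_WORDS = {"invoice", "payment", "remittance", "wire", "bank", "account"}
HIDING_ACTIONS = ("MoveToFolder", "DeleteMessage", "ForwardTo",
                  "RedirectTo", "ForwardAsAttachmentTo")


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def suspicious_rule(event: dict) -> bool:
    """True for a new/changed inbox rule that hides finance-related mail."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = event.get("Parameters", {})
    words = {w.lower() for w in p.get("SubjectContainsWords", []) + p.get("BodyContainsWords", [])}
    hides = any(action in p for action in HIDING_ACTIONS)
    return hides and bool(words & FINANCE_WORDS)


def unusual_login(event: dict, baseline=BASELINE_IPS) -> bool:
    """True for a mailbox login from an IP not in the account's baseline."""
    if event.get("Operation") != "MailboxLogin":
        return False
    return event.get("ClientIP") not in baseline.get(event.get("UserId"), set())


def detect(text: str) -> list:
    """Return (kind, user, ip, time) tuples for every finding, in log order."""
    findings = []
    for ev in parse_log(text):
        if suspicious_rule(ev):
            findings.append(("hiding_rule", ev["UserId"], ev["ClientIP"], ev["Time"]))
        if unusual_login(ev):
            findings.append(("unusual_login", ev["UserId"], ev["ClientIP"], ev["Time"]))
    return findings


def correlate(findings: list) -> list:
    """IPs that both logged in from outside the baseline and created a hiding rule."""
    by_ip = {}
    for kind, _user, ip, _time in findings:
        by_ip.setdefault(ip, set()).add(kind)
    return sorted(ip for ip, kinds in by_ip.items()
                  if {"unusual_login", "hiding_rule"} <= kinds)


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
    print("correlated:", correlate(detect(SAMPLE_LOG)))
```

On the sample data only the 08:01 login and the 08:05 rule fire; the legitimate "Newsletters" rule created from a baseline address does not, which is the behaviour a vendor's security team wants from a rule that will run on every mailbox. Either finding alone is worth a ticket; both from one address within minutes is the pattern that should trigger password reset, session revocation and a notification to customers whose invoices are in flight.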
Organizations using three-way matching (comparing invoice to purchase order and receiving report) are much harder to defraud, as fake invoices often lack corresponding purchase orders. Unlike gift card scams, wire transfers can sometimes be recalled if reported within 24-72 hours, giving organizations a narrow recovery window. Invoice fraud lacks strong seasonality like W-2 phishing, making it harder for attackers to predict optimal timing, though also harder for defenders to anticipate.
How can organizations defend against invoice fraud?
Always verify bank account changes or new payment instructions by calling the vendor at a known, pre-established phone number—never use contact information from the suspicious email. This single control is the most effective defense. Compare every invoice against the original purchase order and goods receipt or delivery confirmation before approving payment, catching invoices for goods never ordered or received. Ensure the same person cannot submit, approve, and issue payment through role-based access controls and dual authorization requirements for payments above a threshold.
Implement rigorous vendor master file controls with change management procedures: any modification to banking details requires documented approval and out-of-band verification, with monitoring for unauthorized changes. Deploy email security solutions that detect VEC, lookalike domains, and thread hijacking. Standard DMARC alone is insufficient because VEC emails originate from legitimate accounts. Implement accounts payable automation tools that flag duplicate invoices, unusual payment amounts, new bank details, or payments to new accounts. Transition to electronic payment methods when possible; checks are 7 times more likely to be involved in fraud than virtual cards. Conduct quarterly training for AP staff covering current invoice fraud tactics, real-world examples, and company-specific verification procedures. Require key vendors to implement MFA on their email accounts and notify you immediately of any account compromise.
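The controls above (three-way matching, out-of-band verification of bank-detail changes, duplicate-invoice flagging, dual authorization above a threshold, and change management on the vendor master file) compose naturally into a single pre-payment gate. The following is an added example, not code from the original page or any accounts-payable product: every vendor record, purchase order, goods receipt, invoice and threshold in it is constructed for illustration, and the "callback verified" flag stands in for whatever ticketing or attestation record an organization actually keeps.

```python
"""Accounts-payable pre-payment gate (added example).

An invoice is released only when it three-way matches its purchase order and
goods receipt, its bank details equal the vendor master file, it is not a
duplicate, and amounts at or above the threshold carry two distinct approvers.
Any bank-detail difference is held for an out-of-band callback rather than
accepted from the invoice or the covering email.
"""
from dataclasses import dataclass


@dataclass
class Invoice:
    number: str
    vendor_id: str
    po_number: str
    amount: float
    bank_account: str
    approvers: tuple = ()


# Constructed master data; in practice these live in the ERP, not in code.
VENDOR_MASTER = {"V100": {"name": "Supplier Co", "bank_account": "GB00-1111"}}
PURCHASE_ORDERS = {"PO-1": {"vendor_id": "V100", "amount": 50_000.0}}
GOODS_RECEIPTS = {"PO-1": {"received_amount": 50_000.0}}
DUAL_AUTH_THRESHOLD = 25_000.0   # assumed policy value
TOLERANCE = 0.01                 # 1% price/quantity tolerance, assumed


def check_invoice(inv: Invoice, paid_numbers=frozenset()) -> list:
    """Return the list of holds; an empty list means the invoice may be released."""
    holds = []
    if inv.number in paid_numbers:
        holds.append("duplicate_invoice")

    # Three-way match: invoice vs purchase order vs goods receipt.
    po = PURCHASE_ORDERS.get(inv.po_number)
    gr = GOODS_RECEIPTS.get(inv.po_number)
    if po is None:
        holds.append("no_purchase_order")
    elif po["vendor_id"] != inv.vendor_id:
        holds.append("po_vendor_mismatch")
    elif abs(inv.amount - po["amount"]) > TOLERANCE * po["amount"]:
        holds.append("po_amount_mismatch")
    if gr is None:
        holds.append("no_goods_receipt")
    elif abs(inv.amount - gr["received_amount"]) > TOLERANCE * gr["received_amount"]:
        holds.append("receipt_amount_mismatch")

    # Bank details must come from the vendor master, never from the invoice.
    master = VENDOR_MASTER.get(inv.vendor_id)
    if master is None:
        holds.append("unknown_vendor")
    elif inv.bank_account != master["bank_account"]:
        holds.append("bank_details_changed:callback_required")

    # Segregation of duties: two distinct approvers above the threshold.
    if inv.amount >= DUAL_AUTH_THRESHOLD and len(set(inv.approvers)) < 2:
        holds.append("dual_authorization_required")
    return holds


def apply_bank_change(vendor_id: str, new_account: str,
                      approved_by: str, callback_verified: bool) -> bool:
    """Vendor master change control: a named approver and a completed callback
    to the pre-established vendor phone number are both required."""
    if vendor_id not in VENDOR_MASTER or not approved_by or not callback_verified:
        return False
    VENDOR_MASTER[vendor_id]["bank_account"] = new_account
    return True
```

The diverted-payment case is the important one: an invoice that matches its purchase order and receipt perfectly but carries a different account number still stops, and the only path that updates the account is `apply_bank_change` with the callback recorded. Tuning the tolerance and threshold is a business decision; the structure of the checks is not.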
FAQs
Q: What is invoice fraud?
Invoice fraud is a form of business email compromise where attackers impersonate vendors or suppliers—or compromise their actual email accounts—to send fraudulent invoices or modify legitimate invoices to redirect payments to attacker-controlled bank accounts. It is also known as vendor email compromise (VEC) or supplier invoicing fraud (Proofpoint, 2019; FBI, "Business Email Compromise," ongoing).
Q: How much do companies lose to invoice fraud?
BEC—the broader category that includes invoice fraud—caused $2.77 billion in reported losses in 2024 (FBI IC3, 2025). Vendor email compromise attacks surged 137% in 2023. American companies lose approximately $300,000 annually to fake invoices on average, and individual incidents can reach millions: Google and Facebook collectively lost $121 million to a single invoice fraud scheme (FBI IC3, 2025; Abnormal AI, 2024; DOJ sentencing records, 2019).
Q: Why is invoice fraud harder to detect than other BEC types?
Invoice fraud often involves actual compromise of a vendor's email account (VEC), meaning fraudulent messages are sent from the real vendor's address and pass all email authentication checks (SPF, DKIM, DMARC). Attackers may also hijack existing email threads about real transactions, making the fraudulent request appear as a continuation of a legitimate conversation (Proofpoint, 2019).
Q: What is the most effective defense against invoice fraud?
Out-of-band verification—calling the vendor at a pre-established phone number (not one from the email) to confirm any changes to banking details or unusual payment instructions. Combined with three-way matching (invoice versus purchase order versus goods receipt) and segregation of duties, these controls neutralize most invoice fraud attempts (FBI, "Business Email Compromise," ongoing; AFP best practices).
Q: How does invoice fraud differ from CEO fraud?
CEO fraud (wire transfer BEC) involves impersonating an internal executive to trick finance staff into making an urgent wire transfer. Invoice fraud impersonates an external vendor or supplier and mimics legitimate business transactions (invoices). Invoice fraud is generally harder to detect because it mimics routine business processes and may use actually compromised vendor accounts (Proofpoint, 2019; IBM, ongoing).