5 signs an invoice email is fake
A founder wired $28,700 to a scammer posing as his vendor. The email looked perfect. Here's the 5-point invoice scan framework to protect yourself from invoice fraud.
Last Tuesday, a founder I know wired $28,700 to a scammer posing as one of his vendors.
The email looked normal. The invoice number matched a real one. The tone was perfect.
There was one problem: the real vendor never sent it.
And he's not alone.
Business Email Compromise caused $2.77 billion in losses in 2024, says the FBI's latest IC3 report. Invoice fraud is one of the most common tactics used. Attackers aren't hacking systems anymore. They're hacking patterns.
They study how you communicate, how invoices flow, and who approves what. Then they slip into the rhythm and strike when it feels routine.
Here's the framework I give to every operator:
The "5-point invoice scan"
Run every invoice email through these five checks:
1. The sender
Is the domain letter-for-letter identical? Hover over the display name to reveal the actual email address. Attackers often spoof the name while hiding a different domain underneath.
2. The bank details
Any change, no matter how small, is a red flag.
3. The tone shift
More urgent? More casual? Slightly off?
4. The attachment type
Unexpected file formats = trouble. If your vendor always sends PDFs but this one's a .html file, .zip archive, or .exe, stop immediately.
5. The reply-to address
Attackers often reroute replies to a different address to dodge suspicion. Check that it matches the sender.
If even one point feels wrong, stop and verify through another channel.
A 15-second phone call can save you five figures and a week of cleanup.
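Checks 1, 4 and 5 can be run mechanically against the raw message before a person reviews checks 2 and 3. The Python below is an added example, not part of the original post; the vendor name, the domains, the expected attachment type and the sample email are all constructed assumptions.

```python
import os
from email import message_from_string
from email.utils import parseaddr

# Assumptions (hypothetical): the vendor's domain on file and its usual attachment type.
VENDOR_DOMAINS = {"Acme Supplies": "acme-supplies.example"}
EXPECTED_EXTS = {".pdf"}

# Constructed sample: the display name looks right, the domain has "1" in place of "i".
SAMPLE = """\
From: "Acme Supplies" <billing@acme-suppl1es.example>
Reply-To: accounts@payments-desk.example
Subject: Invoice 10482 - updated bank details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process today.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="invoice_10482.html"

<html></html>
--b1--
"""

def address_of(header_value):
    """Return the lowercased address inside a header, ignoring the display name."""
    return parseaddr(header_value or "")[1].lower()

def scan_invoice_email(raw, vendor):
    """Run checks 1, 4 and 5; return (check, detail) tuples for each one that trips."""
    msg = message_from_string(raw)
    findings = []
    sender = address_of(msg["From"])
    domain = sender.rpartition("@")[2]
    if domain != VENDOR_DOMAINS[vendor]:  # check 1: letter-for-letter domain match
        findings.append(("sender", f"{domain} is not {VENDOR_DOMAINS[vendor]}"))
    for part in msg.walk():  # check 4: attachment type differs from the usual one
        name = part.get_filename()
        if name and os.path.splitext(name.lower())[1] not in EXPECTED_EXTS:
            findings.append(("attachment", name))
    reply_to = address_of(msg["Reply-To"])
    if reply_to and reply_to != sender:  # check 5: replies rerouted elsewhere
        findings.append(("reply-to", f"{reply_to} differs from {sender}"))
    return findings
```

An empty result only means these three checks passed; bank details and tone still need a person, and any finding means stop and verify through another channel.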
Your takeaway today: When money is involved, don't make any assumptions. Verify everything.