How to spot a fake invoice before you wire $50,000 to a scammer


Invoice fraud costs businesses billions annually. Learn how document comparison technology catches the subtle changes that traditional email security misses.


The invoice looked perfect.

Same logo. Same formatting. Same vendor name you've paid dozens of times. The only difference was a single line buried in the payment details: a new bank account number.

That one line cost a nonprofit $127,000. A freelancer lost $8,400. A small marketing agency watched $52,900 disappear in the time it takes to approve a routine payment.

This is invoice fraud, and it's the most financially devastating form of email fraud because it exploits something you can't turn off: trust in your existing business relationships.


Why invoice fraud works so well

Traditional phishing is obvious: broken English, suspicious links, urgent demands from strangers. Most people spot these.

Invoice fraud is different. Attackers spend weeks or months studying how your vendors communicate. They harvest real invoice numbers, copy exact formatting, and match the timing of your payment cycles. When the fake invoice arrives, it feels routine because it's designed to feel routine.

The attack succeeds because it doesn't trigger suspicion. There's no malware to scan. No malicious link to flag. Just a PDF that looks identical to every other invoice you've received from that vendor, except for the bank details that now route your payment to a criminal's account.

By the time you realize something is wrong, the money has moved through multiple accounts and vanished.


The problem with current email security

Gmail and Outlook are good at catching obvious threats. Known malware, blacklisted domains, mass phishing campaigns. But invoice fraud doesn't look like a threat to these systems.

Consider what happens when an attacker sends a fraudulent invoice:

The email comes from a legitimate domain (either spoofed convincingly or sent from a compromised vendor account). The attachment is a clean PDF with no malicious code. The content matches your normal business communication. There are no suspicious links to scan.

Traditional email security sees a normal business email with a normal attachment. It passes every automated check.

Enterprise security tools add some protection, but they require dedicated IT teams to configure and monitor, cost $12 to $30 per user monthly, and still struggle with the core problem: they can't compare this invoice to the ones you've received before. They can't tell you that the bank account changed from what your vendor has used for years.


Document Comparison: catching what filters miss

The only reliable way to catch invoice fraud is to compare what you're receiving now against what you've received before. That's the approach we built into Ṣọ Email Security.

When you receive an invoice or financial document, you can compare it side-by-side against trusted historical emails from the same sender. The system highlights exactly what changed, so you can spot the differences that matter before you approve a payment.

Here's how it works in practice.


Setting a baseline with trusted documents

Start by selecting an email you trust, one from a verified conversation with your vendor. This becomes your baseline for comparison.

The baseline stays pinned in your workspace. Everything you compare against it will show differences clearly, letting you spot anomalies that would otherwise blend into routine communication.


Searching your email history

Once you have a baseline, search your history for related communications from the same sender. Filter by vendor name, invoice numbers, or tags you've applied.

Each search result shows you the date, subject line, parsed amounts from attachments, and a quick indicator of whether it matches your established vendor profile. You can immediately see if something looks off before you even open the email.


Side-by-side comparison

Select any historical email to view it alongside your baseline. The comparison workspace shows both emails with synchronized navigation, so you can examine the body text, headers, and attachments in parallel.

Three tabs organize the comparison:

The Email Body tab shows the content of each message with differences highlighted. You can see if the tone changed, if the signature is different, or if new payment instructions appeared.

The Headers tab displays a table comparing technical details: the from-address, reply-to field, SPF and DKIM authentication results, and other metadata that can reveal spoofing attempts. A legitimate vendor email should have consistent authentication. A spoofed one often shows mismatches.

The Attachments tab lists every file attached to each email. You can see file names, page counts, extracted totals, and hash values. If an attachment has been modified, even slightly, the hash will be different.
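The header and attachment checks described above can be reproduced with Python's standard library. This is an added example, not Ṣọ Email Security's own code; the function names, the `vendor.example` addresses and the sample messages are constructed for illustration.

```python
import hashlib
import re
from email.message import EmailMessage
from email.utils import parseaddr

def domain(value):
    """Lowercased domain of an address header ('' when the header is absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def auth_result(msg, mechanism):
    """Verdict for 'spf' or 'dkim' from Authentication-Results, else 'none'."""
    found = re.search(rf"\b{mechanism}=(\w+)", msg.get("Authentication-Results", ""))
    return found.group(1).lower() if found else "none"

def profile(msg):
    """Reduce a message to the fields a header/attachment comparison needs."""
    return {
        "from_domain": domain(msg["From"]),
        # Replies go to From when no Reply-To is set.
        "reply_to_domain": domain(msg["Reply-To"]) or domain(msg["From"]),
        "spf": auth_result(msg, "spf"),
        "dkim": auth_result(msg, "dkim"),
        "attachments": {p.get_filename(): hashlib.sha256(p.get_content()).hexdigest()
                        for p in msg.iter_attachments()},
    }

def compare(baseline, candidate):
    """Return {field: (baseline_value, candidate_value)} for every mismatch."""
    a, b = profile(baseline), profile(candidate)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def build(sender, reply_to, auth, pdf_bytes):
    """Constructed sample message (not real mail) with one PDF attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Authentication-Results"] = auth
    msg.set_content("Please find this month's invoice attached.")
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg
```

Only trust an `Authentication-Results` header stamped by your own receiving mail server; a sender can insert a forged one. A differing hash says the file changed, not what changed, so it is a trigger for the field-level comparison rather than a verdict.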


Attachment Comparison: where fraud hides

This is where most invoice fraud actually happens. The email itself might look perfect, but the attached PDF has been altered.

Select an attachment from your baseline (say, an invoice from three months ago) and compare it against the attachment in the suspicious email. The system extracts text and values from both documents, aligns them section by section, and highlights every difference.

You'll see changes in:

Bank account numbers and routing information: This is the most common target. Attackers change the destination account while keeping everything else identical.

Beneficiary names: Watch for subtle alterations like "Acme Corp" becoming "Acme Corp LLC" or "Acme Corpn" with a typo that redirects payment to a different entity.

Payment amounts: Some attackers inflate totals slightly, betting you won't notice a few hundred dollars on a large invoice.

Due dates and payment terms: Fraudulent invoices often create artificial urgency with shortened payment windows.

Addresses and contact information: Changed remittance addresses or phone numbers can indicate fraud, especially if they don't match your vendor's known details.

Line items and descriptions: Additions, removals, or modifications to what you're supposedly paying for.


Risk signals that explain the danger

Raw differences aren't always meaningful. A vendor might legitimately update their address or change their invoice numbering system. What matters is understanding which changes indicate fraud.

The Risk Summary banner surfaces high-impact differences with clear explanations:

"Bank account changed: ****1234 to ****9876" tells you immediately that payment would go somewhere new.

"Beneficiary name altered: 'Johnson & Associates' to 'Johnson & Associatez' (lookalike)" flags the typosquatting technique attackers use to register similar-sounding entities.

"Reply-to differs from From-domain" reveals when an attacker wants responses sent somewhere other than the apparent sender.

"Payment amount increased by $2,340 from historical average" catches invoice inflation.

Each signal links directly to the highlighted region in the document, so you can see exactly where the suspicious change appears.
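A sketch of how extracted invoice fields can be turned into explained signals like the ones quoted above. It is an added example, not the product's code; the field names, both thresholds and the sample values are assumptions made for illustration.

```python
import re
from decimal import Decimal
from difflib import SequenceMatcher
from statistics import mean

LOOKALIKE_RATIO = 0.8               # assumed: similar but not identical names
AMOUNT_TOLERANCE = Decimal("0.05")  # assumed: flag rises above 5% of the average

def normalise_account(acct):
    """Drop spaces and dashes so reformatting alone is not reported as a change."""
    return re.sub(r"[\s-]", "", acct).upper()

def mask(acct):
    """Show only the last four characters, as in the signal text."""
    return "****" + normalise_account(acct)[-4:]

def risk_signals(baseline, candidate, history_amounts):
    """Compare extracted invoice fields and explain the high-impact differences."""
    signals = []
    if normalise_account(baseline["account"]) != normalise_account(candidate["account"]):
        signals.append(f"Bank account changed: {mask(baseline['account'])} "
                       f"to {mask(candidate['account'])}")
    old, new = baseline["beneficiary"], candidate["beneficiary"]
    if old.casefold() != new.casefold():
        # A high similarity ratio on a changed name is the lookalike pattern.
        ratio = SequenceMatcher(None, old.casefold(), new.casefold()).ratio()
        kind = "lookalike" if ratio >= LOOKALIKE_RATIO else "different name"
        signals.append(f"Beneficiary name altered: '{old}' to '{new}' ({kind})")
    average = mean(history_amounts)
    increase = candidate["amount"] - average
    if increase > average * AMOUNT_TOLERANCE:
        signals.append(f"Payment amount increased by ${increase:,.0f} "
                       "from historical average")
    return signals

# Constructed sample data, not taken from any real invoice.
HISTORY = [Decimal("23100"), Decimal("23400"), Decimal("23700")]
BASELINE = {"account": "0000 0000 1234", "beneficiary": "Johnson & Associates",
            "amount": Decimal("23400")}
CANDIDATE = {"account": "000000009876", "beneficiary": "Johnson & Associatez",
             "amount": Decimal("25740")}
```

Amounts are `Decimal` rather than `float` so that currency comparisons are exact.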


Making decisions with evidence

After reviewing the comparison, you have three options.

Mark Safe confirms you've verified the email and attachment. Use this when differences are explained (your vendor notified you of a banking change through a verified channel) or when there are no concerning discrepancies.

Needs Verification flags the email for follow-up. This is the right choice when you see changes that could be legitimate but haven't been confirmed. Before processing payment, call your vendor at a known phone number (not one from the suspicious email) to verify.

Export Evidence creates a PDF report with the full comparison, highlighted differences, and risk summary. This gives you documentation for your records, for your finance team's approval process, or for reporting fraud if the email turns out to be malicious.


What this catches that other tools miss

Consider a real scenario. An attacker compromises your vendor's email account. They wait, watching the conversation, learning when invoices get sent and how they're formatted. Then they send an invoice that's identical to legitimate ones, except the bank details route to their account.

Traditional email security sees nothing wrong. The email comes from your vendor's actual domain. There's no malware. No suspicious links. Authentication passes because it really is from that account.

Document comparison catches it. The bank details don't match what your vendor has used for years. The beneficiary name has a subtle spelling change. The payment amount is slightly higher than historical patterns.

These are the signals that indicate fraud, and they only become visible when you compare against trusted history.


Who needs this

If you approve payments, you need this.

Freelancers who work with multiple clients are targets because attackers know smaller operations have fewer verification steps.

Nonprofit finance teams are targeted because mission-driven organizations often trust their partner relationships and may have limited security resources.

Small business owners handling their own accounts payable are vulnerable because they're making payment decisions without a second set of eyes.

Anyone who receives invoices and sends money based on those invoices can be targeted by this type of fraud.


Start protecting your payments

Ṣọ Email Security adds document comparison to your Gmail or Outlook inbox through a browser extension. Setup takes about 60 seconds. There's no IT configuration, no complex onboarding, and no learning curve.

When an invoice arrives, you can compare it against your trusted history before you approve payment. You'll see exactly what changed and understand whether those changes indicate fraud.

The core protection is free. Install the extension and start comparing documents today.

[https://chromewebstore.google.com/detail/so-email-security-email-s/khfdclhlahinfoihpkfeolibgbmhidlc?utm_source=ext_app_menu]


The two-channel rule

Even with document comparison, a layered approach works best. Whenever you see new banking details on an invoice, verify through two channels:

First, verify in email. Use document comparison to check the details against historical records. Look at the domain, the reply-to address, and any writing quirks that seem off.

Second, verify out-of-band. Call your vendor at a known phone number, not one from the email. Confirm they actually sent the invoice and that the banking details are correct.

If both channels don't align, stop. Don't process the payment until you've resolved the discrepancy.

Invoice fraud succeeds because it exploits trust. Document comparison and out-of-band verification restore the safety checks that attackers try to bypass.

Protect your payments. Compare before you send.