This is when a business receives an emailed invoice from a supplier whose email account has been compromised by a criminal. The criminal uses the supplier’s real invoice and simply changes the bank account details to their own. Because the invoice looks legitimate, the business often doesn’t question the change in bank details and sends the payment to the criminal’s account.

A variation of this scam is when a business gets an email from a criminal pretending to be a supplier, asking the business to cancel a recent payment and make the payment to a new account instead.

How to protect your business from invoice scams

  1. Create a safe payment process. Create a process where the person who pays invoices has to carefully check the payee’s banking details. If there has been a change, call the payee to confirm the change is legitimate, using the contact details you have on file.
  2. Raise awareness. Help your employees understand more about the tricks and scams of fraudsters. If your business gets a CEO phishing email or a fake invoice, share it around so your employees know what to look out for in the future.


A supplier sends you an email which asks you to change their banking details. What should you do to check that this request is legitimate?

Reply to the email to verify the change.

Incorrect. You should never check that the request is real by emailing or calling using contact details listed in the email. If the request is fraudulent, you will be contacting the criminal directly.

Update the payment details for this supplier.

Incorrect. You should always check a change to payment details by phoning the person using a number you already have on file, not one that may be listed in the email.

Contact the sender to verify the change using a phone number that you already have on file.

Correct. You should always verify a change to a supplier's payment details by phoning them on a number you already have on file.