Guide · Invoice Fraud

Invoice Fraud Red Flags: How to Spot a Fake Invoice Before You Pay (2026)

June 2026 AP Clerks Office Managers Small Business 9 min read

Fake and altered invoices are the most common entry point for payment fraud at small businesses. Unlike phishing emails, they look exactly like legitimate invoices — because they often are legitimate invoices, with one or two details changed. This guide covers the 12 red flags that reveal a fraudulent invoice, with examples of what each looks like in practice.

$300K
average loss per invoice fraud incident at small businesses
71%
of BEC attacks involve fake or altered invoices
58%
of invoice fraud goes undetected until after payment

The Four Types of Invoice Fraud

Not all invoice fraud works the same way. Understanding which type you're dealing with changes what you look for.

✂️
Altered legitimate invoice

A real invoice from a real vendor is intercepted — via email compromise or man-in-the-middle — and the banking details are changed before it reaches you. Everything looks correct except the routing and account numbers.

👻
Phantom vendor invoice

A completely fabricated invoice from a fake company. Usually arrives unsolicited, for services that are vague or hard to verify. Targets businesses with loose invoice approval processes.

🎭
Vendor impersonation

Fraudsters research your existing vendor relationships and send invoices mimicking those vendors — same company name, similar logo, close-but-not-quite email domain — with changed payment details.

💸
Duplicate or inflated invoice

A real invoice is submitted twice, or amounts are inflated between approval and payment. Often an internal fraud risk, but also used by bad actors who gain access to your billing relationship with a vendor.

What to Check on Every Invoice

Here's a fabricated invoice annotated with the fields that carry the highest fraud risk. Each numbered marker corresponds to a specific check you should perform.

Northgate IT Solutions 1
1420 Harbor Blvd, Suite 300
Portland, OR 97201 2
billing@northgate-it.com 3
INVOICE
Invoice #: INV-0007 4
Date: June 22, 2026
Due: July 7, 2026 5

IT infrastructure consulting services — June 2026$22,400.00
Scope: General IT advisory and support services 6

Total Due$22,400.00 7
Payment Instructions — Please remit via wire transfer only 8
Bank: First Demo Bank
Routing: 000000001 9
Account: 9999000001
⚠ Note: We have updated our banking details. Please use this routing number for all future payments. 10
Have a suspicious invoice in front of you? Paste the details into PaySentinel — routing number, vendor name, amount, and email — and get a risk score in under a minute.
Check it now →

12 Invoice Fraud Red Flags

Each of these signals is a reason to pause and verify. Multiple flags on the same invoice is a serious warning — do not process the payment until each one is resolved.

1
Routing or account number changed from prior invoices
Critical

This is the single most reliable indicator of invoice redirect fraud. A fraudster intercepts a legitimate invoice and changes only the banking details — everything else looks exactly right because it was a real invoice from a real vendor.

Any routing number change requires a phone call to a number from your vendor file — not from the invoice — and a signed bank authorization letter on company letterhead before you update your records.

What it looks like
Invoice shows routing 000000001
Your records show routing 000000002 for this vendor
Do this → Hold the payment. Call the vendor at a number from your existing records — not the invoice. Request a signed bank authorization letter before updating your vendor file.
Email domain doesn't exactly match the vendor's real domain
Critical

Fraudsters register domains that look nearly identical to real vendor domains. The difference is often one character — easy to miss when you're processing dozens of invoices.

Common typosquat patterns
billing@northgate-it.com (hyphen added)
billing@northqate.com (letter transposed)
billing@northgate.net (different TLD)
billing@northgate.com (legitimate)
Do this → Do not reply to the email. Look up the vendor's real domain from a prior invoice or your vendor file. Compare character by character. If the domain doesn't match exactly, treat it as fraudulent and escalate.
Free consumer email address for business invoicing
Critical

Any invoice over $1,000 arriving from a Gmail, Yahoo, Hotmail, or other consumer email account is a serious red flag. Legitimate businesses use company domain email addresses for billing. Free email accounts are trivially easy to create and impersonate.

Examples
northgateit.billing@gmail.com
cascade_equipment@yahoo.com
billing@northgate.com
Do this → Do not pay. Contact the vendor through their official website or a prior invoice to confirm whether this email came from them. A legitimate vendor should have a company domain — if they don't, that itself warrants scrutiny.
Invoice number is suspiciously low
High

A company claiming to have been in business for several years should have invoice numbers in the hundreds or thousands. An invoice numbered INV-003, INV-007, or INV-012 from an "established" business suggests either a very new operation or a freshly created fake.

Example
INV-0007 from "Cascade Equipment Rentals, serving clients since 2019"
INV-4821 from a vendor with years of history
Do this → Ask to see a sample prior invoice from a different client, or check the vendor's registration date on your state's Secretary of State website. A company registered last month claiming years of business is a phantom vendor signal.
Amount is just under $10,000
High

Banks are required to file Currency Transaction Reports (CTRs) for cash transactions over $10,000. Some fraudsters deliberately structure payment requests just below this threshold — $9,800, $9,750, $9,900 — to avoid triggering reporting. This is called structuring, and it's a federal crime. Seeing this pattern on an invoice is a significant red flag regardless of whether the invoice is fraudulent.

Structuring amounts to watch for
$9,900 · $9,800 · $9,750 · $9,500 for a single invoice
Multiple invoices each just under $10,000 in short succession
Do this → Flag this for your manager before processing. If you're seeing multiple invoices just under $10,000 from the same vendor in a short period, document the pattern and consult your bank or legal counsel — structuring is a federal crime regardless of who's doing it.
Vague or unverifiable scope of work
High

Phantom vendor invoices typically describe services that are impossible to verify — "consulting services," "advisory fees," "IT support," or "professional services" with no deliverables, no hours, and no reference to a contract or purchase order. If you can't point to what was delivered, the invoice shouldn't be paid.

Vague vs. verifiable
"General IT advisory and support services — June 2026"
"Network infrastructure upgrade — 40 hours @ $175/hr per SOW-2026-04"
Do this → Hold payment until you can match the invoice to a signed contract or purchase order. Ask the person at your company who engaged the vendor to confirm the work was actually performed before you approve payment.
Wire transfer is the only accepted payment method
High

Fraudsters specify wire transfer exclusively because wires are irreversible. Legitimate vendors typically accept ACH, check, or credit card alongside wire transfers. An invoice that specifically restricts payment to wire only — especially combined with urgency — is a significant warning.

Do this → Ask the vendor directly why wire is the only option accepted. If they can't give a clear reason, or if they push back on your request for an alternative method, treat this as a serious red flag and escalate.
Remittance address differs from company address
High

If the "remit payment to" address on an invoice is in a different city, state, or country from the vendor's listed business address — and this is different from prior invoices — verify before paying. This can indicate the payment is being redirected to a different party.

Example
Company address: Portland, OR — Remit to: P.O. Box 441, Miami, FL
Do this → Compare the remittance address against your vendor file and prior invoices. Call the vendor to confirm before updating your records. A P.O. box in a different state from the business address warrants extra scrutiny.
No purchase order or prior approval on record
Medium

Any invoice that can't be matched to an approved purchase order or a signed contract should be held until the underlying work is verified. This is standard three-way matching (invoice, PO, receipt) — one of the most effective controls against phantom vendor fraud.

Do this → Hold payment and contact the internal person who supposedly authorized the work. Get written confirmation from them that the work was approved and performed before releasing payment.
Invoice PDF metadata shows recent editing
High

PDF files contain embedded metadata including when the document was created and last modified. An invoice PDF that shows a "last modified" date of hours before it was sent — especially if that date is different from the invoice date — may have been altered in transit. You can check PDF metadata by opening the file properties in Adobe Acrobat or a free PDF reader.

How to check
In Adobe Acrobat: File → Properties → Description tab → check "Modified" date
Do this → Document the metadata discrepancy with a screenshot. Contact the vendor to request a freshly generated invoice directly from their billing system. Do not pay from the potentially altered PDF.
Urgency or pressure to pay quickly
High

Language like "payment required within 24 hours to avoid service interruption," "please process today," or follow-up calls pressing for immediate payment are designed to get money out before you complete your normal verification process. Legitimate vendors build payment terms into contracts — they don't create emergencies around individual invoices.

Do this → Slow down — urgency is the signal to verify more carefully, not less. Tell the vendor your normal process takes 5–10 business days. Legitimate vendors accept this. Anyone who won't accept your standard payment timeline is a red flag.
First invoice from a vendor you didn't solicit
Medium

An invoice arriving from a vendor you have no record of engaging — no signed contract, no purchase order, no prior contact — should be treated as a phantom vendor attempt until proven otherwise. Some fraudsters send invoices for small amounts ($200–$500) hoping they'll be processed without scrutiny. Confirm with the person at your company who supposedly engaged the vendor before paying anything.

Do this → Do not pay. Email your team to find out who engaged this vendor, and get written confirmation of the approved scope and amount. If nobody can verify the engagement, discard the invoice and optionally report it to the FBI IC3.
Spotted one of these red flags? Run the invoice through PaySentinel — paste in the vendor name, routing number, amount, and email domain for an instant risk assessment.
Check the invoice →

What to Do When You Spot a Red Flag

A red flag doesn't mean the invoice is definitely fraudulent. It means you need to verify before paying. Here's the process:

  • Hold the payment — do not process until verification is complete. It is always better to delay a legitimate payment than to send a fraudulent one.
  • Do not reply to the invoice email — if the sender is a fraudster, replying tips them off that you're investigating. Contact the vendor independently.
  • Call the vendor using a number from your existing records — look up the number independently, not from the invoice. Confirm whether they sent the invoice and whether the banking details are correct.
  • Check the PDF metadata — open file properties and check the "modified" date. If the document was edited recently before being sent, document this.
  • Run a fraud analysis — submit the invoice details through PaySentinel to check for additional patterns your manual review might have missed.
  • Escalate if you can't verify — if you cannot independently confirm the invoice is legitimate, escalate to your manager before taking any further action.
  • Document everything — regardless of outcome, record what you found, who you spoke with, and what was confirmed. This protects you and creates an audit trail.
If you've already paid a fraudulent invoice

Act within the first hour.

Call your bank immediately and ask them to issue a wire recall. The chances of recovery drop significantly after the first few hours. Then file a report with the FBI Internet Crime Complaint Center at ic3.gov and notify your local FBI field office — they have dedicated financial crime units that handle wire fraud.

Building a Process That Prevents Invoice Fraud

Individual red flag checks are necessary, but the best protection is a consistent process that makes fraud structurally harder to execute.

  • Implement three-way matching — every invoice must match an approved purchase order and a delivery receipt before payment is authorized. This alone eliminates most phantom vendor fraud.
  • Set a dual-authorization threshold — any payment above a set amount (e.g. $5,000) requires a second approver who independently verifies the invoice, not just countersigns.
  • Maintain a vendor master file — a single authoritative record of every vendor's banking details, contacts, and payment history. Changes to this file require a documented approval process, not just an email.
  • Never update banking details based on email alone — any routing or account number change requires a phone call to a verified number and a signed bank authorization letter.
  • Run a fraud check on every new vendor and any changed banking details — takes under a minute with PaySentinel and catches patterns that manual review misses.
  • Train everyone who touches invoices — the person who opens the mail or email is often the first line of defense. Make sure they know these red flags.

Frequently Asked Questions

What do I do if I already paid a fake invoice?

Act immediately — every hour matters. Call your bank's fraud line right away and ask them to issue a wire recall. Banks can sometimes intercept a wire if it hasn't been fully processed yet, but this window closes fast. At the same time, notify your manager and document everything you know about the transaction.

Then file a report with the FBI Internet Crime Complaint Center at ic3.gov. The FBI has dedicated financial crime units that handle wire fraud — a filed IC3 report also creates a paper trail that may be required by your insurance company if you have a cyber or crime policy.

Can invoice fraud happen with vendors I've worked with for years?

Yes — and this is exactly how invoice redirect fraud works. A trusted vendor's email account gets compromised, or an attacker intercepts invoices in transit and alters the banking details before they reach you. Because everything else looks right — the vendor name, the scope, the amount — these are often harder to catch than a completely fake invoice from an unknown vendor.

The #1 defense for existing vendors is comparing routing numbers against your records on every invoice. Any change, no matter how small, requires a phone call to a number you already have on file.

How do fraudsters know which vendors we use?

Several ways. Business email compromise often starts with an attacker gaining access to someone's email account — either yours or your vendor's — and reading correspondence to learn which vendors you pay and how much. Public records, LinkedIn, and company websites also reveal vendor relationships. Some attackers buy data from breaches that include supplier lists.

The implication is that a convincing fake invoice isn't luck — it's often targeted research. Treat any invoice with changed banking details as suspicious regardless of how well the attacker seems to know your relationship with the vendor.

Is it legal to delay payment while verifying an invoice?

Generally yes — and most vendor contracts build in payment terms (Net 30, Net 60) that give you time to process. A brief hold for verification is standard practice and any legitimate vendor will understand. If a vendor threatens legal action or service interruption over a 24–48 hour verification delay, that itself is a red flag worth documenting.

If you have a contract with specific payment terms, check those first — but a good-faith verification hold for fraud prevention is unlikely to create legal exposure, especially if you document what you found and why you paused.

Do these scams only target large payments?

No. While high-value wire fraud gets the most attention, small-amount phantom vendor invoices ($200–$800) are common precisely because they often get processed without scrutiny. Fraudsters sometimes start with small amounts to test whether an AP process will pay without verification, then escalate once they know it works.

Apply the same verification standards regardless of amount. An invoice that can't be matched to a PO or contract shouldn't be paid whether it's $300 or $30,000.

What's the difference between invoice fraud and billing fraud?

Invoice fraud typically refers to external attacks — a fake or altered invoice from someone outside your organization. Billing fraud (or billing scheme fraud) often refers to internal fraud, where an employee submits false invoices for personal gain — either from fake vendors they control or by inflating legitimate invoices.

The detection overlap is significant — low invoice numbers, vague scope, round amounts, and missing PO matches are red flags for both. Three-way matching and dual authorization are the most effective controls for both types.

How PaySentinel Catches These Automatically

Most of the red flags above require manual research — looking up domains, checking vendor files, comparing routing numbers. PaySentinel automates the pattern detection so you catch these faster and more consistently, even on busy days when manual checks get rushed.

Here's which flags the invoice check covers automatically:

Red flag PaySentinel detects? How
Routing number changed ✓ Yes Compares against your vendor history in local memory — flags any change from prior analyses
Typosquat email domain ✓ Yes Checks email domain against known typosquat patterns and flags suspicious lookalike domains
Free consumer email ✓ Yes Flags Gmail, Yahoo, Hotmail, and other consumer email providers for business invoices
Structuring amount (just under $10K) ✓ Yes Flags amounts in the $9,000–$9,999 range as potential CTR structuring
ABA routing number validity ✓ Yes Runs ABA checksum validation on every routing number submitted
Urgency / BEC language signals ✓ Yes Detects urgency, secrecy, and pressure language patterns in email content
Round amount for complex services ✓ Yes Flags suspiciously round invoice amounts relative to the service type
Low invoice number Partial Flags when noted in invoice details — not automatically extracted from PDFs
PDF metadata tampering Manual step Requires checking file properties yourself — PaySentinel analyzes the payment details you paste in, not the PDF file directly
No PO match Manual step Three-way matching requires access to your internal PO system — do this before running the check
✓ How to use PaySentinel for invoice checks

Open the Invoice tab in the app. Paste in the vendor name, their email address, the routing number, the invoice amount, and any notes about how the invoice arrived. PaySentinel runs the check and returns a risk score with specific red flags and recommended next steps — the whole process takes under a minute.

Wondering how a structured tool compares to reviewing invoices manually? See what each approach catches and where each falls short →

Check a suspicious invoice now

Paste in the vendor name, routing number, amount, and email — PaySentinel checks for all 12 red flags and gives you a risk score in under a minute. Free for small businesses.

Check an invoice free →