Invoice Fraud Red Flags: How to Spot a Fake Invoice Before You Pay (2026)
Fake and altered invoices are the most common entry point for payment fraud at small businesses. Unlike phishing emails, they look exactly like legitimate invoices — because they often are legitimate invoices, with one or two details changed. This guide covers the 12 red flags that reveal a fraudulent invoice, with examples of what each looks like in practice.
The Four Types of Invoice Fraud
Not all invoice fraud works the same way. Understanding which type you're dealing with changes what you look for.
A real invoice from a real vendor is intercepted — via email compromise or man-in-the-middle — and the banking details are changed before it reaches you. Everything looks correct except the routing and account numbers.
A completely fabricated invoice from a fake company. Usually arrives unsolicited, for services that are vague or hard to verify. Targets businesses with loose invoice approval processes.
Fraudsters research your existing vendor relationships and send invoices mimicking those vendors — same company name, similar logo, close-but-not-quite email domain — with changed payment details.
A real invoice is submitted twice, or amounts are inflated between approval and payment. Often an internal fraud risk, but also used by bad actors who gain access to your billing relationship with a vendor.
What to Check on Every Invoice
Here's a fabricated invoice annotated with the fields that carry the highest fraud risk. Each numbered marker corresponds to a specific check you should perform.
Portland, OR 97201 2
billing@northgate-it.com 3
Bank: First Demo Bank
Routing: 000000001 9
Account: 9999000001
⚠ Note: We have updated our banking details. Please use this routing number for all future payments. 10
- 1Company name — does it exactly match your vendor records? Watch for subtle differences like "Northgate IT" vs "Northgate IT Solutions" vs "Northgate I.T."
- 2Address — verify it matches the address in your vendor file. A different city or state from previous invoices is a red flag.
- 3Email domain — check every character. northgate-it.com vs northgate.com vs northgateit.com are all different domains.
- 4Invoice number — INV-0007 from a company that's supposedly been in business for years is suspicious. Low numbers suggest a very new operation.
- 5Due date pressure — an unusually short payment window (less than 14 days on a first invoice) is sometimes used to create urgency before you complete due diligence.
- 6Vague scope — "general IT advisory" with no deliverables, hours, or specifics makes the invoice hard to verify against a contract or purchase order.
- 7Amount — is it consistent with your contract or prior invoices? Round amounts for complex services warrant scrutiny.
- 8"Wire transfer only" — a restriction to wire-only payment removes your ability to reverse or dispute the transaction. Legitimate vendors usually accept multiple payment methods.
- 9Routing number — compare against your vendor file. Any change requires a phone verification call to a number you found independently.
- 10Banking detail change notice — this is the #1 red flag. Legitimate banking changes come via secure channels, not invoice footnotes.
12 Invoice Fraud Red Flags
Each of these signals is a reason to pause and verify. Multiple flags on the same invoice is a serious warning — do not process the payment until each one is resolved.
This is the single most reliable indicator of invoice redirect fraud. A fraudster intercepts a legitimate invoice and changes only the banking details — everything else looks exactly right because it was a real invoice from a real vendor.
Any routing number change requires a phone call to a number from your vendor file — not from the invoice — and a signed bank authorization letter on company letterhead before you update your records.
Fraudsters register domains that look nearly identical to real vendor domains. The difference is often one character — easy to miss when you're processing dozens of invoices.
Any invoice over $1,000 arriving from a Gmail, Yahoo, Hotmail, or other consumer email account is a serious red flag. Legitimate businesses use company domain email addresses for billing. Free email accounts are trivially easy to create and impersonate.
A company claiming to have been in business for several years should have invoice numbers in the hundreds or thousands. An invoice numbered INV-003, INV-007, or INV-012 from an "established" business suggests either a very new operation or a freshly created fake.
Banks are required to file Currency Transaction Reports (CTRs) for cash transactions over $10,000. Some fraudsters deliberately structure payment requests just below this threshold — $9,800, $9,750, $9,900 — to avoid triggering reporting. This is called structuring, and it's a federal crime. Seeing this pattern on an invoice is a significant red flag regardless of whether the invoice is fraudulent.
Phantom vendor invoices typically describe services that are impossible to verify — "consulting services," "advisory fees," "IT support," or "professional services" with no deliverables, no hours, and no reference to a contract or purchase order. If you can't point to what was delivered, the invoice shouldn't be paid.
Fraudsters specify wire transfer exclusively because wires are irreversible. Legitimate vendors typically accept ACH, check, or credit card alongside wire transfers. An invoice that specifically restricts payment to wire only — especially combined with urgency — is a significant warning.
If the "remit payment to" address on an invoice is in a different city, state, or country from the vendor's listed business address — and this is different from prior invoices — verify before paying. This can indicate the payment is being redirected to a different party.
Any invoice that can't be matched to an approved purchase order or a signed contract should be held until the underlying work is verified. This is standard three-way matching (invoice, PO, receipt) — one of the most effective controls against phantom vendor fraud.
PDF files contain embedded metadata including when the document was created and last modified. An invoice PDF that shows a "last modified" date of hours before it was sent — especially if that date is different from the invoice date — may have been altered in transit. You can check PDF metadata by opening the file properties in Adobe Acrobat or a free PDF reader.
Language like "payment required within 24 hours to avoid service interruption," "please process today," or follow-up calls pressing for immediate payment are designed to get money out before you complete your normal verification process. Legitimate vendors build payment terms into contracts — they don't create emergencies around individual invoices.
An invoice arriving from a vendor you have no record of engaging — no signed contract, no purchase order, no prior contact — should be treated as a phantom vendor attempt until proven otherwise. Some fraudsters send invoices for small amounts ($200–$500) hoping they'll be processed without scrutiny. Confirm with the person at your company who supposedly engaged the vendor before paying anything.
What to Do When You Spot a Red Flag
A red flag doesn't mean the invoice is definitely fraudulent. It means you need to verify before paying. Here's the process:
- Hold the payment — do not process until verification is complete. It is always better to delay a legitimate payment than to send a fraudulent one.
- Do not reply to the invoice email — if the sender is a fraudster, replying tips them off that you're investigating. Contact the vendor independently.
- Call the vendor using a number from your existing records — look up the number independently, not from the invoice. Confirm whether they sent the invoice and whether the banking details are correct.
- Check the PDF metadata — open file properties and check the "modified" date. If the document was edited recently before being sent, document this.
- Run a fraud analysis — submit the invoice details through PaySentinel to check for additional patterns your manual review might have missed.
- Escalate if you can't verify — if you cannot independently confirm the invoice is legitimate, escalate to your manager before taking any further action.
- Document everything — regardless of outcome, record what you found, who you spoke with, and what was confirmed. This protects you and creates an audit trail.
Act within the first hour.
Call your bank immediately and ask them to issue a wire recall. The chances of recovery drop significantly after the first few hours. Then file a report with the FBI Internet Crime Complaint Center at ic3.gov and notify your local FBI field office — they have dedicated financial crime units that handle wire fraud.
Building a Process That Prevents Invoice Fraud
Individual red flag checks are necessary, but the best protection is a consistent process that makes fraud structurally harder to execute.
- Implement three-way matching — every invoice must match an approved purchase order and a delivery receipt before payment is authorized. This alone eliminates most phantom vendor fraud.
- Set a dual-authorization threshold — any payment above a set amount (e.g. $5,000) requires a second approver who independently verifies the invoice, not just countersigns.
- Maintain a vendor master file — a single authoritative record of every vendor's banking details, contacts, and payment history. Changes to this file require a documented approval process, not just an email.
- Never update banking details based on email alone — any routing or account number change requires a phone call to a verified number and a signed bank authorization letter.
- Run a fraud check on every new vendor and any changed banking details — takes under a minute with PaySentinel and catches patterns that manual review misses.
- Train everyone who touches invoices — the person who opens the mail or email is often the first line of defense. Make sure they know these red flags.
Frequently Asked Questions
Act immediately — every hour matters. Call your bank's fraud line right away and ask them to issue a wire recall. Banks can sometimes intercept a wire if it hasn't been fully processed yet, but this window closes fast. At the same time, notify your manager and document everything you know about the transaction.
Then file a report with the FBI Internet Crime Complaint Center at ic3.gov. The FBI has dedicated financial crime units that handle wire fraud — a filed IC3 report also creates a paper trail that may be required by your insurance company if you have a cyber or crime policy.
Yes — and this is exactly how invoice redirect fraud works. A trusted vendor's email account gets compromised, or an attacker intercepts invoices in transit and alters the banking details before they reach you. Because everything else looks right — the vendor name, the scope, the amount — these are often harder to catch than a completely fake invoice from an unknown vendor.
The #1 defense for existing vendors is comparing routing numbers against your records on every invoice. Any change, no matter how small, requires a phone call to a number you already have on file.
Several ways. Business email compromise often starts with an attacker gaining access to someone's email account — either yours or your vendor's — and reading correspondence to learn which vendors you pay and how much. Public records, LinkedIn, and company websites also reveal vendor relationships. Some attackers buy data from breaches that include supplier lists.
The implication is that a convincing fake invoice isn't luck — it's often targeted research. Treat any invoice with changed banking details as suspicious regardless of how well the attacker seems to know your relationship with the vendor.
Generally yes — and most vendor contracts build in payment terms (Net 30, Net 60) that give you time to process. A brief hold for verification is standard practice and any legitimate vendor will understand. If a vendor threatens legal action or service interruption over a 24–48 hour verification delay, that itself is a red flag worth documenting.
If you have a contract with specific payment terms, check those first — but a good-faith verification hold for fraud prevention is unlikely to create legal exposure, especially if you document what you found and why you paused.
No. While high-value wire fraud gets the most attention, small-amount phantom vendor invoices ($200–$800) are common precisely because they often get processed without scrutiny. Fraudsters sometimes start with small amounts to test whether an AP process will pay without verification, then escalate once they know it works.
Apply the same verification standards regardless of amount. An invoice that can't be matched to a PO or contract shouldn't be paid whether it's $300 or $30,000.
Invoice fraud typically refers to external attacks — a fake or altered invoice from someone outside your organization. Billing fraud (or billing scheme fraud) often refers to internal fraud, where an employee submits false invoices for personal gain — either from fake vendors they control or by inflating legitimate invoices.
The detection overlap is significant — low invoice numbers, vague scope, round amounts, and missing PO matches are red flags for both. Three-way matching and dual authorization are the most effective controls for both types.
How PaySentinel Catches These Automatically
Most of the red flags above require manual research — looking up domains, checking vendor files, comparing routing numbers. PaySentinel automates the pattern detection so you catch these faster and more consistently, even on busy days when manual checks get rushed.
Here's which flags the invoice check covers automatically:
| Red flag | PaySentinel detects? | How |
|---|---|---|
| Routing number changed | ✓ Yes | Compares against your vendor history in local memory — flags any change from prior analyses |
| Typosquat email domain | ✓ Yes | Checks email domain against known typosquat patterns and flags suspicious lookalike domains |
| Free consumer email | ✓ Yes | Flags Gmail, Yahoo, Hotmail, and other consumer email providers for business invoices |
| Structuring amount (just under $10K) | ✓ Yes | Flags amounts in the $9,000–$9,999 range as potential CTR structuring |
| ABA routing number validity | ✓ Yes | Runs ABA checksum validation on every routing number submitted |
| Urgency / BEC language signals | ✓ Yes | Detects urgency, secrecy, and pressure language patterns in email content |
| Round amount for complex services | ✓ Yes | Flags suspiciously round invoice amounts relative to the service type |
| Low invoice number | Partial | Flags when noted in invoice details — not automatically extracted from PDFs |
| PDF metadata tampering | Manual step | Requires checking file properties yourself — PaySentinel analyzes the payment details you paste in, not the PDF file directly |
| No PO match | Manual step | Three-way matching requires access to your internal PO system — do this before running the check |
Open the Invoice tab in the app. Paste in the vendor name, their email address, the routing number, the invoice amount, and any notes about how the invoice arrived. PaySentinel runs the check and returns a risk score with specific red flags and recommended next steps — the whole process takes under a minute.
Wondering how a structured tool compares to reviewing invoices manually? See what each approach catches and where each falls short →
Check a suspicious invoice now
Paste in the vendor name, routing number, amount, and email — PaySentinel checks for all 12 red flags and gives you a risk score in under a minute. Free for small businesses.
Check an invoice free →