Invoice fraud occurs when criminals intercept payment invoices, alter the bank account details, and divert funds to fraudulent accounts. It targets businesses of all sizes and can result in significant financial losses that are extremely difficult to recover. Implementing verification controls at every stage of the payment process is the most effective defence.
What Is Invoice Fraud?
Invoice fraud (also called mandate fraud or payment diversion fraud) is a form of business fraud where attackers convince your accounts team that supplier payment details have changed. They may impersonate a supplier, intercept email correspondence containing invoices, or compromise the email account used to send invoices, then substitute their own bank account details before the invoice reaches your finance department.
How Does Invoice Fraud Happen?
Step 1: Interception or Account Compromise
Criminals either intercept the invoice in transit or compromise the email account used to send it. They then modify the bank details on the document. Apart from those details, the altered invoice looks identical to the original.
Step 2: Payment to a Fraudulent Account
Your finance team processes the payment to the new (fraudulent) account because the rest of the invoice looks legitimate. As a result, the fraud is often not discovered until the real supplier chases payment.
Step 3: Subsequent Invoices Also Diverted
Once a fraudulent account enters your payment system, future invoices to that supplier are also diverted. This can continue for months before discovery.
Who Is Most Vulnerable to Invoice Fraud?
Small and medium enterprises are most frequently targeted because they often lack formal payment verification procedures. However, large organisations are also at risk. Legal firms, IT service providers, and HR management companies are among the most frequently targeted sectors. Implementing robust controls at the accounts payable level is essential for protecting businesses from cybercrime.
How to Prevent Invoice Fraud?
- Verify payment detail changes verbally — Any request to change supplier bank details must be confirmed by phone using a number already on record — not a number provided in the change request email.
- Never rely solely on email instructions — Fraudsters can spoof email addresses to appear to come from a legitimate supplier or even someone within your own organisation.
- Establish a single point of contact per supplier — Consistency reduces the chance of unauthorised changes slipping through.
- Audit invoices against prior records — Compare each invoice against previous ones from the same supplier, paying close attention to bank account numbers, logos, and language.
- Implement dual-authorisation for payments — Require two separate people to approve any change to supplier banking details or any payment above a set threshold.
- Remove supplier endorsements from public websites — Public supplier lists make it easier for fraudsters to identify your vendors and impersonate them.
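The controls above can be enforced as a pre-payment check in an accounts payable workflow. The following is an added example, not part of the original article; the record layout, field names, supplier data and approval threshold are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 500_000  # assumed policy threshold, in the invoice currency

# Constructed supplier master record: bank details and contact already on file.
SUPPLIER_MASTER = {
    "SUP-001": {"account_number": "000111222333",
                "contact_email": "accounts@supplier.example"},
}

@dataclass
class Invoice:
    supplier_id: str
    account_number: str
    amount: int
    sender_email: str
    approvers: set = field(default_factory=set)
    callback_confirmed: bool = False  # phone check made on the number already on record

def normalise(account: str) -> str:
    """Strip spaces and dashes so formatting alone neither hides nor fakes a change."""
    return "".join(ch for ch in account if ch.isalnum()).upper()

def review_invoice(inv: Invoice, master: dict = SUPPLIER_MASTER) -> list[str]:
    """Return the reasons to hold payment; an empty list means release."""
    record = master.get(inv.supplier_id)
    if record is None:
        return ["unknown supplier: no record to verify against"]
    holds = []
    changed = normalise(inv.account_number) != normalise(record["account_number"])
    # A change of bank details is never accepted on the strength of the email alone.
    if changed and not inv.callback_confirmed:
        holds.append("bank details differ from record: confirm by phone on the number on file")
    # Consistency check only: a matching sender address can be spoofed, so it
    # never clears a hold; a mismatch adds one.
    if inv.sender_email.lower() != record["contact_email"].lower():
        holds.append("sender is not the supplier's single point of contact")
    if (changed or inv.amount > DUAL_APPROVAL_THRESHOLD) and len(inv.approvers) < 2:
        holds.append("dual authorisation required: two separate approvers")
    return holds

if __name__ == "__main__":
    altered = Invoice("SUP-001", "999888777666", 120_000,
                      "accounts@supplier.example", {"clerk1"})
    for reason in review_invoice(altered):
        print("HOLD:", reason)
```

Updating the master record itself should go through the same callback and dual-approval steps, since a fraudulent account that reaches the master record diverts every later invoice for that supplier.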
What Are the GST Penalties for Invoice Fraud in India?
Under the GST Act, false invoice penalties are severe. Both supplier and recipient face a penalty of 100% of the input tax credit claimed or the GST amount evaded. Facilitators such as brokers and practitioners who assist in such fraud face the same 100% penalty. The GST Act also provides for imprisonment of up to five years for serious invoice fraud offences.
How to Report Invoice Fraud in India?
- Call the National Cyber Crime Helpline: 1930
- File a complaint at cybercrime.gov.in
- Lodge an FIR at your nearest cyber crime police station
- Notify your bank’s fraud team immediately to attempt a transaction reversal
If your organisation has been a victim of invoice fraud, contact cyber expert Anuraag Singh for urgent digital forensics support and legal guidance.


