Linkedin Facebook Youtube Instagram
OPEN ACCOUNT
OPEN ACCOUNT

How to Spot Invoice Fraud and Vendor Impersonation

Key Takeaways:

  • Fraud and impersonation have become highly sophisticated, often involving hijacked email threads and legitimate-looking PDFs. To protect your business, follow these essential security practices:
  • #1 Red Flag: Any sudden request to change payment instructions or ACH/wire details, especially via email, is the most common sign of fraud.
  • Verify Before You Pay: Never use contact information provided in a suspicious email. Always call the vendor using a verified phone number already on file to confirm bank account changes.
  • Identify Hijacked Emails: Look for subtle domain name changes, unusual urgency, or shifts in the sender’s tone and formatting.
  • Deploy Technical Safeguards: Use tools like Positive Pay and ACH Monitoring to catch mismatched checks and unauthorized electronic drafts before funds leave your account.
  • Act Fast: If you suspect fraud, contact your bank immediately. Fraudsters move stolen funds within hours, making the speed of reporting the most critical factor in recovery.

Invoice fraud and vendor impersonation scams are two of the most common forms of accounts payable fraud affecting businesses in North Carolina and Virginia. The most frequent warning sign is a sudden change in payment instructions — especially when it arrives by email.

In 2026, invoice fraud prevention for businesses is less about spotting obvious fake invoices and more about verifying subtle changes before funds are released. Fraudsters now intercept legitimate email threads, alter payment details, and move money within hours.

Insights shared at Southern Bank’s Fraud Prevention Symposium in Raleigh reinforced a simple truth: Verification must become routine, not reactive.

What Is Invoice Fraud?

Invoice fraud happens when a business pays a fake or altered invoice, believing it came from a trusted vendor.

In many cases, the invoice itself looks completely legitimate. That’s because criminals often use business email compromise (BEC) tactics to manipulate real vendor communications.

Sheila Ewers, Vice President, Fraud Analyst III – Risk Management at Southern Bank, explained that emails are often intercepted and altered, and “the invoices look just like the regular ones you’ve seen for years.” That familiarity creates blind spots inside otherwise well-run accounting departments.

How Do Scammers Impersonate Legitimate Vendors?

Vendor impersonation scams typically follow a predictable pattern:

  • A fraudster gains access to a vendor’s email account — or spoofs a nearly identical address.
  • They monitor communication quietly.
  • At the right time, they request updated ACH or wire instructions.
  • Funds are rerouted before anyone realizes the change was fraudulent.

The most common red flag is new banking information buried inside what appears to be a routine email thread.

Heather Stroud, Special Investigator with the North Carolina State Bureau of Investigation, explained that fraud often succeeds when businesses rely on trust without verification. As she noted, “We live in a society today that now we have to verify to trust.” That mindset shift has shaped many of the fraud investigations across the state.

What Is the Most Common Sign of Invoice Fraud?

The most common sign of invoice fraud is a sudden request to change payment instructions. If a vendor emails new wire details mid-project or asks you to update ACH information without prior discussion, pause immediately. Fraudsters rely on urgency and familiarity.

Ewers warned businesses not to rush payment decisions, even when money is legitimately owed. As she put it, “Don’t rush to send money, even when you know you owe it. Stop and verify first.”

Slowing down a payment process by even a few minutes can prevent significant losses.

Warning Signs of a Hijacked Email Thread

Business email compromise protection begins with recognizing subtle behavioral changes.

Watch for:

  • Slight differences in email domains
  • Changes in tone or formatting
  • New urgency around payment deadlines
  • Requests to bypass established approval processes
  • Payment instructions that differ from historical records

Stroud reinforced that no request should override internal controls, reminding businesses that “nothing is urgent enough that you can’t stop and verify.”

How to Verify Vendor Bank Account Changes

If a vendor sends updated payment instructions, follow a structured verification process:

  1. Do not reply directly to the email.
  2. Call the vendor using a phone number already on file — not one included in the message.
  3. Confirm the change verbally.
  4. Document the verification.
  5. Require secondary approval before releasing funds.

This approach protects against social engineering in accounts payable and supports stronger dual authorization for wire transfers.

Stroud emphasized the human element behind every safeguard, noting that “people protect people. That’s the end result — we have to protect each other.”

How Can You Tell if a PDF Invoice Has Been Tampered With?

Many fraudulent invoices contain no obvious visual errors. Logos, formatting, and language often appear identical to previous invoices.

That’s why visual inspection alone is not enough.

As Ewers explained, emails are frequently altered mid-thread, and the invoices appear indistinguishable from legitimate ones. Without a defined verification process, even experienced teams can miss fraudulent changes.

Instead of relying solely on appearance, businesses should combine:

  • Vendor verification procedures
  • Dual control for payment approvals
  • Automated invoice verification software
  • Treasury management monitoring tools

Process protects where perception can fail.

How Positive Pay and ACH Monitoring Support Fraud Prevention

Technology plays a critical role in modern accounts payable fraud detection.

Lauren Schlafer, Assistant Vice President and Treasury Services Specialist at Southern Bank, explained that Positive Pay gives businesses the opportunity to catch suspicious or altered checks before funds are withdrawn. As she described it, “Positive Pay lets you see mismatched checks before they ever hit your account.”

For electronic payments, ACH Positive Pay provides another layer of defense. Schlafer noted that “ACH Positive Pay helps protect against electronic drafts — you’re alerted before anything posts.”

These treasury management tools strengthen Southern Bank treasury management security and provide businesses with proactive visibility — not just reactive reporting.

What Should You Do if You Suspect Invoice Fraud?

If your business believes funds were sent to a fraudulent account:

  • Contact Southern immediately.
  • Notify the vendor using verified contact information.
  • Preserve all communications.
  • File a report with the appropriate authorities.

Speed matters. Ewers shared that in one recent case, “We’ve had a customer lose nearly a million dollars to business email compromise. That money moves fast.” The faster the response, the better the chance of recovery.

Strengthening Fraud Prevention for North Carolina and Virginia Businesses

Fraud prevention is not a one-time policy update. It is an ongoing discipline that blends human vigilance with practical controls.

Southern Bank works with businesses across North Carolina and Virginia to strengthen internal controls, implement Positive Pay and ACH monitoring, and build verification processes that reduce exposure to payment fraud.

Because in today’s environment, trust must be paired with verification — and process must move as deliberately as protection requires.

Online Banking




Don’t have Online Banking? Sign Up
Linkedin Facebook Youtube Instagram Twitter