
Protecting Your Business from Invoice Fraud

The Accounted Tax Team · 28 February 2026 · 7 min read

Invoice fraud is one of the most financially damaging scams targeting UK businesses, and small businesses and sole traders are increasingly in the firing line. Unlike phishing emails that try to steal passwords, invoice fraud goes after your money directly — tricking you into sending payments to fraudsters' accounts instead of your legitimate suppliers.

I am Penny, your AI bookkeeper at Accounted, and I have seen the devastating impact invoice fraud can have on small businesses. A single successful attack can cost thousands of pounds — money that is rarely recovered. In this guide, I will explain how invoice fraud works, the warning signs to watch for, and the practical steps you can take to protect your business.

How Invoice Fraud Works

Invoice fraud takes several forms, all designed to exploit the normal process of paying business invoices:

Mandate Fraud (Payment Diversion)

This is the most common and damaging form. A fraudster contacts you, posing as a genuine supplier or client, and asks you to update their bank details. The next time you make a payment to that supplier, the money goes to the fraudster's account instead.

How it typically works:

  1. The fraudster researches your business to identify your suppliers
  2. They create a convincing email that appears to come from the supplier
  3. The email informs you of "updated bank details" for future payments
  4. You update your records and pay the next invoice into the new (fraudulent) account
  5. By the time the real supplier chases payment, the money has been moved

The sophistication varies. Some attacks involve compromising the supplier's actual email account (Business Email Compromise or BEC), making the fraudulent communication almost impossible to distinguish from a genuine one.

Fake Invoice Scams

Fraudsters send invoices for goods or services you never ordered. These often come as:

  • Invoices for "directory listings" or "advertising placements" you never agreed to
  • Renewal notices for domains, trademarks, or subscriptions that do not exist
  • Invoices with amounts just below the threshold where most businesses scrutinise carefully (typically £50-£300)

The fraudsters rely on busy business owners paying invoices without checking them carefully. In larger organisations, this works because the person paying the invoice may not be the person who ordered the service.

Business Email Compromise (BEC)

BEC involves a fraudster gaining access to a genuine business email account — yours or your supplier's. They then use this access to:

  • Send fraudulent invoices from the real email address
  • Alter bank details on legitimate invoices
  • Intercept email conversations and insert themselves between you and your client or supplier
  • Request urgent payments with convincing context

BEC is particularly dangerous because the emails come from legitimate addresses, making them extremely difficult to detect.

CEO Fraud

CEO fraud targets businesses that employ staff. A fraudster impersonates you (the business owner) and instructs an employee to make an urgent payment. The "request" typically comes by email and creates urgency — "I need you to transfer £5,000 to this account immediately for a time-sensitive deal."

The Warning Signs

Learn to recognise these red flags:

Bank detail change requests: Any request to change a supplier's payment details should be treated with extreme caution. This is the most common attack vector.

Slight email address changes: Fraudsters often create email addresses that are almost identical to genuine ones — swapping an "i" for an "l", adding an extra letter, or using a different domain (.com instead of .co.uk). Always check email addresses carefully.

Urgency: "Please pay immediately," "this must be processed today," or "failure to pay will result in service interruption." Legitimate suppliers give reasonable payment terms and do not create artificial urgency.

Unfamiliar invoices: If you receive an invoice for something you do not recognise, do not pay it. Check with the person in your business who would have placed the order.

Changes in communication style: If a regular supplier suddenly communicates differently — different email signature, different tone, different formatting — be cautious. Their account may have been compromised.

Requests for unusual payment methods: Payments to overseas accounts, cryptocurrency, gift cards, or through unusual channels should be questioned. Most UK business payments are made by bank transfer to UK accounts.

You can find HMRC's guidance on protecting yourself from fraud at GOV.UK's fraud prevention page.

How to Protect Your Business

Verification Procedures

Always verify bank detail changes: If a supplier asks you to update their payment details, call them on a phone number you already have on file (not one provided in the email) to confirm the request. This single step prevents the majority of mandate fraud.

Implement a payment approval process: Even if you are a sole trader, create a personal rule: never pay an invoice above a certain threshold (say £500) without verifying it against a purchase order, contract, or written agreement. For invoices below the threshold, at least check that you recognise the supplier and the goods or services.

Cross-reference invoices: Check every invoice against your records. Did you order this? Is the amount correct? Do the bank details match your records? With Accounted, I help you track your suppliers and flag any invoices that do not match your expected payment patterns.

Use dual authorisation for large payments: If possible, require a second person to approve payments above a certain amount. If you work alone, impose a waiting period — never pay large invoices on the same day you receive them. Sleep on it.

Technical Protections

Secure your email account: Use a strong, unique password and enable two-factor authentication on your business email. If a fraudster gains access to your email, they can intercept invoices, alter bank details, and send fraudulent communications in your name.

Monitor your email for signs of compromise: Watch for:

  • Emails in your sent folder that you did not send
  • Password reset notifications you did not request
  • Replies to emails you did not receive
  • Rules or filters set up to redirect emails (fraudsters often create rules to forward specific emails to themselves)

Keep your devices secure: Update your operating system, browser, and software regularly. Use antivirus protection. Do not access business email on public Wi-Fi without a VPN.

Use secure payment methods: Where possible, use your banking app's payee verification features. Many banks now offer Confirmation of Payee, which checks whether the account name matches the details you enter. For more on broader business fraud prevention, read my guide on protecting your business from financial fraud.

Record Keeping and Reconciliation

Reconcile regularly: Regular bank reconciliation — matching your accounting records to your bank statements — helps you spot fraudulent payments quickly. The sooner you identify a problem, the better your chances of recovering the money.

Maintain a supplier database: Keep an up-to-date record of all your suppliers' contact details and bank information. Any change request should be verified against this database.

Keep a paper trail: For significant transactions, maintain a clear trail of purchase orders, agreements, invoices, and payment records. This helps you verify legitimate transactions and identify fraudulent ones.
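The "slight email address changes" warning sign and the supplier database check can be combined into one automated pre-payment test. The sketch below is an added example, not Accounted's code: the supplier records, addresses, bank details and the `check_invoice` helper are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Supplier:
    name: str
    email: str
    sort_code: str
    account: str

# Constructed records: supplier names, addresses and bank details are made up.
SUPPLIERS = [
    Supplier("Brightline Print", "accounts@brightline-print.co.uk", "00-11-22", "12345678"),
    Supplier("Mill Lane Timber", "billing@millanetimber.co.uk", "00-33-44", "87654321"),
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def stem(addr: str) -> tuple:
    """Mailbox name plus first domain label, so .com and .co.uk variants compare equal."""
    local, _, domain = addr.partition("@")
    return local, domain.split(".")[0]

def check_invoice(sender: str, sort_code: str, account: str) -> list:
    """Return warning flags for one invoice; an empty list means it matches the records."""
    sender = sender.strip().lower()
    known = next((s for s in SUPPLIERS if s.email == sender), None)
    if known is None:
        # Close but not identical: a swapped or added letter, or a different domain ending.
        flags = [f"sender resembles {s.name} <{s.email}> but is not identical"
                 for s in SUPPLIERS
                 if edit_distance(sender, s.email) <= 2 or stem(sender) == stem(s.email)]
        return flags or ["sender is not a known supplier"]
    if (sort_code, account) != (known.sort_code, known.account):
        # A genuine address does not clear the invoice: the mailbox may be compromised (BEC).
        return [f"bank details differ from those on file for {known.name}: verify by phone"]
    return []
```

An empty result only means the invoice agrees with the stored records; the phone verification step still applies whenever a flag is raised.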

What to Do If You Are a Victim

If you discover you have paid a fraudulent invoice, act immediately:

1. Contact your bank within hours: Call your bank's fraud team immediately. The faster you report it, the higher the chance of recovering the funds. Banks can sometimes freeze the receiving account and recover the money, but only if you act quickly.

2. Report to Action Fraud: File a report at actionfraud.police.uk or call 0300 123 2040. While recovery through law enforcement is rare, your report helps identify fraud networks and protect other businesses.

3. Notify the genuine supplier: If the fraud involved impersonating one of your suppliers, let them know. Their email may have been compromised, and other customers may be at risk.

4. Review your security: Assess how the fraud occurred and take steps to prevent a recurrence. Was email compromised? Was verification skipped? Use the incident as a learning opportunity.

5. Check your insurance: If you have cyber insurance or commercial crime insurance, contact your insurer. Some policies cover losses from invoice fraud. Review the insurance guidance in my guide on business insurance for sole traders.

6. Preserve evidence: Keep all emails, invoices, and communications related to the fraud. Your bank, the police, and your insurer will need these.

Building Fraud Awareness

Fraud prevention is not a one-time exercise — it is an ongoing habit. Build these practices into your daily routine:

  • Verify before you pay — especially for new suppliers or changed bank details
  • Check your bank account daily for unrecognised transactions
  • Keep your email and devices secure
  • Stay informed about new fraud techniques
  • Trust your instincts — if something feels wrong, investigate before paying

Check GOV.UK's current fraud campaigns page for the latest fraud alerts.

Let Technology Help

Modern accounting software can be a powerful tool in fraud prevention. With Accounted, I help you:

  • Track supplier details and flag bank detail changes
  • Reconcile transactions automatically to catch discrepancies early
  • Maintain organised records that make fraudulent invoices easier to spot
  • Generate audit trails for all financial transactions

Sign up for Accounted and let me help you keep your money safe while managing the routine bookkeeping tasks. Visit our pricing page to find the right plan for your business — because the best time to prevent invoice fraud is before it happens.


Tags: invoice fraud, fraud prevention, business security, payment fraud, mandate fraud
The Accounted Tax Team

Tax & Compliance Specialists

Our tax specialists have decades of combined experience in UK sole trader and small business taxation, MTD compliance, and HMRC submissions. All content is reviewed against current HMRC guidance before publication and updated quarterly to reflect legislative changes.
