Invoice Phishing

Lately at Consilium we’ve been seeing an increase in phishing attacks. Employees of a company are sent invoices for large sums of money that appear to come from legitimate sources from within the company or from trusted partners and suppliers. This is an old style of attack but it’s very effective as it can be difficult to pre-emptively block and relies on the end user spotting the fraud.

The attacks usually play out as follows:

  • Contoso Ltd has a designated employee for handling payment of invoices and who is authorised to make bank transfers
  • The company’s policy states transfers must be authorised by a director within the company
  • Bill at Contoso receives an email containing an invoice from what appears to be his CFO, Deborah
  • The email appears to be from her legitimate email address
  • The email instructs Bill to pay £10,000 to a company for their services or goods and provides a bank account number
  • Bill knows that Deborah is authorised to make these requests and goes ahead and makes the payment
  • It turns out Deborah made no such request and Bill has sent a large sum of cash to some scammers in a foreign country

A very simple but effective attack. Contoso now has to speak to their bank to recover the money, but in many cases they get nothing back at all.

You may think it’s difficult for attackers to get information about your company and its hierarchy, but in reality this information is often very easily obtained from public sources or by social engineering.

So what are some of the tricks to watch out for and how can you prevent this happening to your company?

User Education

  • Look at the language used: is it written in proper English with correct spelling? Do the tone and language used in the email match the usual style of the sender?
  • Who is the money being transferred to? Do you normally make payments to them in this way and are those their usual bank details?
  • Look at who the email is from: not just the display name, but the actual From field of the email. Is the email address and domain name spelt correctly? Often scammers will register similar domain names to their target with a few letters out of place such as or to send their scam emails. Sometimes they simply use the company’s legitimate domain name in the display name of the email sender.
  • Employees covering for the normal designated individuals should be thoroughly educated on the processes for paying invoices and bank transfers
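
The From-field checks in the list above can also be run automatically when a suspicious invoice email is being triaged. The Python script below is an added example, not Consilium's own tooling; the trusted domain names, the warning labels and the edit-distance threshold of 2 are assumptions, and the sample headers are constructed.

```python
from email.utils import parseaddr

# Assumption: domains your company and its known suppliers really send from
# (constructed placeholder names).
TRUSTED_DOMAINS = {"contoso.example", "fabrikam-supplies.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of warnings for one From header value."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable-from"]
    domain = address.rpartition("@")[2].lower()
    if domain in trusted:
        # Exact match on the visible header only; this does not prove the
        # message is genuine, so the request still needs verifying.
        return []
    warnings = []
    # Trick 1: a trusted domain appears only in the display name.
    if any(t in display.lower() for t in trusted):
        warnings.append("trusted-domain-in-display-name-only")
    # Trick 2: the sending domain is a few letters away from a trusted one.
    for t in sorted(trusted):
        if edit_distance(domain, t) <= max_distance:
            warnings.append(f"lookalike-of:{t}")
    return warnings or ["unknown-sender-domain"]


if __name__ == "__main__":
    samples = [  # constructed From headers
        "Deborah Smith <deborah@contoso.example>",
        '"deborah@contoso.example" <deborah@mail-billing.example>',
        "Deborah Smith <deborah@cont0so.example>",
    ]
    for s in samples:
        print(s, "->", check_from_header(s))
```

An empty result only means the visible address matches a trusted domain, so the phone or in-person verification described below still applies.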

Verify all requests in person or by phone

  • Do not reply to the email or engage in dialogue with the sender via email
  • Call the person making the request but DO NOT use any phone numbers in the email. These could be bogus numbers that put you through to the scammer.
  • A better way is to verify the request in person if at all possible.

What to do if you think you’ve been scammed

Contact your bank and the police immediately. You may be able to recover some funds. Next, contact Consilium so we can help analyse the emails and block further emails from the scammer.


There are technical measures you can take, but most of these come after an attack. Preventing this type of attack happening in the first place is the best course of action, and many of these attacks can be stopped by simple non-technical measures.

Get in touch with IT Support at Consilium today to discuss other measures your company can take to mitigate the risk of attacks.

