How to Spot and Stop Fake Invoice Scams Before They Cost Your Business


💡Key Insights

  • Payment-redirection scams, which include invoice fraud, cost Australian businesses about $152.6 million in 2024, according to the National Anti-Scam Centre, and small businesses are hit hard.
  • Most scams work by pretending to be a trusted supplier, tweaking real invoices, or slipping into email accounts to quietly change payment details.
  • Small businesses are frequent targets simply because they’re busy, with fewer people, less time, and more trust placed in everyday email communication.
  • Common warning signs include changed bank details, odd formatting, new contact names, urgent payment requests, or invoices that don’t match your usual records.
  • The best protection is a mix of simple checks, staff awareness, strong email security, and smart protection tools.

This post is contributed by our friends at Bitdefender.

Running a small business comes with enough challenges. The last thing you need is money slipping away because of a fake invoice. Yet, invoice scams are among the most common and costly forms of fraud affecting Australian small businesses today.

They’re designed to look real, they’re easy to miss, and they can be costly. Too often, owners only realise after the money has landed in a scammer’s account instead of their supplier’s. And for a small business, even one wrong payment can be devastating.

Once you understand how these scams work and what warning signs to watch for, you can put simple safeguards in place to protect your money, your clients, and your reputation.

What Is an Invoice Scam?

An invoice scam happens when a fraudster tricks a business into paying money it doesn’t actually owe. Sometimes scammers create entirely fake invoices, sometimes they impersonate a trusted supplier, and other times they hack into a genuine email account and quietly swap the payment details.

The aim is always the same: to redirect your payment into their bank account before you notice anything is wrong.

Combined losses reported to Scamwatch, ReportCyber, IDCARE, AFCX, and ASIC, all collated by the National Anti-Scam Centre, show that in 2024, payment-redirection scams (including invoice fraud) were among the top scam categories, with losses of approximately $152.6 million.

These scams can affect both sides of a transaction. A supplier’s invoices might be tampered with so payment never reaches them, while a client might unknowingly pay a bill that has nothing to do with their real supplier. 

Either way, the scammer walks away with the money, and the business relationship is left in trouble.

Why are small businesses targeted by invoice scams?

Scammers focus on small businesses because teams are busy, roles overlap, and formal payment processes are not always in place. One person may handle admin, emails and payments, making it easier for a fake invoice to slip through during a hectic day. 

Small businesses also rely heavily on trust with suppliers, something scammers imitate convincingly. With fewer protections than large organisations, email accounts and invoices are easier to tamper with, making small businesses an appealing target.

6 types of Invoice Scams (and How Each One Works)

1. Fake Invoice Scam

Scammers send fake invoices that look real. When a business is swamped with invoices, the person handling payments may not check each one thoroughly, and if the people who commissioned the work are not the people who pay for it, nobody may be in a position to confirm that the invoicer actually did the job. The business pays without realising the invoice is fake.

Scenario:

A small architecture studio receives an invoice for “design consulting hours” from a business name that sounds familiar. The amount is small enough not to raise suspicions, and the accounts person pays it. It’s only during an end-of-month review that they realise the supplier doesn’t exist.

Red flags:

  • No purchase order or record of the job
  • Generic descriptions like “services provided”
  • Missing ABN or contact details
  • A business name that’s similar to—but not exactly—the real one

2. Supplier Impersonation Scam

Scammers pretend to be a known supplier and send an invoice for payment. They might even hack into the supplier’s email account to make the request seem genuine.

Scenario:

A café receives an email from an address that looks almost identical to its supplier's real one (a lookalike domain, differing by a character or two) asking them to use “new banking details due to a recent audit.” The invoice looks identical to previous ones, so the payment is made, straight to the scammer.

Red flags:

  • Slight changes to email domains (extra letters, hyphens, missing “.au”)
  • Sudden changes in bank details with no prior notice
  • Emails sent outside normal business hours
  • Urgent or unusual language from a supplier who normally isn’t urgent
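The first red flag above, a sender domain that is almost but not quite the supplier's, is the one most easily turned into a repeatable check instead of something a busy person eyeballs. The following is an added example for this article, not Bitdefender's or Lawpath's code: it takes the From: header of an incoming invoice email and compares the sender domain with the domain held on file for each supplier. The supplier list and the sample headers are constructed; the edit-distance threshold of two and the list of public suffixes stripped before comparison are assumptions you would tune for your own vendor list.

```python
"""Flag supplier emails whose sender domain is a near-miss of the domain on file.

Added example for this article; not Bitdefender's or Lawpath's code. The vendor
list and the sample From: headers are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Hypothetical vendor master: supplier name -> the domain(s) it really sends from.
KNOWN_SUPPLIER_DOMAINS = {
    "Sunrise Coffee Roasters": {"sunrisecoffee.com.au"},
    "Harbour Building Supplies": {"harbourbuilding.com.au"},
}


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough for the one- or two-character tweaks scammers use."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _strip_tld(domain: str) -> str:
    """Drop common public suffixes so 'supplier.com' and 'supplier.com.au' compare on the label.

    The suffix list is an assumption; extend it for the suffixes your suppliers use.
    """
    return re.sub(r"\.(com\.au|net\.au|org\.au|com|net|org|co)$", "", domain)


def classify_sender(from_header: str, max_distance: int = 2) -> dict:
    """Return {'domain', 'verdict', 'matched_supplier'} for one From: header.

    verdict is one of:
      'known'     - domain exactly matches a supplier on file
      'lookalike' - within max_distance edits of a known domain, or the same label
                    under a different suffix (the 'missing .au' trick)
      'unknown'   - no resemblance to any supplier on file (still needs a PO and a human)
    """
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower().strip() if "@" in addr else ""
    if not domain:
        return {"domain": domain, "verdict": "unknown", "matched_supplier": None}
    # Exact matches first, so a real supplier is never reported as a lookalike of another.
    for supplier, domains in KNOWN_SUPPLIER_DOMAINS.items():
        if domain in domains:
            return {"domain": domain, "verdict": "known", "matched_supplier": supplier}
    for supplier, domains in KNOWN_SUPPLIER_DOMAINS.items():
        for real in domains:
            same_label = _strip_tld(domain) == _strip_tld(real)
            close = _levenshtein(domain, real) <= max_distance
            # An inserted hyphen or a swapped letter is one edit; a dropped '.au' is
            # three edits, so the same_label test catches that case instead.
            if same_label or close:
                return {"domain": domain, "verdict": "lookalike", "matched_supplier": supplier}
    return {"domain": domain, "verdict": "unknown", "matched_supplier": None}


if __name__ == "__main__":
    # Constructed sample headers: one genuine, three lookalikes, one stranger.
    for hdr in [
        "Accounts <accounts@sunrisecoffee.com.au>",
        "Accounts <accounts@sunrise-coffee.com.au>",   # extra hyphen
        "Accounts <accounts@sunrisecoffee.com>",       # missing .au
        "Accounts <accounts@harbourbuildlng.com.au>",  # 'l' in place of 'i'
        "Billing <billing@totally-unrelated.example>",
    ]:
        print(hdr, "->", classify_sender(hdr))
```

A 'lookalike' verdict is the one to route straight to the phone-call step; an 'unknown' verdict is not proof of fraud, but it means there is no vendor record to compare bank details against, so the invoice should not be paid until one exists.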

3. Business Email Compromise (BEC)

Hackers gain access to a business email account and use it to send fake payment instructions. They may instruct clients to redirect their payments to a different bank account belonging to the scammer.

Scenario:

A construction company emails a legitimate invoice to a client. A hacker who already controls the company's mailbox intercepts the email, replaces the PDF with a version containing different account details, and resends it from the same compromised address. The client pays, and neither side realises anything is wrong until weeks later.

Red flags:

  • Bank details on an invoice don’t match the previous ones
  • Email replies that “don’t sound like” the person you know
  • Missing email history or deleted threads
  • Auto-forwarding rules mysteriously turned on in your inbox settings

4. Overpayment Scam

A scammer pays by cheque for more than the amount owed and then asks for the difference to be refunded. The original cheque later bounces, leaving the business out of pocket. A related variant is the inflated invoice: the scammer invoices for a real service but pads it, charging for services not provided or slightly inflating the costs, so the client ends up paying more.

Scenario:

A small online retailer receives a payment for $2,000 when the actual amount owed is $1,200. The “customer” says it was a mistake and asks for an $800 refund via bank transfer. The retailer sends it, and days later, their bank notifies them that the original payment was fraudulent and reversed.

Red flags:

  • “Accidental” overpayments
  • Pressure to refund immediately
  • Payments from unfamiliar or overseas accounts
  • Invoices with inflated line items or duplicate charges


5. Duplicate Invoices

The scammer has done some work for the client but tries to get paid twice for the same job. For example, they might “accidentally” send the same invoice twice, hoping the client will pay both times.

Scenario:

A digital marketing freelancer sends an invoice for a completed project. A week later, the accounts team receives another email with the same invoice but a different subject line and a slightly different sender address. The accounts assistant, unaware that the first invoice has already been paid, pays the second one.

Red flags:

  • Slight variations in invoice numbers
  • Duplicate invoices arriving from multiple email addresses
  • An invoice format that looks slightly different from the usual one
  • Staff confusion about who paid what

6. Invoice Rewriting

If scammers gain access to the invoice, they can alter the details to benefit themselves. They might do this by changing the invoice on the business’s computer or by tweaking it when it arrives in the client’s inbox. Typically, this involves changing the payment details so the money goes into the scammer’s bank account instead of the business’s. If done well, neither the business nor the client will notice the changes.

Scenario:

An accountant sends a PDF invoice to a client. The client pays, but the accountant never receives the funds. Later, they discover that a hacker had got into their email account, altered every outgoing invoice by changing only the BSB and account number, and had the altered copies sent on automatically.

Red flags:

  • Complaints from clients about “wrong details”
  • Missing email records or altered sent messages
  • PDF invoices that differ slightly from the original
  • Payment delays or unexplained financial gaps

Warning Signs of Invoice Fraud

Fake invoices often slip through because they look believable at first glance — but there are usually small details that don’t quite add up. Here are some broader warning signs to watch for before paying any invoice:

  • The invoice asks for a new bank account, a different payment method, or an international transfer without prior discussion.
  • The amount doesn’t match what you agreed on, or the breakdown feels vague.
  • The invoice is missing standard elements (payment terms, item descriptions, purchase order numbers).
  • The document uses a different style, font, logo, or colour scheme from previous invoices.
  • The invoice arrives from a new contact person you’ve never dealt with before.
  • The sender becomes pushy, insists on communicating only via email, or avoids clarifying basic details.
  • The invoice arrives at a strange time, such as late at night, on a weekend, or during periods when scammers know businesses are busy (EOFY, BAS periods, holidays).


Legitimate vs Fake Invoice

Feature      | Legitimate invoice | Fake invoice
------------ | ------------------ | ------------------------
Bank details | Consistent         | Unexpected change
ABN          | Valid, searchable  | Missing or invalid
Email        | Exact domain       | Close match or altered
Tone         | Familiar           | Urgent or unusual
Layout       | Consistent         | Odd or inconsistent
PO number    | Matches            | Missing
Amount       | As agreed          | Inflated or altered



What to do if you’ve already paid a fake invoice

If you’ve already paid a fake invoice, act fast.

  1. Contact your bank immediately and ask them to recall the payment.
  2. Let your real supplier know what happened so they can check whether their email or invoices were tampered with.
  3. Secure your accounts by changing passwords, enabling multi-factor authentication, and checking for unusual email forwarding rules.
  4. Report the scam to Scamwatch and ACSC’s ReportCyber.


How to protect your business from Invoice Scams

The safest approach is to build simple, consistent habits into your daily workflow. Here’s a more detailed guide to lowering your risk.

1. Verify invoices before paying

Don’t rely on how familiar an invoice looks. Always confirm the details before paying, especially if the amount is large or the supplier is new.

What to check:

  • Supplier name and ABN (use the Australian Business Register to confirm legitimacy).
  • BSB and account number: compare against the details on your vendor record or the last invoice you actually paid, never against anything in the email that delivered the invoice.
  • The purchase order number or job reference.
  • Whether the services or goods were actually ordered or delivered.

If payment details have changed:

Always call the supplier using a known phone number from your own records. Never call the number on the suspicious invoice or email—scammers often include fake phone numbers to complete the illusion. This single step prevents many invoice scams.
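The checks in this section can be run mechanically before an invoice ever reaches the person who approves payment. The following is an added example for this article, not the article's or Bitdefender's code: it compares an incoming invoice with a vendor master, validates the ABN check digit using the published ABR algorithm, and catches the rewritten, duplicate and phantom invoices described earlier. The vendor record, purchase orders, ABN and invoices are constructed samples with hypothetical numbers. An ABN that passes the checksum is only well-formed; whether it belongs to the named supplier still needs the ABR lookup, and a changed BSB still needs the phone call.

```python
"""Pre-payment checks for an incoming invoice against the vendor master.

Added example for this article, not the article's or Bitdefender's code. The
vendor master, purchase orders and invoices below are constructed samples with
hypothetical names and numbers; the ABN checksum is the published ABR
algorithm (the weights below, modulus 89).
"""
from dataclasses import dataclass, field
from typing import Optional

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def digits_only(s: str) -> str:
    """Normalise '012-345' and '78 246 813 579' style values before comparing them."""
    return "".join(c for c in s if c.isdigit())


def abn_is_valid(abn: str) -> bool:
    """ABR check: subtract 1 from the first digit, weight each digit, the sum must divide by 89.

    This proves only that the number is well-formed, not that it belongs to the
    supplier named on the invoice; that is what the ABR lookup is for.
    """
    digits = [int(c) for c in digits_only(abn)]
    if len(digits) != 11:
        return False
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0


@dataclass
class Vendor:
    name: str
    abn: str
    bsb: str
    account: str
    open_pos: set = field(default_factory=set)   # POs raised and not yet invoiced


@dataclass
class Invoice:
    supplier_name: str
    abn: str
    bsb: str
    account: str
    po_number: Optional[str]
    amount: float


def check_invoice(inv: Invoice, vendors: dict, paid: set) -> list:
    """Return blocking findings for a human to resolve; an empty list means the checks passed.

    Bank details are compared with the vendor master (what was paid last time),
    never with anything in the email that delivered the invoice.
    """
    findings = []
    vendor = vendors.get(inv.supplier_name)
    if vendor is None:
        findings.append("supplier not in vendor master: verify by phone before creating it")
    if not abn_is_valid(inv.abn):
        findings.append("ABN fails checksum")
    elif vendor and digits_only(inv.abn) != digits_only(vendor.abn):
        findings.append("ABN differs from the one on file")
    if vendor and (digits_only(inv.bsb) != digits_only(vendor.bsb)
                   or digits_only(inv.account) != digits_only(vendor.account)):
        findings.append("BSB/account differ from the vendor master: "
                        "call the supplier on a number you already hold")
    if not inv.po_number:
        findings.append("no purchase order reference")
    elif vendor and inv.po_number not in vendor.open_pos:
        findings.append(f"PO {inv.po_number} is not open for this supplier "
                        "(already invoiced or never raised)")
    if (inv.supplier_name, inv.po_number, round(inv.amount, 2)) in paid:
        findings.append("duplicate of an invoice already paid")
    return findings


# Constructed vendor master and payment history (hypothetical numbers).
VENDORS = {
    "Harbour Building Supplies": Vendor(
        name="Harbour Building Supplies", abn="78 246 813 579",
        bsb="012-345", account="123456789", open_pos={"PO-1042"}),
}
PAID = {("Harbour Building Supplies", "PO-1041", 4180.00)}

# Constructed invoices: clean; bank details rewritten (scam 6); sent twice (scam 5);
# phantom supplier with a near-miss name and a bad ABN (scam 1).
CLEAN = Invoice("Harbour Building Supplies", "78 246 813 579", "012-345", "123456789", "PO-1042", 2750.00)
REWRITTEN = Invoice("Harbour Building Supplies", "78 246 813 579", "062-999", "987654321", "PO-1042", 2750.00)
DUPLICATE = Invoice("Harbour Building Supplies", "78 246 813 579", "012-345", "123456789", "PO-1041", 4180.00)
PHANTOM = Invoice("Harbor Building Supplies", "78 246 813 578", "062-999", "987654321", None, 640.00)

if __name__ == "__main__":
    for label, inv in [("clean", CLEAN), ("rewritten", REWRITTEN),
                       ("duplicate", DUPLICATE), ("phantom", PHANTOM)]:
        print(label, "->", check_invoice(inv, VENDORS, PAID) or "OK to route for approval")
```

The point of keeping the findings as a list rather than a single yes/no is that each one maps to a different human action: a bank-detail mismatch means a phone call on a known number, a closed PO means asking whoever raised it, and an unknown supplier means no payment until a vendor record exists.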

2. Train your team (and refresh training regularly)

People are your first line of defence. Even a short, friendly training session goes a long way.

What staff should know:

  • How scammers mimic suppliers.
  • Why urgent or emotional language is a red flag.
  • How to verify payment changes.
  • When to pause and escalate something that feels “off.”

Encourage staff to slow down and double-check, even if it delays payment by a few minutes. A small delay is better than a costly mistake. You can also develop a quick internal “Before You Pay” checklist, which they can print and keep at their desk.

3. Secure your email and business accounts

Because so many invoice scams begin with hacked or spoofed emails, strong inbox security is essential.

Best practices include:

  • Use strong, unique passwords for each account.
  • Turn on multi-factor authentication (MFA) everywhere, especially for email and accounting software.
  • Update software regularly across all devices.
  • Restrict who can approve payments or access financial emails.
  • Review your email account for unusual forwarding rules or login attempts.

A compromised inbox is one of the most common entry points for scammers — secure inboxes block many attacks before they even begin.
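Both the BEC red flag given earlier (auto-forwarding rules mysteriously turned on) and the step here of reviewing the account for unusual forwarding rules come down to actually reading the rules in the mailbox, which attackers count on nobody doing. The following is an added example, not Bitdefender's or the article's code, that scores an exported rule list for the patterns planted after an account takeover: forwarding or redirecting outside the business, hiding matching mail, matching on finance keywords, and near-empty rule names. The sample rules are constructed and shaped like the JSON Microsoft Graph returns for a mailbox's messageRules; treating those field names as the API's and the moveToFolder value as a folder name rather than an ID are assumptions, so adapt the keys to whatever your mail platform exports.

```python
"""Hunt for mailbox rules that BEC actors typically plant after taking over an account.

Added example, not from Bitdefender or the article. SAMPLE_RULES is a
constructed export shaped like Microsoft Graph's messageRules JSON; the field
names and the folder-name comparison are assumptions about that format.
"""
from typing import Iterable

OUR_DOMAINS = {"example-studio.com.au"}   # hypothetical: the business's own mail domains
FINANCE_WORDS = ("invoice", "payment", "remittance", "bank", "bsb", "account", "overdue")
# Folders nobody looks in; attackers move the mail they are stealing there.
UNWATCHED_FOLDERS = {"rss feeds", "rssfeeds", "deleted items", "deleteditems",
                     "junk email", "junkemail", "archive"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _recipient_addresses(action_value) -> list:
    """Forward/redirect targets arrive as [{'emailAddress': {'address': ...}}] in the assumed format."""
    out = []
    for r in action_value or []:
        addr = r.get("emailAddress", {}).get("address") if isinstance(r, dict) else r
        if addr:
            out.append(addr.lower())
    return out


def assess_rule(rule: dict) -> list:
    """Return the reasons this rule is suspicious; an empty list means it looks benign."""
    reasons = []
    if not rule.get("isEnabled", True):
        return reasons
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}

    targets = (_recipient_addresses(actions.get("forwardTo"))
               + _recipient_addresses(actions.get("forwardAsAttachmentTo"))
               + _recipient_addresses(actions.get("redirectTo")))
    external = [t for t in targets if _domain(t) not in OUR_DOMAINS]
    if external:
        reasons.append("forwards/redirects mail outside the business: " + ", ".join(external))

    hides = bool(actions.get("delete") or actions.get("permanentDelete") or actions.get("markAsRead"))
    if (actions.get("moveToFolder") or "").lower() in UNWATCHED_FOLDERS:
        hides = True
    if hides:
        reasons.append("hides matching mail (delete, mark read, or move to an unwatched folder)")

    keywords = [k for k in (conditions.get("subjectContains") or []) + (conditions.get("bodyContains") or [])
                if any(w in k.lower() for w in FINANCE_WORDS)]
    if keywords:
        reasons.append("matches finance keywords: " + ", ".join(keywords))

    # Rules named with a single character or a space are meant to be overlooked in the UI.
    if len((rule.get("displayName") or "").strip()) <= 1:
        reasons.append("near-empty rule name")
    return reasons


def find_suspicious_rules(rules: Iterable[dict]) -> list:
    """Pair each suspicious rule's name with its reasons, most reasons first."""
    hits = []
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            hits.append((rule.get("displayName", "<unnamed>"), reasons))
    return sorted(hits, key=lambda h: -len(h[1]))


# Constructed sample export: one benign rule, two planted by an attacker.
SAMPLE_RULES = [
    {"displayName": "Newsletters to folder", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor.example"}}]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment", "BSB"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ap.backup@mailbox-relay.example"}}],
                 "markAsRead": True, "moveToFolder": "RSS Feeds"}},
    {"displayName": "Cleanup", "isEnabled": True,
     "conditions": {"bodyContains": ["remittance", "bank details"]},
     "actions": {"delete": True, "stopProcessingRules": True}},
]

if __name__ == "__main__":
    for name, reasons in find_suspicious_rules(SAMPLE_RULES):
        print(f"[!] rule {name!r}:")
        for reason in reasons:
            print("    -", reason)
```

Run it against every mailbox that touches invoicing, not just the one that was noticed, and treat any external forward of finance mail as a confirmed compromise to be handled with the steps in the "already paid" section, not merely a rule to delete.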

4. Run regular checks and internal reviews

Make it a routine to look for unusual activity before it becomes a bigger problem.

Useful periodic checks:

  • Compare current bank details with historic ones.
  • Look for duplicate payments or invoices.
  • Review vendor lists for suspicious new entries.
  • Ensure no dormant suppliers suddenly appear with fresh invoices.
  • Check who has access to payment systems and remove old users.

5. Use the right security tools

Even the most careful businesses benefit from automated security support. That’s where a tool like Bitdefender Ultimate Small Business Security is particularly useful.

It can help you:

  • Block phishing emails that often carry fake invoices.
  • Flag suspicious attachments or altered PDFs before they are opened.
  • Detect attempts to redirect payments or steal financial details.
  • Protect your team’s inboxes from Business Email Compromise (BEC).
  • Identify strange login attempts or malware on devices.

And if you’re unsure about a specific invoice, message, or link, Scam Copilot, included in the package, lets you check it instantly. You can upload a document, forward an email, or paste a message, and Scam Copilot will tell you whether it’s legitimate or a scam attempt. This is particularly useful during busy billing cycles or when a team member feels pressured to pay quickly.

Beyond invoices, Bitdefender also protects your devices from malware that can be used to rewrite PDFs, alter invoice details, or grant scammers access to your accounting software. It keeps your inboxes secure, protects your login details, and makes it harder for attackers to slip into your systems unnoticed.

For small businesses without an IT department, Bitdefender works quietly in the background, protecting your business, money and reputation.
