Invoice fraud is growing in sophistication — here’s how to curb it
The face of invoice fraud — a longtime threat to companies’ bank accounts — is changing. Today, it involves increasingly sophisticated scams, more often perpetrated by bad actors outside the company rather than employees, and very often supported by some form of email trickery.
With traditional invoice fraud, a dishonest employee might alter paper invoices, or external fraudsters might steal them out of the mail and either edit the amounts and payment instructions or use them to create counterfeit bills. Such manipulation still occurs, but the biggest invoice fraud threat now comes from external phishing scams, says Randy Wilborn, senior vice president and manager of the Treasury Payments Product Group at Cadence Bank.
Many current invoice-related schemes involve business email compromise (BEC), notes Wilborn, a certified fraud examiner who has been educating clients about fraud prevention for two decades.
The evolving threat
BEC is the number one avenue for attempted and actual payment fraud, according to the Association for Financial Professionals (AFP). BEC was reported by 63% of the financial pros and organizations responding to the 2025 AFP Payments Fraud and Control Survey.
Wilborn has seen BEC evolve over the past half dozen years and provide a new path for fraudsters to alter invoice instructions and redirect payments.
Initially, BEC usually took the form of a fraudster sending a senior company executive a phishing email as a first step to hijacking the executive’s email application.
“By luring the executive into clicking on the email, the fraudster downloaded malware onto their computer and stole their login credentials,” Wilborn explains. “The fraudster then sent a convincing email under the executive’s name to someone in accounts payable and directed them to send a payment — usually a wire transfer or ACH — to an account controlled by the fraudster.”
Later, bad actors started sending emails to accounts payable (AP) staffers at targeted companies that claimed to be from known vendors. “The emails would say the vendor has a new banking relationship and ask the AP staffer to send future invoice payments to a new account. Of course, that account was controlled by the fraudster,” Wilborn says.
More recently, the industry is seeing a third and even more complex BEC scheme, he says. In this one, the fraudster sends an AP employee an email purporting to be from a current company vendor, sometimes with a fake invoice attached. Clicking on the invoice downloads malware onto the AP employee’s computer, allowing the fraudster to steal the staffer’s login credentials and later invade the employee’s computer to alter invoice payment instructions.
“We’ve also seen fraudsters monitor email conversations between employees and legitimate vendors, and then right before it’s time to make a payment, send an email to the employee providing new, fraudulent payment instructions,” Wilborn says. “The fraudster might reference something from the most recent legitimate email exchange to convince the employee they are still conversing with the real vendor.”
Controls and best practices to adopt
All these fraudulent schemes are still in use and can be effective. However, they can be thwarted and funds protected, Wilborn says, if companies use these best practices and controls:
- Deliver invoices electronically. To eliminate the risks of traditional paper-based invoice fraud, deliver invoices electronically via secure email or through an application controlled by secure credentials, which many banks offer businesses. For instance, Cadence Bank Treasury Management offers an electronic AP solution, Invoice-to-Pay, which automates and streamlines the receiving, reviewing and paying of invoices between an organization and its vendors. Invoice-to-Pay matches invoices to purchase orders and routes them for approval before payment is made.
- Know your vendors. It’s important to ensure your vendors are reputable, so there is less chance one of their people is instigating invoice fraud. To accomplish this, charge someone at your company with managing vendor relationships and executing a reputational scorecard, at least annually, for each one. A vendor should potentially be flagged if there’s regular leadership turnover at the vendor or it is the subject of negative press about data breaches or mismanagement.
- Establish a process for managing payment instruction change requests. Much invoice fraud involves payment misdirection that starts with a bad actor successfully impersonating a trusted individual. To avoid being fooled, establish a procedure for handling all requests to change payment instructions.
  All such requests to revise instructions should be submitted in a specified manner to a designated individual. The process should require staff to verify any such request that originates via email by contacting the individual making the request — whether it’s your own senior executive or someone at the vendor — through a different channel than the one on which it was received, typically by telephone using a known, trusted phone number already on file rather than one supplied in the email.
- Institute dual control. Someone in AP can submit a request for a change to invoice payment instructions, but a supervisor or manager should approve all such changes.
- Be aware of the dangers of social media. Wilborn notes three scenarios to avoid:
  - Having a senior executive posting that they are on vacation, making it a perfect time for a bad actor to send a fake email to an AP employee that’s supposedly from that executive.
  - Having a financial manager with payment duties publicize their role online. For instance, if your AP manager attends an industry conference, is the sponsoring organization listing the manager’s name and title somewhere online where fraudsters can see it and potentially target them?
  - Highlighting your vendors on the company’s website or in social media postings, providing critical information fraudsters can use for vendor email compromise.
- Use bank fraud-prevention solutions. In addition to invoicing electronically, work with your treasury management bank to adopt fraud-curbing tools like dual-factor authentication, ACH and wire transfer alerts, and positive pay. Cadence offers both check positive pay and ACH positive pay. These solutions help to identify altered or counterfeit checks and unauthorized ACH transactions, respectively.
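As an added illustration (not from the article or from Cadence Bank), the following Python models the change-request and dual-control rules above: a request to redirect a vendor's payments is accepted only when it was confirmed by a callback to the phone number already in the vendor master file and approved by someone other than the staffer who logged it. Vendor IDs, account strings, phone numbers and names are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class VendorRecord:
    """Vendor master-file entry; the phone number is captured at onboarding, never from an email."""
    vendor_id: str
    bank_account: str
    known_phone: str

@dataclass
class ChangeRequest:
    """A payment-instruction change request as logged by the designated AP contact."""
    vendor_id: str
    new_account: str
    submitted_by: str                      # AP staffer who logged the request
    callback_phone: Optional[str] = None   # number the staffer actually dialled
    callback_confirmed: bool = False       # vendor confirmed the change on that call
    approved_by: Optional[str] = None      # supervisor or manager who signed off

def evaluate_change_request(req: ChangeRequest,
                            vendors: dict[str, VendorRecord]) -> tuple[bool, str]:
    """Return (accepted, reason); every rejection names the control that fired."""
    vendor = vendors.get(req.vendor_id)
    if vendor is None:
        return False, "unknown vendor"
    # Out-of-band verification: the callback must be confirmed and must go to the
    # number already on file. A number quoted in the request itself proves nothing.
    if not req.callback_confirmed:
        return False, "request not verified by callback"
    if req.callback_phone != vendor.known_phone:
        return False, "callback did not use the phone number on file"
    # Dual control: someone other than the submitter must approve the change.
    if req.approved_by is None:
        return False, "awaiting supervisor approval"
    if req.approved_by == req.submitted_by:
        return False, "submitter cannot approve their own request"
    return True, "accepted"

def apply_change_request(req: ChangeRequest,
                         vendors: dict[str, VendorRecord]) -> Optional[VendorRecord]:
    """Update the master file only when every control passed; otherwise leave it untouched."""
    accepted, _ = evaluate_change_request(req, vendors)
    if not accepted:
        return None
    updated = replace(vendors[req.vendor_id], bank_account=req.new_account)
    vendors[req.vendor_id] = updated
    return updated
```

The first rejection branch is the one that catches the "new banking relationship" email: a callback placed to a number printed in that email, rather than the number on file, does not count as verification.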
The critical role of education and training
Beyond these best practices to safeguard your company from all sorts of payments fraud, education is paramount.
"The No. 1 antidote that can help prevent an organization from becoming a victim to these fraudulent schemes is educating your employees."
Randy Wilborn, senior vice president and manager of the Treasury Payments Product Group at Cadence Bank
He suggests using your banks as resources for information about fraud prevention and attending in-person or online informational programs about fraud prevention offered by local treasury management or other professional organizations.
A mistake for executive leadership to avoid, Wilborn cautions, is accumulating helpful information about fraud but not conveying it to employees, who are the critical first line of defense. What’s more, he advises testing employees by sending them fake phishing emails on a regular basis and monitoring how they react. Employees who continue to click on suspicious emails can be assigned additional training.
To learn more about payments fraud scams and prevention tools and solutions, visit our website and consult with your Cadence Bank treasury management specialist.
This article is provided as a free service to you and is for general informational purposes only. Cadence Bank makes no representations or warranties as to the accuracy, completeness or timeliness of the content in the article. The article is not intended to provide legal, accounting or tax advice and should not be relied upon for such purposes.