Spot the three dominant UK invoice fraud patterns in 2026 — entirely fake supplier invoices, real-supplier-compromised invoice manipulation, and domain-spoofing fake invoices — with the procurement controls that defeat all three.
Last reviewed: 13 May 2026 · ScamSupport research
Invoice fraud in 2026: the UK business cost
UK Finance attributes over £180m of UK business losses to invoice fraud and mandate fraud combined in 2024, with the trend continuing upward in 2025. Invoice fraud (also called “mandate fraud” when supplier bank details are changed) is the highest-volume B2B fraud category after CEO fraud, and the average loss per successful attack is £8,000-£42,000 for SMEs. Many cases involve repeated invoices over weeks before detection.
Three dominant variants account for the majority of UK 2026 cases: entirely fabricated supplier invoices (no real supplier relationship), real-supplier-compromised mandate fraud (the supplier’s email is hacked and bank details swapped on a real invoice), and domain-spoofing fake invoices (lookalike supplier domain sends invoices for fictional services).
Three invoice fraud variants currently in circulation
Variant 1 — Entirely fake supplier invoice
How it presents: An invoice arrives by email from a “supplier” you don’t recognise but who claims to have provided services (software subscription, marketing service, business directory listing, professional development course). The invoice references a vague service date, includes a plausible amount (£200-£2,500), and threatens overdue-payment fees / debt-collection escalation. The strategy banks on busy accounts-payable staff paying low-value invoices without verifying.
Red flags:
No prior business relationship with the supplier. Real invoices come from suppliers you onboarded, raised a PO with, or have existing contracts with. An invoice from an unknown entity should never be paid.
Service descriptions are vague. “Professional services”, “subscription renewal”, “listing fee” without specific deliverables. Real invoices specify exactly what was supplied.
The amount is engineered to be under approval thresholds. Many companies have rapid-payment workflows for invoices under £500-£1,000. Scammers price right under those thresholds.
Threat of escalation fees / debt collection. Urgency tactic to suppress verification.
Cross-check supplier on Companies House. Real UK suppliers register with verifiable directors and accounts. Recently-formed companies with no trading history are scam-shaped.
Procurement control: no purchase order, no payment. Standard B2B control. If there’s no internal PO record matching the invoice, the invoice is suspect.
Variant 2 — Real supplier compromised, bank details swapped (mandate fraud)
How it presents: An email from a real existing supplier (or, more dangerously, from a compromised account at the real supplier) announces “updated bank details”. The new sort code / account number replaces the existing record. The next invoice (or an in-flight invoice) is paid to the criminal’s account instead of the supplier’s.
Red flags:
Bank-account-change requests via email alone. Real supplier banking changes follow documented processes: countersigned letter on supplier letterhead, verified by phone, sometimes requiring a signed deed. Email-only requests are the diagnostic feature.
Sender domain is the real supplier’s but compromised. Most dangerous variant: the email genuinely comes from the supplier’s email system, but the supplier’s account has been compromised. Domain-check alone won’t catch this. The defence is out-of-band verification (phone call to supplier on known number).
Sender domain is a lookalike of the real supplier’s. Less dangerous variant: typo-squat domain (supplier.co instead of supplier.co.uk). Domain-check catches it if you compare carefully.
New account is a personal account, fintech, or offshore. Legitimate corporate suppliers use corporate UK banking. Personal-account destinations are scam-shaped.
Timing aligns with upcoming invoice. Criminals time bank-change requests to land just before a known payment.
Procurement control: two-person verification of any supplier-bank change via phone call to the supplier’s switchboard. Standard in mature procurement. Absence of this control is the organisational vulnerability.
Variant 3 — Domain-spoofing fake invoice from “same-name” supplier
How it presents: An invoice arrives appearing to come from a real existing supplier. The sender address uses a typo-squat domain (name@reallookingsupplier.co instead of name@reallookingsupplier.co.uk) or a near-identical domain (name@suppli3r.co.uk with a 3 instead of an e). Invoice details mirror the real supplier’s template. Banking details differ. The aim is to route payment intended for the real supplier to the criminal’s account.
Red flags:
Domain check at message-receipt level. Compare the full sender domain (after “@”) against the saved supplier contact details. Typo-squats are visible to the naked eye if you look carefully.
Domain check at payment-process level. Cross-reference the invoice’s sender domain against your standing supplier file before authorising payment. ERP systems that flag domain mismatches are highly effective.
Email auth (DMARC / SPF / DKIM) failures. Many spoofed domains fail email-authentication checks. Some email systems (Microsoft 365 Defender, Google Workspace, Mimecast) flag these automatically. Pay attention to “external sender” warnings.
The invoice is a near-copy of the real supplier’s template. Criminals harvest real templates from past invoices that have leaked / been forwarded externally. Recognisable template doesn’t mean genuine.
Banking details mismatch standing supplier record. Most diagnostic single test: does the bank account on the invoice match the bank account you’ve paid to before? If not, do not pay until verified.
The procurement controls that defeat invoice fraud
No purchase order, no payment. Universal control. Every invoice should match a PO raised internally; un-PO’d invoices are paid only after additional approval.
Two-person verification of supplier bank changes via phone callback. Change request received > second staff member calls supplier on known switchboard number > confirmed in writing on supplier letterhead. No exceptions, regardless of urgency framing.
Cross-check sender domain against standing supplier file. Automated where possible (your ERP can flag mismatches at invoice ingest); manual fallback at payment-approval stage.
Three-way match: PO, goods receipt, invoice. Standard ERP control. Invoices that don’t match a PO + receipt should not auto-pay.
Threshold-based approval workflow without “rapid-pay” loopholes. Scammers price under thresholds. Even small invoices should require basic verification.
Companies House check for new suppliers. Real UK suppliers register with verifiable directors / address / accounts. Onboarding should include this check.
Email security: enable DMARC / SPF / DKIM enforcement. Microsoft 365 and Google Workspace both support this; enforcement reduces domain-spoofing volume substantially.
Anti-fraud awareness for accounts-payable staff. Specific training on invoice fraud patterns. Most successful attacks involve a finance staff member acting under urgency without doing the standard checks.
Cyber-insurance covering invoice fraud. Most policies cover it, but require documented controls. Confirm coverage and that controls match policy requirements.
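The sender-domain, lookalike-domain, bank-detail, PO-match and threshold checks listed above (and the Variant 3 red flags) as one invoice-triage routine, written as an added example here rather than taken from ScamSupport or any ERP product; the supplier file, open POs, rapid-pay threshold and invoices are constructed data.

```python
# Constructed standing supplier file (hypothetical data): the domain each
# supplier has always written from and the account you have paid before.
SUPPLIER_FILE = {
    "Acme Print Ltd": {"domain": "acmeprint.co.uk", "sort_code": "20-00-00", "account": "12345678"},
}
OPEN_POS = {"PO-1001": ("Acme Print Ltd", 1450.00)}  # constructed: PO -> (supplier, amount)
RAPID_PAY_THRESHOLD = 500.00  # constructed rapid-pay limit that fake invoices price under

def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squat domains (suppli3r vs supplier)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the supplier domain on file that this sender domain imitates, or None."""
    for rec in SUPPLIER_FILE.values():
        known = rec["domain"]
        if domain == known:
            return None  # exact match to a domain on file is not a lookalike
        same_label = domain.split(".")[0] == known.split(".")[0]  # acmeprint.co vs acmeprint.co.uk
        if same_label or edit_distance(domain, known) <= 2:
            return known
    return None

def triage(inv):
    """Apply the controls above to one invoice; returns the flags raised (empty list = pass)."""
    flags = []
    domain = inv["sender"].rsplit("@", 1)[-1].lower()
    rec = SUPPLIER_FILE.get(inv["supplier"])
    if rec is None:
        flags.append("UNKNOWN_SUPPLIER")  # Variant 1: no onboarding record at all
    elif domain != rec["domain"]:
        flags.append("DOMAIN_MISMATCH")  # sender domain differs from the one on file
    if lookalike_of(domain):
        flags.append("LOOKALIKE_DOMAIN")  # Variant 3: typo-squat or wrong TLD
    if rec and (inv["sort_code"], inv["account"]) != (rec["sort_code"], rec["account"]):
        flags.append("BANK_MISMATCH")  # Variant 2/3: an account you have never paid before
    po = OPEN_POS.get(inv.get("po"))
    if po is None or po[0] != inv["supplier"] or abs(po[1] - inv["amount"]) > 0.01:
        flags.append("NO_PO_MATCH")  # no purchase order, no payment
    if 0 < RAPID_PAY_THRESHOLD - inv["amount"] <= RAPID_PAY_THRESHOLD * 0.1:
        flags.append("UNDER_THRESHOLD")  # priced just under the rapid-pay limit
    return flags
```

Note that a Variant 2 invoice sent from the supplier's real but compromised mailbox raises only BANK_MISMATCH, which is exactly why the phone callback, not the domain check, is the control that matters there.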
If you’ve already paid a fraudulent invoice
Call your bank’s corporate fraud team immediately. Faster Payments transfers are sometimes recallable within 24-48 hours by mutual bank agreement. Time matters: the payment can clear within minutes, and the recall window closes quickly.
Use the PSR Claim Wizard — PSR Mandatory Reimbursement covers up to £85,000 within 5 working days for APP fraud against businesses (scope restrictions apply for larger businesses; consult your bank).
Notify your cyber-insurance provider within the policy reporting window. Most policies require 24-72 hour notice; missing the window can void coverage.
Notify the real supplier if they were impersonated. They’ll typically want to issue a customer-wide alert + review their email security. Often useful for civil recovery if the criminal can be identified.
Report to Report Fraud at 0300 123 2040. Get the crime reference for subsequent recovery action or insurance claim.
Engage an SRA-regulated solicitor for significant losses. Civil recovery against the receiving account, freezing orders, Norwich Pharmacal Orders against the receiving bank. Specialist commercial-fraud solicitors are listed at Fraud Lawyers Association.
Review controls and brief the finance team. Almost every successful invoice fraud reveals a control failure. Use the incident to tighten verification processes before the next attempt.