GF 03 720x478 2x

Stop Invoice and Payment Fraud

Attackers regularly compromise vendor accounts or spoof trusted identities and target unsuspecting employees with fake invoices or payment requests.

Conventional email security solutions are often blind to these types of fraud.


of all breaches were financially motivated

Data Breach Investigations Report, 2020


average loss per reported incident

FBI Internet Crime Report, 2020


by conventional email threat intelligence tools

Recognizing Email-Based Invoice and Payment Fraud

These attacks are some of the most costly and vicious forms of phishing. Unlike standard email scams, these attacks are highly-targeted and take a great deal of research and personalization to persuade a victim to wire funds or change banking details. The threat actor:


Conducts research on the target and their responsibilities.


Compromises or spoofs the email address of a victim’s colleague or vendor.


Crafts targeted messages to engage and convey urgency.


Convinces victim to send funds following an email conversation.

04 IPF 01 Invoice Payment Fraud Emailsvg

Detecting Invoice and Payment Fraud

This email passed traditional threat intel and reputation checks, but is suspicious. Upon closer examination, we see that:

  • It contains language that attempts to steal money from your organization
  • Its tone suggests urgency
  • The sender is a known vendor, but Theresa rarely corresponds with Jason
  • The attachment contains a URL to an external website

Based on these factors, Abnormal can stop it.

Stop Email-Based Invoice and Payment Fraud that Evades Secure Email Gateways

Detect Suspicious Language and Tone v3

Detect Suspicious Timing, Language, and Tone

This message from Cayman Bank shares new bank details and requests a wire transfer now.

Unlike secure email gateways, Abnormal goes beyond just looking for obvious signs of fraud, such as reply-to pivots, malicious IPs, or impersonated supplier domains. It also reviews every email, including those that are sent between colleagues that bypass usual security controls.

Abnormal flags messages with suspicious tone and language, and invoices that are sent out of the typical payment cycle.

Informed by Behavior Relationship v3

Informed by Person’s Behavior and Relationships

Michael does not ask Dwight for wire transfers. Plus, his email came from Bucharest, 5 minutes after his last one from Scranton. Also, he never signs off with “Good day!”

Unlike other threat intelligence solutions, Abnormal continuously learns about

  • People: their behavior, tone, language used, content shared, and the context for their email-based relationships with others

  • Organizations: the nature of their business, their locations, and their interactions with other organizations

This intelligence flags suspicious emails with a high degree of confidence.

Inspect Attachment v3

Inspect Attachments for Suspicious Content

Michael’s email attachment provides details for Cayman bank, a bank that has never been used by Dunder Mifflin.

Abnormal scans attachments and URLs for suspicious content, websites and metadata.

Only Abnormal reviews all previous and similar invoices to baseline what looks acceptable, in order to block invoice and payment fraud.

Trusted by Global Enterprises


See an Abnormal Product Demo

Related Resources

B Gartner Highlights 1
The Gartner Market Guide for Email Security explains what integrated cloud email security (ICES) solutions are and why they’re essential for modern enterprises. Download a copy now to learn why enterprises are moving away from the SEG.
Read More
Webinar cover 3
While you may be confident in your own email security, the truth is that your security is only as good as the security of your partners and vendors. Discover why vendor email compromise is such an important part of your security strategy.
Read More
Whitepaper cover 2
Vendor email compromise attacks can cause substantial financial loss through invoice or payment fraud. Learn how and why attackers leverage compromised accounts from vendors to launch attacks that are specifically designed to bypass traditional email security.
Read More
Blog yellow tunnel
Vendor email compromise, in which a compromised vendor sends invoice or payment attacks to their customers, is growing in popularity. An easier to detect method of this attack happens when a vendor is impersonated, rather than compromised. In this attack, the...
Read More
Threat report 3
Read the Q1 2021 threat report to learn the latest on vendor email compromise, including which scams are most successful and why the volume of attacks has grown so significantly.
Read More
Microsoft whitepaper cover
In today’s cloud-first approach to managing corporate infrastructure and running applications, more than 56% of organizations globally now use Microsoft 365. See how Abnormal can help you augment your infrastructure to block the most dangerous attacks.
Read More