Stop Invoice and Payment Fraud

Attackers regularly compromise vendor accounts or spoof trusted identities and target unsuspecting employees with fake invoices or payment requests.

Conventional email security solutions are often blind to these types of fraud.

Get Our CISO Guide to Supply Chain Compromise
Invoice Fraud Header V2


of all breaches were financially motivated

Data Breach Investigations Report, 2020


average loss per reported incident

FBI Internet Crime Report, 2020


by conventional email threat intelligence tools


Recognizing Email-Based Invoice and Payment Fraud

These attacks are some of the most costly and vicious forms of phishing. Unlike standard email scams, these attacks are highly-targeted and take a great deal of research and personalization to persuade a victim to wire funds or change banking details. The threat actor:


Conducts research on the target and their responsibilities.


Compromises or spoofs the email address of a victim’s colleague or vendor.


Crafts targeted messages to engage and convey urgency.


Convinces victim to send funds following an email conversation.


Detecting Invoice and Payment Fraud

This email passed traditional threat intel and reputation checks, but is suspicious. Upon closer examination, we see that:

  • It contains language that attempts to steal money from your organization
  • Its tone suggests urgency
  • The sender is a known vendor, but Theresa rarely corresponds with Jason
  • The attachment contains a URL to an external website

Based on these factors, Abnormal can stop it.


Stop Email-Based Invoice and Payment Fraud that Evades Secure Email Gateways

sample email with suspicious request and done

Detect Suspicious Timing, Language, and Tone

This message from Cayman Bank shares new bank details and requests a wire transfer now.

Unlike secure email gateways, Abnormal goes beyond just looking for obvious signs of fraud, such as reply-to pivots, malicious IPs, or impersonated supplier domains. It also reviews every email, including those that are sent between colleagues that bypass usual security controls.

Abnormal flags messages with suspicious tone and language, and invoices that are sent out of the typical payment cycle.

abnormal behavioral analysis of invoice interaction

Informed by Person’s Behavior and Relationships

Michael does not ask Dwight for wire transfers. Plus, his email came from Bucharest, 5 minutes after his last one from Scranton. Also, he never signs off with “Good day!”

Unlike other threat intelligence solutions, Abnormal continuously learns about

  • People: their behavior, tone, language used, content shared, and the context for their email-based relationships with others

  • Organizations: the nature of their business, their locations, and their interactions with other organizations

This intelligence flags suspicious emails with a high degree of confidence.

abnormal inspecting attachment and URL for suspicious content

Inspect Attachments for Suspicious Content

Michael’s email attachment provides details for Cayman bank, a bank that has never been used by Dunder Mifflin.

Abnormal scans attachments and URLs for suspicious content, websites and metadata.

Only Abnormal reviews all previous and similar invoices to baseline what looks acceptable, in order to block invoice and payment fraud.


Trusted by Global Enterprises


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Resources

B Gartner Highlights 1
The Gartner Market Guide for Email Security explains what integrated cloud email security (ICES) solutions are and why they’re essential for modern enterprises. Download a copy now to learn why enterprises are moving away from the SEG.
Read More
Webinar cover 3
While you may be confident in your own email security, the truth is that your security is only as good as the security of your partners and vendors. Discover why vendor email compromise is such an important part of your security strategy.
Watch Now
B 03 25 22 CISCO Guide to VEC
Supply chain compromise attacks can cause substantial financial loss through invoice or payment fraud. Learn how and why attackers leverage compromised accounts from vendors to launch attacks that are specifically designed to bypass traditional email security.
Download Now
Blog yellow tunnel
Vendor email compromise, in which a compromised vendor sends invoice or payment attacks to their customers, is growing in popularity. An easier to detect method of this attack happens when a vendor is impersonated, rather than compromised. In this attack, the...
Read More
Threat report 3
Read the Q1 2021 threat report to learn the latest on vendor email compromise, including which scams are most successful and why the volume of attacks has grown so significantly.
Download Now
Microsoft whitepaper cover
In today’s cloud-first approach to managing corporate infrastructure and running applications, more than 56% of organizations globally now use Microsoft 365. See how Abnormal can help you augment your infrastructure to block the most dangerous attacks.
Download Now