GF 03 720x478 2x

Stop Invoice and Payment Fraud

Attackers regularly compromise vendor accounts or spoof trusted identities and target unsuspecting employees with fake invoices or payment requests.

Conventional email security solutions are often blind to these types of fraud.


of all breaches were financially motivated

Data Breach Investigations Report, 2020


average loss per reported incident

FBI Internet Crime Report, 2020


by conventional email threat intelligence tools

Recognizing Email-Based Invoice and Payment Fraud

These attacks are some of the most costly and vicious forms of phishing. Unlike standard email scams, these attacks are highly-targeted and take a great deal of research and personalization to persuade a victim to wire funds or change banking details. The threat actor:


Conducts research on the target and their responsibilities.


Compromises or spoofs the email address of a victim’s colleague or vendor.


Crafts targeted messages to engage and convey urgency.


Convinces victim to send funds following an email conversation.

sample invoice and payment fraud email detection

Detecting Invoice and Payment Fraud

This email passed traditional threat intel and reputation checks, but is suspicious. Upon closer examination, we see that:

  • It contains language that attempts to steal money from your organization
  • Its tone suggests urgency
  • The sender is a known vendor, but Theresa rarely corresponds with Jason
  • The attachment contains a URL to an external website

Based on these factors, Abnormal can stop it.

Stop Email-Based Invoice and Payment Fraud that Evades Secure Email Gateways

sample email with suspicious request and done

Detect Suspicious Timing, Language, and Tone

This message from Cayman Bank shares new bank details and requests a wire transfer now.

Unlike secure email gateways, Abnormal goes beyond just looking for obvious signs of fraud, such as reply-to pivots, malicious IPs, or impersonated supplier domains. It also reviews every email, including those that are sent between colleagues that bypass usual security controls.

Abnormal flags messages with suspicious tone and language, and invoices that are sent out of the typical payment cycle.

abnormal behavioral analysis of invoice interaction

Informed by Person’s Behavior and Relationships

Michael does not ask Dwight for wire transfers. Plus, his email came from Bucharest, 5 minutes after his last one from Scranton. Also, he never signs off with “Good day!”

Unlike other threat intelligence solutions, Abnormal continuously learns about

  • People: their behavior, tone, language used, content shared, and the context for their email-based relationships with others

  • Organizations: the nature of their business, their locations, and their interactions with other organizations

This intelligence flags suspicious emails with a high degree of confidence.

abnormal inspecting attachment and URL for suspicious content

Inspect Attachments for Suspicious Content

Michael’s email attachment provides details for Cayman bank, a bank that has never been used by Dunder Mifflin.

Abnormal scans attachments and URLs for suspicious content, websites and metadata.

Only Abnormal reviews all previous and similar invoices to baseline what looks acceptable, in order to block invoice and payment fraud.

Trusted by Global Enterprises


Prevent the Attacks That Matter Most

Related Resources