If you run a business or freelance, invoices are just part of the day — which is exactly why scammers hide inside them. Here’s how to tell a fake invoice email from a real one, including the quiet, expensive version that most checks miss.
Published 6 July 2026 · ~8 min read · By the Phixo team
Freelancers and small teams handle invoices constantly — sending them, receiving them, paying them. That routine is the whole point of an invoice scam email: a fake bill looks like just another item in a busy day, and busy is when people click and pay without thinking.
But “fake invoice email” actually covers two very different attacks, and they need different defenses. Get the distinction and you’ll catch nearly all of them.
Shape 1 — the fake invoice from a stranger. A bill you weren’t expecting, from a company you don’t recognise, hoping you’ll either open the attachment (malware) or pay in a panic. These are noisy and relatively easy to catch.
Shape 2 — the payment-redirect scam. This is the quiet, costly one. An attacker impersonates a supplier you genuinely work with and asks you to update their bank details, so your next real payment lands in the scammer’s account. There’s often no malware and no dodgy link — just a convincing message. This is the shape that drains five- and six-figure sums from small businesses.
These arrive out of nowhere — an “overdue” invoice, a “renewal” for software you don’t use, a subscription you never signed up for. The goal is either to get you to open a booby-trapped attachment or to pay a bill that was never real.
The tells: a company you have no relationship with, an unfamiliar sender domain, pressure to pay “immediately,” and an attachment you weren’t expecting. Be especially wary of .zip, .html, .iso and Office files that ask you to “enable content” or “enable macros” — those are classic malware delivery methods. If you don’t recognise the supplier and never ordered anything, don’t open the file and don’t pay. Many of these also carry the general warning signs of a phishing email: generic greetings, mismatched links, and urgency.
This is where the real money is lost, and where careful people still get caught — because everything looks right. It usually plays out one of two ways:
Either way, the message is calm and businesslike. There’s a real-looking invoice, and somewhere in it: “Please note our bank details have changed — kindly use the account below for this and future payments.”
This is the honest part most vendors won’t tell you: when the supplier’s own mailbox is compromised, the email passes every technical check. The sender address is real. The authentication passes. The writing style matches. No security tool can reliably tell you that a legitimate account has been hijacked. That’s why the only dependable defense here isn’t a scan — it’s a phone call.
Any change to bank or payment details gets verified out-of-band — every time, no exceptions. “Out-of-band” simply means using a channel other than the email that made the request. Call the supplier on a phone number you already have on file (from a previous contract, their website you navigated to yourself, or an earlier invoice) — never a number printed in the suspicious email, because that just connects you to the scammer. Speak to a person, confirm the change is real, and only then update anything.
It feels like friction. It is the single most effective control against payment-redirect fraud, and it costs you two minutes against a potentially catastrophic loss.
Let’s be straight about the limits. Automated checks are genuinely good at catching lookalike-domain redirect attempts and stranger invoices: a scan can flag that a message claiming to be from a supplier actually came from a freshly-registered lookalike domain, that the reply-to address doesn’t match the sender, that a link points somewhere unexpected, or that the email failed its authentication checks (SPF, DKIM, DMARC). Those are exactly the signals that separate a spoofed sender from a real one.
What no tool can promise is catching a compromised real mailbox, because by definition nothing about it is technically wrong. That’s not a gap unique to any one product — it’s the reason out-of-band verification exists. Use a scanner to knock out the spoofing and stranger-invoice cases automatically, and keep the phone-call rule for anything touching payment details. Together they cover both shapes.
Move fast. Contact your bank immediately — if the transfer is recent, they may be able to recall or freeze it. Report it to your local fraud or cybercrime authority. Warn the real supplier, because if their mailbox was compromised, other customers are being targeted too. And if you clicked a link or opened an attachment along the way, follow our step-by-step guide on what to do if you clicked a phishing link, then change any passwords that may be exposed.
Invoice fraud is really just phishing pointed at your accounts payable. The same instincts protect you elsewhere — see how the same playbook drives the fake PayPal email and the Amazon “account suspended” email, both built to rush you into paying or logging in.
Cross-check it against your own records — the invoice number, amount, and work should match something you expected. Confirm the sender’s domain truly belongs to the supplier, don’t open unexpected attachments, and hover over links before clicking. If the invoice asks you to pay to new or changed bank details, verify by phone on a number you already have before sending anything.
Treat it as a red alert, even if the email looks perfect and comes from the right address, because the supplier’s mailbox may be compromised. Don’t confirm by replying to the email. Call them on a number you already have on file and verify with a person first.
Often not, because these emails frequently contain no malware and no malicious link — just text requesting a bank-detail change. There’s nothing for antivirus to detect. The real protection is process: out-of-band verification of any payment change.
Phixo is a browser extension that checks the email open in your Gmail or Outlook across sender and domain reputation, reply-to and link mismatches, lookalike domains, and email authentication (SPF, DKIM, DMARC) — plus an AI read of the language — and explains, in plain English, why it flagged anything. It won’t catch a genuinely compromised mailbox (nothing can), so keep the phone-call rule for bank-detail changes — but it takes the spoofed and lookalike invoices off your plate. Free plan includes 10 scans a day, no credit card. A one-time Google or Microsoft sign-in keeps your scan count tied to your account.
Install Phixo free →Your email body is never stored. Analysis happens in real time and is discarded immediately.