Invoice fraud is one of the most financially damaging cyber crimes affecting Australian businesses today. Unlike ransomware, it does not lock systems or announce itself loudly. Instead, it quietly diverts money straight into a criminal’s bank account.
An invoice fraud prevention policy, backed by clear and enforced procedures, is one of the most effective ways to stop this threat. It is also a required policy for organisations working toward SMB1001 certification from Silver level and above. However, its real value is in preventing catastrophic financial loss.
This article explains how invoice fraud really happens, what we see in real-world incidents, what your policy must include, and how to perform proper due diligence when engaging new vendors, suppliers, or online services.

What Is Invoice Fraud?
Invoice fraud occurs when an attacker tricks a business into paying a legitimate invoice to the wrong bank account. The invoice often looks completely normal. The sender appears trusted. The request does not feel urgent or suspicious.
That is exactly why it works.
Most invoice fraud today results from Business Email Compromise rather than fake suppliers or random scam emails.
What We See in Real Incidents
In the vast majority of incidents we respond to, the attack follows a predictable pattern.
Step 1: A Convincing Phishing Email
An employee receives an email that appears legitimate. Common examples include:
- A document has been shared with you
- You have a secure message
- Please review the attached file
The link leads to a website that looks identical to a Google Workspace or Microsoft 365 login page.
Step 2: Credentials Are Handed Over
The employee enters their email address and password. Nothing obvious happens. No alert appears.
Because there is no immediate impact, the incident is forgotten.
Step 3: The Attacker Gains Mailbox Access
Hours, days, or weeks later, the attacker logs in using stolen credentials. They now sit inside a real mailbox with access to real conversations.
Step 4: The Attacker Searches for Invoices
Rather than causing disruption, attackers quietly search for:
- Sent invoices
- Ongoing billing conversations
- Accounts payable contacts
- Regular customers
Their goal is speed and payment.
Step 5: Bank Details Are Changed
They modify an invoice or send a follow-up email stating bank details have changed.
The wording sounds routine:
- We have updated our bank account
- Please use the new details going forward
- This applies to future payments
Step 6: Payment Is Made
If no verification process exists, payment is made to the attacker.
By the time fraud is discovered, the funds are usually gone.
Why Technology Alone Is Not Enough
Email security tools and MFA are critical. However, no technical system blocks every phishing email.
Invoice fraud succeeds because:
- The email looks legitimate
- The sender is trusted
- The request sounds routine
- No verification process exists
This is why a documented invoice fraud prevention policy is essential.
What an Invoice Fraud Prevention Policy Must Do
An effective invoice fraud prevention policy removes assumptions from payment decisions.
It must clearly define how staff respond when:
- Bank details change
- Payment instructions are updated
- New supplier details are provided
Most importantly, it must enforce verification through a separate communication channel.
The Golden Rule: Verify Using a Different Method
If banking details are changed, verification must never happen the same way the request was received.
If the change arrives by email, you do not confirm it by email.
If a mailbox is compromised, the attacker will simply reply and confirm it.
Best Practice Verification Process
Your policy should mandate:
- Treat all bank detail changes as high risk
- Pause payment until verification is complete
- Verify by phone
- Use a trusted phone number sourced independently
- Document the verification
You should record:
- Who performed the verification
- When it occurred
- Who confirmed the details
- What number was called
This creates accountability and audit evidence.
Vendor Due Diligence: How to Avoid Subscription and Supplier Scams
Invoice fraud is not the only financial risk businesses face.
Many scams now begin with social media advertisements offering:
- Discounted software subscriptions
- Cheap business services
- Bulk product deals
- Investment opportunities
The website looks professional. The branding appears legitimate. Reviews may even look real.
Many businesses pay for the service and never receive anything.
Worse still, credit card details are often harvested and later sold on dark web marketplaces. This leads to ongoing fraudulent transactions long after the original purchase.
Proper vendor due diligence significantly reduces this risk.
Due Diligence Checklist Before Paying a New Vendor
When working with a new supplier, service provider, or subscription platform, perform the following checks.
1. Verify the Business Registration
In Australia, confirm the ABN using the official government register.
Ensure:
- The ABN is active
- The business name matches
- The address details align
If details do not match, treat this as high risk.
2. Check Domain Age and History
Scam websites are often newly created.
You can:
- Check when the domain was registered
- Search for historical versions of the website
- Review independent reputation checks
Newly registered domains advertising major discounts should raise concerns.
3. Validate Contact Information Independently
Never rely solely on:
- Contact forms
- Email addresses on the site
- Phone numbers listed on the page
Instead:
- Search the company independently
- Call a number found via separate sources
- Confirm business details verbally
4. Review Online Presence
Legitimate businesses typically have:
- Consistent LinkedIn profiles
- Established Google reviews
- Company history
- News mentions
Scam operators often have:
- Minimal social presence
- Recently created accounts
- Generic stock photos
- No traceable leadership team
5. Inspect Website Red Flags
Common scam indicators include:
- Slight misspellings in domain names
- Poor grammar
- No physical address
- Only prepaid or credit card options
- Urgency messaging such as "limited time only"
If the price feels too good to be true, it usually is.
6. Use Secure Payment Controls
Whenever possible:
- Use virtual credit cards
- Set transaction limits
- Avoid direct bank transfers
- Use payment providers with dispute protection
Direct bank transfers offer little chance of recovery once the funds have left your account.
7. Check for HTTPS and Certificate Validity
Ensure the website:
- Uses HTTPS
- Has a valid certificate
- Does not trigger browser security warnings
However, remember that HTTPS alone does not guarantee legitimacy.
8. Conduct a Small Test Transaction
For new suppliers, consider:
- Starting with a small purchase
- Confirming delivery
- Verifying invoice accuracy
Only then proceed with larger transactions.
9. Perform Dark Web Monitoring
If you suspect card details may have been exposed, immediately:
- Cancel the card
- Notify the bank
- Monitor for fraudulent activity
- Review login activity across systems
Many organisations discover multiple fraudulent transactions weeks after the initial scam.
Why Due Diligence Must Be in Your Policy
An invoice fraud prevention policy should extend beyond payment redirection.
It should also include:
- New vendor onboarding checks
- Subscription approval workflows
- Finance approval thresholds
- Documented supplier verification
This reduces exposure from both email compromise and fake supplier scams.
For organisations working toward SMB1001 Silver and above, these controls support financial governance and risk management requirements.
Banking Controls: How to Limit Financial Exposure Even If Fraud Occurs
Strong policies reduce risk. However, smart banking controls limit damage if something slips through.
Many organisations focus only on email security and supplier verification. Yet some of the most effective fraud prevention controls sit inside your banking platform.
If configured correctly, your bank can become your final line of defence.
Dual Authorisation for Payments
One of the most powerful fraud prevention controls is dual approval for bank transfers.
Most Australian banks support payment workflows where:
- Accounts payable staff process payments
- A second authorised person reviews pending payments
- A senior executive approves and releases funds
This structure works particularly well when:
- Finance staff prepare transactions
- The CFO logs in separately
- Payments are reviewed before submission
If invoice fraud slips past verification controls, dual approval can stop the transfer before funds leave the account.
No single person should have unrestricted authority to both create and approve payments.
This simple separation of duties dramatically reduces fraud risk.
Daily Transaction Limits
Another critical control is restricting daily transfer limits.
Many businesses leave bank limits unnecessarily high. This increases exposure if credentials are compromised.
Instead:
- Set realistic daily transfer caps
- Adjust limits temporarily when large payments are required
- Reduce limits again immediately afterward
This ensures attackers cannot empty large sums in a single transaction.
Lower limits buy time for detection and intervention.
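The verification rules above (pause on any bank detail change, verify by phone on an independently sourced number, record the check) together with the dual approval and daily cap controls can be expressed as a single release gate. The code below is an added illustration, not from the original article or any banking platform; the supplier register, user ids and phone numbers are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class BankDetails:
    bsb: str
    account: str

@dataclass
class Supplier:
    bank: BankDetails
    trusted_phone: str  # sourced independently at onboarding, never from an invoice or email

@dataclass
class Verification:
    performed_by: str   # who made the call
    confirmed_by: str   # who at the supplier confirmed the details
    number_called: str
    channel: str        # how the check was made, e.g. "phone"

@dataclass
class PaymentRequest:
    supplier: str
    amount: float
    bank: BankDetails  # details as presented on the invoice or follow-up message
    received_via: str  # channel the instructions arrived on, e.g. "email"
    created_by: str
    approved_by: Set[str] = field(default_factory=set)
    verification: Optional[Verification] = None

def release_decision(req: PaymentRequest, register: Dict[str, Supplier],
                     daily_limit: float, spent_today: float) -> Tuple[bool, List[str]]:
    reasons: List[str] = []  # every blocking reason maps to a control in the policy
    supplier = register.get(req.supplier)
    if supplier is None:  # no onboarding record means no due diligence has been done
        return False, ["unknown supplier: complete vendor due diligence first"]
    if req.bank != supplier.bank:  # any change to banking details is high risk
        v = req.verification
        if v is None:
            reasons.append("bank details differ from register: pause until verified")
        elif v.channel == req.received_via:  # the golden rule: never the same channel
            reasons.append("verified on the same channel the request arrived by")
        elif v.number_called != supplier.trusted_phone:
            reasons.append("verification call did not use the independently sourced number")
    if not (req.approved_by - {req.created_by}):  # separation of duties
        reasons.append("no approval from someone other than the payment creator")
    if spent_today + req.amount > daily_limit:  # daily transfer cap
        reasons.append("would exceed the daily transfer cap")
    return not reasons, reasons
```

The returned reasons double as the audit record the policy asks for: a payment only releases when every control has a documented pass.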
Credit Card Exposure: A Major Overlooked Risk
Credit cards are frequently overlooked in fraud prevention discussions.
Many organisations make the mistake of:
- Using one or two corporate cards for all vendors
- Sharing card details across departments
- Storing the same card with dozens of suppliers
If that card becomes compromised:
- It must be cancelled
- Every supplier must be updated
- Subscriptions may fail
- Services can be suspended
- Business operations may be disrupted
This scenario happens far more often than most expect.
Why Virtual Credit Cards Are Strongly Recommended
A far safer approach is issuing:
- Individual credit cards for staff who require one
- Separate cards for major vendors
- Virtual credit cards for subscription trials
Providers such as Airwallex make this process straightforward and secure.
We use virtual credit cards for any new subscription we wish to trial. If that vendor were breached, the exposure on that card is minimal. We can immediately cancel the card without disrupting unrelated services.
This strategy limits:
- Financial exposure
- Operational disruption
- Supplier update burden
Instead of replacing one card across 40 suppliers, you simply cancel one isolated virtual card.
Benefits of Virtual Cards for Subscription Security
Virtual cards allow you to:
- Set individual spending limits
- Restrict merchant categories
- Freeze or cancel instantly
- Monitor usage separately
- Isolate vendor risk
If a supplier suffers a breach and card data is leaked onto the dark web, the damage is contained.
This approach is particularly effective when trialling new vendors discovered through online advertising or social media promotions.
Why This Matters for Vendor Due Diligence
Even after conducting ABN checks, domain validation, and reputation reviews, there is still risk.
No due diligence process guarantees zero exposure.
However, banking controls and virtual card strategies significantly reduce the impact of a bad decision.
Fraud prevention is not about assuming nothing will go wrong.
It is about limiting the blast radius if something does.
Our Recommendation
We recommend that organisations:
- Enable dual payment approval in online banking
- Separate payment creation and approval roles
- Reduce daily transaction limits
- Avoid using one or two shared corporate credit cards
- Issue virtual cards for subscriptions and trials
- Set strict per-card limits
We partner with Airwallex and can assist businesses with secure setup and configuration.
If you are interested in implementing virtual credit cards and stronger payment controls, you can get started here:
https://airwallex.sjv.io/K0kK4a
Common Gaps We See
Many businesses fall short because:
- Anyone can subscribe to services
- Corporate cards have no limits
- Vendor checks are informal
- Finance teams assume legitimacy
- No central supplier register exists
Attackers exploit these weaknesses.
Training Is Critical
Staff must understand:
- How invoice fraud works
- How fake supplier scams operate
- Why social media ads can be malicious
- Why verification delays are acceptable
Regular cyber awareness training significantly reduces risk.
How We Help Businesses Reduce Financial Fraud Risk
At Sentry Cyber, we help organisations:
- Draft and implement invoice fraud prevention policies
- Build vendor due diligence procedures
- Align policies with SMB1001 requirements
- Train finance and operations teams
- Review Google Workspace and Microsoft 365 controls
- Conduct security assessments
Many businesses implement these controls as part of a broader security assessment.
FAQ: Invoice Fraud and Vendor Due Diligence
What is an invoice fraud prevention policy?
It is a documented set of rules defining how businesses verify and approve payment requests, especially when bank details change.
How do social media vendor scams work?
Attackers create fake websites and advertise heavily discounted services. Businesses pay but receive nothing, and card details are often reused fraudulently.
How can businesses verify a new supplier?
By independently verifying ABN registration, domain age, contact details, and company history before making payment.
Is email confirmation safe for bank detail changes?
No. Email confirmation is unsafe if a mailbox has been compromised.
Should due diligence checks be documented?
Yes. Documented verification protects the business and supports compliance requirements such as SMB1001.
Final Thoughts
Invoice fraud and vendor scams are not theoretical risks. They are common, financially damaging, and often preventable.
Technology helps, but disciplined verification processes stop losses.
A strong invoice fraud prevention policy combined with structured vendor due diligence checks significantly reduces your exposure.
If you are unsure whether your current payment and supplier onboarding processes would withstand a real attack, now is the time to review them.
If you would like help implementing or reviewing your invoice fraud prevention policy and vendor due diligence controls, contact the Sentry Cyber team.
