How to protect your business from invoice fraud

Invoice fraud costs UK businesses millions of pounds every year. Unlike many types of business crime, it doesn't require sophisticated hacking or technical knowledge; in many cases, all it takes is a convincing email and a changed bank account number.

If you send or receive invoices as part of running your business, understanding how invoice fraud works and how to protect yourself is not optional. It's essential.

This guide covers the most common types of invoice fraud targeting UK small businesses, the warning signs to look for, and the practical steps you can take to protect your payments.

What is invoice fraud?

Invoice fraud is when a fraudster tricks a business into making a payment to the wrong bank account, usually their own. The invoice itself may look completely genuine, with a correct business name, logo, invoice number, and amounts, but the payment details have been changed.

The business pays, the money lands in the fraudster's account, and by the time anyone notices, it's usually gone.

Invoice fraud can target you in two ways:

As a sender, someone intercepts or clones an invoice you've sent to a client and changes the bank account details before it reaches them. Your client pays what they think is your invoice, but the money goes to a fraudster.

As a recipient, you receive a fake or modified invoice appearing to come from a supplier, contractor, or service provider you work with. You pay it, believing it's genuine.

Both scenarios can be financially devastating for a small business — and recovering the money is rarely straightforward.

How common is invoice fraud in the UK?

Invoice fraud, also known as Authorised Push Payment (APP) fraud, is one of the fastest-growing types of financial crime in the UK. According to UK Finance, APP fraud losses exceeded £460 million in 2023, with businesses accounting for a significant portion of that figure.

Small businesses are particularly vulnerable because they often lack the internal controls and verification processes that larger organisations have in place. A sole trader or small team processing payments quickly, without a second pair of eyes on every invoice, is exactly the kind of target fraudsters look for.

The most common types of invoice fraud

1. Business Email Compromise (BEC)

A fraudster gains access to, or spoofs, an email account belonging to either your business or a supplier. They intercept invoice communications and swap the bank details before the email reaches its destination.

This is particularly dangerous because everything looks genuine. The email address looks right, the invoice looks right, and there's often a plausible reason given for the change in bank details ("we've switched banks", "our old account is being updated").

2. Invoice cloning

A fraudster copies a real invoice, either by intercepting it in transit or finding it through a data breach, and recreates it with different payment details. The cloned invoice is then sent to the client.

The client has no reason to question it; the invoice number, amounts, and business details are all correct. Only the bank account or payment link is different.

3. Supplier impersonation

A fraudster contacts you pretending to be a supplier you already work with, claiming their bank details have changed. They send a convincing letter or email asking you to update their payment details in your system. The next invoice you pay using those updated details goes straight to the fraudster.

4. Fake invoice scams

You receive an invoice for goods or services you never ordered or received. These are usually for small amounts, directory listings, advertising, and domain renewals, with the hope that the business pays without checking.

Warning signs of a fraudulent invoice

Unexpected change in payment details, any request to change bank account details, especially by email, should be treated with extreme caution. Always verify by calling the supplier on a number you already have on file, not one provided in the suspicious email.

Urgency, fraudulent invoices often create artificial urgency. "Please pay by the end of today to avoid late fees." Legitimate suppliers give reasonable payment terms.

Slightly wrong email address, look carefully. [email protected] and [email protected] look almost identical at a glance. Fraudsters register lookalike domains specifically for this.

Inconsistent formatting: if an invoice from a regular supplier suddenly looks different, a different font, a different layout, a different logo quality, treat it as suspicious.

Unsolicited invoices, an invoice arriving out of nowhere for something you don't recognise, is a red flag. Verify before paying.

Requests to change your process: Please don't use the old payment portal; just bank transfer directly to this account. Fraudsters try to bypass existing verification systems.

How to protect your business from invoice fraud

1. Verify bank detail changes by phone

Never update a supplier's bank details based solely on an email request. Always call the supplier directly using a phone number from your existing records, not one provided in the email, to confirm the change is genuine.

This single step prevents the vast majority of supplier impersonation fraud.

2. Use invoice verification

When you send invoices, include a verification link that your clients can use to confirm the invoice is genuine before paying. Built For Small Business Invoicing includes a free invoice verification system before payment; every invoice generated includes a unique verification URL. If a client clicks the link and the signature doesn't match, they'll see an immediate warning that the invoice may have been tampered with.

This protects both you and your clients. If a fraudster clones one of your invoices and changes the payment details, your client can verify the invoice before paying and catch the fraud before any money moves.

3. Use secure payment links

Instead of sharing bank account details on invoices, use a secure online payment link. With Built For Small Business Invoicing, clients can pay directly via Stripe from the invoice, no bank details to intercept or change. If there's no bank account number on the invoice, there's nothing for a fraudster to swap.

4. Set up two-factor verification for payments

For larger payments, implement a process where a second person in your business confirms the payment before it's made. Even for sole traders, having a policy of calling a supplier before making any payment above a certain threshold adds a meaningful layer of protection.

5. Protect your email account

Many invoice fraud cases start with a compromised email account. Use a strong, unique password for your business email, enable two-factor authentication, and be cautious about clicking links in emails, even from addresses you recognise.

6. Keep your accounting software secure

If a fraudster gains access to your invoicing or accounting software, they can see all your clients, invoice amounts, and payment history. everything they need to craft a convincing fake. Use strong passwords, enable two-factor authentication, and review who has access to your accounts regularly.

7. Educate anyone who handles payments

If you have staff who process invoices or make payments, make sure they know what to look for. A simple written policy, we always call suppliers to verify bank detail changes, we never pay an invoice we don't recognise, we always check the sender's email address carefully, which can prevent costly mistakes.

8. Check your email domain security

DMARC, DKIM, and SPF records on your email domain make it much harder for fraudsters to spoof your email address. If you're using Google Workspace, Microsoft 365, or a business email provider, check that these records are set up correctly. Your IT provider or email host can help with this.

What to do if you've been a victim of invoice fraud

Act immediately, contact your bank as soon as you realise what's happened. Banks have fraud teams that can sometimes recall payments if acted on quickly enough. Time is critical.

Report it to Action Fraud: The UK's national fraud reporting centre. Call 0300 123 2040 or report online at actionfraud.police.uk. Even if you don't recover the money, reporting helps track patterns and may prevent others from being targeted.

Notify the genuine supplier: If a fraudster has been impersonating a supplier, let them know immediately. They may be unaware, and other clients could be at risk.

Review your processes: Once the immediate situation is dealt with, review how the fraud happened and what controls would have prevented it. Update your payment verification procedures accordingly.

Keep records: Document everything about the fraud, emails, invoices, payment receipts, and bank statements. You'll need these for reporting and any potential recovery process.

Invoice verification with Built For Small Business

Every invoice created with Built For Small Business includes a free invoice verification link printed on the invoice. When your client receives the invoice, they can visit the verification URL to confirm:

• The invoice was genuinely issued by your business
• The invoice has not been modified since it was created
• The invoice number, amount, and dates are authentic

If a fraudster clones your invoice and changes the bank details or payment link, the verification signature check will fail, and your client will see an immediate warning before they make any payment.

This feature is free on all plans and requires no setup. It's built into every invoice automatically.

Create your first invoice free, no account required

Frequently asked questions

What is the most common type of invoice fraud in the UK?
Business Email Compromise (BEC) and invoice cloning are the most common types. Both involve intercepting or copying legitimate invoices and changing the payment details before the client pays.

Can I get my money back if I've paid a fraudulent invoice?
It depends on how quickly you act. Contact your bank immediately; some banks can recall payments if contacted within hours. Report to Action Fraud regardless of whether the money is recovered.

How do I know if an invoice I've received is genuine?
Check the sender's email address carefully, call the supplier on a number from your existing records to verify, and look for any inconsistencies in formatting or payment details. If the invoice includes a verification link, use it.

Does invoice fraud only affect large businesses?
No, small businesses are frequently targeted because they often have fewer verification procedures in place. Sole traders and small teams processing invoices quickly are common targets.

Is invoice verification free with Built For Small Business?
Yes, invoice verification is included free on all plans, including the free Foundation plan. Every invoice automatically includes an invoice verification link at no extra cost.

What should I do if a supplier says their bank details have changed?
Always verify by calling the supplier directly on a phone number from your existing records, not any number provided in the email or letter requesting the change. Never update payment details based solely on an email request.