They Could Be Watching You: The Silent Fraud Threatening Your Invoices

Did you know that some companies have lost tens of thousands of euros simply by sending an invoice by email that was then altered before it reached the client? Worse yet: they don't realise anything is wrong until it's too late.

How Does This Fraud Work?

The scheme is simple but extremely effective:

  1. A company issues an invoice and sends it by email to its client.
  2. An attacker has already gained access to the sender's or the recipient's email account.
  3. From inside that account, the attacker alters the PDF or the message body so that it shows a different bank account number (IBAN), one the attacker controls, and the tampered invoice is what the client sees.
  4. The client pays as usual. The supplier waits for payment... but the money has gone to the attacker's account.

Neither the client nor the supplier notices the fraud until the supplier chases the unpaid invoice. By then the funds have usually been moved on and are very hard to recover.

How Do Cybercriminals Gain Access?

The most common methods include:

  • Phishing: emails that trick employees into entering their password on a fake login page.
  • Malware: malicious software that gives the attacker remote access or steals saved credentials.
  • Compromised counterparties: a supplier's or client's account that has already been taken over and is used to reach yours.
  • Weak, reused or shared passwords: a single leaked password is enough to open the mailbox.

Legal Loopholes and Unclear Responsibilities

Who is responsible?

  • The supplier who sent the invoice?
  • The client who paid to a wrong account?
  • The bank for not detecting fraud?

Current legislation does not provide clear answers. Insurers usually exclude this type of fraud, and lawsuits can drag on for years.

There is no clear legislation requiring parties to verify bank details securely before a transfer.

What Measures Can Companies Take?

There are effective ways to reduce the risk:

Best Practices:
  • Avoid sending IBANs in emails without a separately agreed way to confirm them; an IBAN that arrives by email should never be treated as authoritative.
  • Confirm any change of bank account by phone, using a number you already have on file, never one given in the email that announces the change.
  • Use strong, unique passwords for every account.
  • Enable multi-factor authentication (MFA) on all email accounts.
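The two checks above (do not trust an emailed IBAN, confirm changes by phone) can be put into the accounts-payable workflow. The following is an added example, not code from the original article or from Matas Informàtica: it validates the form of any IBAN found on an incoming invoice and then compares it with the details already on file for that supplier, accepting a change only once a person has confirmed it by phone. The vendor record, the two sample invoices and the company name are constructed for illustration; the IBANs are the public ISO example values.

```python
"""Added example (not from the original article): treat the IBAN on an incoming
invoice as untrusted, validate its form, and compare it with the bank details
already on file for that supplier. A change is accepted only after someone has
confirmed it by phone using a number that was already on file.

Assumptions (hypothetical): the vendor record is a small dataclass; the two
invoices are constructed samples; both IBANs are the public ISO example values.
"""
import re
from dataclasses import dataclass, field

# Matches an IBAN written with or without the usual groups of four.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]){11,30}\b")


def normalize(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check. This proves the IBAN is well-formed, NOT that it
    belongs to the supplier: a fraudster's replacement IBAN passes just as well."""
    s = normalize(iban)
    if not (15 <= len(s) <= 34) or not re.fullmatch(r"[A-Z0-9]+", s):
        return False
    if not (s[:2].isalpha() and s[2:4].isdigit()):
        return False
    # Move the first four characters to the end, then map letters A..Z to 10..35.
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


@dataclass
class Vendor:
    vendor_id: str
    name: str
    iban: str                                               # confirmed at onboarding
    phone_confirmed: set[str] = field(default_factory=set)  # later changes, confirmed by a call


def extract_ibans(text: str) -> list[str]:
    return [normalize(m) for m in IBAN_RE.findall(text)]


def assess_invoice(invoice_text: str, vendor: Vendor) -> tuple[str, str]:
    """Return (decision, reason); decision is PAY, HOLD or REJECT."""
    found = extract_ibans(invoice_text)
    if not found:
        return "HOLD", "no IBAN on the invoice; pay only to the IBAN on file"
    malformed = [i for i in found if not iban_is_valid(i)]
    if malformed:
        return "REJECT", f"malformed IBAN on invoice: {malformed[0]}"
    on_file = normalize(vendor.iban)
    trusted = {on_file} | {normalize(i) for i in vendor.phone_confirmed}
    unknown = [i for i in found if i not in trusted]
    if unknown:
        # Typical fraud: a perfectly valid IBAN that simply is not the supplier's.
        return "HOLD", f"IBAN {unknown[0]} differs from the record on file ({on_file}); confirm by phone first"
    if any(i != on_file for i in found):
        return "PAY", "IBAN change was confirmed by phone; update the vendor record"
    return "PAY", "IBAN matches the record on file"


# Constructed samples (not real companies or accounts).
VENDOR = Vendor("V-001", "Acme Tools S.L.", "DE89 3704 0044 0532 0130 00")

INVOICE_OK = """Invoice 2024-117 from Acme Tools S.L.
Amount due: 4,200.00 EUR
IBAN: DE89 3704 0044 0532 0130 00
"""

# Same invoice after someone in the mailbox swapped the IBAN. The replacement is a
# valid IBAN, so only the comparison with the record on file catches it.
INVOICE_TAMPERED = """Invoice 2024-117 from Acme Tools S.L.
Amount due: 4,200.00 EUR
Please note our NEW bank details below.
IBAN: GB82 WEST 1234 5698 7654 32
"""

if __name__ == "__main__":
    for label, text in [("original", INVOICE_OK), ("tampered", INVOICE_TAMPERED)]:
        print(label, assess_invoice(text, VENDOR))
```

The point of the design is that the mod-97 check only catches typos; the decision that matters is the comparison against the record on file, and the only way an IBAN gets into `phone_confirmed` is a person calling a number the company already had before the "new bank details" email arrived.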
Protection Techniques:
  • Digitally sign outgoing emails and invoices (for example with S/MIME) so that any alteration can be detected by the recipient.
  • Encrypt sensitive email content.
  • Block automatic forwarding rules, especially to external addresses, and alert on their creation; attackers set them up to quietly copy invoice traffic out of the mailbox.
  • Audit who has access, where they sign in from, and which devices and apps are connected; remove anything you don't recognise.
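Blocking forwarding rules and auditing access is only useful if someone actually looks at what is configured. The following is an added example, not code from the original article or from Matas Informàtica: it reviews an export of mailbox inbox rules and flags the patterns typical of a mailbox taken over for invoice fraud, namely forwarding or redirecting to outside addresses, and rules that quietly delete or hide invoice or payment mail so the real user never sees the conversation. The dict shape of a rule, the `ORG_DOMAINS` set and the sample rules are constructed assumptions; a real export from your mail platform's admin tooling would need a small adapter to this shape.

```python
"""Added example (not from the original article): review exported inbox rules
and flag the patterns attackers create after taking over a mailbox: forwarding
or redirecting to outside addresses, and rules that hide invoice or payment
mail from the real user so the fraud goes unnoticed.

Assumptions (hypothetical): rules arrive as plain dicts in the shape used below
(a real export from your mail platform needs a small adapter to this shape);
ORG_DOMAINS lists your own domains; the sample rules are constructed.
"""
from dataclasses import dataclass

ORG_DOMAINS = {"example.com"}
PAYMENT_WORDS = ("invoice", "factura", "iban", "payment", "remittance", "bank")
# Folders attackers use to park intercepted mail where nobody looks.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email", "archive"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    severity: str
    reason: str


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def review_rule(rule: dict) -> list[Finding]:
    mailbox, name = rule["mailbox"], rule.get("name", "")
    findings: list[Finding] = []

    # 1. Forwarding or redirecting to an address outside the organisation.
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [t for t in targets if is_external(t)]
    if external:
        findings.append(Finding(mailbox, name, "high",
                                "forwards or redirects to external address(es): " + ", ".join(external)))

    # 2. Matching payment-related mail and then deleting, hiding or marking it read.
    conditions = " ".join(rule.get("contains", [])).lower()
    hides = (rule.get("delete", False)
             or rule.get("mark_as_read", False)
             or rule.get("move_to", "").lower() in HIDING_FOLDERS)
    if hides and any(w in conditions for w in PAYMENT_WORDS):
        findings.append(Finding(mailbox, name, "high",
                                "hides invoice/payment mail from the mailbox owner"))

    # 3. Attackers often leave the name blank or use a single character.
    if len(name.strip()) <= 1:
        findings.append(Finding(mailbox, name, "medium", "empty or one-character rule name"))
    return findings


def review_rules(rules: list[dict]) -> list[Finding]:
    return [f for rule in rules for f in review_rule(rule)]


# Constructed sample export: two ordinary rules and two planted by an intruder.
SAMPLE_RULES = [
    {"mailbox": "accounts@example.com", "name": "Newsletters",
     "contains": ["unsubscribe"], "move_to": "Newsletters"},
    {"mailbox": "accounts@example.com", "name": "Cover for Maria",
     "contains": [], "forward_to": ["maria@example.com"]},
    {"mailbox": "accounts@example.com", "name": ".",
     "contains": [], "forward_to": ["ar.acme.tools@example.net"], "mark_as_read": True},
    {"mailbox": "accounts@example.com", "name": "Cleanup",
     "contains": ["invoice", "IBAN"], "move_to": "RSS Feeds", "mark_as_read": True},
]

if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES):
        print(f"[{f.severity}] {f.mailbox} rule '{f.rule}': {f.reason}")
```

Run against the sample export, the two legitimate rules produce nothing, the external forward and the "Cleanup" rule are flagged high, and the one-character rule name is flagged as a secondary indicator. In practice this review should be scheduled and its output compared with the previous run, since a rule that appeared overnight is itself the signal.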

The False Sense of Security

SMEs are the most vulnerable: without an IT department, audits or training, the intrusion goes unnoticed until the money is gone.

A company with just 3 people can lose €20,000 without realizing it.

What To Do If You Have Already Been a Victim?

  • Call your bank immediately and ask it to block or recall the transfer; the chances of recovery fall quickly once the money is moved on.
  • Report it to the police or the cybercrime unit.
  • Notify the supplier or client involved, so they can check their own accounts too.
  • Audit your systems: reset passwords, revoke active sessions, remove forwarding rules, and fix the weakness that let the attacker in.
  • Consult cybersecurity experts.

Conclusion

This type of fraud is becoming a very serious problem, and it is not science fiction. It is no longer just a technical issue but a basic business responsibility.

Protecting yourself is cheaper than recovering.

Article published by Matas Informàtica. Interested in this topic? Contact us to assess your risk and protect your invoicing processes.