Invoice & Payment Fraud

What Is Invoice & Payment Fraud?

Vendor invoice fraud is one of the highest-volume B2B attacks: an attacker registers a one-character lookalike of a real supplier domain, drafts an invoice that mirrors the supplier's normal format, and emails it to your AP team in the hope that the volume of month-end invoices will let it slip through unnoticed. There is no malware to detect and no urgent banking-change drama to flag - just a clean PDF for goods that were never delivered, with attacker bank details printed directly on the page. The control that stops it is the 3-way match: every invoice has to line up with an open purchase order, a goods receipt from the receiving dock, and the verified vendor master maintained by Procurement. If any of those three legs is missing, the invoice does not move to the payment run, no matter how plausible the PDF looks. In this simulation, you are an AP Specialist at Westmark Industrial. An invoice for $42,890 from a real long-standing supplier - Apex Steel & Fabrication - lands in your inbox with a one-hyphen lookalike domain, no PO reference, and a remit-to bank that does not match the vendor master. You will inspect the email, open the PDF, run the match in the AP system, compare the verified vendor record, place an out-of-band callback to confirm with the real Apex contact, reject the invoice as fraud in the AP workbench, and file a structured fraud report so the SOC can pivot on the indicators and warn the rest of AP. The exercise demonstrates why bank details printed on an invoice are not authoritative, why 'PO pending' is a tell that no PO actually exists, why even a clean-looking PDF for a real supplier name can be entirely fraudulent, and why every rejected fraud attempt is worth reporting even when no money moves.

What You'll Learn in Invoice & Payment Fraud

• Run the 3-way match (purchase order, goods receipt, invoice) on every vendor invoice and refuse to advance any invoice with a failed leg
• Recognize that bank details printed on an invoice are not authoritative and must always be reconciled against the vendor master under Procurement's change control
• Spot lookalike sender domains, missing or placeholder PO references, and unusually short payment terms as red flags of vendor invoice fraud
• Reject contact information supplied inside a suspicious invoice or its accompanying email - the phone number and reply-to are part of the attack
• Use the verified phone number from the vendor master to place an out-of-band callback that confirms the invoice is genuine before any payment moves
• Reject confirmed-fraud invoices in the AP system with a structured reason code that produces an audit trail and a SOC notification
• File a structured fraud report capturing the lookalike domain, spoofed phone, fraudulent bank account, and 3-way match output so the SOC can hunt for parallel campaign attempts

Invoice & Payment Fraud — Training Steps

1. Monday Morning Invoice Queue

   It is Monday morning at Westmark Industrial. You're Alice, an Accounts Payable Specialist, and the end-of-month invoice queue is sitting at twenty-three open items. Wednesday's payment run is the deadline. Most of the queue is routine. Each invoice gets matched against its purchase order and goods receipt in InvoiceFlow before payment is queued - the 3-way match is the only thing standing between a fraudulent invoice and the wire room.

2. An Invoice From Apex Steel

   A new email lands in your inbox from Apex Steel & Fabrication, one of your standing suppliers. The subject line references invoice INV-AS-2025-1147 and a PDF is attached.

3. A Closer Look at the Email

   Apex sends invoices like this every month, so on a quick read nothing about the message rings an immediate alarm. Slow down anyway. Two details in the email should make you stop before you process the PDF.

4. Download the Invoice PDF

   Even with the lookalike domain, the only way to know if this invoice is real is to inspect it the same way you inspect every other invoice. Pull the attached PDF down to your Downloads folder so you can open it.

5. Open the Downloaded PDF

   The PDF is now in your Downloads folder. Open it from the file manager so you can see the line items, payment terms, and the remit-to bank details printed on the invoice.

6. What the Invoice Claims

   The PDF is well-formatted - vendor letterhead, line items, payment terms. The two parts that matter most to fraud detection are the purchase order reference and the banking details . Look at both.

7. Run the 3-Way Match

   An eyeballed PDF is not the control. The control is the 3-way match in InvoiceFlow: invoice line items must match an open purchase order, the goods receipt must confirm those items were actually delivered, and the vendor banking details must match the vendor master. If any of those three legs fail, the invoice does not move to the payment run.

8. Sign In to InvoiceFlow

   InvoiceFlow uses Westmark SSO - the same account that gates every internal portal. Use the saved credentials in your password manager.

9. Upload the Invoice for Matching

   InvoiceFlow opens to your AP workbench. The email arrived in your personal inbox, not the AP intake mailbox - so InvoiceFlow does not yet have the invoice. Click the upload button, choose the PDF you just downloaded, and let the system parse it and run the 3-way match.

10. The Match Results

    InvoiceFlow runs the match in seconds. Three of the four checks fail - and the system has not auto-blocked the invoice, only flagged it. Whether to escalate or pay is your decision.