
If you run a business in South Africa, or work in one that pays suppliers, you need to know about this.
We’re talking about it because we see it constantly. At least once a week, one of our clients receives a supplier invoice where the banking details have been swapped out.
The invoice looks completely legitimate. Same logo, same formatting, sometimes even sent from the real supplier’s email address. The only thing that’s changed is where the money goes.
This isn’t some rare, sophisticated attack. It’s happening to businesses across every industry, every single day.
How do they pull it off?
There’s no single method. Sometimes the criminals have gotten into your supplier’s email account and are sending from their actual address. Sometimes they’ve compromised someone in your own organisation and are watching payment conversations from the inside.
And sometimes they haven’t hacked anyone at all: they’ve just registered a domain that looks almost identical (smithtrading-accounts.co.za instead of smithtrading.co.za) and sent a convincing fake.
What they all have in common: patience. These aren’t rushed, sloppy attacks. The criminals often watch email threads for weeks, learning how your business operates, who pays whom, what invoices look like, and when payments are due. Then they strike at exactly the right moment.
Your spam filter won’t catch it because there’s nothing technically malicious in the email. No virus, no suspicious link. Just a polite, professional-looking message asking you to pay money into the wrong account.
What to watch for
The biggest red flag is the obvious one: any email announcing changed banking details. That’s the entire scam. Everything else is just packaging.
But here are the smaller things that often give it away:
- A supplier you’ve paid for years suddenly wants you to use a different bank
- Your Johannesburg contact now has a Cape Town branch code
- Unusual urgency, “please update before you process today’s payment”
- The email asks you to ignore or delete previous correspondence
- The sender address is almost right, but not quite
- The tone or formatting feels slightly off from what you’re used to
- The display name is set to look like an email address: you see supplier@supplier.com at a glance, but when you click to see the full details, the actual sending address is something like accounts@randomdomain.com
- Pressure to skip your normal verification process, “just this once”
- A phone number in the email that’s different from what you have on file
None of these on their own means it’s definitely a scam. But combine one or two with a banking change request? That’s your cue to stop and verify.
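As an added example (not part of the original article), the two sender-address checks from the list above can be automated for the From header of any email announcing a banking change. The allow-list of supplier domains and the sample headers are constructed, and the function names and the 0.85 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: domains of suppliers already on file (assumption).
KNOWN_SUPPLIER_DOMAINS = {"smithtrading.co.za", "supplier.com"}
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def is_known(domain, known):
    """True for an on-file domain or a subdomain of one."""
    return any(domain == k or domain.endswith("." + k) for k in known)


def lookalike_of(domain, known, threshold=0.85):
    """Return the on-file domain this one imitates, or None."""
    if is_known(domain, known):
        return None
    for k in sorted(known):
        name = k.split(".")[0]  # e.g. "smithtrading"
        # Real name padded with extra words, or a near-identical spelling.
        if name in domain or SequenceMatcher(None, domain, k).ratio() >= threshold:
            return k
    return None


def check_sender(from_header, known=KNOWN_SUPPLIER_DOMAINS):
    """Return red flags for one From header; an empty list means none found."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    shown = EMAIL_IN_TEXT.search(display)
    if shown and shown.group(1).lower() != domain:
        flags.append("display-name-shows-other-address")
    if lookalike_of(domain, known):
        flags.append("lookalike-domain")
    elif not is_known(domain, known):
        flags.append("unknown-domain")
    return flags


# Constructed sample headers.
SAMPLES = [
    '"supplier@supplier.com" <accounts@randomdomain.com>',
    "Smith Trading <accounts@smithtrading-accounts.co.za>",
    "Smith Trading <accounts@smithtrading.co.za>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no sender red flags")
```

An empty result only means the sender address matches your records. A message sent from a supplier’s compromised mailbox passes this check, so a banking change still needs the phone call.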
Why smart people fall for this
This scam works because it exploits trust, not technology. The email comes from someone you know (or appears to). It references real invoices, real amounts, real projects. It fits naturally into an existing conversation. There’s nothing obviously “phishy” about it.
And let’s be honest, when you’re processing dozens of payments and trying to meet deadlines, it’s easy to just update the details and move on. The criminals know this. They’re counting on it.
The one rule that stops this
Phone them. That’s it.
Before you change any supplier’s banking details, or load a new supplier for the first time, call them on a number you already have. Not the number in the email (criminals include fake “verification” numbers too). Use a number from their website, your existing records, or one you’ve called before.
Ask directly: “Did you send us new banking details?”
This takes five minutes. It’s the difference between paying your supplier and paying a criminal.
If you’ve already paid
Move fast: you may only have hours before the money disappears.
- Call your bank’s fraud hotline immediately. Not tomorrow. Not after lunch. Now. Request an urgent recall.
- Contact the receiving bank too. If you paid to a Capitec account, Capitec can freeze it.
- Report it to SAPS and get a case number (you’ll need this for insurance).
- Notify SABRIC at www.sabric.co.za; they track these incidents nationally.
- Tell the real supplier. Their email might be compromised, putting their other customers at risk.
We’ve seen successful recoveries when people acted within the first hour. After a day or two, the money is usually gone.
Protecting your own customers
Everything above assumes you’re the one receiving dodgy invoices. But what about invoices you send out? The same scam can work in reverse: criminals intercept your invoices and change the banking details before your clients see them.
A clear warning on your invoices helps. So does publishing your correct banking details on your website where clients can verify independently. There are also technical controls that stop criminals from sending emails pretending to be your company, but that’s a topic for another article.
The bottom line
This scam succeeds because it’s simple and it exploits normal business behaviour. But it falls apart the moment someone picks up the phone to check.
Share this with your team. Share it with your suppliers. The more people who know what to look for, the harder it becomes for these criminals to operate.
When banking details change, pick up the phone.
For a practical action plan, read our follow-up article:
Protecting Your Business From Invoice Fraud: A Practical Guide
Have questions or want help protecting your business? Get in touch.
