Protecting Your Business From Invoice Fraud: A Practical Guide

Here is a practical action plan to help protect your business and customers from invoice scams.


This is the follow-up to our article on spotting invoice scams. If you haven’t read that one yet, start there; it covers what to look for and why these scams work so well.

This article is for business owners and finance managers who want to actually do something about it. We’ll cover both sides: stopping your team from paying scammers, and stopping scammers from impersonating you to your clients.

None of this is complicated. Most of it costs nothing. Let’s get into it.

Protecting yourself when paying suppliers


Make phone verification official policy

You probably already verify banking changes by phone; most businesses do after they’ve had a close call. But is it written down? Does everyone know it’s mandatory, not optional?

Put it in writing. Make it clear: no banking detail changes get processed without a phone call to a known number. Not the number in the email. A number from your records or the supplier’s official website.

This takes ten minutes to write up and costs nothing. It’s still the single most effective defence.

Two pairs of eyes on beneficiary changes

When someone loads a new beneficiary or changes existing details, have a second person verify before any payment goes through. Most accounting systems support this. If yours doesn’t, do it manually: a quick sign-off from a manager before processing.

This catches mistakes and scams alike.

Use your bank’s verification tools

Most South African banks now offer beneficiary verification services. When you add a new beneficiary, the bank checks whether the account number matches the name you’ve entered. It’s not foolproof, but it adds friction for scammers using mule accounts.

Ask your bank what’s available. FNB, Standard Bank, Nedbank, and Absa all have some version of this.

Be careful with email on your phone

Mobile email apps often hide the full sender address, showing only the display name. On a small screen, Smith Trading <accounts@smithtrading-invoices.co.za> might just show as “Smith Trading”, and you’d never notice the dodgy domain.

If you’re approving payments or reviewing invoices on your phone, take extra care. When in doubt, check on a computer where you can see the full details.

Protecting your clients from scammers pretending to be you


This is the bit most businesses forget about. You’re worried about paying fake invoices, but what about fake invoices sent in your name?

If a criminal intercepts your invoice and swaps in their banking details, your client pays the wrong account, and you’re left chasing money that’s already gone. Even if it’s not technically your fault, it damages the relationship and you’re still out of pocket.

Here’s how to make it much harder for them.

Add a warning to your invoices

Put a clear notice on every invoice PDF and in your email signature. Something like:

Banking details notice: Our account details have not changed. Before loading a new beneficiary or processing a payment, please verify our banking details by phoning us on [your number] or checking [your website]/banking-details. We will never notify you of changed banking details by email alone.

Keep it short, keep it visible. And critically, tell people to check the URL carefully. Scammers register look-alike domains all the time. Your clients should know to look for exactly yourcompany.co.za, not yourcompany-accounts.co.za.
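Both checks above (the real address hidden behind a display name on a phone, and a look-alike domain that embeds your genuine name) can be automated on the receiving side, whether that is your own accounts inbox or a client’s. The following is an added example written for this guide, not code from the original article or from Kwik Support. The supplier list, the small public-suffix table and the two-edit threshold are assumptions you would replace with your own supplier master data.

```python
from email.utils import parseaddr

# Constructed allowlist: suppliers you actually pay, keyed by the domain on file
# for each one. In production this comes from supplier master data, not a literal.
TRUSTED_DOMAINS = {
    "smithtrading.co.za": "Smith Trading",
    "yourcompany.co.za": "Your Company",
}

# Minimal public-suffix table (assumption: extend it for the TLDs your suppliers use).
PUBLIC_SUFFIXES = ("co.za", "org.za", "net.za", "com", "net", "org")


def brand_label(domain: str) -> str:
    """Return the label that carries the brand:
    'mail.smithtrading-invoices.co.za' -> 'smithtrading-invoices'."""
    labels = domain.lower().split(".")
    for suffix in PUBLIC_SUFFIXES:
        parts = suffix.split(".")
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            return labels[-len(parts) - 1]
    return ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple:
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown', with a reason.

    Only the domain of the actual address can make a sender 'trusted'. The display
    name is never enough, because that is exactly the part a phone app shows you.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown", "no parseable email address in header"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"address domain {domain} is on file"

    # Hyphens are stripped so 'smithtrading-invoices' still contains 'smithtrading'.
    label = brand_label(domain).replace("-", "")
    for trusted_domain, name in TRUSTED_DOMAINS.items():
        trusted_label = brand_label(trusted_domain)
        if trusted_label and trusted_label in label:
            return "lookalike", f"{domain} embeds the name of {trusted_domain}"
        if trusted_label and edit_distance(label, trusted_label) <= 2:
            return "lookalike", f"{domain} is within two edits of {trusted_domain}"
        if name.lower() in display.lower():
            return "lookalike", f"display name claims '{name}' but the address is @{domain}"
    return "unknown", f"{domain} is not a known supplier"


if __name__ == "__main__":
    # Constructed headers covering the cases discussed above.
    for header in (
        "Smith Trading <accounts@smithtrading.co.za>",
        "Smith Trading <accounts@smithtrading-invoices.co.za>",
        "Accounts <billing@sm1thtrading.co.za>",
        "Smith Trading <noreply@gmail.com>",
        "Jane <jane@unrelated.co.za>",
    ):
        print(f"{header:55} -> {classify_sender(header)}")
```

Anything that comes back as "lookalike" or "unknown" with a banking change attached is exactly the case for the phone call to a number from your own records.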

Create a banking details page on your website

Give your clients somewhere trustworthy to verify your details outside of email. A simple page at yourcompany.co.za/banking-details with your correct account information.

Reference it on every invoice. If a client ever gets a suspicious email, they know exactly where to check.

Stop criminals sending email as your domain

Here’s where it gets slightly more technical, but stay with me; this is important.

There’s a standard called DMARC that tells email servers what to do when someone tries to send an email pretending to be from your domain. Without it, anyone can send emails that appear to come from you@yourcompany.co.za, and most email systems will just deliver them.

With DMARC properly configured, those fake emails get blocked before they ever reach your clients’ inboxes.

The catch: setting it up wrong can accidentally block your own legitimate emails, things sent from your invoicing software, your CRM, your mailing list. It needs to be done carefully, with proper monitoring.

That’s why we built BEACON. It’s our fully managed DMARC service: we handle the setup, monitor the reports, and make sure nothing breaks. You get protection without having to become an email authentication expert.

If you’re not sure whether your domain has DMARC, or what it’s set to, we can check in about two minutes. Just ask. Or use our free DMARC checker: https://beacon.kwik.support/dmarc-checker
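If you would rather see for yourself what your domain is set to, the policy lives in a DNS TXT record at _dmarc.yourcompany.co.za, and the tags in it tell you both how much protection you have and whether it is safe to tighten it. The checker below is an added example written for this guide, not code from the original article, from BEACON or from Kwik Support; it parses and grades a record you have already fetched (for instance with `dig TXT _dmarc.yourcompany.co.za +short`) and works offline on constructed records.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=mailto:...') into a tag dict.

    Quotes as printed by dig are stripped first so the raw output can be pasted in.
    """
    record = record.replace('" "', "").strip().strip('"')
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (level, findings) for the TXT record found at _dmarc.<domain>.

    level is one of 'missing', 'invalid', 'monitor', 'partial' or 'enforced';
    findings are the things to fix before (or after) moving to p=reject.
    """
    if record is None:
        return "missing", ["no _dmarc record: receivers have no policy to apply to mail forged in your name"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "invalid", ["record does not start with v=DMARC1 (check it is not the SPF record)"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"p={policy!r} is not a valid policy (none, quarantine or reject)"]

    findings = []
    try:
        pct = int(tags.get("pct", "100"))
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        pct = 0
        findings.append(f"pct={tags.get('pct')!r} is not a number between 0 and 100")

    if policy == "none":
        findings.append("p=none is monitoring only: forged mail is still delivered to your clients")
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: without aggregate reports you cannot see which of your own "
                        "senders (invoicing software, CRM, mailing list) would be blocked, so do not "
                        "tighten the policy yet")
    if policy != "none" and tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains (e.g. accounts.yourcompany.co.za) unprotected")

    if policy == "reject" and pct == 100:
        level = "enforced"
    elif policy == "none":
        level = "monitor"
    else:
        level = "partial"
    return level, findings


if __name__ == "__main__":
    # Constructed records showing the usual rollout: nothing, monitor, partial, enforced.
    for rec in (
        None,
        '"v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.co.za"',
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourcompany.co.za",
        "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.co.za",
    ):
        print(rec, "->", assess_dmarc(rec))
```

The order of the findings mirrors the caveat above: a record with no rua= address is the one you should not push to p=reject, because you have no way of seeing which legitimate senders it would silence.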

Hardening your email setup


These are things your IT person (or provider) should be checking.

Secure email connections

Everyone accessing email should be using encrypted connections: port 993 for IMAP over SSL/TLS. If anyone’s still on port 143 or has encryption disabled, their login credentials could be intercepted. This is basic hygiene but often overlooked, especially on mobile devices and older computers.

External email warnings

Most email systems can automatically tag emails from outside your organisation with something like [EXTERNAL] in the subject line. It’s a small thing, but it makes staff pause before trusting an email that looks internal but isn’t.

Check for suspicious mailbox rules

When criminals compromise an email account, they often set up hidden rules, forwarding copies of all incoming mail to themselves, or automatically moving certain messages to deleted items so the real user never sees them.

If you’ve had any account compromises (or even just suspicious activity), audit the mailbox rules. This is a common persistence mechanism that gets missed.
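The rules described above share a few tell-tale traits: they forward or redirect outside the organisation, they trigger on payment-related subjects, they delete or bury what they match, and they are often named so as not to stand out. The audit function below is an added example written for this guide, not code from the original article or from Kwik Support. The rule dictionaries are a constructed, hypothetical shape loosely modelled on an inbox-rule export; map the fields from your own mail platform’s export onto it.

```python
ORG_DOMAIN = "yourcompany.co.za"  # assumption: your own email domain

# Subject words an invoice fraudster wants to intercept or hide.
SENSITIVE_WORDS = ("invoice", "payment", "bank", "remittance", "statement",
                   "proof of payment", "eft")

# Folders where a rule can park mail so the real user never sees it.
HIDING_FOLDERS = ("deleted items", "junk email", "rss feeds", "rss subscriptions",
                  "archive", "conversation history")


def audit_rules(rules, org_domain=ORG_DOMAIN):
    """Return findings for inbox rules that look like compromise persistence.

    Each rule is a dict with the hypothetical keys name, enabled, forward_to,
    redirect_to, delete_message, move_to_folder and subject_contains.
    """
    findings = []
    for rule in rules:
        reasons = []

        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        external = [t for t in targets if not t.lower().endswith("@" + org_domain)]
        if external:
            reasons.append("forwards or redirects mail outside the organisation: "
                           + ", ".join(external))

        subjects = [s.lower() for s in rule.get("subject_contains", [])]
        payment_related = [s for s in subjects if any(w in s for w in SENSITIVE_WORDS)]
        if payment_related:
            reasons.append("triggers on payment-related subjects: " + ", ".join(payment_related))

        hides = False
        if rule.get("delete_message"):
            reasons.append("deletes matching messages")
            hides = True
        folder = (rule.get("move_to_folder") or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves matching messages to '{rule['move_to_folder']}'")
            hides = True

        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character, easy to overlook in the rules list")

        if not reasons:
            continue
        # Exfiltration, or hiding payment mail, is the pattern that matters most.
        if external or (hides and payment_related):
            severity = "high"
        elif payment_related or hides:
            severity = "medium"
        else:
            severity = "low"
        if not rule.get("enabled", True):
            severity = "low"
            reasons.append("rule is currently disabled but could be re-enabled")
        findings.append({"rule": rule.get("name", ""), "severity": severity, "reasons": reasons})
    return findings


# Constructed sample export: two hostile rules, two benign ones, one stale one.
SAMPLE_RULES = [
    {"name": ".", "enabled": True, "forward_to": ["collect.invoices@example.net"],
     "subject_contains": ["invoice", "payment"]},
    {"name": "Hide bank mail", "enabled": True, "delete_message": True,
     "subject_contains": ["banking details", "remittance"]},
    {"name": "Newsletters", "enabled": True, "move_to_folder": "Newsletters",
     "subject_contains": ["newsletter"]},
    {"name": "Cover for Jane", "enabled": True, "forward_to": ["jane@yourcompany.co.za"]},
    {"name": "Old test", "enabled": False, "redirect_to": ["me@example.org"]},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding['severity']}] {finding['rule']!r}: " + "; ".join(finding["reasons"]))
```

Run it over every mailbox, not just the one that raised the alarm: a criminal who has one set of credentials usually tries them against the rest of the organisation.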

Consider advanced email filtering

Standard spam filters are good at catching viruses and obvious phishing, but invoice scams rarely contain anything technically malicious. They’re just normal-looking emails asking for money.

Advanced email security gateways use pattern recognition to spot impersonation attempts, unusual requests, and social engineering: the kind of thing a human might notice but a basic filter won’t. Whether it’s worth the investment depends on your risk and volume, but it’s worth knowing the option exists.

Where to start


If you’re feeling overwhelmed, here’s the priority order:

  1. Write down your phone verification policy: free, immediate impact
  2. Add a warning to your invoices: free, protects your clients
  3. Create a banking details page on your website: cheap and quick
  4. Get DMARC sorted: prevents domain spoofing, the biggest technical win
  5. Audit email settings: secure ports, mailbox rules, external tagging

You don’t have to do everything at once. But do something this week.

Need a hand?


This is what we do. Kwik Support helps South African businesses lock down their email and stay ahead of scams like this, from quick wins like secure port checks to full DMARC implementation with BEACON.

If you want us to take a look at your setup, give us a shout. No obligation, no jargon, just practical advice.

Have questions or want help protecting your business? Get in touch.