
Business Email Compromise: How Fake Invoice and Payment Change Scams Target Small Businesses

  • Writer: CYBERRISKED®
  • Apr 17

Most small businesses don’t lose money to some dramatic movie-style cyberattack. A lot of the time, it starts with an email that looks routine. That could be an invoice, a payment request, a message from a vendor, or a note saying bank details have changed. This type of fraud is commonly called business email compromise, or BEC. The FBI says criminals target businesses by compromising legitimate email accounts through social engineering or computer intrusion. In 2025, the FBI’s Internet Crime Complaint Center received 24,768 BEC complaints, with reported losses of about $3 billion.


Part of what makes this scam work so well is that it often looks real. Sometimes the criminal gets into a real business email account and watches conversations before stepping in. Other times, they use a lookalike domain, a spoofed reply address, or a message that appears to come from someone your staff already knows. FBI guidance notes that criminals may study compromised inboxes, create forwarding or deletion rules, and then impersonate the business, the vendor, or both in order to redirect payments.


What this scam looks like


One common version starts with a message that says a vendor has new banking instructions and wants the next payment sent to a different account. Another version uses a fake invoice that looks real enough that a busy employee may not stop to question it. The FTC warns that scammers often create phony invoices that make it look like the business ordered something and hope the person paying the bills assumes the invoice is real. It also warns that scammers often pretend to be someone you trust and create urgency so you act before checking.


Sometimes the message appears to come from the owner, a senior employee, or a known supplier. It may ask for a wire transfer, a rush payment, or a quiet change to payment instructions. That’s part of what makes this scam so effective: it blends into normal business activity and doesn’t always look suspicious at first glance. This kind of scam can work especially well in smaller organizations, where one person may wear multiple hats and move quickly just to keep things running. The FBI has said small and medium-size organizations, and those with limited IT resources, are especially vulnerable to BEC scams.


What small businesses should do before money goes out


Before sending money, slow the process down and build in a few simple checks:


  • Don’t trust payment changes just because they came through email. If a vendor says banking details changed, verify it using a phone number or contact method you already know is real. Don’t reply to the email or use the contact information in the message.

  • Require a second review for higher-risk payments. That can include changed payment instructions, wire transfers, or first-time invoices. A short pause for a second check is much better than sending money to a criminal account.

  • Make sure your approval process is clear. The person paying the bills should know what needs extra review and what should never be approved based on email alone.

  • Protect business email accounts. Turn on multi-factor authentication and talk with whoever manages your Microsoft 365 or Google Workspace environment about steps like limiting automatic forwarding, watching for spoofing, and helping staff spot suspicious email addresses.

  • Train the people who handle money and vendor communication. Anyone dealing with invoices, payroll, vendor emails, or payment approvals should know that urgency, secrecy, and last-minute payment changes are warning signs.

  • Give employees permission to pause and verify. Staff should never feel pressured to rush a payment or act on a request that feels off. A quick phone call can prevent a very expensive mistake.


What to do if the money already went out


If you think your business already sent money because of one of these scams, act fast. Contact your financial institution as soon as you realize what happened and ask whether the transfer can be recalled or reversed. The FBI also says to file a detailed complaint with its Internet Crime Complaint Center (IC3).


You should also preserve the evidence. Keep the emails, invoices, wire details, headers, screenshots, account numbers, and any phone numbers used in the scam. Then secure the affected email account or accounts by changing passwords and reviewing mailbox rules, especially if someone’s inbox may have been compromised. The documentation you gather is important both for recovery and for understanding whether the scam came from outside spoofing or from a real account takeover.
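As an added illustration of two of the indicators this article describes (a reply address on a lookalike domain, and mailbox rules that forward or delete mail), here is a small Python check run over constructed sample data; it is not from the article or from any mail vendor's product, and the vendor list, organization domain, sample headers and rule records are assumptions a business would replace with its own.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers for the "new banking details" lure; not a real message.
SAMPLE_EMAIL = """\
From: Accounts Payable <billing@acme-supplies.com>
Reply-To: Accounts Payable <billing@acme-suppiles.com>
Subject: Updated banking details for invoice 4471
"""
# Constructed allow-list: the domains of vendors the business actually pays.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com"}
SAMPLE_RULES = [  # constructed records, shaped like a mailbox-rule export an admin would review
    {"name": "File newsletters", "forward_to": [], "delete": False},
    {"name": ".", "forward_to": ["ap.backup@mail.example.net"], "delete": True},
]

def edit_distance(a, b):
    """Levenshtein distance; one or two edits between domains is the lookalike pattern."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def header_findings(raw_message):
    """Flag a Reply-To domain that diverges from From, and domains within two edits of a vendor."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    for dom in {from_dom, reply_dom} - KNOWN_VENDOR_DOMAINS - {""}:
        findings += [f"{dom} is a lookalike of vendor domain {k}"
                     for k in KNOWN_VENDOR_DOMAINS if edit_distance(dom, k) <= 2]
    return findings

def rule_findings(rules, org_domain):
    """Flag inbox rules that forward outside the organization or delete messages."""
    flagged = []
    for rule in rules:
        reasons = [f"forwards to external address {addr}" for addr in rule["forward_to"]
                   if addr.rpartition("@")[2].lower() != org_domain]
        if rule["delete"]:
            reasons.append("deletes matching messages")
        if reasons:
            flagged.append((rule["name"], reasons))
    return flagged
```

A Reply-To that differs from From is also common in legitimate ticketing systems, so treat a finding as a prompt to verify through a known phone number rather than as proof of fraud.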


Final takeaway


Business email compromise sounds technical, but the scam itself is often simple. Someone pretends to be a trusted person or company and tries to get your business to send money where it shouldn’t go. The best defense is to verify payment changes through a known contact method, slow down urgent requests, protect email accounts with multi-factor authentication, and make sure the people handling money know what to watch for. If a small business is going to lose money to fraud, this is one of the most believable ways it happens. That’s exactly why it deserves attention.
