Invoice scam emails: how to spot them and what to do

February 8, 2026

Your accounts team receives an email from a regular supplier. The invoice looks normal – right company name, right email address, right kind of work. The only thing that has changed is the banking details. A small note at the bottom says they have switched banks.

So your team pays it. And the money goes to a criminal.

This is happening to businesses across South Africa every week. It is not a sophisticated hack. It is not a security breach. It is someone sending a convincing email from what looks like a trusted address. And it works because most people do not know what to look for.

How invoice scam emails actually work

The mechanics are simpler than most people expect.

A scammer sends an email that appears to come from a real business – a supplier, a contractor, a service provider your company regularly pays. The email contains an invoice with banking details that have been changed. Everything else looks legitimate.

There are two common versions:

The intercepted invoice: The scammer has somehow seen a real invoice (through a compromised email account, a forwarded chain, or even a previous data breach). They copy the format exactly and resend it with different banking details. Sometimes they time it to arrive just before or just after the real invoice.

The spoofed sender: The scammer sends the email from an address that looks like the real supplier. They either register a domain that is almost identical (kw1k.support instead of kwik.support) or they spoof the email address entirely, making it appear to come from the genuine domain without ever accessing that domain’s email system.

The second version is what makes this particularly dangerous. When someone can send an email that genuinely appears to come from accounts@yoursupplier.co.za, most people will not question it.

How to spot a fake invoice email

No single check catches every fake. But these seven together will catch most of them.

1. Banking details have changed. This is the biggest red flag. If a supplier you have been paying for months or years suddenly has new banking details, verify by phone before paying. Call the number you already have on file – not the number in the email.

2. The email address is slightly different. Look carefully at the sender’s address. Scammers register domains that look almost identical: replacing an “l” with a “1”, adding a hyphen, swapping two letters. At a glance, “accounts@kwlk.support” looks like “accounts@kwik.support”. Check character by character.

3. The tone or formatting is off. If your supplier usually sends plain-text emails and this one has a fancy template (or the other way around), pay attention. If the greeting is generic (“Dear Sir/Madam”) when they normally use your first name, that is a signal.

4. It arrived at an unusual time. Scammers often send emails outside normal business hours, hoping they will be processed quickly the next morning without much scrutiny.

5. There is unexpected urgency. “Please process this payment urgently” or “This invoice is overdue and must be settled immediately.” Real suppliers send reminders. They do not create panic.

6. The attachment type is unusual. Your supplier normally sends PDFs but this invoice is a Word document, a zip file, or a link to download from a cloud service. That is worth questioning.

7. Something just feels wrong. Trust your instinct. If an email makes you pause, even if you cannot pinpoint why, verify it before acting on it. A two-minute phone call costs nothing. A paid fake invoice costs everything.
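The character-by-character comparison in check 2 can be automated for incoming invoices. The following is an added example, not code from this article's author: it compares a sender's domain against a constructed list of supplier domains and flags near-matches produced by the tricks listed above (swapped lookalike characters, an added hyphen, two letters transposed). The supplier list and function names are assumptions.

```python
from email.utils import parseaddr

# Constructed list of domains you already pay (assumption; use your supplier records).
KNOWN_SUPPLIER_DOMAINS = {"kwik.support", "yoursupplier.co.za"}

# Fold characters that are commonly substituted for each other; drop hyphens.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "-": None})


def skeleton(domain: str) -> str:
    return domain.translate(CONFUSABLES)


def osa_distance(a: str, b: str) -> int:
    """Edits needed to turn a into b: insert, delete, substitute, adjacent swap."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str, known=KNOWN_SUPPLIER_DOMAINS):
    """Return ("known" | "lookalike" | "unknown", matched supplier domain or None)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if domain in known:
        return ("known", domain)
    for good in sorted(known):
        # Distance 0 after folding = pure character swap; 1 = one extra edit.
        if osa_distance(skeleton(domain), skeleton(good)) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ("accounts@kwik.support", "Kwik <accounts@kw1k.support>",
                   "accounts@kiwk.support", "billing@example.org"):
        print(sender, "->", classify_sender(sender))
```

A "known" result only means the domain text matches your records. It says nothing about the spoofed-sender case, where the genuine domain appears in the From line.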

What to do if you receive a suspicious invoice

Do not reply to the email. If the sender’s address has been spoofed or compromised, your reply goes straight to the scammer. They will confirm the “new banking details” and you will believe it is genuine.

Instead:

  1. Call the supplier on a known number. Use the phone number from your records, their website, or a previous verified communication. Not the number in the suspicious email.
  2. Ask them to confirm the banking details. Specifically ask if they have recently changed banks. If they have not, you have caught a scam attempt.
  3. Forward the email to your IT support. The email headers contain information about where the message actually came from. Your IT team can determine if the sender was spoofed or if someone’s email account has been compromised.
  4. Warn your colleagues. If one person in your office received a fake invoice, others may have too. A quick heads-up can prevent someone else from falling for it.
  5. Report it. In South Africa, report internet fraud to SAPS and to your bank’s fraud department. If the email impersonated a real supplier, let that supplier know too – their other clients may be getting the same email.
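What IT support looks for in the headers (step 3), shown as an added example that is not part of the original article: it reads the Authentication-Results header stamped by the receiving mail server and compares the From, Reply-To and Return-Path domains. The sample message is constructed, and mx.example.net stands in for the name of your own receiving server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message, not taken from a real incident.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=yoursupplier.co.za
From: Accounts <accounts@yoursupplier.co.za>
Reply-To: accounts@payments.example.org
Subject: Invoice 1042 - updated banking details

Please note our new banking details on the attached invoice.
"""


def domain_of(value) -> str:
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def triage(raw: str, trusted_authserv: str = "mx.example.net") -> dict:
    """Summarise the sender-authentication evidence in one message's headers."""
    msg = message_from_string(raw)
    report = {"from": domain_of(msg["From"]), "spf": "missing",
              "dkim": "missing", "dmarc": "missing"}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        # Only trust results stamped by your own receiving server; a sender
        # can put any Authentication-Results text in the message they submit.
        if authserv.strip().lower() == trusted_authserv:
            report.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
    reply_to = domain_of(msg["Reply-To"])
    # Replies going to a different domain than the visible sender is a red flag.
    report["reply_to_mismatch"] = bool(reply_to) and reply_to != report["from"]
    # Informational only: legitimate bulk senders often differ here too.
    report["return_path_mismatch"] = domain_of(msg["Return-Path"]) != report["from"]
    report["suspicious"] = report["dmarc"] != "pass" or report["reply_to_mismatch"]
    return report


if __name__ == "__main__":
    print(triage(RAW))
```

Run it on the original message saved as an .eml file or forwarded as an attachment; an inline forward creates a new message and discards the original headers.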

What to do if you have already paid a fake invoice

Act fast. The sooner you move, the better the chance of recovering the money.

  1. Contact your bank immediately. Ask them to attempt a reversal or to flag the recipient account. Some banks can freeze funds if they act quickly enough.
  2. Report the fraud to SAPS. File a case. You will need the case number for your bank and potentially for insurance.
  3. Notify the real supplier. They need to know their identity is being used to defraud their clients. They may also need to check if their email has been compromised.
  4. Check your own email accounts. If the scammer had access to a real email thread, someone’s account may be compromised. Change passwords and enable multi-factor authentication on all email accounts.
  5. Document everything. Save the email, the invoice, the payment confirmation, and any correspondence. You will need these for the police report, your bank, and your insurer.

Under POPIA, if client personal information was exposed as part of the incident (for example, if the scammer accessed email threads containing client data), you may have a legal obligation to notify the Information Regulator and affected parties. Talk to your IT support about what data may have been exposed.

How to stop scammers sending email as your business

You cannot stop someone from trying to scam your suppliers or clients with fake invoices. But you can stop them from using your actual email domain to do it.

Three DNS records – SPF, DKIM, and DMARC – tell the rest of the world’s email servers which emails from your domain are real and which are fake. When properly configured, emails that fail authentication get rejected before they reach anyone’s inbox.

The critical record is DMARC. With a DMARC policy set to “reject”, any email that cannot prove it came from your authorised mail servers gets blocked. Your clients and suppliers never see it.

The problem is that setting these records up is only half the job. They need ongoing monitoring. Records break when you change email providers, add a new marketing tool, or update your infrastructure. Without monitoring, you will not know something is wrong until your legitimate emails start bouncing, or until a spoofed email slips through.
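To make the difference between a published DMARC record and an enforcing one concrete, here is an added example (not the article's or the BEACON platform's code) that parses a DMARC TXT record and lists what keeps it from blocking spoofed mail or from being monitored. The record values and the example.co.za reporting address are constructed.

```python
# Constructed TXT values as they would appear at _dmarc.<your domain>.
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.co.za",
    "partial": "v=DMARC1; p=reject; pct=25",
    "enforcing": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.co.za",
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> list:
    """Return a list of problems; an empty list means reject is fully enforced."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        problems.append(f"p={policy or 'missing'}: failing mail is not rejected")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        problems.append(f"pct={pct}: policy applies to only part of failing mail")
    if "sp" in tags and tags["sp"].lower() != "reject":
        problems.append(f"sp={tags['sp']}: subdomains have a weaker policy")
    if "rua" not in tags:
        problems.append("no rua= address: no aggregate reports to monitor")
    return problems


if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, "->", assess_dmarc(record) or "OK")
```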

This is exactly what our BEACON platform does. It monitors your email authentication continuously, shows you who is sending email as your domain (both legitimate and fraudulent), and alerts you when something needs attention. From R150 per month.

If you want to understand how SPF, DKIM, and DMARC work in more detail, our article DMARC explained: why someone is sending emails as your business walks through each layer step by step.

Check your email authentication for free

Not sure whether your domain is protected? We will check your current SPF, DKIM, and DMARC configuration and tell you exactly where you stand. No cost, no obligation.

Or talk to us directly:

Call: 087 820 5005 WhatsApp: 081 526 1626

If your business handles invoices by email (and most do), it is worth knowing whether your domain is protected. A five-minute check now could save a much more expensive conversation later.
