ASAAnti-Scam Arsenal

Invoice fraud check

Verify an invoice before you pay. Upload a PDF/image for AI analysis, or enter the details to run IBAN checksum, VAT-format, and Business-Email-Compromise risk checks.

Drop invoice here, or browse

PDF, PNG, JPG, WEBP · max 10 MB

Before you pay

  • Call the vendor at a KNOWN phone number (one you already have on file — not one from the invoice or email) and verbally confirm the bank details.
  • Compare the bank details against previous invoices from this vendor. If they've changed, get written confirmation on company letterhead and voice-verify.
  • Verify the company registration number at the official registry: Companies House (UK) · opencorporates.com (global search) · EU Business Registers Interconnection.
  • Check the email sender address carefully — attackers use typosquats like acme-invoices.com instead of acme.com, and reply-to addresses that differ from the From address.
  • If bank details have changed AND the invoice arrived by email, treat it as a BEC attempt until proven otherwise. This combination is the single most common BEC pattern.

Common invoice-fraud patterns

Recognizing the template makes the attack lose its edge.

Bank-details swap (BEC)

Attacker compromises a vendor's email, intercepts a real invoice, swaps the bank details, and re-sends. The invoice is genuine — only the IBAN was tampered with. Voice verification on a known number is the primary defense.

Supplier impersonation

Look-alike domain (acme-billing.com vs acme.com) sends a plausible first invoice. Often paired with 'our system is being updated — please use these new details.'

CEO-authorized fake invoice

A 'CEO' email asks Finance to pay an urgent attached invoice outside normal workflow. Urgency + workflow bypass is the trigger.

Invoice for services not rendered

Small recurring amounts (£49, $99) that look like subscriptions. Auto-approved by Accounts Payable because nobody remembers ordering it.

Duplicate invoice

Same invoice re-submitted with slight number change hoping the first payment wasn't tracked. Dedupe by vendor + amount + invoice number.

Overpayment refund scam

'We overpaid your invoice — please refund the difference.' The original payment will later bounce. Never refund until the funds have fully cleared, not just shown as available.

Heuristic checks. Validating an IBAN's checksum doesn't confirm the account belongs to the vendor; a format-valid VAT number doesn't confirm it's registered. For any invoice over a meaningful amount, always voice-verify the bank details with the vendor on a number you already have.