What is invoice fraud and how can I recognize it?
Invoice fraud is a type of fraud in which attackers manipulate invoices—usually the bank details—and send them to companies, which then unwittingly transfer the payment to an account belonging to fraudsters.
The following warning signs often appear in connection with invoice fraud:
What helps recipients combat invoice fraud?
The most effective measures are organizational in nature. The dual control principle for payments above a defined amount is a fundamental standard, especially for new or changed bank details. A changed IBAN should always be confirmed by telephone via a known number. In addition, regular training and clear internal processes help to give employees confidence in their actions: no technical system can replace an attentive person who picks up the phone when they see an unfamiliar IBAN.
Your domain, your reputation
When attackers send fake invoices in the name of a company and using the corresponding domain, it’s not just the company’s reputation that’s at stake: damaged business relationships, loss of trust among customers and partners, and possible legal consequences are also a threat. And what’s particularly insidious is that in many cases, the affected company doesn’t even notice anything at first.
There are three typical scenarios for invoice fraud:
In domain spoofing, the attacker imitates the company’s own domain without actually having access to the infrastructure – they simply send emails with a fake sender address.
In account compromise, a real email account has been taken over through phishing or a data leak and is now being actively used for fraud.
The third scenario occurs when the domain is not protected by DMARC, or only insufficiently so: attackers can then send emails on behalf of the domain.
Protection against invoice fraud with SPF, DKIM, and DMARC
Three protocols together form the technical foundation for protecting your domain from misuse. They build on each other and only provide full protection when used in combination.
A DMARC record contains a policy with three levels:
p=none: Emails are delivered, but reports on authentication results are sent to a defined address. Recommended for the introductory phase, while the reports are being analyzed.
p=quarantine: Unauthenticated emails end up in the spam folder.
p=reject: Unauthenticated emails are rejected completely. This is the only level that offers real protection against domain spoofing.
DMARC provides regular aggregate reports in XML format. They show which servers sent emails on behalf of your domain, how often the SPF and DKIM checks succeeded, and in which cases authentication or alignment problems occurred.
Why many stick with p=none – and how 25Reports helps
Many companies have set a DMARC record – but remain permanently at p=none. This sounds like a cautious step, but in fact it offers no protection: without enforcement, attackers can continue to abuse the domain for spoofing unhindered. The sender’s reputation suffers in the long term, and trust among recipients declines.
Why are so many companies not moving forward? There are two closely related problems.
Problem 1: Lack of transparency about your own email infrastructure
When companies set up DMARC for the first time, it often turns out that far more systems send emails on behalf of their domain than they are aware of: old CRM systems, ERP software, external service providers, monitoring tools, newsletter platforms. Before these sources are fully authorized, p=reject would reject legitimate emails—without sending an error message to the sender. It is precisely this failure mode that is feared because it can go undetected for days in business-critical processes.
Problem 2: The aggregate reports are practically impossible to evaluate
DMARC sends reports as XML files, which provide an overview of the senders who send on behalf of your domain. Without specialized tools, these files are simply unmanageable for IT teams in their day-to-day work. Those who do not use a suitable solution have formally activated reporting, but in fact have no overview. And if you don’t systematically evaluate the reports, you won’t know which senders are not yet authorized – and therefore can’t safely switch to p=reject.
The result is a structural obstacle: powerful monitoring is a prerequisite for p=reject. p=reject is a prerequisite for real protection. If you skip the monitoring step, you’ll never reach your goal.
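The evaluation step described above, as an added example that is not 25Reports code or code from the original article: a short Python script that parses a constructed aggregate report in the RFC 7489 XML layout, sums messages per source IP, and lists which sources would be refused once the policy moves to p=reject. The domain example.com and the documentation IP addresses are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report in the RFC 7489 layout for the hypothetical
# domain example.com; the IPs are documentation addresses, not real senders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarize(xml_text):
    """Return (published policy, per-source-IP totals).

    A row passes DMARC when the receiver reports an aligned pass for DKIM or SPF
    in policy_evaluated; one aligned identifier is enough (RFC 7489)."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    per_ip = defaultdict(lambda: {"total": 0, "dmarc_pass": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        per_ip[ip]["total"] += count
        if aligned:
            per_ip[ip]["dmarc_pass"] += count
    return policy, dict(per_ip)


def would_be_rejected(summary):
    """Sources with unauthenticated mail: the share that p=reject would refuse.
    Every IP listed here is either an attacker or a legitimate system still
    missing SPF/DKIM, and must be identified before tightening the policy."""
    return {ip: v["total"] - v["dmarc_pass"] for ip, v in summary.items()
            if v["total"] > v["dmarc_pass"]}


if __name__ == "__main__":
    policy, summary = summarize(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, v in summary.items():
        print(f"{ip:>15}  total={v['total']:4}  dmarc_pass={v['dmarc_pass']:4}")
    print("would be refused under p=reject:", would_be_rejected(summary))
```

In the sample, 198.51.100.7 fails DKIM but still passes DMARC through aligned SPF, while 203.0.113.5 fails both and is the source to investigate before switching to p=reject.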
25Reports: DMARC monitoring without specialized knowledge
This is exactly where 25Reports comes in. Instead of raw XML data, 25Reports offers a central dashboard that visualizes senders, volumes, and authentication results for all monitored domains in real time. Millions of data records are condensed into clear key figures and trend charts. Each domain receives a live rating from A to F with specific suggestions for improvement.
An important detail: In day-to-day operations, the relevant question is not every single IP address, but which systems or services actually send emails for a domain. 25Reports therefore automatically groups sender IP addresses and displays them as a single sender. This reduces noise and brings out the questions that actually matter: Which systems are sending? Are they all authorized? Where is action needed?
Focus instead of information overload
DMARC reports often contain senders that are not DMARC-compliant but do not require any action. 25Reports allows you to specifically mark such senders and exclude them from tables and alerts. This allows administrators to focus their attention on where action is actually needed.
Instead of manually checking the dashboard every day, users automatically receive a notification when relevant events occur: unknown senders appear, authentications fail, the number of unauthenticated emails increases noticeably, or the DMARC rating of a domain changes. Changes to SPF or DMARC entries in the DNS are also monitored and reported, including a comparison of the old and new entries. This is particularly relevant when external service providers manage DNS entries.
Protection against invoice fraud – without downtime risk
With a complete view of all senders and clear recommendations for action, companies can systematically improve their DMARC rating and gradually tighten their policy – from p=none to p=quarantine to p=reject – without running the risk of blocking legitimate emails because a legitimate sender was overlooked.
Invoice fraud is not an abstract security problem – it is an everyday threat with concrete consequences for companies on both sides of the attack.
On the recipient side, clear processes, the dual control principle, and telephone verification of changed bank details are the most effective measures. On the sender side, SPF, DKIM, and DMARC form the technical foundation—but only if DMARC is actually configured to p=reject.
25Reports offers intelligent DMARC monitoring and alerting
The path to achieving this necessarily involves effective monitoring. Tools such as 25Reports make this step feasible: they create the transparency needed to fully understand your own email infrastructure, giving companies the basis they need to securely and controllably implement the only effective protection against domain spoofing.
With 25Reports, DMARC finally becomes easy. The solution takes care of all DMARC monitoring for you—automated, graphically presented, and, of course, GDPR-compliant. Try 25Reports now for 30 days free of charge!