Red flags in payment requests and invoices
Fake executive email scams cost individuals and organizations $2.9 billion last year. The attacks are surgical, patient, and nearly impossible to detect without knowing what to look for.
This is not about being gullible
The CFO of a mid-sized company wires $1.2 million to a fraudulent account. A 68-year-old retiree transfers her life savings to someone she believes is her financial advisor. A freelancer pays a fake invoice and loses a month's income. These are not rare edge cases — they are happening thousands of times a day, to intelligent, careful people.
Fake executive email scams and payment fraud are the most financially damaging cybercrime categories by a wide margin. They succeed not through technical exploitation, but through trust. Attackers spend weeks or months monitoring email conversations before striking — often sending their fraudulent payment instruction at exactly the right moment, in a thread that looks completely genuine.
The anatomy of a payment fraud attack
Here is how a typical business email compromise (BEC) attack unfolds:
- Reconnaissance — the attacker identifies you, your employer, or a vendor you work with. They study your email patterns, invoicing habits, and relationships — often from publicly available information or a prior data breach.
- Account access or spoofing — either your email account or your vendor's is compromised, or the attacker registers a domain that looks nearly identical (yourvendor.com vs your-vendor.com).
- The switch — at a natural payment moment, you receive an email from what appears to be your contact, asking you to update their bank details or pay a new invoice to a new account.
- The window closes — once the wire transfer is executed, recovery is extremely difficult. Banks freeze suspect accounts within hours. The money is usually gone within 24 hours.
Red flags in invoices and payment requests
- Unexpected invoice for a service you don't recognize — often accompanied by a threatening call-or-refund message. The goal is to make you contact them, not to actually collect.
- Changed payment details from a known supplier — this is the most common BEC trigger. Always verify account changes by calling the supplier on a number you independently find — not the number in the email.
- Pressure to pay immediately — "must be paid today," "penalties after 48 hours," "final notice." Urgency is manufactured to prevent verification.
- Payment method that benefits the attacker — wire transfers to new accounts, gift cards, cryptocurrency, money transfer services. Legitimate businesses almost never suddenly require these.
- The reply-to address is different from the from address — this is a critical indicator often missed. Your reply may go to an attacker-controlled inbox even if the from address looks correct.
- Slightly wrong branding or contact details — mismatched logos, wrong addresses, phone numbers that don't match the company's official website.
- The email thread looks real but the instruction doesn't fit — attackers who have compromised an account can insert themselves into legitimate email threads. The context looks genuine; only the final payment instruction is fraudulent.
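The reply-to mismatch, lookalike-domain and urgency flags described above can be checked mechanically on a raw message. The following Python is an added example, not MountainShield code; the known-domain list, the 0.85 similarity threshold, the function names and the sample message are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: supplier domains you already hold on file from earlier dealings.
KNOWN_DOMAINS = {"yourvendor.com"}
# Pressure phrases quoted in the list above.
URGENCY = ("must be paid today", "penalties after 48 hours", "final notice")

# Constructed sample message (not a real email).
SAMPLE = """\
From: Accounts <billing@yourvendor.com>
Reply-To: billing@your-vendor.com
Subject: Updated bank details - final notice

Please use the new account for this invoice. It must be paid today.
"""

def address(header_value):
    """Lower-cased bare address from a From/Reply-To header ('' if missing)."""
    return parseaddr(header_value or "")[1].lower()

def lookalike_of(domain):
    """Return the known domain this one closely resembles, or None."""
    if not domain or domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return known
    return None

def red_flags(raw_message):
    """Return red-flag labels found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender, reply_to = address(msg["From"]), address(msg["Reply-To"])
    flags = []
    if reply_to and reply_to != sender:
        flags.append("reply-to differs from from: " + reply_to)
    for addr in dict.fromkeys([sender, reply_to]):  # de-duplicated, ordered
        imitated = lookalike_of(addr.rpartition("@")[2])
        if imitated:
            flags.append("lookalike of " + imitated + ": " + addr)
    body = msg.get_payload()
    text = (msg["Subject"] or "") + " " + (body if isinstance(body, str) else "")
    flags += ["urgency: " + p for p in URGENCY if p in text.lower()]
    return flags

if __name__ == "__main__":
    print("\n".join(red_flags(SAMPLE)))
```

A hit is a reason to verify by phone on an independently sourced number, not proof of fraud. A message sent from a genuinely compromised supplier account can pass all three checks, which is why the payment instruction itself still needs verifying.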
The overpayment trap
You receive a payment that "accidentally" exceeds the agreed amount. The sender asks you to refund the difference via a different method — bank transfer, gift card, crypto. The original payment later bounces or is reversed. The money you "refunded" is gone. This pattern is used in freelancer fraud, marketplace scams, and fake rental deposits.
Never refund the difference until the original payment fully clears — which can take up to 10 business days for checks and international transfers. When in doubt, ask your bank to verify that the funds are genuinely clear before releasing anything.
Checklist before paying any invoice
- Did I expect this invoice from this sender?
- Does the payment destination match what I have on file from a previous interaction?
- Can I verify this request by calling the sender on an independently sourced number?
- Is the payment method unusual for this relationship?
- Is there pressure to pay quickly?
- Have I double-checked the reply-to address?
If any answer points to a red flag or is "not sure" — stop. Verify before paying. If you have already paid and suspect fraud, contact your bank's fraud line immediately and submit the communication to MountainShield for an advisory assessment and next-step guidance.