Why Invoice Fraud Succeeds — and How to Stop It at Your Company
Why This Topic Matters
In the first nine months of 2025, Estonian businesses lost over 2.3 million euros to Business Email Compromise (BEC) scams — more than in all of 2023 combined. The number of phishing and fraud sites doubled in 2024 compared to the previous year. And in 2026, the trend has not reversed — if anything, it is accelerating.
At the same time, these attacks are becoming harder to spot. AI-generated fraud emails are grammatically flawless, personalized, and timed to land at exactly the right moment.
Most BEC scams do not succeed because the attackers are exceptionally clever. They succeed because the targeted company lacks simple agreements about who confirms large payments and how. Technology plays an important role, but without clear processes, even good security tools cannot always help.
This article covers three layers that together form effective protection: agreements and processes, technical measures, and security awareness.
1. Agreements and Processes
Every New Bank Account Number Needs a Phone Call
A typical scenario: the company’s accountant receives an email from a supplier announcing a new bank account number. The email is convincing — the right sender name, familiar tone, a reference to a specific invoice and prior correspondence. The accountant updates the details and transfers the next payment to the new account. Weeks later, it turns out the supplier’s email had been compromised and the money went to the attackers.
These incidents cost tens or hundreds of thousands of euros at a time. The fault does not lie with the accountant — it lies with a process that allows it to happen.
Establish a simple rule: every time a supplier announces a new bank account number, call the supplier on a known phone number (not the one in the email) and confirm the change. It takes two minutes and eliminates the single biggest risk.
CEO Fraud — Speed Is the Attacker’s Best Weapon
The second common scenario is executive impersonation, often called CEO fraud. An employee receives an email in which a senior leader urgently asks them to transfer money to a specific account — sometimes adding that the transaction is confidential and should not be discussed with anyone.
The email may appear to come from exactly the right address. Attackers often replicate the executive’s writing style, signature, and even excerpts from earlier conversations. The only distinguishing feature is the sense of urgency and the request to skip verification.
Have a clear conversation with your team: no member of management will ever request a payment by email that bypasses the normal approval process — regardless of how urgent it may seem. If such an email arrives, the correct response is to call the executive directly and confirm.
This rule is worth emphasizing to employees: questioning is not insubordination. Questioning is exactly what is expected. In a healthy company, “let me verify” is always the right call.
2. Technical Measures
The first section covered agreements — those stop a fraud attempt when the attacker is already “inside.” Technical controls help stop the attacker before that point and detect their activity afterward. The more we can hand off to technology, the easier life becomes for end users.
2.1 Identity Protection — Keep the Attacker Out of the Account
Most BEC scams begin with the attacker gaining access to someone’s email account. The most common method in 2025–2026 is the AiTM attack (Adversary-in-the-Middle): the attacker creates a fake login page that relays both the password and the MFA confirmation to the real service in real time. The result — the attacker obtains a valid session even though the victim entered the correct password and approved MFA.
What to do:
- Enable MFA for all users. Standard MFA (authenticator app, SMS) blocks over 99% of automated attacks. This is a baseline requirement and should be applied beyond email alone.
- Disable legacy protocols. IMAP, POP3, and SMTP AUTH do not support MFA — they are an open door for attackers. Both Microsoft 365 and Google Workspace allow you to disable them from the admin console.
- Use Conditional Access policies. For example: allow sign-ins only from your country and from managed devices. If someone tries to log in from an unfamiliar country, block it automatically.
Once the basics are in place, consider the next level:
- For high-risk accounts, consider FIDO2 keys. A hardware security key (e.g. YubiKey) is the only MFA method that is immune to AiTM attacks — the authentication is cryptographically bound to the correct URL and will not work on a fake page.
- Give each user only the permissions they need. This is the principle of least privilege — if the accountant does not need admin rights, they should not have them. The fewer permissions a compromised account holds, the less damage the attacker can do. The same applies to applications and service accounts: review who has admin access and remove it from anyone who does not use it daily.
2.2 Email Domain Protection — Stop Attackers from Impersonating You
If your company’s domain lacks proper authentication, an attacker can send emails pretending to be you. Protection consists of three components that work together:
- SPF (Sender Policy Framework) — specifies which servers are authorized to send email from your domain.
- DKIM (DomainKeys Identified Mail) — cryptographically signs every outgoing message so the recipient can verify it is genuine.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) — combines SPF and DKIM and tells the recipient what to do when a message fails authentication. The goal is to reach a reject policy, where forged messages are blocked entirely.
Check your domain’s status: go to mxtoolbox.com/dmarc and enter your domain. If the result says “No DMARC record found,” your domain is unprotected.
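To see what a DMARC checker is actually looking at, here is an added example (not from the article or from any tool it mentions) that parses SPF and DMARC TXT records and grades how far a domain is from the reject policy described above. The domains and records are constructed samples; for a real domain, the strings come from the TXT record of the domain itself (SPF) and of _dmarc.<domain> (DMARC), fetched with any DNS resolver. It also goes one step beyond the text by reporting the weakening tags a reject-only check would miss (pct, sp, a missing rua address, and an SPF record ending in +all).

```python
"""Offline SPF and DMARC record checks.

Added example, not part of the original article. The records below are
constructed samples; for a real domain the strings come from the TXT record
of <domain> (SPF) and of _dmarc.<domain> (DMARC), fetched with any resolver.
"""
import re

# Constructed sample records for made-up domains
SAMPLE_RECORDS = {
    "no-dmarc.example": {"spf": "v=spf1 include:_spf.example.net ~all", "dmarc": None},
    "monitor.example":  {"spf": "v=spf1 ip4:192.0.2.0/24 -all",
                         "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"},
    "partial.example":  {"spf": "v=spf1 include:_spf.example.net -all",
                         "dmarc": "v=DMARC1; p=quarantine; pct=25; sp=none"},
    "hardened.example": {"spf": "v=spf1 include:_spf.example.net -all",
                         "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s"},
    "open-spf.example": {"spf": "v=spf1 +all", "dmarc": "v=DMARC1; p=reject"},
}

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lowercase tags.
    Returns None when the record is absent or is not a v=DMARC1 record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (level, findings); level is 'missing', 'invalid', 'none',
    'quarantine' or 'reject'. Findings explain what still weakens the policy."""
    if not record:
        return "missing", ["no DMARC record: receivers apply no policy to forged mail"]
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid", ["record does not start with v=DMARC1 and is ignored by receivers"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_STRENGTH:
        return "invalid", ["missing or unknown p= tag"]
    findings = []
    if policy == "none":
        findings.append("p=none only reports; forged messages are still delivered")
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing messages")
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_STRENGTH.get(sub_policy, 0) < POLICY_STRENGTH[policy]:
        findings.append(f"sp={sub_policy}: subdomains get a weaker policy than the main domain")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports showing who spoofs the domain")
    return policy, findings


def assess_spf(record):
    """Classify the SPF 'all' qualifier: 'missing', 'hardfail' (-all),
    'softfail' (~all), 'neutral' (?all or no all mechanism) or 'pass' (+all)."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing"
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record.lower())
    if not match:
        return "neutral"
    return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}[match.group(1) or "+"]


def check_domain(spf_record, dmarc_record):
    """Combine both checks into one verdict for a domain."""
    level, findings = assess_dmarc(dmarc_record)
    spf = assess_spf(spf_record)
    if spf == "missing":
        findings.append("no SPF record")
    elif spf == "pass":
        findings.append("SPF ends with +all: every server passes SPF, so DMARC cannot block forgery")
    # Forged mail is only blocked with p=reject and an SPF record that does not pass everyone
    blocks_forgery = level == "reject" and spf != "pass"
    return {"dmarc": level, "spf": spf, "blocks_forgery": blocks_forgery, "findings": findings}


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        result = check_domain(recs["spf"], recs["dmarc"])
        print(f"{domain:20} DMARC={result['dmarc']:10} SPF={result['spf']:8} "
              f"blocks forgery: {result['blocks_forgery']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Only hardened.example passes cleanly; partial.example shows why "we have DMARC" is not the same as "forged mail is blocked": pct=25 leaves three quarters of failing messages untouched, and sp=none leaves every subdomain open.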
2.3 Email Security Solutions — More Than a Spam Filter
A default email filter catches most spam, but not targeted BEC attacks. These emails often contain no malicious link or attachment — just convincing text. That is why you need more:
- Impersonation protection — detects emails that mimic the names and addresses of your company’s leaders or partners.
- External email tagging — every email from outside the organization gets a visible label. If “the CEO” writes, but the email is tagged as external, that is immediately suspicious.
- Machine-learning phishing detection — automatically identifies login pages that look like Microsoft, Google, or other well-known services but have the wrong address.
- Reply-to mismatch warnings — if the sender address and the reply-to address do not match, the user is warned before sending a response.
The specific names and implementation of these features differ depending on your email platform, but enabling them is straightforward. Check the current state with your IT specialist or managed service provider.
2.4 Detecting a Compromised Account
This is the most underestimated part of technical defense. Once an attacker gains access to an account, they do not start sending fraudulent emails immediately. First, they study the mailbox — looking for invoices, payment details, and contacts. Then they set up a forwarding rule so that all incoming mail quietly reaches them as well. Often they also create hiding rules that delete security alerts or conceal replies. Only then — sometimes weeks or months later — do they send a fake invoice to your partner.
Catching these preparations gives you the chance to stop the fraud before any damage occurs. The most important thing is to monitor changes to mailbox rules and forwarding settings — these are the first signs that someone unauthorized is in the account. Both Microsoft 365 and Google Workspace offer built-in alerts that notify the administrator automatically. They just need to be configured.
Ask your IT partner: is monitoring of forwarding rules and mailbox permission changes turned on? Are alerts reaching the right person? These two questions are a good place to start.
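The built-in alerts mentioned above are configured in the admin console, but it helps to see what the detection logic behind them looks like. The following added example (not from the article, Microsoft, or Google) runs a simple triage over mailbox audit events and flags exactly the preparation steps described above: external forwarding, rules that delete or hide mail, rules that target invoice and security-alert subjects, and new mailbox permissions. The event shape (Operation, UserId, ObjectId, Parameters as Name/Value pairs) is modelled loosely on Exchange Online mailbox audit records, so field names in a real export may differ; the list of internal domains is an assumption, and every event is constructed for the example.

```python
"""Flag mailbox-rule, forwarding and permission changes in mailbox audit events.

Added example, not part of the original article. The event shape is modelled
loosely on Exchange Online mailbox audit records; field names in a real export
may differ. Every event below is constructed for the example.
"""
import re
from collections import Counter

INTERNAL_DOMAINS = {"example.com"}  # assumed: the tenant's own domains
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                  "junk email", "conversation history"}
SENSITIVE_WORDS = ("invoice", "payment", "bank", "iban", "security", "alert",
                   "password", "suspicious")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule"}

# Constructed sample events: one harmless rule, then the typical BEC preparation steps
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ObjectId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ObjectId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;IBAN"},
                    {"Name": "ForwardTo", "Value": "finance-archive@mail-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "bob@example.com", "ObjectId": "bob@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.backup@mail-example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com", "ObjectId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "Clean-up"},
                    {"Name": "SubjectContainsWords", "Value": "security alert;password"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Add-MailboxPermission", "UserId": "admin@example.com", "ObjectId": "finance@example.com",
     "Parameters": [{"Name": "User", "Value": "dave@example.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com", "ObjectId": "alice@example.com",
     "Parameters": []},
]


def params(event):
    """Turn the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def is_external(value):
    """True if any e-mail address in the value lies outside the tenant's own domains."""
    domains = re.findall(r"[\w.+-]+@([\w.-]+)", value.lower())
    return any(d not in INTERNAL_DOMAINS for d in domains)


def analyze_event(event):
    """Return (severity, description) for a mailbox configuration change, else None."""
    op = event.get("Operation", "")
    user = event.get("UserId", "?")
    p = params(event)
    if op in RULE_OPERATIONS:
        reasons = []
        for name in FORWARDING_PARAMS:
            if name in p and is_external(p[name]):
                reasons.append(f"{name} to external address {p[name]}")
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("rule deletes matching messages")
        if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            reasons.append(f"rule hides mail in '{p['MoveToFolder']}'")
        words = p.get("SubjectContainsWords", "").lower()
        hits = [w for w in SENSITIVE_WORDS if w in words]
        if reasons and hits:
            reasons.append("matches sensitive subjects: " + ", ".join(hits))
        label = f"{user}: {op} '{p.get('Name', '?')}'"
        if reasons:
            return "high", label + " - " + "; ".join(reasons)
        return "info", label + " (new or changed rule, review)"
    if op == "Set-Mailbox":
        for name in ("ForwardingSmtpAddress", "ForwardingAddress"):
            if p.get(name) and is_external(p[name]):
                return "high", f"{user}: external forwarding on {event.get('ObjectId')} to {p[name]}"
        return "info", f"{user}: Set-Mailbox on {event.get('ObjectId')} (review)"
    if op == "Add-MailboxPermission":
        return "medium", (f"{user}: granted {p.get('AccessRights')} on "
                          f"{event.get('ObjectId')} to {p.get('User')}")
    return None


def triage(events):
    """All findings, highest severity first (every rule change is at least 'info')."""
    order = {"high": 0, "medium": 1, "info": 2}
    findings = [f for f in map(analyze_event, events) if f]
    return sorted(findings, key=lambda f: order[f[0]])


def severity_counts(events):
    return dict(Counter(sev for sev, _ in triage(events)))


if __name__ == "__main__":
    for severity, description in triage(SAMPLE_EVENTS):
        print(f"[{severity:6}] {description}")
```

Note that even the harmless newsletter rule is reported at "info" level: the point of the monitoring is that any new or changed rule gets a human look, while external forwarding, deletion, and hiding folders are what escalate to an alert that must reach someone immediately.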
3. Security Awareness — the Culture Layer
In the first chapter, we built agreements. In the second, we put technology to work. The third layer is the hardest but also the most impactful — people’s awareness and the company’s security culture. Technology stops a lot, but in every organization, it is people who decide whether to click, call, or ask.
3.1 What Every Employee Should Know
Employees do not need to become cybersecurity experts. It is enough if they recognize the main warning signs and know what to do when they spot one.
The most important skill is noticing urgency. Almost every fraud email — whether a fake invoice, a request from “the boss,” or an account closure warning — uses pressure: “act now,” “do not tell anyone,” “deadline is today.” The attacker knows that a person acting out of panic does not think deeply. If an email creates a feeling that you must respond immediately and without consulting anyone — that in itself is a red flag.
The second important thing to understand is that a fraud email may not contain bad grammar or a suspicious link. Modern BEC emails are often grammatically correct, personalized, and appear to come from a familiar address. Employees need to know that a convincing email does not mean a safe email.
And third: employees need a clear action plan. Not “be careful,” but a specific step — “if in doubt, call the sender” or “forward suspicious emails to IT.” Vague guidance does not work because people tend to assume everything is fine and move on.
3.2 Simulated Phishing Tests — Do They Work?
Simulated phishing tests mean the company sends its employees controlled test emails that mimic typical scams. The goal is to measure how many people click and give them immediate feedback.
Why does this matter? Because knowledge alone does not change behavior. Someone may hear in a training session that phishing emails are dangerous, but in a real situation — in the middle of a busy workday, a familiar name in the sender field — they still react automatically. A simulation provides that experience in a safe environment: the experience sticks better than a training slide.
But there is one critical condition: the test must be a learning tool, not a punishment. If an employee feels they “got caught” and will be penalized, next time they will not report a suspicious email — they will stay quiet. The result is the opposite of what you want. The right approach is to give the employee who clicked a brief explanation — what they should have noticed, how to react next time — and move on. No shaming, no public call-outs.
Testing frequency depends on the company, but once per quarter is a good starting point. Too rarely — people forget. Too often — it becomes noise and employees stop paying attention.
3.3 Training: Long Lectures or Short Bites?
The traditional approach is a one-hour security training session once a year. It often checks the compliance box, but its impact on daily behavior is small. A week later, most of the content is forgotten.
The alternative is short training bites — 3-to-5-minute videos, quizzes, or examples delivered regularly, for instance once a month. They do not require separate scheduling and keep the topic consistently top of mind. A short bite can also be tied to a current topic — “this time, let’s look at how to recognize a QR code scam” — which makes the content more relevant and concrete.
The best results come from combining both: a more thorough overview once a year (new threat trends, a reminder of company rules, discussion) and regular short refreshers in between. The key is that training should not feel like a checkbox exercise, but something that connects to the employee’s daily work.
3.4 Building a Security Culture — an Environment Where People Dare to Ask
The most important question is not “do your employees know what phishing is?” — but “would your employee dare to say they clicked a suspicious link?”
In many organizations, incidents go unreported because employees fear the consequences. They hope nothing happened and stay silent. But an early report — even if the alarm turns out to be false — gives the IT team a chance to respond before damage occurs. Every hour counts.
The foundation of security culture is simple: asking and reporting is always the right choice, regardless of whether the threat turns out to be real. This needs to be said clearly and repeatedly — and it works best when leadership sets the example. If a manager shares with the team that they, too, received a suspicious email and verified it, that shifts the norm. Security is not something “IT handles” — it is a shared responsibility.
In practice, this means three things:
- Make reporting easy. One button in the email client, one address to forward to — the fewer steps, the more likely people will use it.
- Acknowledge the reporter. Even if the email turns out to be harmless — “thanks for checking” is the right response. Never “it was obviously safe.”
- Talk about incidents openly. When an incident happens in the company — whether a phishing test or a real attempt — share the lessons with the team. Not “someone made a mistake,” but “our experience, our lesson.”
Summary
No single measure protects a company from BEC fraud. Agreements without technology leave the door open for attackers. Technical controls without awareness fail when someone believes a convincing email. And awareness without processes means that even a cautious employee does not know what specifically to do.
The three layers together — agreements, technical measures, and security culture — create a defense that requires significantly more effort from attackers to break. And since attackers always look for the easiest path, they move on to the next target.
The good news is that getting started does not require a large budget or an IT team. A phone verification rule for bank account changes, enabling MFA, adding a DMARC record, and having an open conversation with your team — these four steps already reduce risk significantly.
If you want to assess your organization’s readiness or need help taking the first steps — get in touch. Let’s review where your company stands today — whether you are just starting out or already halfway there — and what the right next step would be.