Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas convinced two of the most sophisticated finance teams on the planet — Facebook and Google — to wire him more than $120 million by sending them invoices that looked exactly like the ones their real Taiwanese hardware supplier, Quanta Computer, had been sending for years. Same letterhead. Same banking format. Same kind of language buried in the line items. The accounts-payable teams paid them. The wires cleared.
That case was extreme in scale, not in mechanics. The mechanics — impersonate a real vendor, send an invoice that looks right, get paid before anyone notices — are now happening at every layer of the economy, every day. The FBI's Internet Crime Complaint Center has tracked Business Email Compromise (BEC) and invoice-fraud losses in the billions of dollars annually for several consecutive years, and that figure understates the true loss because most incidents are never reported.
For a CFO in 2026, the question is not whether your AP team is being targeted with fake invoices. It is whether your controls catch them before the wire goes out. This guide walks through what changed, the five red flags every AP team should be trained on, and the verifiable-invoice model that turns fake-invoice fraud from a detection problem into a non-event.
Why fake invoices got worse, fast
Invoice fraud is not new. What has changed in the last twenty-four months is the cost of producing convincing fakes.
Until recently, a credible fake invoice required either insider information (so the attacker knew the legitimate vendor's PO numbers, line-item phrasing, and remittance instructions) or genuine design skill. Both were rate-limiters. Most attempts were obvious enough to catch.
That rate-limiter is gone. A free-tier large language model can be asked to "write me an invoice from [vendor name] in their typical format for $48,300 in cloud services, dated last Friday, with a banking change request in the footer," and produce something that an experienced AP clerk has to look at twice. Add an LLM that can read three of the vendor's previous PDFs scraped from a procurement portal and the next invoice it produces is indistinguishable from the real ones.
The result is a sharp, measurable increase in three attack patterns:
Vendor impersonation — an attacker pretends to be a real existing supplier, often immediately after observing a legitimate invoice cycle.
Banking-change fraud — a real, current invoice is intercepted and reissued with the bank account changed to the attacker's.
Phantom vendor fraud — an entirely fabricated supplier is created in the system and invoiced against, often by an internal collaborator.
All three rely on the same root weakness: the receiving AP team has no way to confirm, in seconds, that the PDF in front of them is the document the vendor actually sent.
The five red flags AP teams should be trained on in 2026
Manual detection is not the long-term answer (we will get to why), but it is still the first line of defence. These are the patterns AP teams should be looking for on every invoice.
Red flag 1: Banking details that have changed
The single most reliable signal in invoice fraud, by a large margin. An attacker's entire economic motive is to redirect the payment, so they almost always change the bank account number, sort code, IBAN, or remittance instructions. Any invoice from an existing vendor whose banking details differ from the vendor master record should be treated as fraudulent until proven otherwise — and "proven" means a callback to a known-good phone number for that vendor (not a number on the invoice itself), not a reply to the email the invoice arrived in.
Red flag 2: Pressure to pay early or out of cycle
"Please process today, my CFO is asking." "Our bank is doing maintenance, can you wire by 5pm?" "We can offer a 3% discount if paid within 24 hours." Real vendors do this occasionally. Fraudsters do it almost every time, because their window before the legitimate vendor notices is short. Any invoice that arrives with urgency language attached, particularly when paired with red flag 1, is a near-certain fraud attempt.
Red flag 3: A subtly different sender domain
Look at the email address the invoice came from, not the display name. Common patterns include vendor.com vs vendor-co.com, vendor.com vs vendor.co, and vendor.com vs a visually identical "vendor.com" in which one Latin letter has been replaced by a Cyrillic lookalike. Modern email clients hide the underlying domain by default, which is a feature attackers depend on. A monthly review of your top 50 vendors' actual email domains, posted somewhere AP staff will see it, defeats most of this attack class.
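The domain check above can be automated at the mail gateway or in the AP inbox rather than left to eyesight. The following is an added example, not VerifyDoc's code or anything from the article: it extracts the real sending domain from a From: header, folds Cyrillic lookalikes to their Latin equivalents, decodes punycode (xn--) hosts, and compares the result against a constructed allow-list of known vendor domains. The allow-list, the confusables map and the edit-distance threshold are all assumptions for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-list standing in for the posted reference of real vendor
# e-mail domains (assumption: in practice this is maintained from the vendor
# master record, not hard-coded).
KNOWN_VENDOR_DOMAINS = {"vendor.com", "quanta-example.com"}

# Constructed map of the Cyrillic letters most often substituted for Latin ones.
# A production check would use the full Unicode confusables table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def decode_idna(domain: str) -> str:
    """Turn a punycode (xn--) domain back into Unicode so homoglyphs can be
    inspected; non-ASCII input is already Unicode and is returned unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(domain: str) -> str:
    """Fold a domain to an ASCII 'skeleton': NFKC-normalise, replace known
    confusables and strip accents, so a lookalike collides with the Latin
    domain it imitates."""
    out = []
    for ch in unicodedata.normalize("NFKC", domain):
        ch = CONFUSABLES.get(ch, ch)
        out.append(unicodedata.normalize("NFD", ch)[0])
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, known=KNOWN_VENDOR_DOMAINS) -> tuple:
    """Classify the sending domain of an invoice e-mail.

    Returns (verdict, matched_domain):
      known      exact match against the allow-list
      homoglyph  identical to a known domain once confusables are folded
      lookalike  within a small edit distance of a known domain (the threshold
                 of 3 is an assumption; tune it against your own vendor list)
      unknown    not close to any known vendor; route for manual review
    """
    domain = decode_idna(sender_domain(from_header))
    if domain in known:
        return ("known", domain)
    folded = skeleton(domain)
    for good in known:
        if folded == good:
            return ("homoglyph", good)
    for good in known:
        if levenshtein(folded, good) <= 3:
            return ("lookalike", good)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed From: headers, including one with a Cyrillic "е" (U+0435).
    for hdr in ["Quanta AP <ap@vendor.com>", "AP Team <ap@vendor.co>",
                "AP Team <ap@vendor-co.com>", "AP Team <ap@v\u0435ndor.com>"]:
        print(hdr, "->", classify_sender(hdr))
```

Anything other than "known" should route the invoice to a reviewer; "homoglyph" in particular is a near-certain spoof, because no legitimate vendor registers a domain that only differs from its own by script.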
Red flag 4: PO mismatches and "open" PO references
Legitimate invoices reference a specific purchase order, line items that match it, and totals that line up. Fake invoices often reference a PO number that does not exist in your system, or reference a PO that is closed, or omit a PO reference entirely with a vague "see attached." Strict three-way matching (PO, goods receipt, invoice) blocks most phantom-vendor fraud and a meaningful share of vendor-impersonation fraud.
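Three-way matching is a mechanical rule set, so it belongs in code rather than in a clerk's head. The block below is an added example written for this article, not the logic of any particular ERP or of VerifyDoc: it checks an inbound invoice against constructed purchase-order and goods-receipt data and returns a list of exceptions (missing or closed PO, vendor mismatch, quantity above what was received, unit price outside tolerance, total that does not foot). The data model, the 2% price tolerance and the exception names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class POLine:
    sku: str
    qty: int
    unit_price: float


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    status: str                 # "open" or "closed"
    lines: Dict[str, POLine]    # keyed by SKU


@dataclass(frozen=True)
class InvoiceLine:
    sku: str
    qty: int
    unit_price: float


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    po_number: str              # "" when the invoice only says "see attached"
    lines: List[InvoiceLine]
    total: float


PRICE_TOLERANCE = 0.02          # 2% of the PO unit price (assumption; set per AP policy)

# Constructed sample data standing in for the ERP's open orders and goods receipts.
ORDERS = {
    "PO-2026-0417": PurchaseOrder("PO-2026-0417", "V-1001", "open", {
        "SRV-RACK": POLine("SRV-RACK", 10, 4800.0),
        "CABLE-KIT": POLine("CABLE-KIT", 10, 30.0),
    }),
    "PO-2025-0099": PurchaseOrder("PO-2025-0099", "V-1001", "closed", {
        "SRV-RACK": POLine("SRV-RACK", 4, 4800.0),
    }),
}
# Quantities actually received per PO and SKU (goods-receipt notes).
RECEIVED = {"PO-2026-0417": {"SRV-RACK": 10, "CABLE-KIT": 8}}


def three_way_match(inv: Invoice, orders=ORDERS, received=RECEIVED) -> List[str]:
    """Return the list of exceptions; an empty list means PO, goods receipt and
    invoice agree and the invoice may proceed to payment release."""
    if not inv.po_number:
        return ["NO_PO_REFERENCE"]          # "see attached" is not a PO
    po = orders.get(inv.po_number)
    if po is None:
        return ["PO_NOT_FOUND"]             # classic phantom-vendor signature
    issues = []
    if po.vendor_id != inv.vendor_id:
        issues.append("PO_VENDOR_MISMATCH")
    if po.status != "open":
        issues.append("PO_CLOSED")
    got = received.get(inv.po_number, {})
    for line in inv.lines:
        po_line = po.lines.get(line.sku)
        if po_line is None:
            issues.append(f"SKU_NOT_ON_PO:{line.sku}")
            continue
        if line.qty > got.get(line.sku, 0):
            issues.append(f"QTY_EXCEEDS_RECEIPT:{line.sku}")
        if abs(line.unit_price - po_line.unit_price) > PRICE_TOLERANCE * po_line.unit_price:
            issues.append(f"PRICE_MISMATCH:{line.sku}")
    computed_total = sum(l.qty * l.unit_price for l in inv.lines)
    if abs(computed_total - inv.total) > 0.01:
        issues.append("TOTAL_DOES_NOT_FOOT")
    return issues


if __name__ == "__main__":
    good = Invoice("V-1001", "PO-2026-0417",
                   [InvoiceLine("SRV-RACK", 10, 4800.0), InvoiceLine("CABLE-KIT", 8, 30.0)], 48240.0)
    print("clean invoice:", three_way_match(good))
    print("phantom PO:", three_way_match(Invoice("V-1001", "PO-2026-9999", good.lines, 48240.0)))
```

An invoice that returns any exception should not reach payment release; in practice the list is attached to the AP work item so the reviewer sees exactly which control tripped.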
Red flag 5: A document that "looks too perfect" — or has tiny artefacts
This is the AI-era flag. Authentic invoices accumulate small inconsistencies over time: a logo that is slightly off-centre, a footer that has been updated six times, a font that mixes Helvetica and Arial because the template is old. AI-generated invoices tend to be either too clean (no artefacts at all, perfectly aligned, no historical drift) or have specific generative-model tells: rendering glitches in the logo, addresses that are real-looking but do not exist on Google Maps, registration numbers that are correctly formatted but not in the public registry. Train AP staff to spend ten extra seconds on documents that feel "newly minted."
Why detection alone will not hold
Each of those five red flags is real, and training AP teams to catch them does reduce losses. The problem is structural: detection is an asymmetric game. The attacker only has to win once. The AP team has to win every time, on every invoice, often under time pressure, often on the last day of the month when invoice volume spikes.
The mathematics are unforgiving. A team that catches 99% of fake invoices and processes 5,000 invoices a quarter will pay roughly fifty fraudulent ones a year. If the average fraudulent invoice is $30,000, that is $1.5 million in losses against a control that looks, on paper, like it is working.
The only durable answer is to move the verification question from "can we spot the fakes?" to "can the vendor prove this is real?" That is what verifiable invoicing does.
What a verifiable invoice actually is
A verifiable invoice is an invoice that carries a piece of evidence — typically a QR code printed on the document itself — that the receiver can scan to load a hosted proof page served by the issuing vendor (or its verification provider). The proof page shows:
The invoice as the vendor originally issued it (so the receiver can compare it to the one they received).
The vendor's verified identity, including company registration number and registered address.
The bank account the vendor's record-of-truth confirms — so any banking-change-fraud attempt is exposed instantly.
The issuance timestamp, and a change log if the invoice has been revised or revoked.
A direct contact for the vendor's accounts-receivable team for follow-up.
The verification check takes about two seconds. The receiver's phone camera reads the QR, opens the proof page in a browser, and the AP clerk compares what they see to what they have. A fraudulent invoice fails the check in one of three ways: there is no QR code at all; the QR resolves to a domain that is not the vendor's (or its verification provider's); or the proof page shows different banking details from the suspect invoice.
The entire class of attacks based on "send a PDF that looks right" stops working, because the verifier is no longer judging the PDF — they are judging the document against its own canonical record at the source.
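To make the decision logic concrete, here is an added example of the receiver-side check as a small state machine. It is not VerifyDoc's implementation and not code from the article: the proof-page fetch is simulated with an in-memory dictionary (assumption: in production this is an HTTPS request to the resolved URL), the vendor master record, invoice and proof record are constructed, and `verifydoc.ai` appears only because the article names it as a verification domain. The check applies the three failure modes described above in order, and adds the callback rule from the inbound controls section: a proof page that shows a bank account different from the vendor master record is still a banking change and needs the second, independent channel.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class VendorRecord:
    """Row from the vendor master: the receiver's own record of truth."""
    vendor_id: str
    iban: str                       # last-verified bank account
    verification_domains: tuple     # domains this vendor's proof pages live on


@dataclass(frozen=True)
class ReceivedInvoice:
    vendor_id: str
    invoice_no: str
    amount: float
    iban: str
    qr_url: Optional[str]           # URL decoded from the QR block, or None if absent


@dataclass(frozen=True)
class ProofRecord:
    """What the hosted proof page shows once loaded."""
    vendor_id: str
    invoice_no: str
    amount: float
    iban: str
    status: str                     # "issued" or "revoked"


# Assumption: a third-party verification provider's domain may also anchor trust.
TRUSTED_PROVIDER_DOMAINS = ("verifydoc.ai",)

# Constructed stand-in for the proof pages the vendor actually published.
PROOF_STORE = {
    "https://verify.vendor.com/p/INV-1001": ProofRecord("V-1001", "INV-1001", 48300.0, "GB11 0001", "issued"),
    "https://verify.vendor.com/p/INV-1002": ProofRecord("V-1001", "INV-1002", 12000.0, "GB99 NEW", "issued"),
}
VENDOR = VendorRecord("V-1001", "GB11 0001", ("vendor.com",))


def fetch_proof_from_store(url: str) -> Optional[ProofRecord]:
    """Simulated fetch of the proof page; a real check loads the URL over HTTPS."""
    return PROOF_STORE.get(url)


def host_is_trusted(host: str, vendor: VendorRecord) -> bool:
    anchors = tuple(vendor.verification_domains) + TRUSTED_PROVIDER_DOMAINS
    return any(host == d or host.endswith("." + d) for d in anchors)


def verify_invoice(inv: ReceivedInvoice, vendor: VendorRecord, fetch_proof=fetch_proof_from_store) -> str:
    """Run the QR check and return a single verdict; only VERIFIED releases payment."""
    if inv.qr_url is None:
        return "NO_QR"
    parts = urlparse(inv.qr_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host_is_trusted(host, vendor):
        return "UNTRUSTED_DOMAIN"          # lookalike host: do not even load the page
    proof = fetch_proof(inv.qr_url)
    if proof is None:
        return "PROOF_NOT_FOUND"
    if proof.status != "issued":
        return "REVOKED"
    if proof.vendor_id != inv.vendor_id or proof.invoice_no != inv.invoice_no:
        return "DOCUMENT_MISMATCH"
    if abs(proof.amount - inv.amount) > 0.005:
        return "AMOUNT_MISMATCH"
    if proof.iban != inv.iban:
        return "BANK_MISMATCH"             # the PDF was reissued with another account
    if proof.iban != vendor.iban:
        # The vendor really did change banks: still a banking change, so the
        # callback to the known-good number on the master record is required.
        return "BANKING_CHANGE_REQUIRES_CALLBACK"
    return "VERIFIED"


if __name__ == "__main__":
    suspect = ReceivedInvoice("V-1001", "INV-1001", 48300.0, "GB77 ATTACKER",
                              "https://verify.vendor.com/p/INV-1001")
    print(verify_invoice(suspect, VENDOR))   # the proof page exposes the swapped account
```

Note the ordering: the domain test runs before anything is fetched, so a QR pointing at a lookalike host never gets to present a convincing page, which is the trust-anchor argument the FAQ below makes.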
This is not a theoretical model. It is the same architecture banks use for verified mobile-app account statements, that universities use for QR-verified degree certificates, and that government agencies are beginning to use for permits and licences. Invoices are the next obvious application.
How to roll out verifiable invoices
The CFO's path to verifiable invoicing has two sides: getting your own outbound invoices verified (so your customers can trust them) and pushing your inbound vendors to do the same.
On the outbound side
Pick the highest-impact invoice flow first. For most companies that is enterprise customer billing, where a single fake-invoice incident at the customer can cost an executive sponsor relationship. Add QR verification to the invoice template in your billing system or document tool — VerifyDoc's Word and Google Docs integrations cover the most common cases out of the box, and the API covers ERP-issued invoices.
Update the email cover. When you send an invoice with a QR, say so in the email body: "This invoice carries a verifiable QR code. Scan it to confirm the document is authentic and the bank details are correct." That single sentence retrains your customers to expect the check, which makes their AP teams safer and yours more trusted.
Treat verification as a sales asset. "All our invoices are verifiable" is a meaningful trust signal in regulated industries — financial services, healthcare, government contracting — and worth surfacing in procurement conversations.
On the inbound side
Add a verification step to your AP control matrix. Any invoice over a defined threshold (say, $10,000) from a vendor that supports verification must be checked via the QR before payment. The check is fast enough that this does not slow the cycle.
Push verification into vendor onboarding. New vendors should be asked, as part of setup, whether their invoices carry verification. This is gentle market pressure — and the vendors most resistant to the question are often the ones the security team wants a closer look at anyway.
Treat banking changes as a hard control. Even with verification in place, any change to a vendor's bank account should require both a verified invoice and a callback to a known-good phone number on the vendor master record. Two independent channels, no exceptions.
A 12-point readiness checklist
If you want to share a single artefact with your AP team this week, this is it. Each item is either in place or it is not.
Vendor master record contains, for every active vendor: legal name, registered address, registration number, AP contact email, AP contact phone, current bank account, last-verified date.
AP staff have a posted reference of the actual email domains for the top 50 vendors by spend.
Three-way matching (PO + goods receipt + invoice) is enforced on all invoices over a defined threshold.
Banking-change requests trigger a mandatory callback to a known-good vendor number — never to a number on the invoice.
Urgency-language invoices (rush, today, expedite) are routed to a senior reviewer, regardless of value.
AP staff have received specific training on AI-generated invoice tells in the last twelve months.
Outbound invoices over a defined threshold carry a QR verification block.
The cover email for outbound invoices explicitly invites the recipient to verify via QR.
Inbound invoices from verification-enabled vendors are checked via QR before payment release.
New vendor onboarding asks whether invoices are verifiable.
There is a documented incident-response procedure for a confirmed fraudulent invoice — including who notifies the bank, who notifies the real vendor, and who notifies the board.
Invoice-fraud loss data is tracked and reported to the audit committee at least annually.
A printable version of this checklist is available as a one-page PDF — download the Verifiable Invoice Readiness Checklist.
Frequently asked questions
How big is the actual loss exposure for a typical mid-market company?
For companies in the $50M–$500M revenue range, industry surveys consistently put confirmed invoice-fraud losses at roughly 0.05–0.15% of accounts payable spend per year, with another estimated 2–5x that figure in unconfirmed or unreported losses. That makes a $200M-revenue company's true exposure something on the order of $200K–$1M annually. Most of that is preventable.
Won't fraudsters just generate fake QR codes too?
They can generate a QR, but it has to resolve somewhere. If the QR opens at the legitimate vendor's verification domain (or at a verified third-party domain like verifydoc.ai), the proof page comes from the real source. If the QR opens at a lookalike domain, the AP team sees the wrong URL in the browser and treats the invoice as fraudulent. The trust anchor moves from the document to the resolved domain — which is much harder to spoof.
Does this work for paper invoices?
Yes. A QR code printed on a paper invoice scans the same as one on a PDF. This matters more than it sounds, because a meaningful share of invoice fraud still arrives by post, particularly in regulated industries.
What does this cost?
For the issuing side (your outbound invoices), a per-document or per-seat verification subscription, typically a few cents to a few dollars per invoice depending on volume and provider. For the receiving side (your inbound invoices), zero — there is no per-check fee. The economics are dramatically more favourable than the per-query model used by some clearinghouses.
Is verifiable invoicing legally required anywhere?
Not yet, but the direction of travel is clear. Several jurisdictions are tightening rules around e-invoicing authentication (Italy, Mexico, Brazil, parts of the EU under e-invoicing reform proposals) and CFO surveys consistently rank invoice authentication as a rising compliance topic. Adopting verifiable invoicing now is significantly cheaper than retrofitting it under regulatory pressure later.
Where do we start if we have an existing ERP and don't want to change billing systems?
You don't need to. Verifiable-invoicing providers either integrate with the document layer (Word, Google Docs) for templated invoices, or sit between the ERP and the email/print step for system-generated invoices. The ERP itself does not change.
The bottom line for the CFO
Detection-based controls have an upper bound. They are necessary, but they cannot scale faster than the attacker's tools, and the attacker's tools just got an order-of-magnitude better. The strategic move is to change the question from "did our AP team spot the fake?" to "can the vendor prove the invoice is real?" — and to make that proof a two-second check that any clerk can do, on any device, before the wire goes out.
That shift is what verifiable invoicing delivers, and it is the rare control change that makes the AP team's life easier rather than harder. For the cost of adding a QR block to outbound invoices and one new step to the inbound matrix, fake-invoice fraud stops being a quarterly write-off and becomes a problem that other companies have.
If your finance team is ready to move from detection to verification, start a verifiable-invoice trial with VerifyDoc, or read how QR document verification works for the technical detail.