Strong red flags in invoice scams
These signals do not prove fraud by themselves, but combinations should stop payment until independent verification is complete.
- Bank account, routing, ACH, or wire instructions changed by email.
- Reply-to domain does not match sender domain.
- Free-mail address used for corporate finance instructions.
- Same-day urgency, threats of service interruption, or secrecy.
- First-time vendor, missing PO match, or unusual amount.
- Payment rail is wire, crypto, instant transfer, or gift card.
Safer signals that still need documentation
The checker reduces risk score for verified controls, but it never marks a payment as guaranteed safe.
- Vendor is known and invoice matches an approved PO.
- Payment instructions were verified by a known phone number from vendor master records.
- Dual approval is complete for any payment-instruction change.
- Payment rail matches established history.
Privacy stance
The structured MVP intentionally avoids file upload and account storage.
- No PDF upload in v1.
- The rules check runs client-side in the browser.
- Remove account numbers, tax IDs, and confidential customer data before pasting optional text.
- Use the output as an AP control aid, not forensic proof.
Best next action after the result
The result panel gives AP a checklist and copyable note. The post-result CTA points teams to the AP Fraud SOP Kit so the same controls can become a repeatable approval process.
- High risk: hold payment, call the vendor, document the verification source, and escalate internally.
- Review: pause until AP completes callback and dual approval if payment details changed.
- Low: still document normal AP controls before releasing funds.
Invoice Scam Check FAQ
Does this prove an invoice is fraudulent?
No. It provides risk indicators and workflow prompts. It does not verify the vendor, bank account, invoice PDF, or legal authenticity.
Why no file upload?
Privacy and speed. The first MVP avoids storing invoices or attachments. AP teams can paste limited text after removing confidential account data.
What is the most important step before paying?
Call the vendor on a phone number from your existing records, never a number supplied in the suspicious email or PDF.
Can a legitimate vendor email still be compromised?
Yes. A real mailbox can be hijacked, so bank-detail changes and unusual urgency still require callback and dual approval.
What should I copy into the payment approval trail?
Use the generated internal approval note, then add the verified phone source, caller name, date/time, decision, and second approver.
Can we turn this into an AP policy?
Yes. Use the AP Fraud SOP Kit for a vendor bank-change policy, callback script, hold triggers, and incident checklist.