Skip to content
Threat IntelligenceJuly 2026 · 6 min read

Inside a $40,000 Invoice Fraud Attempt (And How It Was Stopped)

A compromised supplier mailbox, a spoofed invoice, and a same-day payment deadline. Here is how a business-email-compromise attempt against an Australian finance team nearly worked — and the four controls that stopped it.

$40Kthe transfer stopped before it left the account

Business email compromise does not look like the ransomware note or the flashing alert most people picture when they hear “cyberattack.” It looks like an email. A completely ordinary, well-timed, slightly-too-convenient email. This is what one attempt against an Australian finance team looked like from the inside, and the four controls that stopped a $40,000 transfer before it left the account.

01The setup: a compromised supplier, not the target

The attacker did not breach the finance team's own systems at all. They compromised the mailbox of one of the firm's suppliers — most likely through a phishing email sent weeks earlier — and then simply watched. Real invoice threads, real payment cycles, real amounts. No noise, no smash-and-grab. Patience is the entire strategy.

02The move: a near-perfect forgery, perfectly timed

When a genuine invoice cycle came up, the attacker sent a follow-up from the compromised supplier mailbox, referencing the real invoice thread, with one change: updated bank details for a $40,000 payment, framed as a routine account switch. It arrived close to the existing payment deadline, from an address the finance team had corresponded with for months. On a quick read, it looked exactly like every other invoice in the thread.

03The gaps that let it get this far

  • No dedicated email security layer — default mailbox filtering does not flag a message from a legitimate, previously-trusted sender.
  • No out-of-band verification process for bank-detail changes — the request was never checked against anything outside the email thread itself.
  • No log visibility into the mail rule the attacker's access had planted, which was quietly forwarding a copy of relevant threads.

04What stopped it

A dedicated email security layer flagged an anomaly in the sending pattern before the payment was actioned. That gave the finance team the pause needed to apply a verification step that should have existed already: a phone call to a known, independently-sourced number for the supplier — not a number in the email — to confirm the bank-detail change. The supplier had no idea their mailbox had been compromised. The transfer was held. Zero dollars moved.

“We were a $40,000 invoice away from a payment-redirection fraud. It was caught before the funds moved.”

05The four controls, in order of cost

  • A mandatory callback-verification policy for any bank-detail change — the cheapest control on this list, and the one that actually stopped the transfer.
  • Dedicated email security with anomaly detection layered over default mailbox filtering.
  • Log monitoring (SIEM) with visibility into mailbox rules and forwarding behaviour, not just inbound spam.
  • Staff training on business-email-compromise red flags, refreshed on a schedule rather than run once at onboarding.

This is the pattern behind most successful invoice fraud: it rarely starts with your own systems being breached at all. It starts with trust in a relationship you cannot fully control, and it is stopped by a verification step that costs nothing but a phone call. Read the full, anonymised case file for how the recovery and the standing policy were put in place.

Where this leaves you

Knowing the risk is not the same as knowing your own exposure.

The Cyber Readiness Assessment gives you a written, prioritised answer in ten business days — credited toward your first year if you go further with us.