Before You Pay That Invoice: A Small Business Checklist for Avoiding Costly Email Scams

Published: May 5, 2026
Category: Business Technology / Cybersecurity

The scam does not always look like a scam anymore.

A fake invoice used to be easier to spot. Bad grammar. Strange email address. Weird formatting. Something just felt off.

That is not always the case now.

Today, a fraudulent payment request may look like it came from a real vendor, a known client, a manager, a title company, a payroll contact, or a service provider your business already works with. Sometimes the message is not even asking for anything unusual. It may simply say:

“Please note our updated payment information for future invoices.”

That one sentence can be enough to create a serious problem.

Business email compromise, often called BEC, is one of the most financially damaging online crimes because it takes advantage of how much businesses rely on email for everyday work. The FBI warns that these scams often appear to come from a known source making a legitimate request.

For small businesses, the danger is not just “hackers.” The real danger is an office process that depends too much on trust, speed, and habit.

Why small offices are especially vulnerable

Small offices usually run lean.

The same person may answer phones, pay invoices, respond to customer emails, handle scheduling, and manage vendor relationships. In accounting offices, insurance agencies, property management companies, staffing firms, and professional service businesses, the pace can get hectic fast.

That creates the perfect environment for invoice and payment scams.

The scammer does not need to break into your entire business. They only need one employee to believe one message at the wrong time.

The Federal Trade Commission warns that scammers target small businesses with fake invoices, impersonation scams, tech-related scams, phishing messages, and urgent payment requests. The FTC specifically advises businesses to train employees, verify invoices and payments, and avoid being rushed into sending money or sensitive information.

This is why the solution cannot simply be “tell employees to be careful.”

Careful is not a process.

The real problem: no payment verification routine

Most invoice scams work because the business does not have a strict rule for payment changes.

A vendor emails a new bank account.

A manager asks for a quick payment.

A client sends updated billing instructions.

A software company says the account is overdue.

Someone in the office is busy, trusts the message, and acts.

That is the failure point.

Your business needs a simple rule:

No payment change should be trusted through email alone.

That includes:

  • New bank account information

  • Changed mailing addresses

  • New wire instructions

  • New ACH details

  • Urgent payment requests

  • Gift card requests

  • Payroll direct deposit changes

  • Vendor contact changes

  • Unusual refund requests

Even if the email looks normal, the request needs to be verified through a second method.

The “Before You Pay” checklist

Before your business pays an invoice or accepts changed payment instructions, use this checklist.

1. Check the sender carefully

Do not just look at the display name.

A message may say it came from “John at ABC Supply,” but the actual email address may be slightly different.

Look for:

  • Extra letters

  • Swapped letters

  • Similar-looking domains

  • Free email addresses instead of company addresses

  • Strange reply-to addresses

  • Emails that come from a different address than usual

The FBI warns that scammers often spoof email accounts or websites with slight variations that are easy to miss.

Example:

Looks real:
billing@companyname.com

Fake version:
billing@cornpanyname.com

At a quick glance, those can look almost identical: the letters "r" and "n" side by side pass for an "m" in most fonts.

A lookalike address is only one pattern, though. If a vendor's real mailbox has been taken over, the message comes from the genuine address, passes every check on this list, and is caught only by the phone verification in step 3.
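The sender checks in this step can be scripted, for example as a filter that runs before an invoice reaches whoever pays it. The Python below is an added example, not code from the article or from AtlasTek. It assumes a list of trusted vendor domains kept outside email (the two domains and the two sample messages are constructed for the example; companyname.com is the domain used above), and it flags the patterns in the list: a display name that names a vendor while the address does not belong to that vendor's domain, a Reply-To that points somewhere else, a free mail provider, and a domain that imitates a trusted one through look-alike letters, a different ending, or a single added, dropped, changed, or swapped letter.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Optional

# Domains the office already trusts. In practice this comes from the vendor
# master record or the contract file, never from an incoming email.
# (Constructed sample; companyname.com is the domain used in the article.)
KNOWN_VENDOR_DOMAINS = {"companyname.com", "abcsupply.example"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Letter pairs that pass for a different letter in most fonts ("rn" reads as "m").
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def domain_of(address: str) -> str:
    """'Billing@Example.com' -> 'example.com'; '' when there is no address."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def base_name(domain: str) -> str:
    """Label before the final dot ('mail.companyname.com' -> 'companyname'); ignores co.uk-style suffixes."""
    return domain.rsplit(".", 1)[0].split(".")[-1] if "." in domain else domain


def normalize_confusables(domain: str) -> str:
    """Collapse look-alike pairs so cornpanyname.com and companyname.com agree."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an added, missing, changed or swapped-adjacent letter is one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(domain: str, known=KNOWN_VENDOR_DOMAINS) -> Optional[str]:
    """The trusted domain this one imitates, or None (an exact match is not a look-alike)."""
    domain = domain.lower()
    if not domain or domain in known:
        return None
    for real in known:
        if normalize_confusables(domain) == normalize_confusables(real):
            return real  # cornpanyname.com
        if base_name(domain) == base_name(real):
            return real  # companyname.co, companyname.net
        if edit_distance(domain, real) <= 1:
            return real  # companynaem.com, companynames.com
    return None


def check_sender(raw: bytes, known=KNOWN_VENDOR_DOMAINS) -> list[str]:
    """Run the checklist's sender checks on one raw message; any finding means hold the invoice."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []
    if from_dom in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses a free mail address: {from_addr}")
    imitated = lookalike_of(from_dom, known)
    if imitated:
        findings.append(f"sender domain {from_dom!r} imitates trusted domain {imitated!r}")
    squashed = display.lower().replace(" ", "")  # "Company Name Billing" -> "companynamebilling"
    for real in known:
        if base_name(real) in squashed and from_dom != real:
            findings.append(f"display name {display!r} suggests {real} but address is {from_addr}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"replies would go to {reply_addr}, not to the From domain")
    return findings


# Constructed sample messages, not real traffic.
LOOKALIKE_INVOICE = b"""From: "Company Name Billing" <billing@cornpanyname.com>
Reply-To: companyname.billing@gmail.com
To: ap@yourfirm.example
Subject: Updated payment information for future invoices

Please note our updated payment information for future invoices.
"""
GENUINE_INVOICE = b"""From: "Company Name Billing" <billing@companyname.com>
To: ap@yourfirm.example
Subject: April invoice

Invoice attached. Thank you.
"""

if __name__ == "__main__":
    for label, raw in (("look-alike", LOOKALIKE_INVOICE), ("genuine", GENUINE_INVOICE)):
        print(label, check_sender(raw) or ["no sender findings; verify any payment change by phone"])
```

A message with no findings is not cleared. The genuine-address case is exactly what a compromised vendor mailbox produces, so a script like this only decides which invoices get held for a closer look; the phone call in step 3 still decides whether a bank change is real.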

2. Slow down urgent requests

Urgency is one of the biggest red flags.

Be cautious with messages that say:

  • “This must be paid today.”

  • “I am in a meeting, just handle it.”

  • “Do not call, just process it.”

  • “The account will be suspended.”

  • “We need this before close of business.”

  • “Please keep this confidential.”

The FTC warns that scammers often create urgency, intimidation, or fear because they want people to act before checking the request.

A real vendor, manager, or client should not object to a reasonable verification process.

3. Verify payment changes by phone

This is the most important step.

If someone sends new payment instructions, do not verify by replying to the email, and do not call the phone number in the email or on the new invoice. Both lead straight back to whoever wrote the request.

Use a phone number you already trust, such as:

  • The number from your saved vendor record

  • The number on a previous legitimate invoice

  • The number from the company’s official website

  • The number from a contract or onboarding document

Then call and confirm:

“We received updated payment instructions. Before we make any changes, I need to verify that your company sent this request.”

This one step can prevent a major financial mistake.

4. Require approval for unusual payments

Every business should decide what counts as an unusual payment.

Examples:

  • A payment above a certain dollar amount

  • A first-time vendor payment

  • A change in bank account information

  • A wire transfer

  • A rush payment

  • A refund request to a new account

  • A payment requested by text or email only

For those payments, require approval from a second person.

Even in a very small business, this matters.

If only one person controls the inbox, invoice approval, and payment, there is no safety net.

5. Do not send passwords or sensitive information by email

Some scams are not asking for money directly. They are trying to get access.

A fake message may ask for:

  • Email login information

  • Microsoft 365 credentials

  • Bank login details

  • Payroll system access

  • Employee W-2 information

  • Client records

  • Password reset codes

  • MFA approval codes

The FTC advises businesses to train employees not to send passwords or sensitive information by email, even when the request appears to come from a manager.

A simple office rule helps:

Passwords, MFA codes, and banking details should never be sent through email, or read out to a caller you did not dial yourself.

A simple office policy you can use

Here is a plain-language policy small businesses can adopt:

Any request to change payment details, banking information, payroll deposit information, vendor contact information, or invoice payment instructions must be verified through a trusted second method before any change is made. Email alone is not enough. Urgent requests must still follow the same process.

That policy should be shared with every employee who touches:

  • Email

  • Billing

  • Payroll

  • Vendor accounts

  • Client payments

  • Bookkeeping

  • Office administration

The goal is not to make people paranoid.

The goal is to give employees permission to pause.

Technology helps, but process still matters

Security tools can reduce risk, but they do not replace common sense procedures.

For example, multifactor authentication can make it much harder for someone to break into an account. CISA recommends MFA for key systems, especially email, and says MFA adds another layer of protection beyond a password.

Microsoft’s 2025 Digital Defense Report also reported that most identity attacks still target common weaknesses like weak and reused passwords, with password-based attacks such as password spraying making up more than 97% of identity attacks.

That means small businesses should focus on the basics:

  • Use multifactor authentication

  • Avoid shared passwords

  • Use strong, unique passwords

  • Disable former employees’ accounts promptly, and keep them disabled

  • Review who has admin access

  • Keep software updated

  • Back up important files

  • Train employees on payment scams

  • Use a written process for invoice approval

None of this needs to be overly complicated.

But it does need to be consistent.

What to do if your business already paid a scammer

If a suspicious payment has already been sent, move quickly.

Take these steps:

  1. Contact your bank immediately.

  2. Ask the bank to attempt a recall or freeze.

  3. Save the emails, invoices, headers, and payment records.

  4. Report the incident to the FBI’s Internet Crime Complaint Center.

  6. Change affected passwords and sign out all active sessions on those accounts.

  7. Review email forwarding rules and account access, including inbox rules that forward, redirect, move, or delete messages, and any MFA methods or devices you do not recognize.

  7. Check whether any other invoices or contacts were changed.

  8. Notify affected vendors or clients if needed.

The FBI recommends contacting your financial institution immediately and reporting business email compromise scams to IC3.

Speed matters.

The longer the delay, the harder recovery becomes.
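Step 6 above is the one most offices skip. After a business email compromise, the attacker commonly leaves an inbox rule behind so that replies about the invoice or the bank change are forwarded out and never reach the mailbox owner. The Python below is an added example, not the article's or AtlasTek's code, that reviews a list of inbox rules for that pattern. The rules are constructed samples laid out like Microsoft Graph messageRule objects (that field layout is an assumption to check against the current API documentation; the company domain yourfirm.example is hypothetical), and the script flags three classic signs: forwarding or redirecting outside the company, hiding messages that mention money, and a blank or placeholder rule name.

```python
from typing import Any

ORG_DOMAINS = {"yourfirm.example"}  # hypothetical company domain
# Words that appear in the messages a BEC actor wants to intercept or hide.
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "ach", "bank", "remit", "deposit", "payroll"}
PLACEHOLDER_CHARS = set(".,-_ ")  # rule names like "." or "..." are a well-known tell


def _addresses(recipients) -> list[str]:
    """Pull plain addresses out of Graph-style recipient objects."""
    return [r["emailAddress"]["address"].lower() for r in (recipients or [])]


def review_rule(rule: dict[str, Any], org_domains=ORG_DOMAINS) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one inbox rule; empty means unremarkable."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    name = (rule.get("displayName") or "").strip()
    findings = []

    # 1. Mail leaving the company: forward, forward-as-attachment, or redirect
    external = [addr for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
                for addr in _addresses(actions.get(key))
                if addr.rsplit("@", 1)[-1] not in org_domains]
    if external:
        findings.append(("high", "sends mail outside the company to " + ", ".join(external)))

    # 2. Money-related messages made to disappear from the owner's view
    terms = set()
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        terms.update(t.lower() for t in (conditions.get(key) or []))
    money_terms = sorted(terms & FINANCE_KEYWORDS)
    hides = any(actions.get(k) for k in ("delete", "permanentDelete", "moveToFolder", "markAsRead"))
    if money_terms and hides:
        findings.append(("high", "hides messages mentioning " + ", ".join(money_terms)))

    # 3. Nameless or placeholder-named rule, created so it does not draw attention
    if not name or set(name) <= PLACEHOLDER_CHARS:
        findings.append(("medium", "rule name is blank or a placeholder such as '.'"))
    return findings


def review_mailbox(rules: list[dict[str, Any]]) -> dict[str, list[tuple[str, str]]]:
    """Map each rule name to its findings, keeping only rules with something to show."""
    report = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report[rule.get("displayName") or "(unnamed)"] = findings
    return report


# Constructed sample export, shaped like Microsoft Graph messageRule objects.
SAMPLE_RULES = [
    {   # The classic BEC rule: named ".", catches anything about money,
        # forwards it out, then marks it read and files it where nobody looks.
        "displayName": ".",
        "isEnabled": True,
        "conditions": {"bodyOrSubjectContains": ["invoice", "wire", "payment"]},
        "actions": {
            "forwardTo": [{"emailAddress": {"address": "ap.yourfirm@mail-drop.example"}}],
            "markAsRead": True,
            "moveToFolder": "rss-feeds-folder-id",
            "stopProcessingRules": True,
        },
    },
    {   # Ordinary housekeeping; should produce no findings.
        "displayName": "Newsletters to folder",
        "isEnabled": True,
        "conditions": {"senderContains": ["newsletter"]},
        "actions": {"moveToFolder": "newsletters-folder-id"},
    },
    {   # Forwarding to a personal mailbox: worth a conversation even if the owner set it up.
        "displayName": "Copy to home",
        "isEnabled": True,
        "conditions": {},
        "actions": {"forwardTo": [{"emailAddress": {"address": "owner.home@personal-mail.example"}}]},
    },
]

if __name__ == "__main__":
    for rule_name, findings in review_mailbox(SAMPLE_RULES).items():
        for severity, reason in findings:
            print(f"[{severity}] rule {rule_name!r}: {reason}")
```

For Microsoft 365 the rule list can be pulled with the Exchange Online PowerShell cmdlet Get-InboxRule or from the Graph messageRules endpoint; mailbox-level forwarding set outside of rules needs a separate look. Whatever the source, review every mailbox that touches billing or payroll, not only the one that received the fraudulent email.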

The bottom line

Invoice scams work because they blend into normal business activity.

They do not always look dramatic. They do not always involve a hacked computer. Sometimes they are just a normal-looking email sent at the right time to the right person.

That is why every small business should have a simple payment verification routine.

Not because employees cannot be trusted.

Because even good employees can be rushed, distracted, or fooled by a message that looks real.

A strong office process protects the business, protects the employee, and protects the money leaving the account.

Need help reviewing your business technology process?

AtlasTek Solutions helps small businesses build practical, manageable IT processes for email security, account access, Microsoft 365, device support, backups, and day-to-day technology issues.

If your office does not have a clear process for payment verification, employee account access, or basic security controls, now is a good time to get those pieces organized before there is a problem.

Serving small businesses in Corbin, London, Williamsburg, Somerset, and surrounding areas.
