Email Security: Stopped Invoice Fraud Before Money Moved

At a Glance

  • Threat: Social engineering / invoice fraud with ACH remittance change attempt
  • Attack Pattern: Look-alike domains + repeated invoice emails + phone pressure
  • Potential Exposure: Approximately $91K if payment diversion had succeeded
  • Nexus ITS Deliverable: Rapid investigation + vendor verification + after-incident report

The Situation

A malicious actor targeted Accounts Payable with a familiar business problem: an ‘outstanding invoice’ and a request to update payment instructions. The goal was straightforward: redirect future payments to a fraudulent bank account by convincing staff to accept new ACH remittance details.

What Made this Attempt Convincing

  • Look-alike domains were registered to mimic a legitimate vendor identity.
  • Invoice emails were sent repeatedly over multiple days to both an AP mailbox and an individual employee.
  • When emails didn’t arrive, the attacker escalated to phone calls to create urgency and steer the user into ‘helping’ with delivery.
  • The initial email content and phone calls did not focus on updated ACH instructions.
  • Late-stage phone calls and emails focused on immediate urgency to update ACH instructions, an action that can create ongoing financial exposure if accepted.

The Outcome

Nexus ITS managed email security quarantined the fraudulent invoices before they reached end users, blocking the most dangerous step of the attack: delivery to the inbox. The investigation then confirmed the attempted impersonation and prevented release of the quarantined messages. It also uncovered additional phone calls to both the company phone number and a personal cell phone.

Why this matters: Invoice fraud is rarely technical. It is procedural. When security controls prevent delivery, attackers often pivot to pressure tactics (calls, urgency, persistence) to bypass process.

How Nexus ITS Responded

  • Treated a quarantine restore request as a security review, not a convenience task.
  • Flagged suspicious indicators and identified multiple related messages using similar look-alike domains.
  • Verified the vendor using independently sourced contact information and confirmed legitimate vs fraudulent domains.
  • Denied restoration of quarantined messages to reduce exposure and user interaction risk.
  • Delivered an after-incident report with timeline, findings, and recommendations.

Results for the Business

  • Fraudulent invoices were blocked before delivery, reducing the likelihood of a payment diversion event.
  • The organization avoided acting on unverified remittance changes during a high-pressure scenario.
  • Leadership received clear documentation to reinforce controls, training, and AP verification standards.

Key Takeaways for Finance and Operations

  • If an invoice email is quarantined or ‘missing,’ assume there is a security reason and use a verified channel to validate the request.
  • Never accept changes to bank details or remittance instructions based on an email thread alone.
  • Implement a simple approval standard: call-back verification + two-person review for payment instruction changes.
  • Quarantine restore requests should route to IT/security review by default.

Recommended Safeguards Nexus ITS Helps Implement

  • Enhanced email filtering for impersonation, domain reputation/age, and suspicious invoice patterns.
  • A ‘no restore without review’ workflow for invoice and payment-change messages.
  • AP verification playbook (call-back scripts, approval steps, and vendor domain allow-listing where appropriate).
  • Short, practical employee training focused on invoice fraud and payment change social engineering.
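
As an added illustration (not Nexus ITS tooling and not taken from the incident), the sketch below shows how a ‘no restore without review’ rule can combine a vendor domain allow-list with a look-alike check and a payment-change keyword match. The vendor domain, keyword list, substitution table and distance threshold are all assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the allow-list, keyword list and thresholds.
VENDOR_DOMAINS = {"acme-supply.example"}
PAYMENT_CHANGE = re.compile(
    r"\b(ach|remittance|bank details|payment instructions)\b", re.I)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Fold common visual substitutions so look-alikes collapse together."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    domain = domain.lower().rstrip(".")
    if domain in VENDOR_DOMAINS:
        return "known-vendor"
    if any(edit_distance(skeleton(domain), skeleton(v)) <= 2 for v in VENDOR_DOMAINS):
        return "look-alike"
    return "unknown"

def restore_decision(raw_message):
    """Decide how a quarantine restore request is handled; never auto-release."""
    msg = message_from_string(raw_message)  # sample messages are single-part
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    text = f'{msg.get("Subject", "")} {msg.get_payload()}'
    if classify_domain(domain) == "look-alike":
        return "deny"                   # keep quarantined, open investigation
    if PAYMENT_CHANGE.search(text):
        return "review-with-callback"   # call-back + two-person review
    return "review"                     # default: IT/security review

# Constructed sample messages (not from the incident).
LOOKALIKE = "From: Acme Billing <billing@acrne-supply.example>\nSubject: Outstanding invoice\n\nSee attached."
CHANGE = "From: ap@acme-supply.example\nSubject: Updated remittance details\n\nNew ACH account below."
ROUTINE = "From: ap@acme-supply.example\nSubject: Invoice 1042\n\nSee attached."
```

Every path ends in a human decision; even a message from an allow-listed domain that mentions remittance changes is routed to call-back verification, since a known sender does not rule out a compromised mailbox.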

About Nexus IT Solutions

Nexus ITS helps small and midsize businesses protect critical workflows with managed IT and security services. We focus on practical controls that reduce real financial risk, such as invoice fraud, business email compromise, and payment diversion attempts.

Ready to reduce invoice fraud risk? Nexus ITS can start with a short discovery call and then provide a concise action plan focused on the controls that prevent payment-change scams, without jargon or alarmism.
