If you receive an email asking you to pay an invoice, review a bill, sign a document, or take urgent financial action, stop and look closely before doing anything.
These messages are often phishing or spear-phishing attempts. They are designed to look like real business email, often by pretending to be a coworker, vendor, or executive.
What these phishing emails usually look like
Common examples include messages that:
- Ask you to pay an invoice immediately
- Ask you to expedite a payment
- Ask you to sign a document
- Look like they came from a coworker or executive
- Include a fake email chain to make the message look real
- Create urgency such as “pay this today” or “urgent action required”
Warning signs to look for
Your email system may add warning tags to suspicious messages. Two common examples are:
- EXTERNAL
- SPF SOFT FAIL: UNVERIFIED SENDER - CONFIRM BEFORE ACTION
These warnings matter.
- EXTERNAL means the message came from outside your company
- SPF SOFT FAIL means your mail system could not confirm that the server that sent the message is authorized to send mail for the sender's domain
If a message asks for money, signatures, gift cards, banking changes, or urgent action and it also has one of these warnings, treat it as suspicious.
Common phishing tricks
Attackers often try to make a message look real by using one or more of these tricks:
- A familiar display name, such as the name of a coworker or executive
- A fake conversation thread copied into the email body
- A sender address that does not match the claimed person or company
- A different reply-to address
- Urgent wording meant to pressure you into acting fast
Example:
- The message says it is from your coworker
- But the real sender is an unrelated outside domain
- And the reply-to address points somewhere else entirely
That is a strong sign of phishing.
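The checks above (sender domain versus display name, Reply-To mismatch, the EXTERNAL and SPF SOFT FAIL tags, and wording that asks for money or urgent action) can be applied to a raw message automatically. The script below is an added example, not part of the original article; the sample message, the company domain example.com and the known-names list are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the article): a payment request with an EXTERNAL tag,
# an SPF softfail, a familiar name on an outside domain and a mismatched Reply-To.
SAMPLE_EMAIL = """\
From: "Dana Lee (CFO)" <dana.lee@mail-relay-example.net>
Reply-To: dana.lee.office@webmail-example.org
Subject: [EXTERNAL] Urgent: pay this invoice today
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=mail-relay-example.net

Hi, please expedite the attached invoice. Urgent action required before 5pm.
"""

REQUEST_PHRASES = ("invoice", "payment", "sign the document", "gift card", "bank", "wire")
URGENCY_PHRASES = ("pay this today", "urgent action required", "immediately", "expedite")

def warning_signs(raw, company_domain, known_names):
    """Apply the article's checklist to one message; returns the signs found."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = (subject + "\n" + (body.get_content() if body else "")).lower()
    signs = []
    if from_domain and from_domain != company_domain.lower():
        signs.append("sender domain is outside the company: " + from_domain)
        if any(n.lower() in display_name.lower() for n in known_names):
            signs.append("familiar display name on an outside address: " + display_name)
    if reply_addr and reply_addr.lower() != from_addr.lower():
        signs.append("reply-to differs from sender: " + reply_addr)
    if "spf=softfail" in msg.get("Authentication-Results", "").lower():
        signs.append("SPF SOFT FAIL: sending server not verified for " + from_domain)
    if "external" in subject.lower():
        signs.append("EXTERNAL tag present")
    if any(p in text for p in URGENCY_PHRASES):
        signs.append("urgent wording")
    if any(p in text for p in REQUEST_PHRASES):
        signs.append("asks for money, signature or account change")
    return signs

def treat_as_suspicious(signs):
    """The article's rule: a money or urgent request plus at least one other warning sign."""
    request = [s for s in signs if s.startswith(("asks for", "urgent"))]
    return bool(request) and len(request) < len(signs)
```

Running `warning_signs(SAMPLE_EMAIL, "example.com", ["Dana Lee"])` lists all seven signs for the sample, and `treat_as_suspicious` returns True for it.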
What you should do
- Read the warning tags at the top of the message
- Check whether the message is asking for money, signatures, account changes, or urgent action
- Look at the actual sender address, not just the display name
- If anything looks suspicious, do not reply
- Do not open attachments unless you are sure the message is legitimate
- Delete the email or move it to Junk
Simple rule of thumb
If an email is marked EXTERNAL and asks for payment, signatures, or urgent action, delete it unless you independently verify it first.
What not to assume
- Do not assume an email is safe just because it uses the name of someone you know
- Do not assume it is real just because it includes a long message history
- Do not assume it came from your company just because your company’s name appears in the message
Attackers can type anything they want into the body of an email.
Why these emails still show up
No spam filter catches every message. Some phishing emails are delivered with warning tags instead of being blocked completely, especially when they look similar to real business email.
This is normal. The warning tags are there to help you decide what to do next.
What to do if the message might be real
If you are unsure whether a message is legitimate:
- Do not reply to the suspicious message
- Do not use the phone number or links in the message
- Contact the person or company using a phone number, website, or email address you already trust
This is called independent verification, and it is the safest way to confirm whether a request is real.
Can this be reduced?
Yes, sometimes.
Email filtering can often be tightened so more suspicious messages go to Junk automatically. The tradeoff is that some legitimate messages from poorly configured senders may also go to Junk.
If you are receiving too many of these messages, contact support and ask whether your filtering can be made more aggressive.
Frequently asked questions
Does this mean my mailbox was hacked?
Usually, no. Most of these messages are just impersonation attempts sent from outside domains.
Does this mean my company domain was compromised?
Usually, no. Attackers often place your company name or employee names in the message body to make the email look real.
Should I forward every suspicious message to support?
Not usually. If the message is clearly marked EXTERNAL and asks for payment, signatures, or urgent action, it is generally safe to delete it.
Best practice
Teach everyone in the company this one habit:
Slow down before acting on financial or urgent requests sent by email.
That one step prevents a large percentage of phishing losses.