Is That Invoice Real? How AI-Powered Payment Fraud Targets Small Practices
Your accounts payable process runs on trust. A supplier sends an invoice, someone approves it, and the payment goes out. That rhythm works well until someone outside your business learns to imitate the people inside it convincingly enough to slip in unnoticed.
That is exactly what business email compromise (BEC) fraud does, and AI has made it significantly harder to catch. Attackers no longer need skill or patience to craft a convincing message. Tools are now widely available that research a target business, match writing styles, and generate emails that reference real suppliers, active projects, and current invoice values. The result is a fraudulent request that reads no differently from a legitimate one.
The most common version targets payment details. An attacker gets into a supplier's email exchange, alters the destination account, then sends a short message claiming the supplier has updated its banking details. The surrounding content is often drawn from real correspondence, and because the attacker is frequently sitting inside the supplier's genuine mailbox, the message can arrive from the real address in the real thread. Nothing looks wrong because very little has changed - just the account number the money will go to.
Voice cloning adds another layer. AI tools can now replicate a person's voice from a short audio sample, making it possible to leave voicemails or place calls that sound like a known director or partner. For practices that rely on verbal approvals for high-value payments, this undermines a check that sat outside email security entirely: the call that used to confirm an email can now be faked just as easily as the email.
The reason standard training has not kept pace is that the signals it once focused on are gone. Odd phrasing, mismatched logos, suspicious sender addresses - modern fraud often contains none of them. When a fraudulent request is indistinguishable from a legitimate one, placing the burden of detection on a busy administration team is not a strategy. It is a vulnerability.
What actually works is removing the ambiguity from high-risk actions at a process level. Any request to change supplier bank details or approve an urgent payment outside the normal cycle should require confirmation through a separate, known channel - not a reply to the same email thread, and not a call to a phone number quoted in the request itself. Calling the supplier on the number already on file, or confirming with a colleague in person, breaks the impersonation regardless of how convincing the original request looked. This does not require new technology. It requires a written procedure and the habit of following it. If your practice needs help building those controls, IT support for professional services is where to start.
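As an added example, not part of this article or of ITstuffed's own material, here is that procedure written down as a gate that a bookkeeping script or approval workflow could enforce. The supplier record, field names and sample requests are constructed for illustration. The point it makes in code is the one that matters in practice: the phone number in the email is attacker-controlled, so the callback must go to the number that was already on file before the request arrived, and a second person must sign off.

```python
"""Gate for supplier bank-detail changes (added example; constructed data)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed supplier master data (assumption): what was on file BEFORE the email arrived.
SUPPLIERS_ON_FILE = {
    "SUP-0042": {
        "name": "Example Office Supplies Ltd",
        "phone": "+64 9 555 0100",
        "account": "01-0001-0000001-00",
    },
}

# Channels that are separate from the email thread and already known to the practice.
ACCEPTED_CHANNELS = {"phone_on_file", "in_person"}


def _digits(phone: Optional[str]) -> str:
    """Reduce a phone number to digits so spacing or dashes cannot defeat the comparison."""
    return re.sub(r"\D", "", phone or "")


@dataclass
class ChangeRequest:
    supplier_id: str
    new_account: str
    phone_quoted_in_email: Optional[str]   # attacker-controlled: never treated as trusted
    verified_via: str                      # how staff say they confirmed it
    number_dialled: Optional[str] = None   # the number staff actually called, if any
    handled_by: str = ""                   # staff member who processed the request
    approved_by: Optional[str] = None      # second person who signed off


def evaluate_change(req: ChangeRequest, on_file=SUPPLIERS_ON_FILE):
    """Return (allowed, reasons). Every failing rule is reported, not just the first."""
    record = on_file.get(req.supplier_id)
    if record is None:
        return False, ["supplier not on file; treat as new-supplier onboarding, not a change"]

    reasons = []

    # Rule 1: confirmation must come through a separate, known channel.
    if req.verified_via not in ACCEPTED_CHANNELS:
        reasons.append(f"confirmation via '{req.verified_via}' is not a separate known channel")

    # Rule 2: a phone confirmation counts only if it went to the number on file.
    if req.verified_via == "phone_on_file":
        dialled, known, quoted = (_digits(req.number_dialled), _digits(record["phone"]),
                                  _digits(req.phone_quoted_in_email))
        if dialled != known:
            if quoted and dialled == quoted:
                reasons.append("callback went to the number quoted in the request, not the one on file")
            else:
                reasons.append("number dialled does not match the number on file")

    # Rule 3: four eyes. The person who took the request cannot be the one who approves it.
    if not req.approved_by or req.approved_by == req.handled_by:
        reasons.append("a second person must approve the change")

    return (not reasons), reasons


if __name__ == "__main__":
    # Fraud pattern: staff 'verified' by calling the number helpfully supplied in the email.
    fraud = ChangeRequest("SUP-0042", "38-9999-0123456-00", phone_quoted_in_email="+64 21 555 0199",
                          verified_via="phone_on_file", number_dialled="+64 21 555 0199",
                          handled_by="sam")
    print(evaluate_change(fraud))

    # Correct handling: called the number on file, second person approved.
    good = ChangeRequest("SUP-0042", "38-9999-0123456-00", phone_quoted_in_email="+64 21 555 0199",
                         verified_via="phone_on_file", number_dialled="+6495550100",
                         handled_by="sam", approved_by="jo")
    print(evaluate_change(good))
```

The gate reports every failed rule rather than stopping at the first, so the person reviewing a rejected change sees the whole picture. It deliberately has no notion of "the email looked genuine": the article's point is that appearance no longer carries information, so the only inputs are facts the practice controls.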
Access controls matter too. Restricting who can authorise payments and requiring multi-factor authentication - a second verification step beyond a password - on financial systems limits how much damage a compromised account can cause. Note what this does and does not cover: MFA on your own systems protects your accounts, but it does nothing to stop a supplier's mailbox being taken over. That case is caught by the verification step above, which creates friction that can stop a fraudulent change before any money moves. Understanding ways to reduce damage when a breach hits your practice can help you think through these controls before they are needed.
The culture around this matters as much as the controls. A team member who pauses a payment to verify it is not creating problems. They are doing exactly what good process asks of them. When that is understood across the business, including by directors and partners, staff are far more likely to slow down when something feels off - even when they cannot say exactly why.
The process controls that contain this kind of fraud do not have to be complicated. They have to be consistent. Verification as a standard step, not an occasional one, is what shifts the advantage away from attackers. It is also worth knowing that the fallout from a breach extends well beyond the initial incident, which is why consistent controls matter more than a one-off response. For more on how cybersecurity for NZ businesses applies to real operational risks like this, that page covers the broader picture.
If you want to know where your current controls stand, ITstuffed offers a 15-minute IT Fit Check at itstuffed.co.nz/booking - no preparation needed on your part.
