
The MSP Security Gap
The invoice was real. The bank account wasn’t.
The scenario:
The CFO received an invoice from a supplier they’d used for years. Same format. Same contact name. Same thread.
One thing was different: the bank details. The invoice was sent from the supplier’s actual email address. Their mailbox had been compromised two weeks earlier. The attacker had been sitting in the inbox, watching invoices go back and forth, waiting for the right moment.
The attack:
STAGE 1: INITIAL COMPROMISE
Attacker compromises the supplier’s email account via credential stuffing.
Creates inbox rules to hide replies from the real account owner.
Monitors all email threads involving invoices and payments.
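The inbox rules in Stage 1 are the one part of this attack that leaves a trace in audit logs. The following is an added example, not code from the original post: a small triage script that scores mailbox-rule and forwarding changes for the "hide the replies" pattern (delete, move to a rarely read folder, forward externally, conditions keyed on invoice vocabulary, throwaway rule names). The event shape and field names are an assumption for the example, not any vendor's audit-log schema, and the sample events are constructed.

```python
"""Triage of mailbox-rule changes that look like the 'hide the replies'
step of a mailbox takeover. The event shape below is an assumption for
this example, not a vendor's audit-log schema."""

HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
FINANCE_WORDS = {"invoice", "payment", "remittance", "bank", "sort code",
                 "account", "iban", "swift"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
CONDITION_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"user": "accounts@supplier.example", "operation": "New-InboxRule",
     "client_ip": "203.0.113.7",
     "parameters": {"Name": "Cleanup",
                    "SubjectContainsWords": "invoice;payment;remittance",
                    "MoveToFolder": "RSS Subscriptions", "MarkAsRead": "True"}},
    {"user": "accounts@supplier.example", "operation": "New-InboxRule",
     "client_ip": "203.0.113.7",
     "parameters": {"Name": ".", "FromAddressContainsWords": "client.example",
                    "DeleteMessage": "True"}},
    {"user": "alice@supplier.example", "operation": "New-InboxRule",
     "client_ip": "198.51.100.20",
     "parameters": {"Name": "Newsletters",
                    "FromAddressContainsWords": "news@vendor.example",
                    "MoveToFolder": "Newsletters"}},
    {"user": "alice@supplier.example", "operation": "Set-Mailbox",
     "client_ip": "198.51.100.20",
     "parameters": {"ForwardingSmtpAddress": "smtp:attacker@mail.example"}},
]


def _is_true(value):
    return str(value).lower() == "true"


def _points_outside(addresses, user):
    """True if any address in a ';' or ',' separated list is not in the user's domain."""
    home = user.rsplit("@", 1)[-1].lower()
    for addr in str(addresses).replace(";", ",").split(","):
        addr = addr.strip().strip("<>")
        if "@" in addr and addr.rsplit("@", 1)[-1].lower() != home:
            return True
    return False


def analyse_event(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if event.get("operation") not in RULE_OPERATIONS:
        return reasons
    p = event.get("parameters", {})
    user = event.get("user", "")

    # 1. Actions that keep the mailbox owner from seeing the mail.
    if _is_true(p.get("DeleteMessage")):
        reasons.append("rule deletes matching mail")
    folder = str(p.get("MoveToFolder", ""))
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"rule moves mail to rarely read folder '{folder}'")
    if _is_true(p.get("MarkAsRead")) and (folder or _is_true(p.get("DeleteMessage"))):
        reasons.append("rule marks mail as read before hiding it")

    # 2. Forwarding or redirecting outside the organisation.
    for name in sorted(FORWARD_PARAMS & set(p)):
        if _points_outside(p[name], user):
            reasons.append(f"{name} points outside the organisation ({p[name]})")

    # 3. Conditions keyed on finance vocabulary.
    for name in sorted(CONDITION_PARAMS & set(p)):
        hits = sorted(w for w in FINANCE_WORDS if w in str(p[name]).lower())
        if hits:
            reasons.append(f"{name} targets finance terms {hits}")

    # 4. Throwaway rule names ('.', 'a', '..') are common in takeovers.
    rule_name = str(p.get("Name", "")).strip()
    if event["operation"].endswith("InboxRule") and len(rule_name) <= 2:
        reasons.append(f"rule name '{rule_name}' is a throwaway")
    return reasons


def triage(events):
    """Return one finding per suspicious event, with the reasons attached."""
    findings = []
    for e in events:
        reasons = analyse_event(e)
        if reasons:
            findings.append({"user": e["user"], "operation": e["operation"],
                             "client_ip": e.get("client_ip"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["user"], f["operation"], f["client_ip"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed events it flags the two rules on the accounts mailbox and the external forward, and lets the ordinary newsletter rule through. In practice the client_ip and the time of day of the rule creation are the next pivot: a rule created from an address the user has never signed in from is the strongest single signal.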
-
STAGE 2: RECONNAISSANCE
Identifies the target company as a regular customer with recurring invoices.
Studies invoice format, payment terms, typical amounts, and contact names.
Waits for the next legitimate invoice cycle (12 days of monitoring).
-
STAGE 3: INTERCEPTION
Catches the real invoice as it goes out; the inbox rules from Stage 1 mean the supplier never sees the customer's reply.
Modifies only the bank account details on the PDF invoice.
Resends it from the supplier's actual mailbox, in the existing thread.
The email passes SPF, DKIM, and DMARC checks. Those controls only prove the message left the supplier's domain through its own mail servers; they say nothing about who was logged into the mailbox, so a compromised account is invisible to them.
-
STAGE 4: EXTRACTION
CFO processes the invoice through normal AP workflow.
Payment of £127,000 is sent to the attacker’s account.
Attacker moves funds within 4 hours.
Fraud is discovered 8 days later when the real supplier follows up on non-payment.
What stopped it:
Nothing. The payment was made. The fraud was discovered too late to recover funds. The client’s insurance covered part of the loss, but the supplier relationship was damaged.
How to defend against it:
Implement a verbal verification policy for any bank detail changes: call the supplier on a number already held in the supplier master file, never one taken from the email or the invoice, and confirm the new details before paying
Flag emails and invoices whose bank account or sort code differs from the supplier master record for manual review; the sender's address and domain are not a signal, since a compromised mailbox passes every authentication check
Monitor supplier domains for signs of compromise (leaked credentials, unusual sending patterns such as invoices sent outside working hours or replies that go unanswered)
Audit inbox rule creation in your clients' own tenants: rules that delete mail or move it to a rarely read folder are the same "hide the replies" step that was used against this supplier
Train finance teams that a change of bank details is a fraud trigger, not routine admin
Add a 24-hour hold on payments to bank accounts that are new or recently changed
Consider dedicated AP email addresses that are not publicly listed
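The controls above reduce to one AP-side check: compare the bank details on the invoice with the supplier master record, hold anything that differs or announces a change, and hold anything going to an account changed in the last 24 hours. The following is an added example that is not part of the original post: it implements that check for UK sort codes and account numbers (plus a basic IBAN shape). The master-file fields, the two invoice emails and the dates are constructed for the example.

```python
"""AP-side checks for bank details on an incoming invoice: compare them to
the supplier master file, treat any difference or 'new details' language
as a hold, and enforce a 24-hour hold on recently changed accounts.
Patterns are UK sort code / account number plus a basic IBAN shape; the
master-file fields and sample messages are constructed for this example."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SORT_CODE = re.compile(r"\b(\d{2})[- ]?(\d{2})[- ]?(\d{2})\b")
ACCOUNT_NO = re.compile(r"\b\d{8}\b")
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
CHANGE_PHRASES = ("new bank", "updated bank", "changed our bank", "new account",
                  "updated account", "please update", "remit to")
NEW_ACCOUNT_HOLD = timedelta(hours=24)

SUPPLIER = {  # constructed master-file record
    "name": "Acme Widgets Ltd", "sort_code": "20-00-00", "account": "12345678",
    "iban": None,
    "phone": "+44 20 7946 0000",   # held on file, never taken from the email
    "bank_details_verified_at": datetime(2024, 1, 15, tzinfo=timezone.utc),
}
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
RECENTLY_CHANGED = {**SUPPLIER, "bank_details_verified_at": NOW - timedelta(hours=2)}

LEGIT_INVOICE = """Hi, please find attached invoice INV-40120033 for February.
Payment to Acme Widgets Ltd, sort code 20-00-00, account 12345678, as usual."""

TAMPERED_INVOICE = """Hi, please find attached invoice INV-40120033 for February.
Please note our updated bank details, effective immediately:
Sort code 40-12-34, Account number 98765432. Call me if you have any questions."""


@dataclass
class Decision:
    action: str                      # "pay" or "hold"
    reasons: list = field(default_factory=list)


def extract_bank_details(text):
    """Candidate sort codes (as 6 digits), account numbers and IBANs in free text.
    Any 6- or 8-digit run matches, so invoice numbers can appear too; the
    decision below only cares whether the master-file details are present."""
    sort_codes = {"".join(m) for m in SORT_CODE.findall(text)}
    accounts = set(ACCOUNT_NO.findall(text))
    ibans = set(IBAN.findall(text.replace(" ", "")))
    return sort_codes, accounts, ibans


def check_invoice(supplier, invoice_text, now):
    """Decide pay/hold for one invoice against the supplier's master record."""
    d = Decision("pay")
    sort_codes, accounts, ibans = extract_bank_details(invoice_text)
    known_sc = re.sub(r"[- ]", "", supplier["sort_code"])

    if sort_codes and known_sc not in sort_codes:
        d.reasons.append(f"sort code(s) {sorted(sort_codes)} do not match master {known_sc}")
    if accounts and supplier["account"] not in accounts:
        d.reasons.append(f"account number(s) {sorted(accounts)} do not match master {supplier['account']}")
    if ibans and supplier.get("iban") not in ibans:
        d.reasons.append(f"IBAN(s) {sorted(ibans)} do not match master {supplier.get('iban')}")

    lowered = invoice_text.lower()
    phrases = [ph for ph in CHANGE_PHRASES if ph in lowered]
    if phrases:
        d.reasons.append(f"message announces a change of details: {phrases}")

    age = now - supplier["bank_details_verified_at"]
    if age < NEW_ACCOUNT_HOLD:
        d.reasons.append(f"master bank details changed {age} ago; inside the 24-hour hold")

    if d.reasons:
        d.action = "hold"
        d.reasons.append(f"verify by phone on the master-file number {supplier['phone']} before releasing")
    return d


if __name__ == "__main__":
    for label, text, rec in [("legit", LEGIT_INVOICE, SUPPLIER),
                             ("tampered", TAMPERED_INVOICE, SUPPLIER),
                             ("legit, account changed 2h ago", LEGIT_INVOICE, RECENTLY_CHANGED)]:
        d = check_invoice(rec, text, NOW)
        print(f"{label}: {d.action.upper()}")
        for r in d.reasons:
            print("   -", r)
```

The point of the design is that the decision never looks at who sent the email: the tampered invoice is held because its sort code and account number are not the ones on file and because it says "updated bank details", and the phone number used for the callback comes from the master record, not from the message. The same invoice to a supplier whose details were changed two hours ago is also held, which is the 24-hour rule in code.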
-
The email was real. The domain was real. The invoice looked real. The only thing that was fake was the bank account.
Ask your clients: what’s your process when bank details change on an invoice?