Invoice Swapping via Compromised Email Threads — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: HIGH
Beware the 2026 Indian Invoice Swapping Scam via Compromised Email Threads
Invoice swapping via compromised email threads is a rising threat in India’s digital payment scene, putting businesses at risk of losing lakhs of rupees through UPI and bank transfers.
What Is Invoice Swapping via Compromised Email Threads?
This scam involves fraudsters gaining unauthorized access to email conversations between Indian companies and their vendors or suppliers. By hacking into or phishing a company employee’s email account, the attackers monitor ongoing invoice exchanges and payment details. They then insert fraudulent invoices into the genuine email thread—often using WhatsApp or email—to trick vendors into paying fake bank accounts or UPI IDs instead of the legitimate ones.
Indian businesses, especially small and medium enterprises (SMEs) that rely heavily on digital communication for financial transactions, are prime targets. According to public complaints reported to cybercrime cells and advisories from CERT-In, such scams have seen a sharp increase since 2023, with losses reaching crores of Indian Rupees across sectors like manufacturing, trading, and services.
The Reserve Bank of India (RBI) and the Indian Computer Emergency Response Team (CERT-In) have issued warnings about phishing and email compromise scams impacting UPI transactions. The Indian Cyber Crime Coordination Centre (I4C) also encourages businesses to adopt email security best practices to prevent invoice tampering.
How This Scam Works — Step by Step
1. Initial Access via Phishing or Hacking: Attackers send a phishing email to an employee of a company, imitating official communication or offering fake updates related to HR, payments, or policy changes. The employee unknowingly shares login credentials or clicks a malicious link, leading to email account compromise.
2. Monitoring Email Threads: Once inside the email account, fraudsters quietly monitor ongoing conversations with vendors. They observe details like invoice numbers, payment amounts, due dates, and bank/UPI details.
3. Inserting Fraudulent Invoices: At a strategic point, scammers send a fake invoice or payment request that appears in the same email thread. This invoice looks authentic because it follows the previous legitimate communication, often using the same language style and format.
4. Vendor Receives Fake Payment Details: Vendors receive the invoice with fraudulent bank account numbers or UPI IDs. They trust the continuity of the thread and proceed to make payments accordingly.
5. Funds Are Diverted: The money is sent to the scammer’s account. Because UPI payments are instant and irreversible, the victim vendor finds it difficult to recover the lost funds.
6. Continued Communication to Avoid Suspicion: Sometimes, scammers maintain contact via WhatsApp or email to answer queries, further delaying detection.
Real Warning Signs to Watch For
- Unexpected Change in Payment Details: Invoice suddenly shows a different bank or UPI ID than usual, even within a trusted email thread.
- Urgent Payment Requests: Pressure to pay quickly due to a “deadline” or “late fee” that wasn’t mentioned before.
- Emails from Unusual Addresses: Sender email may look like the company’s but has subtle changes (e.g., xyz@company.in vs. xyyz@company.in).
- Poor Grammar or Formatting Errors: Though scammers try to mimic professional communication, minor inconsistencies can slip through.
- WhatsApp Messages Linked to Emails: Additional payment requests or confirmations over WhatsApp that were not typical earlier.
- Lack of Verifiable Contact Information: Invoices missing contact numbers, tax details, or official seals.
- New Contact Person Suddenly Appears: Someone unknown in previous communication asks for payment approval.
What Happens to Victims
Financially, victims can lose large sums instantly, especially if multiple invoices are targeted. Since UPI and NEFT transactions in India typically cannot be reversed once completed, victims face significant hurdles in recovering money. The scam can strain vendor-company relationships and cause cash flow issues.
Emotionally, businesses experience stress and mistrust in digital communication channels. There may also be reputational damage if a company’s name is spoofed in the scam. Compromised email access can lead to broader data leaks, putting confidential information and Aadhaar-linked financial data at risk.
Victims who have undergone SIM swap fraud, a common accompaniment to these scams, find it even harder to secure their accounts and phone-based OTP verification.
What RBI and CERT-In Say
RBI’s guidelines emphasize vigilance in verifying payment details and not sharing banking credentials via email or phone. CERT-In regularly alerts Indian organizations on phishing and email compromise incidents, urging businesses to adopt multifactor authentication (MFA) for corporate emails.
The Indian Cyber Crime Coordination Centre (I4C) runs the 1930 cybercrime helpline for reporting such frauds and works closely with CERT-In to track evolving threats. RBI’s helpline for banking-related frauds also assists victims in taking corrective action.
Although there are no RBI advisories specific only to invoice swapping scams, the general framework for safe digital transactions applies—never trust unsolicited invoice changes without verification.
How to Protect Yourself
- Enable MFA on Corporate Email Accounts: This adds a crucial layer of security against hacking.
- Verify Payment Details Outside Email Threads: Always confirm any changes using a direct phone call to a known representative.
- Train Employees on Phishing Awareness: Regular workshops and simulated phishing tests help prevent credential leaks.
- Use Digital Signatures or Secure Invoicing Software: These reduce chances of invoice tampering.
- Monitor Email Forwarding Rules: Check if any unauthorized automatic forwarding is set up.
- Keep Antivirus and Email Filters Updated: They help detect malware and suspicious link clicks.
- Maintain a Whitelist for Vendor Communications: Accept invoices only from verified email/domain addresses.
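The whitelist and out-of-thread verification steps above can be combined into one pre-payment check. The following is an added example, not part of the original article: the vendor record, addresses, UPI IDs and function names are constructed for illustration. It shows why a sender whitelist alone is not enough when the genuine mailbox is compromised, since only the comparison against separately verified payment details catches the swap.

```python
from difflib import SequenceMatcher

# Constructed vendor master record (assumption): payment details confirmed by phone.
VENDOR_MASTER = {
    "billing@acme-supplies.example": {
        "upi": "acmesupplies@examplebank",
        "account": "001234567890",
    },
}

def closest_known_sender(sender):
    """Return (address, similarity) of the allowlisted sender most like `sender`."""
    scored = [(SequenceMatcher(None, sender, known).ratio(), known)
              for known in VENDOR_MASTER]
    score, known = max(scored)
    return known, score

def review_invoice(sender, upi=None, account=None, lookalike_threshold=0.85):
    """Return findings for one invoice email; an empty list means nothing to flag."""
    sender = sender.strip().lower()
    record = VENDOR_MASTER.get(sender)
    if record is None:
        known, score = closest_known_sender(sender)
        if score >= lookalike_threshold:
            return [f"look-alike sender: {sender} resembles {known}"]
        return [f"sender not on allowlist: {sender}"]
    findings = []
    # A hijacked mailbox passes the sender check, so the payment details must
    # also match the record that was verified outside the email thread.
    if upi is not None and upi.strip().lower() != record["upi"]:
        findings.append("UPI ID differs from verified record: confirm by phone")
    if account is not None and account.replace(" ", "") != record["account"]:
        findings.append("bank account differs from verified record: confirm by phone")
    return findings

if __name__ == "__main__":
    # Constructed samples: genuine, swapped UPI ID in a genuine thread, look-alike.
    samples = [
        ("billing@acme-supplies.example", "acmesupplies@examplebank"),
        ("billing@acme-supplies.example", "acme.refunds@otherbank"),
        ("billling@acme-supplies.example", "acmesupplies@examplebank"),
    ]
    for sender, upi in samples:
        print(sender, upi, review_invoice(sender, upi=upi) or "OK")
```

Any finding should hold the payment until the details are confirmed by a phone call to a known representative.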
What to Do If You've Been Targeted
- Immediately Inform Your Bank and UPI Provider: Report unauthorized payments to seek any possible reversal assistance.
- Change Compromised Email Passwords and Enable MFA: Prevent further access by attackers.
- Report the Incident to the 1930 Cybercrime Helpline: Filing an FIR with local police and the cybercrime.gov.in portal is essential.
- Alert Your Vendors and Partners: Inform them about the scam to prevent further losses.
- Check and Secure Your Aadhaar and Mobile Number: Contact UIDAI and telecom providers if you suspect any SIM swap.
- Retain All Communication Evidence: Save email threads, WhatsApp messages, and transaction records for investigation.
Frequently Asked Questions
Q: Can UPI transactions from a fake invoice be reversed?
A: UPI payments are often instant and do not have a guaranteed reversal mechanism. If you notice unauthorized payments, contact your bank immediately and file a police complaint, but recovery is challenging.
Q: How do scammers get access to company emails?
A: Most commonly through phishing emails where employees mistakenly share login credentials, or by exploiting weak passwords on accounts without MFA protection.
Q: How can vendors verify if an email invoice is genuine?
A: Always cross-check payment details via a phone call to a known contact within the company. Watch for inconsistencies in invoice formatting or sender email addresses.
Verify suspicious messages and learn more about the latest scams at BharatSecure.app. If you encounter fraud, promptly report it at the 1930 cybercrime helpline.
Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.