Invoice Swapping via Compromised Email Threads

INDIA — By BharatSecure Threat Intelligence Team

Verdict: Suspicious | Risk Score: 8/10 | Severity: high

Category: UPI, Phishing

How Invoice Swapping via Compromised Email Threads Works

Overview: Invoice swapping scams have grown as attackers hijack live business email threads. The fraudster reads the ongoing correspondence between an Indian company and its vendors and, at the right moment, replaces a genuine supplier invoice with a lookalike carrying altered payment details, so the accounts team transfers funds to an account the attacker controls. Businesses of every size are exposed, especially those that accept payment instructions by email alone.

How It Works: The attacker first gains unauthorised access to the company's (or the vendor's) mailbox, usually through phishing or a weak or reused password. They watch for threads that mention invoices or payments. When an invoice is due, they reply inside the existing thread with an edited copy in which the account number or IFSC code has been changed, often with an urgent note pressing the finance team to pay at once. Because the message arrives in a familiar thread, staff treat it as routine and release the transfer. The real vendor goes unpaid, and the money is typically moved on from the receiving account within hours, so recovery depends on how quickly the bank is alerted.

India Angle: This scam frequently hits Indian companies using Gmail, Outlook, Zoho or similar services, especially in commercial hubs such as Mumbai, Hyderabad and Chennai. Attackers quote local bank references (HDFC, ICICI, SBI) and may give UPI IDs for smaller payments. Both regional and pan-India businesses are affected, and attackers copy GST or PAN details onto the fake invoice to make it look authentic.

Real Example: A Chennai importer is due to pay a supplier in Delhi. Just before the expected invoice, the accounts team receives an email, apparently from the supplier's usual address, with a PDF attached. The invoice looks perfect but lists a different HDFC account. Because the email sits in the ongoing thread, the team does not question it and pays the full amount. Days later the supplier chases the missing payment.

Red Flags:
  • Supplier's account or payment instructions change without prior notice through a known channel
  • Urgent payment requests, often timed just before a public holiday or weekend
  • Language or formality that feels out of place compared with earlier messages
  • Documents attached as unusual file types (.img, .zip) or with heavy compression
  • Earlier emails in the thread quoted inaccurately or out of order

Protective Measures:
  • Confirm any invoice or payment-detail change by phone, using a supplier number already on file rather than one printed in the email or on the new invoice.
  • Require secondary approval for every transfer above a set amount.
  • Compare each new invoice's GST number, bank account and IFSC with earlier invoices from the same vendor.
  • Treat emailed changes that arrive just before holidays or weekends with extra suspicion.
  • Run regular IT security audits, enforce strong password policies company-wide, and turn on multi-factor authentication for email accounts.

If Victimised:
  1. Alert your business bank's fraud department immediately and ask for the beneficiary account to be frozen.
  2. Report the fraud at cybercrime.gov.in and dial 1930.
  3. Inform all stakeholders, including the real vendor, so that no further payments are diverted.
  4. Review how the mailbox was compromised, check it for unauthorised forwarding or inbox rules, reset credentials, and fix the internal gaps before the attacker tries again.

Related Scams:
  • Business Email Compromise (BEC) for payroll or executive impersonation
  • Bogus vendor bank-detail change requests sent to IT or finance staff
  • Fake supplier onboarding using fraudulent documentation
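The invoice-comparison step under Protective Measures can be automated before a payment file is released. The following is an added example for this page, not BharatSecure's code or any payment system's API: it validates the GSTIN checksum and the PAN embedded in it, checks the IFSC format, and reports whether the bank account, IFSC or GSTIN differs from the vendor master. The vendor record, invoice fields and bank account numbers are constructed; the GSTIN 27AAPFU0939F1ZV is the sample number used in GST documentation, not a real vendor's.

```python
"""Compare a newly received invoice against the vendor master before payment.

Added example for this page; it is not BharatSecure's or any vendor's code.
The vendor record, invoice fields and bank account numbers are constructed.
GSTIN 27AAPFU0939F1ZV is the sample number used in GST documentation.
"""
import re
from dataclasses import dataclass

# Format rules that a hand-edited invoice commonly breaks.
IFSC_RE = re.compile(r"^[A-Z]{4}0[A-Z0-9]{6}$")   # 4 bank letters, a 0, 6 branch chars
GSTIN_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def gstin_check_digit(first14: str) -> str:
    """Check character over the first 14 characters (base-36 weighted sum)."""
    total = 0
    for i, ch in enumerate(first14):
        product = GSTIN_ALPHABET.index(ch) * (2 if i % 2 else 1)
        total += product // 36 + product % 36
    return GSTIN_ALPHABET[(36 - total % 36) % 36]


def gstin_is_valid(gstin: str) -> bool:
    gstin = gstin.strip().upper()
    if len(gstin) != 15 or any(c not in GSTIN_ALPHABET for c in gstin):
        return False
    return gstin_check_digit(gstin[:14]) == gstin[14]


@dataclass(frozen=True)
class VendorRecord:
    name: str
    gstin: str
    pan: str
    bank_account: str
    ifsc: str


def review_invoice(vendor: VendorRecord, invoice: dict) -> dict:
    """Return findings and a decision: OK, or HOLD for out-of-band verification."""
    findings = []
    gstin = invoice["gstin"].strip().upper()
    ifsc = invoice["ifsc"].strip().upper()
    account = re.sub(r"\D", "", invoice["bank_account"])   # ignore spaces/dashes

    if not gstin_is_valid(gstin):
        findings.append(f"gstin_checksum_invalid:{gstin}")
    elif gstin != vendor.gstin:
        findings.append(f"gstin_changed:{vendor.gstin}->{gstin}")
    # Characters 3-12 of a GSTIN are the holder's PAN; it must match the PAN on file.
    if gstin[2:12] != vendor.pan:
        findings.append(f"embedded_pan_mismatch:{gstin[2:12]}")
    if not IFSC_RE.match(ifsc):
        findings.append(f"ifsc_malformed:{ifsc}")
    if ifsc != vendor.ifsc:
        findings.append(f"ifsc_changed:{vendor.ifsc}->{ifsc}")
    if account != re.sub(r"\D", "", vendor.bank_account):
        findings.append(f"bank_account_changed:{vendor.bank_account}->{account}")

    # HOLD means: second approver, and a call to the phone number in the
    # vendor master (never a number taken from the email or the new invoice).
    return {"decision": "HOLD" if findings else "OK", "findings": findings}


# Constructed sample data (hypothetical vendor and invoices).
VENDOR_ON_FILE = VendorRecord(
    name="Sample Trading Co", gstin="27AAPFU0939F1ZV", pan="AAPFU0939F",
    bank_account="50100012345678", ifsc="HDFC0001234",
)
GENUINE_INVOICE = {"number": "INV-0457", "gstin": "27AAPFU0939F1ZV",
                   "bank_account": "5010 0012 3456 78", "ifsc": "HDFC0001234"}
SWAPPED_INVOICE = {"number": "INV-0457", "gstin": "27AAPFU0939F1ZV",
                   "bank_account": "123400005678901", "ifsc": "ICIC0004567"}
TAMPERED_GSTIN_INVOICE = {"number": "INV-0457", "gstin": "27AAPFU0939F1ZA",
                          "bank_account": "50100012345678", "ifsc": "HDFC0001234"}

if __name__ == "__main__":
    for inv in (GENUINE_INVOICE, SWAPPED_INVOICE, TAMPERED_GSTIN_INVOICE):
        print(inv["number"], review_invoice(VENDOR_ON_FILE, inv))
```

The checksum only catches typos and careless edits; an attacker who copies the vendor's real GSTIN passes it, which is why the comparison of bank account and IFSC against the master record is the decisive check, and why a HOLD must be cleared by phone with a number already on file.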

How This Scam Works — Detailed Explanation

Invoice swapping scams begin with attackers reading the email traffic between an Indian company and its vendors. They usually get in through phishing, where an employee enters credentials on a fake login page, or by taking over a mailbox protected by a weak or reused password. Once inside, they commonly add mail rules that forward or hide the vendor's genuine messages, so the people actually corresponding never notice the swap. The attacker may also contact the vendor over WhatsApp, or send messages from the compromised company mailbox, so that both sides keep believing they are talking to each other. This lets the attacker track invoice numbers, amounts and payment terms and slot a fraudulent invoice into the existing conversation at exactly the right moment.

Once the fraudster has the necessary information, they use psychological pressure on the accounting team. Emails stress urgency so that recipients pay quickly. They build a false sense of legitimacy by copying the language, signature block and style of earlier messages, and they use the names of known employees or impersonate long-standing vendor contacts, which makes the anomaly hard to spot. The discrepancies are subtle, and accounts staff who trust their usual workflow when processing such documents can easily approve the payment.

When the scam succeeds, the loss is immediate and severe. Take an Indian SME, say a manufacturing unit in Tamil Nadu, that receives a fake invoice for raw materials in which the vendor's bank details have been altered. Trusting it because it sits inside an established email thread, the accounts department pays it through its normal bank transfer, NEFT or RTGS for an amount of this size (UPI's per-transaction limits rule it out for large vendor payments, although attackers do quote UPI IDs for smaller ones). The ₹20 lakh lands in the scammer's account and is gone. Reports put cumulative losses in India from frauds of this kind, built on hijacked email threads and altered invoices, at about ₹1,000 crore.

The damage goes beyond the lost funds. A victimised company may face regulatory scrutiny over whether its payment controls met RBI guidelines for financial transactions. CERT-In advisories have noted that these scams keep evolving and that business email accounts are a frequent target. As long as critical financial data moves over email, the threat applies to businesses of every size.

Telling a genuine message from a hijacked one is the key to avoiding this fraud. Watch for unexpected changes to a vendor's bank account or payment instructions. Sudden urgency, or attachments in unusual formats such as .zip or .exe, are major red flags, as are shifts in language or formality compared with earlier messages in the thread. Verifying every change of payment details over a second channel, such as a phone call to a number already on file, stops the loss before the transfer is made.
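The header and content red flags described above (and listed again under Red Flags below) can be turned into a first-pass triage of an incoming invoice email. This is an added example, not BharatSecure's detection logic: it parses a raw message with Python's standard email module and flags a Reply-To that diverts replies elsewhere, a Message-ID from a different domain, a lookalike of a known vendor domain, risky attachment types, and urgency or bank-change wording. The vendor domain allow-list, the keyword lists and the two sample messages are constructed; the domains are placeholders.

```python
"""Score an inbound invoice email for thread-hijack indicators.

Added example for this page; not BharatSecure's code. The allow-listed
vendor domain, keyword lists and both raw messages below are constructed.
"""
import email
import os
from email import policy
from email.utils import parseaddr

KNOWN_VENDOR_DOMAINS = {"sampletrading.example"}          # constructed allow-list
RISKY_EXTENSIONS = {".zip", ".img", ".iso", ".exe", ".htm", ".html", ".js", ".lnk"}
URGENCY_PHRASES = ("immediately", "urgent", "today itself", "before the holiday", "asap")
BANK_CHANGE_PHRASES = ("changed our bank", "new bank", "new account", "updated bank details")


def domain_of(header_value: str) -> str:
    """Bare domain of an address or Message-ID header, lower-cased ('' if none)."""
    mailbox = parseaddr(header_value)[1]
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain sits one or two edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(str(msg.get("From", "")))
    reply_dom = domain_of(str(msg["Reply-To"])) if msg["Reply-To"] else from_dom
    msgid_dom = domain_of(str(msg["Message-ID"])) if msg["Message-ID"] else from_dom

    # Header indicators: replies silently diverted, or a lookalike of the real vendor.
    if reply_dom != from_dom:
        flags.append("reply_to_mismatch")
    if msgid_dom != from_dom:
        flags.append("message_id_domain_mismatch")
    for dom in {from_dom, reply_dom}:
        for known in KNOWN_VENDOR_DOMAINS:
            if dom != known and edit_distance(dom, known) <= 2:
                flags.append(f"lookalike_domain:{dom}")

    # Content indicators from the page's red-flag list.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(p in body for p in URGENCY_PHRASES):
        flags.append("urgency_language")
    if any(p in body for p in BANK_CHANGE_PHRASES):
        flags.append("bank_change_language")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            flags.append(f"risky_attachment:{name}")

    return {"score": len(flags), "flags": flags,
            "action": "HOLD_AND_CALL_VENDOR" if flags else "NORMAL_WORKFLOW"}


# Constructed sample: a reply injected into a real thread from a lookalike domain.
SUSPICIOUS_EMAIL = """\
From: Accounts <accounts@sampletrading.example>
Reply-To: accounts@sampletradlng.example
To: payables@buyer.example
Subject: RE: RE: Invoice INV-0457 - payment due
Message-ID: <x1@sampletradlng.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please note we have changed our bank. Kindly remit the full amount immediately
to the account in the attached invoice.

> On Mon, you wrote:
> Invoice received, will process next week.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="INV-0457.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: an ordinary message from the genuine vendor domain.
BENIGN_EMAIL = """\
From: Accounts <accounts@sampletrading.example>
To: payables@buyer.example
Subject: RE: Invoice INV-0458
Message-ID: <inv0458@sampletrading.example>
Content-Type: text/plain; charset="utf-8"

Invoice INV-0458 is attached as a PDF for your records. Payment as per our usual 30-day terms.
"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS_EMAIL))
    print(triage(BENIGN_EMAIL))
```

A non-zero score does not prove fraud; it routes the message to a person who calls the vendor on a number already on file. A score of zero does not clear it either, since an attacker replying from the vendor's own compromised mailbox trips none of the header checks, which is why the bank-detail comparison against the vendor master remains mandatory.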

Who Does Invoice Swapping via Compromised Email Threads Target?

Finance and accounts teams at Indian businesses of every size that pay vendors on emailed invoices, and the vendors whose mailboxes or identities are hijacked to deliver the swapped invoice.

Red Flags — How to Identify Invoice Swapping via Compromised Email Threads

  • Unexpected change in vendor bank account or payment instructions
  • Unusual urgency or pressure in email communications
  • Odd file types or compressed invoices attached
  • Language mismatches or formality shifts in email replies
  • Inconsistencies in quoted previous emails

What To Do If You Encounter Invoice Swapping via Compromised Email Threads

  1. Report any suspicious email or transaction immediately to the cybercrime helpline at 1930 or visit cybercrime.gov.in.
  2. Verify any changes in vendor payment methods by calling the vendor directly using their official contact information.
  3. Educate your team on recognizing phishing attempts and suspicious emails to limit the likelihood of falling for such scams.
  4. Implement a dual approval procedure for payments above a certain threshold to enhance security within your financial processes.
  5. Conduct regular cybersecurity training sessions focusing on email safety and fraudulent activity awareness.
  6. Monitor bank accounts closely for unauthorized transactions and report any discrepancies to your bank's helpline immediately.

How to Report Invoice Swapping via Compromised Email Threads in India

  • Call 1930 — National Cyber Crime Helpline (24x7)
  • File a complaint at cybercrime.gov.in
  • Contact your bank immediately if money was lost
  • Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What to do if I shared my bank details in a scam?
Immediately contact your bank's helpline (like SBI 1800-11-1109) to block your account and seek recovery options.
How do I identify an invoice swapping scam?
Look out for any sudden changes in payment instructions, odd language use in emails, and urgent requests for payments.
How can I report an invoice swapping scam in India?
Report the scam through the cybercrime helpline by calling 1930 or visit cybercrime.gov.in to file a complaint.
What are the recovery steps after falling victim to this scam?
Contact your bank to report the transaction, check if they can reverse it, and file a complaint with cybercrime authorities.

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.