🧾 Invoice Replacement Scam (Business Email Compromise)

What is an invoice replacement scam?

The invoice replacement scam (also called the IBAN replacement scam; it is one form of Business Email Compromise, BEC) is a type of cybercrime in which fraudsters impersonate your business partner, supplier or employee and send a fake email or invoice carrying a changed bank account number (IBAN), asking you to transfer the payment there.

How do fraudsters get in?

1. Hacking (Compromise)

  • Phishing attacks are used to steal employee passwords.

  • If the mailbox is protected only by a password, with no two-factor authentication (2FA), the stolen credentials give the criminals the real email account of your counterparty (e.g., accountant, salesperson or manager).

  • They then read the correspondence for weeks or months without revealing themselves, often adding a mailbox rule that hides or forwards replies so the real owner notices nothing, and wait for an invoice or payment they can hijack.

2. Imitation (Spoofing)

  • Fraudsters create fake email addresses that look almost identical to real ones (e.g., invoice@firmа.com instead of invoice@firma.com; the "а" in the first address is a Cyrillic letter that renders exactly like the Latin "a").

  • Emails are sent from lookalike domains the fraudsters register themselves, so they pass ordinary spam checks: a lookalike domain is a separate domain with its own valid mail setup, not a forgery of yours.

Sending a fake invoice with a new IBAN

After monitoring the communication, scammers:

  • Send a realistic-looking email, often copying the style, signature, and template of the legitimate sender.

  • Claim the company’s bank account has changed and all future payments should go to the “new IBAN”.

  • Provide reasons like: “newer bank account,” “issues with the old account,” or “faster processing.”

  • Important: the receiving account is often opened abroad in the name of a company with a similar name, held by a "money mule", so the payee name on the transfer looks plausible.

The victim makes the payment

This usually happens when:

  • The employee is under heavy workload.

  • There’s a new staff member.

  • There’s poor communication between accounting and management.

  • There’s blind trust in a regular counterparty.

Money is quickly transferred and withdrawn

  • The account belongs to a money mule – a real person or company, often abroad (EU or Asia).

  • Funds are withdrawn in cash or moved through several accounts to erase the trail.

  • Recovery is often impossible unless the bank is alerted within hours, before the funds are moved on.

Key indicators:

  • Unexpected email with a new bank account.

  • Urgency to make the payment quickly.

  • A small change in the email address (e.g., @firmata.com → @f1rmata.com, a digit 1 in place of the letter i).

  • Unusual grammar or writing style.

  • No ordinary prior correspondence leading up to the request.
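The indicators above can be turned into an automated check that runs before a payment batch is released. What follows is an added example written for this article, not code from the original page or from any named product. It assumes a constructed vendor master record (the supplier domain firmata.com and the IBANs are sample values): it flags sender domains that are homoglyphs or near-misses of a trusted domain, verifies that the new IBAN is well formed (ISO 13616 mod-97), and flags any difference from the IBAN on file, including a change of country.

```python
"""Pre-payment gate for bank-detail-change requests (added example; constructed data)."""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass

# Constructed vendor master (assumed values): trusted sender domain -> IBAN on file.
VENDOR_MASTER = {
    "firmata.com": "DE89370400440532013000",
}

# Characters that render like Latin letters, mapped to the letter they imitate:
# Cyrillic а е о р с у х і ѕ, Greek α ο, and digit/symbol look-alikes.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",
    "\u03b1": "a", "\u03bf": "o",
    "1": "l", "0": "o", "|": "l",
}


@dataclass
class Finding:
    severity: str  # "high": hold the payment; "medium": verify before paying
    reason: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def skeleton(domain: str) -> str:
    """Collapse a domain to what a human sees: NFKC-normalise, then map confusables."""
    normalised = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(c, c) for c in normalised)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character swaps such as firmata -> f1rmata."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_trusted(domain: str, trusted) -> tuple:
    """Return (trusted domain resembled, kind) with kind exact/homoglyph/lookalike/unknown."""
    if domain in trusted:
        return domain, "exact"
    for t in trusted:
        if skeleton(domain) == skeleton(t):
            return t, "homoglyph"
    for t in trusted:
        if levenshtein(skeleton(domain), skeleton(t)) <= 2:
            return t, "lookalike"
    return None, "unknown"


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: proves the string is well formed, not who owns the account."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum() or not s[:2].isalpha():
        return False
    # Move the country code and check digits to the end, then A=10 ... Z=35.
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def check_payment_change(sender: str, new_iban: str, master=VENDOR_MASTER) -> list:
    """Findings for an email that asks to pay a supplier to a new IBAN."""
    findings = []
    domain = domain_of(sender)
    trusted, kind = match_trusted(domain, master)
    if kind == "homoglyph":
        findings.append(Finding("high", f"sender domain {domain!r} is a homoglyph of {trusted!r}"))
    elif kind == "lookalike":
        findings.append(Finding("high", f"sender domain {domain!r} differs from {trusted!r} by a few characters"))
    elif kind == "unknown":
        findings.append(Finding("medium", f"sender domain {domain!r} is not a known supplier"))
        return findings
    iban = new_iban.replace(" ", "").upper()
    on_file = master[trusted]
    if not iban_valid(iban):
        findings.append(Finding("high", "new IBAN fails the mod-97 checksum"))
    elif iban != on_file:
        # Flagged even when the sender domain is exact: the real mailbox may be compromised.
        findings.append(Finding("high", f"IBAN changed from {on_file[:4]}... to {iban[:4]}...; "
                                        "confirm by phone on a number already on file"))
        if iban[:2] != on_file[:2]:
            findings.append(Finding("high", f"new account is in {iban[:2]}, account on file is in {on_file[:2]}"))
    return findings


if __name__ == "__main__":
    for f in check_payment_change("invoice@f1rmata.com", "GB82 WEST 1234 5698 7654 32"):
        print(f.severity, f.reason)
```

A checksum pass means only that the IBAN is syntactically valid; it says nothing about who holds the account. Every "high" finding still ends in a phone call to a number already on file, and a request that arrives from the exact trusted domain with a new IBAN is treated the same way, because that is what a compromised real mailbox looks like.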

How to protect yourself:

For companies:

  • Establish an IBAN confirmation procedure: confirm every change of bank details by phone, using a number already on file rather than one given in the email, before processing the payment.

  • Always compare the sender's domain, character by character, with the one on file.

  • Enable 2FA for all business emails.

  • Implement SPF, DKIM and DMARC for your own domain so that nobody can send mail that forges it; note that these records do not stop mail from a lookalike domain the attacker registered, nor from a genuinely compromised partner mailbox, so they complement the phone confirmation rather than replace it.

  • Train staff on phishing and social engineering.
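As an added illustration (not from the original page), this is what the three records look like for a hypothetical domain firmata.com; the selector name, mail-provider include and report address are placeholders:

```dns
; Hypothetical zone fragment for firmata.com (assumed domain, placeholder values)
firmata.com.                       IN TXT "v=spf1 mx include:_spf.mail-provider.example -all"
selector1._domainkey.firmata.com.  IN TXT "v=DKIM1; k=rsa; p=<base64 RSA public key>"
_dmarc.firmata.com.                IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@firmata.com; adkim=s; aspf=s"
```

Start with p=none and read the aggregate reports until every legitimate sending system passes SPF or DKIM, then move to p=quarantine and finally p=reject. These records let receiving servers reject mail that forges firmata.com exactly; they say nothing about f1rmata.com, which the fraudster owns and can publish SPF, DKIM and DMARC for, and nothing about a real partner mailbox that has been taken over. Those two cases are only caught by the procedural checks above.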

For citizens:

  • Carefully check bank details before sending money.

  • Compare with previous invoices.

  • Don’t trust urgent payment requests without verification.

What to do if you have already become a victim?

1. Contact your bank immediately

  • Request that the transfer be blocked or recalled if the funds have not yet been withdrawn.

  • Use your bank’s fraud hotline without delay.

2. Contact the police / GDBOP – Cybercrime