A fake invoice. A forged approval.

By Dave Oswald

The fraudsters threatening businesses today are not the hoodie-wearing hackers of Hollywood myth. They are patient, methodical, and disturbingly professional. And increasingly, they are winning.

Rather than targeting your IT infrastructure, today's most sophisticated criminals are targeting something far harder to patch: human psychology. Your approval workflows. Your payment cycles. Your vendors. Your inbox at 4:47pm on a Thursday, when decision fatigue is at its peak and everyone is trying to get out the door.

That is where modern business fraud lives.

A Real Invoice Fraud Attack: What Happened to Forensic Restitution

In a recent episode of The F Word podcast, fraud investigators Indianna and her colleague revealed that Forensic Restitution itself had been targeted.

The attack began with a fake invoice from a fabricated company called "Grayrose Marketing Group." The document was professionally formatted, included legal language, and arrived with follow-up emails. There was nothing overtly suspicious. It was designed to blend seamlessly into a high-volume invoice queue.

Then came the critical layer.

The fraudsters fabricated an internal approval email that appeared to originate from a senior team member, confirming the invoice had been reviewed and cleared for payment. A spoofed email address placed that person's name directly inside the conversation thread.

To anyone scanning their inbox under pressure, it looked legitimate.

This is not hacking in any traditional sense. This is social engineering: a calculated combination of psychology, impersonation, and timing. And it came within reach of succeeding against a team of professional fraud investigators.

Why Business Email Compromise Is Getting Harder to Detect

The era of the poorly-spelled phishing email is fading. What has replaced it is considerably more dangerous.

Artificial intelligence now enables criminals to clone voices from publicly available podcasts and videos with minimal effort. Deepfake video call technology is advancing at a pace that is outrunning most corporate security awareness programs. And finance departments have emerged as a primary target, for a straightforward reason: that is where money moves.

The category of crime these attacks fall under, Business Email Compromise (BEC), is one of the fastest-growing fraud types globally. The FBI's Internet Crime Complaint Center has consistently ranked it among the costliest forms of cybercrime, with billions in losses reported annually.

The attack surface is no longer your firewall. It is your people, and specifically, the overworked employee processing their fortieth invoice of the day.

The Red Flags Most Finance Teams Are Still Missing

Awareness is the first line of defence, and it starts with knowing what to look for.

  • Invoices from vendors that do not appear in your existing supplier records
  • Internal approval emails that cannot be independently verified through a second channel
  • Urgent payment requests that circumvent standard approval processes
  • Email addresses with subtle character variations, one letter transposed or a domain slightly altered
  • Unsolicited follow-up pressure to accelerate payment
None of these signals are foolproof in isolation. In combination, they warrant a pause.
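As an added illustration of how these red flags translate into a first-pass screen on an invoice queue (example code written for this page, not from Forensic Restitution or the podcast), the Python below flags an invoice whose vendor is absent from a constructed supplier master, whose sender domain is one edit away from an approved domain (a transposed letter or one altered character), whose approval exists only inside the email thread, or whose body presses for immediate payment. The supplier names, domains, invoice fields and sample invoices are all constructed assumptions.

```python
# Constructed supplier master (hypothetical names and domains): vendor -> sender domains on file.
APPROVED_SUPPLIERS = {
    "northwind office supply": {"northwind-supply.example"},
    "acme cloud services": {"acme-cloud.example"},
}
KNOWN_DOMAINS = set().union(*APPROVED_SUPPLIERS.values())
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")


def edit_distance(a: str, b: str) -> int:
    # Optimal string alignment distance: insert, delete, substitute, or swap two
    # adjacent characters each cost one edit, so "acme" vs "amce" scores 1, not 2.
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def lookalike_domain(domain: str, max_distance: int = 1):
    # The approved domain this sender domain imitates, or None (exact match or unrelated).
    for known in KNOWN_DOMAINS:
        if domain != known and edit_distance(domain, known) <= max_distance:
            return known
    return None


def screen_invoice(inv: dict) -> list:
    # Apply the red flags from the list above and return the ones that fire.
    flags = []
    vendor = inv["vendor"].strip().lower()
    domain = inv["sender"].rsplit("@", 1)[-1].lower()
    if vendor not in APPROVED_SUPPLIERS:
        flags.append("vendor not in supplier master")
    if domain not in KNOWN_DOMAINS and (mimic := lookalike_domain(domain)):
        flags.append(f"sender domain {domain} resembles approved {mimic}")
    if inv.get("approval_in_thread") and not inv.get("approval_confirmed_by_callback"):
        flags.append("approval exists only inside the email thread")
    if any(w in inv.get("body", "").lower() for w in URGENCY_WORDS):
        flags.append("pressure to accelerate payment")
    return flags


# Constructed samples: a routine invoice and a BEC-style one imitating an approved supplier.
CLEAN = {"vendor": "Northwind Office Supply", "sender": "ar@northwind-supply.example",
         "approval_in_thread": False, "body": "Invoice 1042 attached, net 30 terms."}
SUSPECT = {"vendor": "Acme Cloud Services", "sender": "ar@amce-cloud.example",
           "approval_in_thread": True, "approval_confirmed_by_callback": False,
           "body": "Approved by the CFO, please release payment today."}
```

A flagged invoice is a prompt for the second-channel check the list describes (a phone call to a number already on file, not one taken from the email), not an automatic rejection.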

The Most Effective Fraud Defence Is Not a Software Solution

Technology plays a role in fraud prevention. But experts are consistent on one point: culture is the most powerful control a business can build.

A single employee who feels empowered to stop a payment and say "something about this does not feel right" can prevent losses running into hundreds of thousands of Canadian dollars, and spare leadership a very difficult conversation with the board.

That kind of culture does not develop from a policy document. It develops when people at every level understand that slowing down a suspicious transaction is not obstruction. It is exactly what the business needs them to do.

Controls need to be in place before the fake CEO email arrives, not after.

We break down the exact red flags, the psychology behind these attacks, and the controls businesses should already have in place before the fake CEO email or deepfake phone call lands on someone’s desk.

🎧 Listen to the full episode

▶️ Watch on YouTube