I’ve paid a fraudulent invoice — what do I do now?
If you’ve just realised a payment went to a fraudster rather than a genuine supplier, the next hour matters more than almost anything else you’ll do about it. Here’s exactly what to do, in order.
1. Call your bank immediately — don’t email, call
Use your bank’s fraud line, not your usual relationship manager’s email. Faster Payments and CHAPS transfers can sometimes be recalled or frozen if you act within hours rather than days, because the receiving bank may still be able to hold the funds before they’re moved on again. Every hour you wait reduces the chance of recovery.
2. Stop any further payments to the same supplier or account
If the fraud came through a compromised supplier relationship, there may be more invoices in the pipeline using the same fake bank details. Flag the supplier record and hold any pending payments until you’ve verified their real, current details by phone.
3. Report it to Report Fraud
Report Fraud is the UK’s national fraud and cybercrime reporting service (it replaced Action Fraud in December 2025) — report online at reportfraud.police.uk or by calling 0300 123 2040, available 24 hours a day. You’ll be given a crime reference number. Keep it: your bank, your insurer, and any reimbursement claim will likely ask for it.
4. Ask your bank about reimbursement
Since October 2024, UK banks have been required to assess reimbursement claims for a wide range of authorised push payment (APP) fraud, including invoice and mandate scams — this isn’t automatic, and eligibility and limits vary, but it’s a separate process from the police report and worth pursuing in parallel rather than waiting for one to finish before starting the other. Ask your bank directly what’s covered for your account type.
5. Contact the genuine supplier
Let the real supplier know their identity or email has been used in a scam — they may be compromised too, and other customers of theirs could be targeted next. This also confirms, in writing, what their actual bank details should have been, which you’ll want for your records either way.
6. Preserve everything
Don’t delete the fraudulent email or invoice. Screenshot it, save the full email headers if you can, and keep a timeline of who did what and when. This evidence matters for your bank’s investigation, any insurance claim, and the police report.
7. Review how it happened — calmly
Once the immediate response is underway, look at how the fake invoice or detail-change request got through. Was it a missed verification step, a particularly convincing forgery, or a gap in your process for handling “urgent” requests? That answer is what actually prevents the next one — and it’s rarely about any one person doing their job badly.
Recovery isn’t guaranteed, and being upfront about that matters more than false reassurance: industry estimates suggest only a minority of invoice fraud losses are ever fully recovered. That’s precisely why catching the fake invoice before payment goes out is worth far more than any process for afterwards — which is the problem we built Invixa to solve.