Fiducio guide
Invoice fraud in construction: a guide for SMEs
Construction and trades firms move large sums to suppliers and subcontractors every week — almost always on invoices sent by email. That makes accounts payable one of the most targeted parts of the business. This guide explains how invoice fraud works and how to protect your payments.
Why construction is a prime target
Construction payments are high-value, frequent, and often urgent — a supplier needs paying to keep materials moving or a subcontractor on site. Payment details arrive by email, sometimes buried in PDF attachments, and finance teams process many invoices under time pressure. Fraudsters exploit exactly this: high volume, high value, and a culture of paying quickly to avoid delays on site.
The most common invoice fraud patterns
- Bank-detail change fraud (mandate fraud): a real or impersonated supplier emails to say their bank details have changed. The next payment goes to the fraudster.
- Supplier impersonation: an email from a lookalike domain or a hijacked reply-to address mimics a supplier you trust.
- Fake invoices from unknown payees: a first-time payee submits a plausible invoice with UK bank details and pressure to pay.
- Duplicate invoices: the same invoice reference is submitted twice, hoping it is paid again.
- Attachment diversion: the email body looks clean, but the fraudulent bank details sit inside a PDF attachment.
- Urgency and authority pressure: "pay today", "the director approved it", or "before the site stops" to rush the payment through.
Why standard tools miss it
Spam filters and antivirus look for malware and known-bad senders. Invoice fraud usually contains neither — it is a well-written email with a legitimate-looking invoice. The only reliable check is whether the payment details match the supplier bank details you have already verified, and whether the sender is really who they claim to be. That is a payments problem, not an email-security problem.
How to protect your payment process
- Keep a verified record of each supplier's sort code, account number, and a trusted phone number.
- Never confirm a bank-detail change by replying to the email — call the supplier on a number you already hold.
- Treat any new or changed bank details as high-risk until independently confirmed.
- Require a second approver for high-value or first-time payments.
- Check invoice references against what you have already paid to catch duplicates.
- Record who verified each payment and how, so there is an audit trail.
The key rule: any new or changed bank detail should be confirmed by phone on a number you already hold before the payment is released.
How Fiducio helps
Fiducio monitors the accounts payable mailboxes you choose, extracts the payment details from each invoice or payment email (including PDFs), and compares them against your verified supplier baseline from Xero. When something does not match — changed bank details, an unknown payee, an impersonated sender, or a duplicate invoice — it flags the payment for verification before you pay, with clear reasons. See how Fiducio works.
Protect your payments before the next invoice
Start a 30-day evaluation of Fiducio — monitor your accounts payable mailboxes for invoice and payment fraud. From £99/month ex VAT after the trial.