Scam Recovery

How to Trace a Fake-Invoice Scammer

A fake invoice does not look like a scam. It looks like a routine bill from a vendor you already use, a subscription renewal, or a “past due” notice that lands in your accounts inbox on a busy afternoon. By the time anyone notices the bank details were swapped or the company never existed, the wire has cleared. If a bogus invoice or a hijacked payment request has hit your business, this guide walks through exactly what to do: how to try to claw the money back, which agencies to report to, and the part almost no one else covers, how the real person or shell company behind the invoice gets identified and located through lawful public-records research, so your report and any civil claim have a named target instead of a dead email address.

Move on the Money First Report the Right Way Since 2004
First HoursWhen a Recall Is Possible
FTC + IC3Where to Report
The PersonTraced, Not Just the Email
Since 2004Lawful Skip Tracing

The Short Version

If a fake invoice just got paid, money movement comes first: call your bank or payment provider immediately and ask for a wire recall or payment reversal, because a domestic wire can sometimes be stopped or recovered if you flag it fast enough. Save the invoice, the full email headers, the account and routing numbers you were told to pay, and every message. Then report it: file with the FBI Internet Crime Complaint Center at ic3.gov, because invoice fraud is treated as business email compromise and IC3 runs a recovery process for wire fraud, and report the scam to the Federal Trade Commission. Do not assume the trail ends at an anonymous email. The lookalike domain, the bank account that received the funds, the phone number, and the shell company on the invoice all tie back to real people. People Locator Skip Tracing works that human trail lawfully so you can name and locate who is actually behind it. Recovery is never guaranteed, but a fast move plus a named target is far stronger than a report into the void.

Watch: Tracing a Fake-Invoice Scammer

What to do first, and the lawful path to identifying who sent it.

▶ Video Overview

What a Fake-Invoice Scam Actually Is

It is not a clumsy spam blast. It is a targeted attack on your payables process.

A fake-invoice scam is a request for payment that looks legitimate but routes your money to a criminal instead of to whoever you actually owe. It is one of the most profitable forms of business email compromise precisely because it does not trip the usual scam alarms. There is no broken English screaming “you won a prize.” There is a clean PDF, a familiar logo, an amount that looks plausible, and a tone that says this is just another Tuesday in accounts payable. The whole design is to slip through a busy team that processes dozens of bills a week and trusts the names it recognizes.

The most damaging versions hijack a real relationship. A scammer who has compromised or spoofed a vendor’s email watches a genuine billing thread, then sends a follow-up that changes only one thing: the bank account and routing number for payment. Everything else, the project name, the prior amounts, the signature block, is real, because it was copied from correspondence the victim already trusted. Other versions never involve a real vendor at all: a shell “directory listing,” a phony “domain renewal,” or a subscription you never ordered, betting that someone will pay a small, routine-looking amount without checking. Whichever shape it takes, the goal is the same, and the lawful research that helps people identify a person who scammed them applies here just as it does to any other fraud.

How to Spot the Fake Invoice

The tells are subtle by design. If several of these fit, treat it as fraud.

New Bank Details

An existing vendor “updates” its account and routing number mid-relationship. A changed payee account is the single biggest red flag in invoice fraud.

A Lookalike Domain

The sender address is one character off from the real one, swapping a letter, adding a dash, or using a near-identical spelling of the company name.

Urgency and Secrecy

The message pushes for a fast wire before a “deadline” and discourages calling to confirm, hoping to bypass your normal approval step.

An Invoice You Don’t Recognize

A bill for a service you never ordered, a directory you never joined, or a domain renewal from a company that is not your registrar.

Reply-To Mismatch

The display name looks right, but the actual reply-to or return address points somewhere else entirely once you expand the header.

A Link Instead of an Attachment

You are sent a link to “view the invoice” rather than a normal attached document, often a step toward phishing your login.

The First Moves If You Paid

Speed decides whether a wire can still be recalled. Work these in parallel.

If the payment already went out, the clock matters more than anything else. A domestic wire or transfer can sometimes be frozen or pulled back if the bank acts before the money is withdrawn on the other end, so call your bank’s fraud line first, not your vendor. Then report the wire fraud to the FBI Internet Crime Complaint Center, which runs a dedicated recovery process for business email compromise and works with banks to try to halt fraudulent transfers. Do these at the same time, because each hour reduces the odds.

1

Call Your Bank’s Fraud Line

Ask specifically for a wire recall or payment reversal and report it as fraud. Give them the receiving account and routing numbers and the exact time the payment left.

2

Preserve the Evidence

Do not delete anything. Save the invoice file, the full email headers, the sender address, the payment instructions, and every reply, then keep it all in one dated folder.

3

File With IC3 and the FTC

Submit a detailed report to the FBI at ic3.gov and to the Federal Trade Commission. Include the receiving bank account, the sender domain, and the amount and timing of the transfer.

4

Verify the Real Vendor

Using a phone number you already had on file, not one from the suspect email, confirm what the genuine vendor is actually owed and warn them their thread may be compromised.

What to Gather Before You Report

A complete file is the one investigators, and our team, can actually act on.

The difference between a report that sits and one that produces a lead is detail. Pull the money trail and the contact trail into a single place before you file. On the money side, capture the receiving bank name, the account number and routing number you were told to pay, the amount, the date and time of the transfer, your wire confirmation or transaction reference, and any card or ACH records showing the funds leaving your accounts. On the contact side, save the full invoice document, the complete email headers (not just the visible “from” line, but the underlying return-path and originating server details), the exact sender and reply-to addresses, any phone number on the invoice, the business name and address printed on it, and the website or lookalike domain involved. Note how first contact happened and whether it broke into a real billing thread. The receiving account number and the sender domain are the two most valuable items, because each is a thread that can be pulled lawfully to a real registrant, a business filing, or an account holder. The more precisely the transfer and the identifiers are documented, the better the odds that the people behind the invoice can be named and located.

The Three Shapes It Takes

Knowing which one hit you points to where the trail begins.

TYPE 01

Vendor Impersonation

A spoofed or lookalike domain poses as a supplier you use and sends a clean invoice with the scammer’s bank details. The trail usually starts with the domain registration and the receiving account.

TYPE 02

Hijacked Real Thread

A criminal who breached a real mailbox replies inside a genuine billing chain, changing only the payment instructions. The vendor’s account may be compromised, so the lead is the new receiving account, not the trusted thread.

TYPE 03

Shell-Company Invoice

A phony “directory listing,” “domain renewal,” or unordered subscription from a business that exists only on paper. The shell entity itself, its filing and its registered agent, is often the most direct path to a real person.

Each shape leaves different evidence, which is why documenting the sender domain and the receiving account both matters. A spoofed domain points to registration records; a hijacked thread points to whichever account the money was redirected to; a shell invoice points to a business filing. In every case, those identifiers can be researched lawfully, the same groundwork behind a thorough fraud investigation, to move from an anonymous-looking bill to a name.

Where to Report Every Channel

File with all of these. Each one does something the others cannot.

WhereWhat It DoesHow to Reach
FBI IC3Central federal intake for business email compromise and wire fraud. Runs a recovery process that can work with banks to halt fraudulent transfers.ic3.gov
FTCLogs the fraud for enforcement and gives you a consumer recovery and identity-protection plan if your data was exposed.reportfraud.ftc.gov
FTC Consumer GuidancePlain-language steps on phishing and fake-invoice tactics to help your team recognize the next attempt.consumer.ftc.gov
Your BankMay recall or claw back a pending wire and document the money trail leaving your accounts.Fraud department, in writing
Receiving BankCan flag and, with a law-enforcement request, freeze the account that received the funds.Via your bank and IC3
State Attorney GeneralAdds your case to state-level fraud and consumer-protection actions.Your state AG consumer division

Do not skip a channel because you assume nothing will come of it. Reporting promptly to IC3 is what activates the recovery process that can reach the receiving bank, and detailed complaints are how investigators connect one receiving account to many victims. Your report may be the one that ties a cluster of fraudulent invoices to an account the authorities can reach.

How the Account and the Person Get Traced

Two separate trails. Most guidance only mentions the first.

The money trail. The receiving bank account is the anchor. When you report fast through IC3 and your bank, law enforcement can ask the receiving institution to freeze the balance and, with proper legal process, identify the account holder. Banks verify customer identity to open accounts, so even an account opened by a money mule is tied to a real name, address, and onboarding record. This is the part the FBI and the receiving bank do, which is exactly why reporting quickly and in detail is the highest-leverage thing a victim can do.

The human trail. This is the lane almost no guidance covers, and it is where People Locator Skip Tracing fits. Behind the anonymous-looking invoice are real footprints: the registrant or hosting details behind a lookalike domain, the business filing and registered agent behind a shell “company,” the person who opened or controls the bank account that received your wire, and the individual tied to the phone number, email, or address printed on the bill. Those identifiers can be researched lawfully through public records and skip-tracing techniques to surface a real name, current address, and associates, the same work behind our guidance on finding someone behind an email address and on identifying a scammer by phone number. A named, located individual or entity changes everything: it strengthens your IC3 report, gives a prosecutor or an attorney something concrete, and opens the door to a civil claim that an anonymous invoice alone never could.

What Recovery Realistically Looks Like

Honest odds, and the legitimate paths that exist.

It would be dishonest to promise a full refund, and anyone who does is best ignored. The truth sits between hopeless and easy, and it depends heavily on how fast you moved. The strongest path is the wire recall or freeze: when a fraudulent transfer is flagged before the funds are pulled out the far end, banks working with IC3 can sometimes recover all or part of it. This is why the first few hours matter so much and why bank-first is the rule.

A second path is a civil claim against an identified perpetrator, mule, facilitator, or shell entity, which depends entirely on being able to name and locate a real person or business and any assets attached to it. That is where lawful skip tracing and a careful search for hidden assets do the heavy lifting, by turning a frozen-or-not account into a defendant with something worth pursuing. A third avenue, worth raising with your accountant, is treating the loss appropriately for tax purposes. None of these is guaranteed, all of them improve with speed and documentation, and several can run at the same time. The constant across every path is the same: the more completely the fraud is documented and the more clearly a real party can be named, the better the odds.

Don’t Get Hit Twice

The recovery scam targets businesses that already lost money. Watch for these.

An Upfront Fee

Any “fund recovery” outfit that wants payment before it returns a cent is a scam. Legitimate help is not pay-to-unlock.

A Guarantee

“We will get one hundred percent back” is impossible to promise. Real outcomes depend on bank action and the law.

They Found You

Unsolicited contact from a “recovery agent” who somehow already knows you were defrauded is a major red flag.

Banking Logins or Remote Access

No legitimate firm needs your online-banking credentials or remote control of your accounting system. Ever.

Fake Government Ties

Claims of being “authorized by” a federal agency to recover your funds for a fee are not how agencies operate.

Pay Another Invoice

Being asked to send another payment to “release” or “process” your recovery is the original scam, repeated.

How People Locator Skip Tracing Helps

We trace the person and the shell behind the invoice, lawfully, so your case has teeth.

Small Businesses

Identify who got the wire

Attorneys

Locate an identified mule or shell

Accountants

Run down a suspicious payee

Property Managers

Vet a vendor who changed accounts

Nonprofits

Trace a diverted grant or payment

Anyone Defrauded

Find a person before pursuing them

Invoice fraud runs on the same rails as other scams, so the people behind it surface through the same lawful research that powers full-spectrum skip tracing. Send us what you have, even if it feels like nothing: a receiving account number, a lookalike domain, a sender email, a phone number, a business name on the invoice, or the address it printed. We work strictly for lawful, permissible purposes, we never promise a recovery we cannot control, and we tell you honestly what the records can and cannot show. For a legitimate matter, an initial locate typically comes back within 24 hours.

Our Commitment

We do not sell false hope or “guaranteed recovery.” We do the lawful research most services skip: tracing the real people and shell entities behind fake invoices and the accounts that received the money, so your reports and any civil action carry weight. Honest, permissible-purpose skip tracing since 2004.

People Locator Skip Tracing Investigation Team — our investigators conducting skip tracing and public-records research since 2004, working lawful, investigative-grade sources for legitimate purposes only. Last reviewed 2026. This page is general information, not legal, financial, or tax advice.

Frequently Asked Questions

Can I find out who is behind a fake invoice?

Often, yes. A fake invoice carries identifiers, the receiving bank account, the sender or lookalike domain, a phone number, and the business name printed on it, and each can be researched lawfully through public records and skip tracing. The receiving account and the domain registration are usually the strongest threads to a real person or shell entity.

I already paid the fake invoice. What do I do first?

Call your bank’s fraud line immediately and ask for a wire recall or payment reversal, because a transfer flagged fast enough can sometimes be stopped or recovered. Then report the wire fraud to the FBI Internet Crime Complaint Center at ic3.gov and to the FTC. Preserve the invoice, the email headers, and the payment details in one place.

Where exactly should I report a fake-invoice scam?

File with the FBI Internet Crime Complaint Center at ic3.gov, which treats invoice fraud as business email compromise and runs a recovery process, and report it to the Federal Trade Commission at reportfraud.ftc.gov. Also notify your bank, the receiving bank through your bank, and your state attorney general. Each channel does something the others cannot.

Can the money actually be recovered?

Sometimes, never by guarantee. The strongest path is a fast wire recall or account freeze when the fraud is reported before the funds are withdrawn on the other end. After that, recovery may come through a civil claim against an identified perpetrator. Speed and complete documentation drive the odds.

The sender used a spoofed or lookalike email. Can anyone still be identified?

Frequently, yes. Even a spoofed message leaves identifiers, the domain registration or hosting behind a lookalike address, the receiving bank account, the phone number on the invoice, and the business filing behind a shell company. Those can be researched lawfully to surface a real name and current location.

A firm offered to recover my funds for a fee. Is that legitimate?

Treat it as a second scam. Recovery operations that demand an upfront fee, guarantee results, contact you out of the blue, ask for your banking logins, or want another payment are preying on victims. Legitimate help does not require pay-to-unlock, and government reporting through IC3 and the FTC is free.

What does People Locator Skip Tracing actually do on a case like this?

We work the human trail, not your bank’s internal process. Using lawful public-records research and skip tracing, we help identify and locate the real people and shell entities behind fake invoices, lookalike domains, and the accounts that received your money, producing a named, located party that strengthens your report and any civil claim. We do not take custody of funds or promise recovery.

Is it too late if the fake invoice was paid weeks ago?

Not necessarily. The immediate wire-recall window may have closed, but reporting is still worthwhile because investigations and account freezes can happen later, and identifying a perpetrator or shell entity can support a civil claim. Acting sooner is always better, but an older case is far from worthless.

Hit by a Fake Invoice? Start Tracing.

We trace the real people and shell entities behind fake invoices and the accounts that received the money, lawfully, so your reports and any civil case carry weight, typically with an initial locate fast. Contact us to get started.

Start Your Request →