AI-Generated Deepfake Invoice

How This Attack Works

Attackers use generative AI tools to produce invoices that are visually indistinguishable from legitimate vendor documents — replicating logos, fonts, signatures, and formatting from publicly available samples or previously stolen invoices. The AI-generated PDF is emailed to accounts payable from a lookalike domain. Because the document passes visual inspection and matches expected invoice patterns, it bypasses human review. Some variants include fabricated purchase order numbers that match real company formats obtained via open-source intelligence.

Red Flags to Watch For

• ✗
  Invoice arrives unsolicited with no corresponding purchase order in your procurement system
• ✗
  Vendor logo and formatting look correct but the bank account or routing number changed
• ✗
  Invoice PDF metadata shows it was created by an unfamiliar tool or has a creation date that does not match the invoice date
• ✗
  Sender domain has an extra character, hyphen, or TLD swap compared to the real vendor domain
• ✗
  Amount is just below your internal single-approver threshold — a common reconnaissance tactic
• ✗
  Legitimate vendor cannot confirm the invoice when called at their established number

Known Malicious Domains

These domains have been associated with this attack. Never click links going to these addresses.

• ai-invoice-portal.comMALICIOUS
• digital-invoice-processing.netMALICIOUS
• vendor-doc-ai-generated.comMALICIOUS

Glance automatically blocks emails from domains on this list. Domain list is not exhaustive — attackers register new domains continuously.