How Two Companies Paid Fake Invoices — And How BIMI & VMC Could Have Prevented It
Email remains one of the most widely used communication channels in business — and unfortunately, one of the easiest to exploit. In the past year, two mid‑sized European companies became victims of a classic but highly effective attack: fake invoices sent from look‑alike domains.
Both companies believed they were paying legitimate suppliers. Both processed the invoices without suspicion. And both later discovered the same painful truth:
the emails didn’t come from their partners at all.
What Went Wrong
In both cases, attackers registered domains that looked almost identical to the real supplier domains. A single letter changed, a hyphen added, or a different top‑level domain — enough to fool a busy finance department.
Because the legitimate companies had:
- no DMARC enforcement,
- no BIMI,
- no VMC (Verified Mark Certificate),
…their partners had no visual or technical way to verify the authenticity of the sender.
The result:
- The fake domain passed basic checks
- The email looked routine
- The invoice looked legitimate
- The payment was processed
No warnings. No visual cues. Just a costly mistake.
How BIMI and VMC Could Have Stopped This
BIMI
BIMI (Brand Indicators for Message Identification) allows organizations to display a verified brand logo in supported inboxes — but only for messages that pass DMARC at an enforcing policy (quarantine or reject), which in turn relies on correctly configured SPF and DKIM.
If the real suppliers had BIMI:
- Their partners would expect to see the official logo
- Any email without the logo would immediately look suspicious
- A look‑alike domain has no BIMI record or VMC of its own, so no brand indicator would be shown for its mail
This alone would have raised a red flag.
VMC (Verified Mark Certificate)
A VMC is a digital certificate that cryptographically proves that the logo belongs to the organization. It requires:
- a registered trademark,
- a verified identity,
- and DMARC enforcement.
With a VMC:
- Only the legitimate company can display the verified logo
- Attackers cannot fake or imitate it
- Partners instantly recognize authentic communication
In short:
BIMI gives visibility. VMC gives trust. Together, they prevent exactly these types of invoice fraud attacks.
The Lesson
These two companies didn’t lose money because their finance teams made a mistake.
They lost money because their suppliers lacked modern email authentication and visual identity protection.
In a world where look‑alike domains can be registered in minutes, brand verification is no longer optional.
How to Protect Your Organization
To avoid becoming the next victim:
- Enforce DMARC (quarantine or reject)
- Implement SPF and DKIM correctly
- Deploy BIMI
- Secure your brand with a VMC
- Educate partners and clients to look for your verified logo
A small investment in authentication prevents large losses in the future.
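As an added illustration (not code from the original post), the following Python check parses DMARC and BIMI TXT records and lists the reasons a mailbox provider would not show a logo for a domain, covering the enforcement preconditions listed above. The DNS answers are constructed sample strings, and the domain names and URLs are assumptions; a real check would query the `_dmarc.<domain>` and `default._bimi.<domain>` TXT records instead.

```python
# Constructed sample TXT records; the domain names are illustrative, not real suppliers.
# A look-alike domain registered by an attacker has no entries at all.
SAMPLE_DNS = {
    "_dmarc.supplier.example": "v=DMARC1; p=reject; rua=mailto:dmarc@supplier.example",
    "default._bimi.supplier.example": (
        "v=BIMI1; l=https://supplier.example/logo.svg; a=https://supplier.example/vmc.pem"
    ),
    "_dmarc.weak-supplier.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak-supplier.example",
    "default._bimi.weak-supplier.example": "v=BIMI1; l=https://weak-supplier.example/logo.svg;",
}

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict (DMARC and BIMI share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(domain, dns=SAMPLE_DNS):
    """Return the reasons a mailbox provider would NOT render a BIMI logo for `domain`.
    An empty list means: DMARC enforced, BIMI record present, logo and VMC referenced."""
    problems = []
    dmarc = dns.get(f"_dmarc.{domain}")
    if dmarc is None:
        problems.append("no DMARC record")
    else:
        t = parse_tags(dmarc)
        policy = t.get("p", "none")
        # BIMI needs p=quarantine (at pct=100) or p=reject; p=none only monitors
        if policy not in ("quarantine", "reject"):
            problems.append(f"DMARC policy '{policy}' is not enforcing")
        elif t.get("sp", policy) == "none":  # sp defaults to p when absent
            problems.append("DMARC subdomain policy sp=none weakens enforcement")
        if policy == "quarantine" and t.get("pct", "100") != "100":
            problems.append("DMARC pct must be 100 for BIMI")
    bimi = dns.get(f"default._bimi.{domain}")
    if bimi is None:
        problems.append("no BIMI record")
    else:
        b = parse_tags(bimi)
        if b.get("v") != "BIMI1":
            problems.append("BIMI record does not start with v=BIMI1")
        if not b.get("l", "").startswith("https://"):
            problems.append("BIMI logo (l=) must be an HTTPS URL to an SVG")
        if not b.get("a"):
            problems.append("no VMC referenced (a=); Gmail and Apple Mail require one")
    return problems
```

Running `bimi_readiness` against the three cases shows the pattern from the article: the prepared supplier reports nothing, the supplier with `p=none` is flagged before any logo could appear, and a look-alike domain has neither record.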
BIMI Is Mainstream — Is Your Brand Ready?
Ready to implement BIMI across major email platforms? Contact our agents today for expert guidance.
Explore our FAQ on DMARC Compliance to learn how it supports successful BIMI implementation.
Supported platforms: Gmail, Yahoo Mail, Apple Mail, Fastmail, AOL, and more.
Build trust: Verified logos reassure recipients of email authenticity.
Boost engagement: Increase open rates with enhanced inbox branding.