A vendor's bank account changes overnight, an invoice email arrives from a domain that looks almost right, and someone in finance pays it before anyone notices the difference. That is business email compromise, and it is one of the most common ways small companies lose real money to fraud. I built an Invoice Fraud Firewall in n8n specifically to catch it, and this is how it actually works.
The problem I was solving
At Help Tech Co. Ltd., I run the company's accounts payable and receivable process in QuickBooks, which means I am also the last line of defense against a payment fraud attempt. The classic attack is simple: a scammer registers a domain that looks almost identical to a real vendor's, waits until an invoice is due, then emails "updated bank details" from that look-alike address. If nobody checks closely, the payment goes out to the fraudster instead of the real vendor. I wanted a system that caught this automatically, before a human even had to think about it.
How the workflow is built
The Invoice Fraud Firewall is an n8n workflow that monitors a finance inbox for anything that looks like a payment-related email. When one arrives, it uses Gemini to extract the vendor name, the invoice amount, and the IBAN or bank account number from the email body, even when that information is buried in a PDF attachment or written in inconsistent formatting. That extracted data gets compared against a trusted vendor registry I maintain in Google Sheets, which holds the verified bank details for every vendor we actually deal with.
- Look-alike domain detection: comparing the sending domain against known vendor domains, character by character, to catch typosquatting.
- Reply-To mismatch detection: flagging emails where the visible sender and the actual reply address do not match, a classic phishing tell.
- Urgency language scoring: flagging phrases designed to rush a decision, like "urgent" or "before end of day," which are common in real fraud attempts.
- IBAN comparison: checking the extracted bank details against what is on file for that vendor, and flagging any mismatch immediately.
Clean, review, or critical
Every email that comes through gets scored into one of three tiers: Clean, Review, or Critical. Clean emails match everything on file and need no action. Review emails have one or two soft signals, like unusual urgency language, and get a note but no hold. Critical emails, where the bank details do not match the vendor registry or the domain looks suspicious, get held automatically with an instant alert sent to Telegram so a human checks before any money moves. Nothing gets paid on a Critical flag without someone actually looking at it first.
The goal was never to replace judgment. It was to make sure a tired person on a busy Thursday afternoon does not miss the one email that matters.
Why the audit log matters as much as the detection
Every decision the workflow makes, whether it flags an email Clean, Review, or Critical, gets logged to Google Sheets with a timestamp and the reasoning behind the score. This matters for two reasons. First, if a scoring rule turns out to be too aggressive or too loose, I can look back at real examples and tune it. Second, and just as important, an automation that silently makes decisions with no record is not something a business should trust with its money. I would rather over-log everything and prune later than find out after the fact that a decision was made with no trace of why.
What this says about how I build automation
This is the same principle running through every n8n workflow I build, whether it is this one, the AI Lead Intelligence system, or the Multi-Stage Invoice Approval Pipeline: AI is genuinely good at extraction and pattern matching, but the decision that actually moves money or approves something sensitive should have a human checkpoint, full audit logging, and clear escalation rules. That combination is what turns "the AI flagged something" into a system a finance team can actually rely on. If you are weighing whether an automation like this makes sense for your own AP process, I would rather walk through your specific setup than sell you a generic answer. You can read more about how I got into this kind of work, or just reach out directly.