Fake Invoices Hit 47% of Mid-Market Companies in the Past Year
An attack that begins with a trusted vendor rather than a masked hacker is becoming one of the most persistent risks facing medium-sized companies in the United States.
That is the central takeaway from “Vendors and Vulnerabilities: The Cyberattack Squeeze on Mid-Market Firms,” a PYMNTS Intelligence report that examined how social engineering has become a dominant threat vector for companies with annual revenues between $100 million and $1 billion.
Drawing on a survey of 60 heads of payments, the report showed that social engineering attacks are no longer sporadic events. They are routine operational hazards that exploit relationships, workflows and third-party dependencies.
The findings painted a picture of firms operating in a dense web of vendors, suppliers and service providers where trust is necessary but increasingly risky.
Nearly every respondent reported at least one social engineering incident in the past year. These attacks frequently target payment processes, where speed and familiarity can override caution. Fake invoices, phishing emails and ransomware attacks often originate not inside the firm itself but through compromised third parties that appear legitimate.
The result is a threat environment where even well-defended companies remain exposed because their partners may not be.
Key data points from the report illustrate the scope and nature of the risk:
- Social engineering attacks that target payments were at least somewhat concerning to 87% of mid-market firms, with concern rising among firms facing higher levels of economic uncertainty.
- Fake invoice scams were experienced by 47% of companies in the past year, making them the most common form of social engineering attack reported.
- Social engineering-related incidents have become widespread, as 97% of respondents reported at least one such attack over the last 12 months.
Beyond the headline figures, the report highlighted how attackers exploit ordinary business practices. In many cases, hackers gain access to a vendor’s email or billing system, then use that access to send payment requests that look routine.
Employees are not deceived by technical sophistication so much as by familiarity. A known sender. A normal process. A sense of urgency. The fraud succeeds because it fits seamlessly into daily operations.
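One control that addresses the pattern described above (a genuine but compromised vendor mailbox sending a routine-looking payment request) is to check each request against the vendor's previously verified profile rather than relying on the sender's apparent familiarity. The following is an added example, not code from the PYMNTS report or from any surveyed firm; the vendor master records, the incoming requests and the urgency word list are constructed for illustration.

```python
"""Hold vendor payment requests that deviate from the vendor's verified profile.

Added, constructed example: every vendor record and request below is made up.
The point it demonstrates is that a request from a familiar, legitimate sender
can still be fraudulent when the remit-to account has quietly changed, so the
control compares against what finance previously verified, not against the
sender's familiarity.
"""
from dataclasses import dataclass

# Constructed vendor master: the details accounts payable verified out of band
# when each vendor was onboarded. IBANs are stored without spaces.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Supply Co", "domain": "acmesupply.example",
               "iban": "DE89370400440532013000"},
    "V-2002": {"name": "Northwind Freight", "domain": "northwind.example",
               "iban": "GB29NWBK60161331926819"},
}

# Constructed list of phrases that commonly accompany pressure to pay quickly.
URGENCY_TERMS = ("urgent", "immediately", "today", "final notice", "past due")

# Finding codes that should place the request on hold pending a call-back to
# the vendor's on-file phone number. Urgency on its own is only a note.
HOLD_CODES = {"UNKNOWN_VENDOR", "SENDER_DOMAIN_MISMATCH", "ACCOUNT_MISMATCH"}


@dataclass
class PaymentRequest:
    vendor_id: str
    sender_email: str
    remit_to_iban: str
    amount: float
    message: str


def review_request(req, master=VENDOR_MASTER):
    """Return a list of (code, detail) findings for a payment request.

    An empty list means the request matches the vendor's verified profile.
    """
    findings = []
    record = master.get(req.vendor_id)
    if record is None:
        return [("UNKNOWN_VENDOR", f"no verified record for {req.vendor_id}")]

    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != record["domain"]:
        findings.append(("SENDER_DOMAIN_MISMATCH",
                         f"sent from {sender_domain}, on file {record['domain']}"))

    # Normalise the IBAN before comparing so spacing differences do not mask
    # (or fake) a change of account.
    iban = req.remit_to_iban.replace(" ", "").upper()
    if iban != record["iban"]:
        findings.append(("ACCOUNT_MISMATCH",
                         "remit-to account differs from the verified account on file"))

    text = req.message.lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append(("URGENCY", "urgency language: " + ", ".join(hits)))
    return findings


def needs_hold(req, master=VENDOR_MASTER):
    """True when any finding requires out-of-band verification before payment."""
    return any(code in HOLD_CODES for code, _ in review_request(req, master))


# Constructed sample requests. The second one comes from the vendor's real
# mailbox (domain matches) and differs only in the bank account, which is the
# vendor-compromise case the report describes.
SAMPLE_REQUESTS = [
    PaymentRequest("V-1001", "ap@acmesupply.example",
                   "DE89 3704 0044 0532 0130 00", 12400.00,
                   "Invoice 4471 attached, net 30 as usual."),
    PaymentRequest("V-1001", "ap@acmesupply.example",
                   "DE02120300000000202051", 12400.00,
                   "Please process immediately, we have changed banks."),
    PaymentRequest("V-2002", "billing@northwind-freight.example",
                   "GB29NWBK60161331926819", 8900.00,
                   "Past due invoice 88, remit today."),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        status = "HOLD" if needs_hold(req) else "ok"
        print(f"{req.vendor_id} {status}: {review_request(req)}")
```

The domain check alone would pass the second request, because the mail really does come from the vendor's system; only the comparison against the verified account on file catches it. Urgency wording is recorded as a note rather than a hold trigger, since legitimate reminders use the same phrases.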
The burden of defense falls unevenly. Smaller mid-market firms spend a higher share of revenue protecting themselves, often without clear benchmarks for what is sufficient.
More than six in 10 firms with revenues between $100 million and $400 million allocate at least 3% of annual revenue to combating social engineering threats. Larger peers spend less as a share of revenue, reflecting scale advantages but also differing risk tolerance.
The range of spending suggests uncertainty about which investments reduce exposure.
The report also connected social engineering risk to broader economic pressure. Firms categorized as operating under high uncertainty are more likely to report extreme concern about these attacks.
For goods-focused companies, which process high volumes of invoices and rely heavily on suppliers, the risk is amplified. Each additional partner expands the attack surface.
Taken together, the findings suggest that social engineering is less a technical problem than an organizational one. Controls cannot stop at the firewall. They must extend across vendor relationships, payment workflows and employee training. Trust remains essential to commerce, but unmanaged trust is now a liability. This is the reality mid-market firms are confronting.
The post Fake Invoices Hit 47% of Mid-Market Companies in the Past Year appeared first on PYMNTS.com.