I have had a spate of fake invoices. The wording of the emails are good, obviously copied from real instances of such invoices, but I can immediately tell as I get mulltiple copies sent to my slight variations of email address and those particular email addresses are never used for purchases.
NB those of you with GMAIL addresses can add extra bits to your email address (*) for each organization that you deal with and can then easily see whether a query is not being sent to the 'right' address.
(*) I think its after a PLUS SIGN before the @ sign, but check on google rules.
see: https://www.google.co.uk/maps/place/Jewson+Hornsey/@51.5857067,-0.1145659,17z/data=!4m5!3m4!1s0x48761be9287c5779:0x3e44a8c2a3365c4f!8m2!3d51.5857067!4d-0.1123772