SME supplier fraud prevention: signals your AP must catch before payment
Guide from the ininvoice team · Automatic invoice reconciliation.
Accounts payable fraud affects 22% of organisations with fewer than 100 employees, according to the ACFE Report to the Nations 2024. The three most frequent signals: a supplier bank account change communicated by email, invoices arriving with no prior PO and amounts just below approval thresholds. An AP cycle with automatic risk scoring catches these signals before the payment goes out.
SMEs are the most-attacked target in invoice fraud. Not because their controls are worse than larger companies', but because the personal relationship with the supplier creates a trust attackers exploit. The admin manager who has been paying the same construction company for three years is more susceptible to an email that looks like it comes from the construction company's manager asking for an account change.
ACFE estimates the median loss from fraud in small organisations at USD 150,000, with 20% of cases exceeding USD 1 million. Detection takes an average of 12 months, per the same report.
This article describes the concrete signals an AP process should detect, how risk scoring formalises them and which organisational controls reduce exposure.
The fraud signals that cause the most failures
1. Bank account change communicated by email.
Account-change fraud (Business Email Compromise, BEC) is the most frequent and the most costly. The attacker impersonates the supplier (or compromises their email account) and sends a message requesting that the next payment go to a new account. The email looks legitimate because it comes from the same domain or a similar one (company-s.com instead of company.com).
The anti-fraud rule: no supplier bank account change is processed on the strength of an email. Verification is always by phone, at the supplier's usual number, never the one given in the email. The change is documented together with the verification before it is updated in the supplier master.
2. Invoice with no prior PO, especially from a new supplier.
An invoice that arrives with no associated PO can be legitimate (urgent purchase, recurring service without a formal contract). But it is also the basic pattern of fictitious-invoice fraud: someone issues an invoice for generic services (consulting, advisory, marketing services) for a moderate amount and hopes it goes unnoticed.
Invoices without a PO from a known supplier carry less risk. Invoices without a PO from a new supplier or one with little history carry high risk.
3. Amounts just below approval thresholds.
If the CFO's approval threshold is EUR 5,000, recurring invoices of EUR 4,800 or 4,950 from the same supplier are a signal. The technique is called "smurfing" in the AP context: splitting a larger amount into several smaller ones to avoid controls. It also appears as invoices slightly below the amount that requires a second signer.
4. Supplier with unusual or inconsistent data.
- Tax ID that does not match the supplier name in the master.
- IBAN from a country different from the supplier's country with no justification.
- Email address from a domain different from the supplier's usual one.
- New contact phone number not in the supplier master.
5. Duplicate invoice with minimal variation.
A duplicate invoice arrives with the same tax ID, amount and period but a slightly different invoice number. A manual process can approve both if the operator does not explicitly compare them. The double payment is only detected when the supplier reports the error or when the bank reconciliation surfaces it.
The risk score: how to formalise the signals
A risk score turns the above signals into a 0-100 rating per invoice. It does not block automatically; used correctly, it is a system that prioritises human review.
| Signal | Score weight | Suggested action |
|---|---|---|
| New supplier (no history in the system) | High | Manual verification before approving |
| Invoice with no associated PO | High | Request justification from the requester |
| IBAN different from the one registered in the master | Very high | Block + mandatory phone verification |
| Round amount (EUR 1,000, 5,000, 10,000) with no detailed lines | Medium | Request line detail |
| Potential duplicate (same tax ID + amount + period) | Very high | Automatic block until resolved |
| Price variance >5% versus the supplier's historical | Medium | Compare with the supplier's recent invoices |
| Amount just below approval threshold | High | Automatic escalation to the higher approval level |
Calibrating the score depends on each company's volume and approval thresholds. What works for a company with 50 invoices per month can create too many exceptions in one with 500. The goal is for 70-80% of invoices to pass with a low score (green) and for the remaining 20-30% to receive review proportional to their signal level.
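The table above as working scoring logic, added here as an illustration and not ininvoice's own code: the numeric weights, the 5% "just below threshold" margin and the green/amber/red bands are assumptions, since the article only labels signals Medium / High / Very high and leaves calibration to each company. The sample supplier master, history and invoices are constructed.

```python
from collections import namedtuple

# Numeric weights are an assumption for this example; the article only labels
# signals Medium / High / Very high and leaves calibration to each company.
WEIGHTS = {"medium": 15, "high": 30, "very_high": 50}
# period is the billing period (e.g. "2025-03"); line_count 0 means no detailed lines.
Invoice = namedtuple("Invoice", "number tax_id amount period iban has_po line_count")

def score_invoice(inv, master, history, seen, threshold=5000.0, margin=0.05):
    """Return (score 0-100, [(signal, action)]). master: tax_id -> registered IBAN;
    history: tax_id -> past amounts; seen: (tax_id, amount, period) keys already processed."""
    hits = []
    if inv.tax_id not in master:
        hits.append(("new supplier", "high", "manual verification before approving"))
    elif master[inv.tax_id] != inv.iban:  # the BEC account-change pattern
        hits.append(("IBAN differs from master", "very_high", "block + phone verification"))
    if not inv.has_po:
        hits.append(("no associated PO", "high", "request justification from requester"))
    if inv.amount > 0 and inv.amount % 1000 == 0 and inv.line_count == 0:
        hits.append(("round amount, no lines", "medium", "request line detail"))
    key = (inv.tax_id, inv.amount, inv.period)
    if key in seen:
        hits.append(("potential duplicate", "very_high", "automatic block until resolved"))
    seen.add(key)
    past = history.get(inv.tax_id)
    if past:
        avg = sum(past) / len(past)
        if abs(inv.amount - avg) / avg > 0.05:
            hits.append(("price variance >5%", "medium", "compare with recent invoices"))
    if threshold * (1 - margin) <= inv.amount < threshold:  # smurfing just under the limit
        hits.append(("just below approval threshold", "high", "escalate to higher approver"))
    score = min(100, sum(WEIGHTS[w] for _, w, _ in hits))
    return score, [(s, a) for s, _, a in hits]

def band(score):  # green passes; amber and red get review proportional to the signal level
    return "green" if score < 30 else "amber" if score < 50 else "red"

def score_batch(invoices, master, history):
    seen, out = set(), []  # one shared 'seen' set so duplicates within the batch are caught
    for inv in invoices:
        score, _ = score_invoice(inv, master, history, seen)
        out.append((inv.number, score, band(score)))
    return out

# Constructed sample data: placeholder tax IDs and IBANs, not real suppliers.
MASTER = {"B12345678": "ES00-MASTER-0001"}
HISTORY = {"B12345678": [2900.0, 3100.0]}
SAMPLE = [
    Invoice("A-101", "B12345678", 3050.0, "2025-03", "ES00-MASTER-0001", True, 3),   # normal
    Invoice("A-102", "B12345678", 3000.0, "2025-04", "ES00-NEW-9999", True, 3),      # account change
    Invoice("A-101b", "B12345678", 3050.0, "2025-03", "ES00-MASTER-0001", True, 3),  # duplicate
    Invoice("X-1", "B99999999", 4800.0, "2025-03", "ES00-UNKNOWN", False, 0),        # new, no PO, under limit
]
```

Running `score_batch(SAMPLE, MASTER, HISTORY)` gives the normal invoice a green score of 0, while the account change, the duplicate and the new-supplier invoice just under the threshold all land in red.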
Organisational controls: what software alone cannot do
Risk scoring is a technical layer. There are organisational controls that must exist in parallel:
Segregation of duties. Whoever approves an invoice should not be the one who authorises the payment. Whoever creates a new supplier in the master should not be the one who approves their first invoice. In small SMEs this is hard to implement fully, but at a minimum there must be a second signer for higher amounts.
Bank account change protocol. Written, known to the whole team: no IBAN change without phone verification to the supplier's usual contact. The email requesting the change is not enough, even if it looks legitimate. Document the verification (date, time, name of the person contacted, number called).
Controlled supplier master. Only authorised people can create or modify suppliers. Any bank account modification is logged with who did it and when.
Team training. The most effective vector for BEC fraud is email. The AP team should know what to do when receiving a suspicious email: do not click links, do not process account changes without verifying, escalate to a manager when in doubt.
Case: professional services company with 120 invoices a month
An engineering firm based in Barcelona handled a BEC fraud situation in 2025. A regular supplier of construction materials had their email account compromised. Attackers, using the compromised supplier account, sent an email to the firm's AP team stating they had changed banks and requesting an IBAN update for upcoming invoice payments.
The AP team received the email, verified it came from the supplier's correct domain and updated the IBAN in the system. The next two invoices from the supplier, totalling EUR 34,800, were paid to the fraudulent account.
Detection took three weeks, when the supplier called to ask why they had not received the payments. Fund recovery was partial.
With a process that requires phone verification for any IBAN change, the fraud would have been detected at the verification step: the supplier's usual phone number does not connect to the attackers.
External vs internal fraud: two different profiles
AP fraud has two origins:
External fraud: attackers who impersonate suppliers, create fictitious invoices or exploit process errors to collect payments not owed. BEC and invoices without a PO are the most common patterns.
Internal fraud: employees who create fictitious suppliers, approve their own invoices or modify bank data of real suppliers. The ACFE 2024 Report indicates that 40% of fraud in small organisations involves accounting or finance staff. Segregation of duties and access controls on the supplier master are the first line of defence.
A risk score based only on invoice signals catches external fraud better. Internal fraud requires access controls, modification logs and periodic auditing of the supplier master.
Frequently asked questions
- Is fictitious-invoice fraud frequent in SMEs?
- Yes. The ACFE 2024 Report indicates that 22% of organisations with fewer than 100 employees suffer some kind of AP fraud. The median loss per case is USD 150,000.
- How do I verify that a new supplier is legitimate before approving their first invoice?
- Basic verification: check the tax ID on the AEAT census to confirm it exists. Check the IBAN and the bank country. Call a phone number found publicly (not the one on the invoice) to confirm the commercial relationship.
- What do I do if I suspect an invoice is fraudulent?
- Do not approve it. Escalate to the finance manager. Contact the supplier through a channel different from the email or phone on the invoice. If you confirm fraud, notify your bank if there are pending payments and consider reporting to the authorities.
- Does three-way matching prevent fraud?
- Partially. Three-way matching detects invoices without an associated PO or delivery note, which reduces the scope of fictitious-invoice fraud. It does not catch bank-account-change fraud, which requires specific organisational controls.
- How does AP fraud affect the company's insurance?
- It depends on the policy. Some liability or commercial crime policies cover losses from external fraud if it can be shown that reasonable controls were in place. Consult your insurance broker.
Five controls that reduce risk now
- No supplier bank account change without phone verification to the usual contact. Documented.
- Every invoice from a new supplier requires approval from a level above the usual approver.
- Invoices with no PO automatically go to manual review. They do not pass automatically.
- The supplier master logs who modifies what. Only authorised people can create or edit.
- The AP team knows the BEC protocol: do not process account changes by email, always verify by phone.