Risk Blog · Apr 28, 2026 · 9 min read

Supplier invoice fraud: signals to detect it before payment

ininvoice: Supplier invoice fraud shows up in five recurring patterns: ghost supplier, BEC (vendor email compromise), deliberate duplicate invoice, colluded over-invoicing and inflated no-PO invoice. The signals appear before payment: new bank account, look-alike domain, round amount just below the approval threshold, missing PO or delivery note, tax ID that does not resolve. A 0-100 score per invoice combines these signals and blocks the payment when it crosses the threshold.


Fraud in accounts payable comes in by email, with an invoice so similar to a real one that it passes the first human filter and sometimes the second. The last line of defence is not the bank; it is the control on how the invoice is validated before it leaves the ERP.

This article captures the five fraud patterns most often seen at SMEs, the signals before payment and how an automated score closes the gap.

Five AP fraud types that arrive by email

  1. Ghost supplier. A supplier that does not exist, set up with plausible data but no real activity. Comes through internal collusion or weak onboarding.
  2. BEC (Business Email Compromise) on a real supplier. The attacker compromises or impersonates a legitimate supplier’s email and sends an authentic invoice with a changed IBAN. The most expensive pattern per case.
  3. Deliberate duplicate invoice. The supplier resends a paid invoice with small variations. See detect duplicate invoices.
  4. Colluded over-invoicing. Employee and real supplier agree to invoice at inflated prices and split the overcharge. The header matches; the lines do not.
  5. Inflated no-PO invoice. Services or consulting invoiced above what was delivered, with no formal PO to match against.

All five leave a trace before payment. The question is not whether the signals exist; it is whether your process sees them in time.

The size of the problem: 5% of annual revenue

ACFE publishes the Report to the Nations on occupational fraud every two years. Recurring estimate: organisations lose on average 5% of annual revenue to internal fraud, and billing fraud is among the most frequent and expensive categories per case.

In Spain, INCIBE publishes regular advisories on CEO fraud and BEC. The Spanish tax authority, with SII and Verifactu, reinforces document traceability, which also hardens the AP chain.

Fifteen concrete pre-payment signals

The signals below are universal: they do not depend on country, sector or supplier.

  1. New bank account vs supplier history.
  2. IBAN from a different country than the supplier’s tax residency.
  3. Account change communicated by email only, no verified phone contact.
  4. Sender domain similar but not identical to the historical one (typosquatting).
  5. Round amount just below the approval threshold (EUR 4,999, EUR 9,950).
  6. Missing PO on purchases that normally carry one.
  7. Missing delivery note on physical purchases that require receipt.
  8. Invoice date earlier than PO date.
  9. Tax ID that does not resolve in public databases or belongs to another legal entity.
  10. Non-sequential invoice number vs supplier pattern.
  11. Total matches but lines don’t: overprice on one line offset by discount on another.
  12. Generic concept (“professional services”) without hourly breakdown or deliverable.
  13. Supplier set up <60 days ago with a first high-value ticket.
  14. Unusual urgency in the email (“pay today”, “the bank is closing”).
  15. Invoice received outside the real sender’s working hours.

A single signal rarely justifies a block. Three or more demand review. Specific combinations (new account + similar domain + urgency) are an immediate red flag.
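As an added illustration (example code, not ininvoice's and not from the article), here is a detector that evaluates most of the fifteen signals over a constructed invoice, supplier-history and email record, then applies the triage rule above: one signal rarely blocks, three demand review, and the new account + look-alike domain + urgency combination is a red flag. It also covers the clues the BEC and ghost-supplier sections rely on, the IBAN-versus-history comparison and the tax-ID check; the latter is a Spanish DNI checksum used as an offline stand-in for the public-registry lookup the article describes. The field names, the approval thresholds, the 50-euro margin, the working-hours window and the 3x "high-value" multiplier are all assumptions.

```python
"""Pre-payment signal detector for one supplier invoice.

Added example, not ininvoice's code. Invoice, supplier history and email
metadata are constructed dict records; signal names follow the article's
list. The tax-ID check is a Spanish DNI checksum used as an offline stand-in
for the public-registry lookup the article describes (an assumption).
"""
import re
from datetime import date, datetime

APPROVAL_THRESHOLDS = (5000, 10000)                 # assumed approval bands, EUR
URGENCY_PHRASES = ("pay today", "urgent", "bank is closing", "confidential")
DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"             # Spanish DNI check-letter table
RED_FLAG_COMBO = {"new_bank_account", "lookalike_domain", "urgency"}

def tax_id_plausible(tax_id):
    """DNI format and checksum; stands in for 'does it resolve in a registry'."""
    m = re.fullmatch(r"(\d{8})([A-Z])", tax_id.strip().upper())
    return bool(m) and DNI_LETTERS[int(m.group(1)) % 23] == m.group(2)

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(sender, known):
    """Same name under a different TLD, or a name within two edits of the known one."""
    if sender == known:
        return False
    s_name, _, s_tld = sender.rpartition(".")
    k_name, _, k_tld = known.rpartition(".")
    return (s_name == k_name and s_tld != k_tld) or edit_distance(s_name, k_name) <= 2

def just_below_threshold(amount, margin=50):
    """Round (whole-euro) amount within `margin` EUR below an approval threshold."""
    return amount == int(amount) and any(0 < t - amount <= margin for t in APPROVAL_THRESHOLDS)

def detect_signals(invoice, history, email):
    """Return the article's signals present on this invoice, in check order."""
    found = []
    if invoice["iban"] not in history["known_ibans"]:
        found.append("new_bank_account")
        if not history.get("account_change_verified_by_phone"):
            found.append("account_change_email_only")
    if invoice["iban"][:2] != history["tax_country"]:
        found.append("iban_country_mismatch")
    if lookalike_domain(email["sender_domain"], history["known_domain"]):
        found.append("lookalike_domain")
    if just_below_threshold(invoice["total"]):
        found.append("just_below_threshold")
    if history["usually_has_po"] and not invoice.get("po_number"):
        found.append("missing_po")
    if invoice.get("po_date") and invoice["date"] < invoice["po_date"]:
        found.append("invoice_before_po")
    if not tax_id_plausible(invoice["tax_id"]):
        found.append("tax_id_unresolved")
    young = (invoice["date"] - history["created_on"]).days < 60
    if young and invoice["total"] >= 3 * history["typical_ticket"]:   # 3x is assumed
        found.append("young_supplier_high_ticket")
    if any(p in email["body"].lower() for p in URGENCY_PHRASES):
        found.append("urgency")
    start, end = history["working_hours"]
    if email["sent_at"].weekday() >= 5 or not start <= email["sent_at"].hour < end:
        found.append("outside_working_hours")
    return found

def triage(signals):
    """Article rule: one signal rarely blocks, three demand review, the combo is a red flag."""
    if RED_FLAG_COMBO <= set(signals):
        return "red_flag"
    return "review" if len(signals) >= 3 else "pass"

# Constructed sample: a known supplier's invoice arriving from a look-alike domain,
# with a foreign IBAN, an amount one euro under the threshold and a pushy email.
HISTORY = {"known_ibans": {"ES9121000418450200051332"}, "tax_country": "ES",
           "known_domain": "acme-supplies.es", "usually_has_po": True,
           "working_hours": (8, 18), "created_on": date(2021, 3, 1), "typical_ticket": 1200.0}
INVOICE = {"number": "F-2026-0118", "date": date(2026, 4, 20), "po_number": "PO-5531",
           "po_date": date(2026, 4, 10), "total": 4999.0,
           "iban": "DE89370400440532013000", "tax_id": "12345678Z"}
EMAIL = {"sender_domain": "acme-suppl1es.es", "sent_at": datetime(2026, 4, 20, 23, 15),
         "body": "Please pay today, our bank is closing the old account."}
CLEAN_INVOICE = dict(INVOICE, total=1200.0, iban="ES9121000418450200051332")
CLEAN_EMAIL = dict(EMAIL, sender_domain="acme-supplies.es", body="Invoice attached.",
                   sent_at=datetime(2026, 4, 20, 10, 0))

if __name__ == "__main__":
    for inv, mail in ((INVOICE, EMAIL), (CLEAN_INVOICE, CLEAN_EMAIL)):
        found = detect_signals(inv, HISTORY, mail)
        print(inv["number"], found, "->", triage(found))
```

The suspicious sample raises seven signals and trips the red-flag combination; the same supplier's clean invoice raises none. Each signal is derived from data the article says already exists before payment (supplier master, invoice header, email headers), which is the point: none of these checks need the bank's cooperation.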

BEC (vendor email compromise): the most expensive pattern

AP-targeted BEC works like this: the attacker compromises the supplier’s email (or spoofs their domain with a typosquat) and sends a real invoice, sometimes copied from a previous one, with a single change: the IBAN.

What makes it hard: the PDF is often authentic, the amount fits the real pattern, and it arrives when the actual supplier was due to invoice. What gives it away: the IBAN was not there before, the domain differs by one letter or changes TLD, and the email introduces urgency or asks for confidentiality.

Effective control: compare IBAN against supplier history and require out-of-band verification (call to the known phone number, not to the one in the email) for any account change.

Ghost supplier: detection at onboarding and first payment

The ghost supplier sneaks into master data. Clues are about the supplier more than the invoice: tax ID that does not resolve, tax address that matches an employee’s or a virtual mailbox, personal rather than corporate phone and email, first invoice a few days after setup, concept outside the usual catalogue, payments always just below the approval threshold.

Preventive control: validate tax ID and address at setup and review the first payment with a second approver, regardless of amount.

Deliberate duplicate invoice

Not a filing error: the supplier resends an already-paid invoice with small variations so the system does not flag it as an exact duplicate (same amount with a varied number, scan at different resolution, PDF and FacturaE in the same month, two channels in parallel).

Clean detection cross-checks by content fingerprint (supplier + date + amount + lines), not just by number. More in detect duplicate invoices.
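An added example of the content fingerprint described above (example code, not ininvoice's): the hash covers supplier, date, total and the normalised lines, and deliberately leaves the invoice number out, so a resend under a varied number, a re-scan with different capitalisation, or a copy arriving through a second channel collides with the paid original. The ledger also keeps a (supplier, number) index so an exact-number duplicate is still caught. The records and field names are constructed.

```python
"""Duplicate-invoice detection by content fingerprint, not by number.

Added example, not ininvoice's code. The fingerprint is a SHA-256 over the
normalised supplier tax ID, invoice date, total in cents and the sorted
(description, quantity, unit price) lines; the invoice number is left out
on purpose so a resend with a varied number still collides. All records
below are constructed.
"""
import hashlib
import json
from datetime import date


def normalise_line(line):
    # Case, whitespace and int/float noise must not change the fingerprint.
    return [line["description"].strip().lower(),
            round(float(line["qty"]), 3), round(float(line["unit_price"]), 2)]


def fingerprint(inv):
    payload = {
        "supplier": inv["supplier_tax_id"].upper().replace("-", "").replace(" ", ""),
        "date": inv["date"].isoformat(),
        "total_cents": round(inv["total"] * 100),
        "lines": sorted(normalise_line(l) for l in inv["lines"]),
    }
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class PaidLedger:
    """Minimal register of paid invoices, keyed by content fingerprint and by number."""

    def __init__(self):
        self._by_fingerprint = {}   # fingerprint -> number of the invoice first paid
        self._numbers = set()       # (supplier, number) pairs already paid

    def check(self, inv):
        """Return (verdict, original_number); registers the invoice only if new."""
        fp = fingerprint(inv)
        key = (inv["supplier_tax_id"], inv["number"])
        if fp in self._by_fingerprint:
            return "duplicate_content", self._by_fingerprint[fp]
        if key in self._numbers:
            return "duplicate_number", inv["number"]
        self._by_fingerprint[fp] = inv["number"]
        self._numbers.add(key)
        return "new", None


# Constructed sample: a paid invoice, then the same content resent under a
# varied number with re-scanned line text, then a genuinely new invoice.
PAID = {"supplier_tax_id": "B12345678", "number": "F-2026-0042", "date": date(2026, 3, 31),
        "total": 1210.00,
        "lines": [{"description": "Cleaning service March", "qty": 1, "unit_price": 1000.00},
                  {"description": "Consumables", "qty": 20, "unit_price": 10.50}]}
RESENT = dict(PAID, number="F-2026-0042/A",
              lines=[{"description": "CONSUMABLES ", "qty": 20.0, "unit_price": 10.5},
                     {"description": "cleaning service march", "qty": 1.0, "unit_price": 1000.0}])
NEW = dict(PAID, number="F-2026-0057", date=date(2026, 4, 30))

if __name__ == "__main__":
    ledger = PaidLedger()
    for inv in (PAID, RESENT, NEW):
        print(inv["number"], "->", ledger.check(inv))
```

Normalising before hashing is what makes this robust: line order, trailing spaces, case and `1` versus `1.0` all collapse to the same payload, while a real second invoice (different date or different lines) produces a different fingerprint and is registered as new.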

Colluded over-invoicing

Subtle. An employee with approval power agrees with a real supplier that invoices come inflated, sharing the overcharge. The approver signs, the supplier exists, the delivery note is received.

The signals are patterns, not events: unit price systematically above market, anomalous supplier concentration on a single approver, 100% approval rate with no exceptions ever, and overpriced lines offset by discounted lines that leave the total tidy.

That is why honest three-way matching is line by line, pre-tax, on unit price, never on the header. The total never lies, but the lines do.
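Here is an added example of line-by-line three-way matching (example code, not ininvoice's) using the tolerance the article's prevention plan states later, 2% or EUR 1.50 in OR mode, applied to the pre-tax unit price of each invoice line against its PO line and to the quantity against the delivery note. The constructed sample is exactly the case described above: the invoice total equals the PO total, but one line is overpriced and another discounted. A header check passes; the line check does not. The line reference field used to join the documents is an assumption.

```python
"""Line-by-line three-way matching on pre-tax unit price.

Added example, not ininvoice's code. The tolerance follows the article's
prevention plan (2% or EUR 1.50, OR mode: a line passes if either bound
holds). PO, delivery note and invoice are constructed; invoice lines are
joined to PO lines on a line reference, an assumed field.
"""
PCT_TOL = 0.02
ABS_TOL = 1.50


def within_tolerance(invoice_price, po_price):
    """OR mode: the deviation may be within EUR 1.50 or within 2% of the PO price."""
    diff = abs(invoice_price - po_price)
    return diff <= ABS_TOL or diff <= PCT_TOL * po_price


def header_total(doc):
    """Pre-tax header total; what a header-only match compares."""
    return round(sum(l["qty"] * l["unit_price"] for l in doc["lines"]), 2)


def three_way_match(po, delivery, invoice):
    """Return (passed, exceptions); each exception is (line ref, reason)."""
    po_lines = {l["ref"]: l for l in po["lines"]}
    received = {l["ref"]: l["qty"] for l in delivery["lines"]}
    exceptions = []
    for line in invoice["lines"]:
        ref, po_line = line["ref"], po_lines.get(line["ref"])
        if po_line is None:
            exceptions.append((ref, "no matching PO line"))
            continue
        if line["qty"] > received.get(ref, 0):
            exceptions.append((ref, f"invoiced {line['qty']} but received {received.get(ref, 0)}"))
        if not within_tolerance(line["unit_price"], po_line["unit_price"]):
            exceptions.append((ref, f"unit price {line['unit_price']:.2f} vs PO {po_line['unit_price']:.2f}"))
    return not exceptions, exceptions


# Constructed sample: the invoice total equals the PO total (EUR 1,200), but
# line A is overpriced and line B discounted to keep the header tidy; line C
# is one euro over and passes on the absolute tolerance.
PO = {"lines": [{"ref": "A", "qty": 10, "unit_price": 50.00},
                {"ref": "B", "qty": 20, "unit_price": 10.00},
                {"ref": "C", "qty": 5, "unit_price": 100.00}]}
DELIVERY = {"lines": [{"ref": "A", "qty": 10}, {"ref": "B", "qty": 20}, {"ref": "C", "qty": 5}]}
INVOICE = {"lines": [{"ref": "A", "qty": 10, "unit_price": 60.00},
                     {"ref": "B", "qty": 20, "unit_price": 4.75},
                     {"ref": "C", "qty": 5, "unit_price": 101.00}]}

if __name__ == "__main__":
    print("header match:", header_total(PO) == header_total(INVOICE))
    print("line match:", three_way_match(PO, DELIVERY, INVOICE))
```

The two bounds are complementary: the absolute bound lets cheap lines move by cents without noise, the percentage bound lets expensive lines move proportionally, and neither lets a EUR 10 overprice on a EUR 50 item through.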

0-100 risk scoring: the logic that closes the gap

Nobody reads 300 invoices/month with enough attention to spot the signals on each one. An automated score does. Every invoice arrives with a 0-100 score combining document, email and history signals:

  • 0-29: low risk. If it passes three-way matching, it goes to touchless.
  • 30-59: review recommended in the normal queue.
  • 60-79: additional approver mandatory before payment.
  • 80-100: block until out-of-band verification.

The heaviest signals in production: IBAN change on an existing supplier, look-alike domain, missing PO in categories that always carry one, tax ID that does not resolve, first invoice from a recently set up supplier. The scoring is not the final word: it is the filter that prioritises what the human looks at. The touchless AP layer handles the rest without touching clean invoices.
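An added example of the scoring layer (example code, not ininvoice's, and the weights are illustrative assumptions rather than production values): it takes the signal names a detector has already raised, sums their weights once each, floors the article's red-flag combination at the block band, caps at 100, and maps the result to the four bands above. The low band only goes touchless when three-way matching has passed, which is the "not the final word" point: the score prioritises, the matching still decides.

```python
"""0-100 risk score from the signal names a detector has raised.

Added example, not ininvoice's code; the weights and the red-flag floor
are illustrative assumptions, not production weights. Bands and actions
are the four in the article; the low band only goes touchless when
three-way matching has passed.
"""
WEIGHTS = {   # assumed weights, heaviest first
    "new_bank_account": 35, "lookalike_domain": 35, "tax_id_unresolved": 30,
    "missing_po": 25, "young_supplier_high_ticket": 25, "lines_dont_match_total": 20,
    "iban_country_mismatch": 15, "account_change_email_only": 15, "missing_delivery_note": 15,
    "urgency": 10, "just_below_threshold": 10, "invoice_before_po": 10,
    "outside_working_hours": 5, "nonsequential_number": 5, "generic_concept": 5,
}
RED_FLAG_COMBO = {"new_bank_account", "lookalike_domain", "urgency"}
RED_FLAG_FLOOR = 80   # the article's immediate red flag lands in the block band
BANDS = (  # (lower bound, band name, default action)
    (80, "block", "hold until out-of-band verification"),
    (60, "high", "additional approver mandatory"),
    (30, "review", "normal review queue"),
    (0, "low", "touchless if three-way match passes"),
)


def score(signals):
    """Sum the weights of distinct signals, floor the red-flag combo, cap at 100."""
    distinct = set(signals)
    total = sum(WEIGHTS.get(name, 0) for name in distinct)
    if RED_FLAG_COMBO <= distinct:
        total = max(total, RED_FLAG_FLOOR)
    return min(100, total)


def decide(signals, three_way_ok):
    """Return the score, its band and the action the article assigns to that band."""
    s = score(signals)
    band, action = next((b, a) for lower, b, a in BANDS if s >= lower)
    if band == "low":   # scoring is a filter, matching still gates touchless
        action = "pay touchless" if three_way_ok else "normal review queue"
    return {"score": s, "band": band, "action": action}


# Constructed cases, one per band.
CASES = [
    (["outside_working_hours"], True),
    (["missing_po", "urgency"], True),
    (["new_bank_account", "account_change_email_only", "iban_country_mismatch"], True),
    (["new_bank_account", "lookalike_domain", "urgency", "outside_working_hours"], True),
]

if __name__ == "__main__":
    for signals, ok in CASES:
        print(signals, "->", decide(signals, ok))
```

Counting each signal once and capping at 100 keeps the score stable when a detector reports the same condition from two sources; the floor makes the documented combination reach the block band even if a tuning pass later lowers the individual weights.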

What if we showed you the score your last 30 invoices would get?

ininvoice ingests from Gmail or Outlook, reads PDF, email and history signals, and returns a 0-100 score per invoice. Book a spot and look at your own queue.

Prevention plan: five layers that reinforce each other

  1. Onboarding with validated tax ID against public registries and bank verification via an independent channel.
  2. Line-by-line three-way matching with a 2% or EUR 1.50 tolerance, OR-mode, so a line passes if either bound holds (see three-way matching).
  3. Duplicate detection by fingerprint, not just by number.
  4. 0-100 scoring with automatic block above 80.
  5. Segregation of duties: approver ≠ payer, and two approvers on first payment to a new supplier.

Checklist for internal auditor

  • New suppliers with validated tax ID and first payment reviewed by two approvers.
  • Invoices with score > 60: documented justification from the approver.
  • IBAN changes with logged out-of-band verification.
  • Invoices with no PO in categories that normally carry one: nominal review.
  • Supplier-approver concentration >30% of volume without justification.
  • Zero exceptions from a single approver for >6 months: a signal, not a virtue.

FAQ

What is the most expensive AP fraud type per case?
BEC (vendor email compromise). The attacker moves real invoices with a changed account and tickets range from thousands to hundreds of thousands of euros.
Does the two-pairs-of-eyes check catch BEC?
Helps, but is not enough. If both approvers look at the PDF and the PDF is fine, it goes through. What fails is not comparing the IBAN against history. That is a system job.
What does the tax authority require on AP fraud prevention?
The Spanish AEAT pushes SII and Verifactu for tax traceability. Not AP anti-fraud per se, but it structures the data and makes invented invoices harder.
Is 5% of revenue lost to fraud realistic?
It is the aggregate average reported by ACFE in its Report to the Nations. The distribution is skewed: many companies have small or zero losses and a few have large ones.
Is a risk score enough on its own?
No. It is the layer that prioritises what to look at. Without three-way matching, segregation of duties and supplier onboarding validation, the score detects less.
Does this work if I still receive paper invoices?
It works worse. Signals like sender domain or send time only exist in email. Migrating invoice intake to a single AP inbox is step zero.

How many risk signals are in your queue today with nobody seeing them?

Connect Gmail or Outlook and measure risk score + touchless rate on 30 days of your own invoices. Get started.

Three things to remember

  1. AP fraud leaves a trace before payment. The question is whether your process sees the signals in time, not whether they exist.
  2. Signals are universal: new account, similar domain, missing PO, tax ID that does not resolve, total matches but lines don’t.
  3. A 0-100 score with line-by-line three-way matching and segregation of duties closes the gap that even two pairs of eyes miss.

To see it on your invoices, try ininvoice. Pricing and features.
