Vendor and Invoice Fraud: How B2B Payment Fraud Works and How to Stop It

Vendor and invoice fraud happens when a scammer gets into a business's payment systems and either sends fake invoices for goods or services that weren't delivered, pretends to be a real vendor to change payment information, or works with employees to approve fraudulent payments. It preys on the trust and routine of B2B payment processes and the accounts payable workflow.

One important scope note up front, because the term is often used loosely. This article covers all forms of invoice and vendor fraud, not just those perpetrated via Business Email Compromise (BEC). BEC is a delivery vector, a vehicle that gets the fraudulent instruction into the inbox of a finance manager. Once that instruction is followed, the money is vulnerable to invoice fraud. The distinction is important because a defense that is only against email-based attacks completely misses internal collusion, phone-based vendor impersonation, system-level manipulation, and supply chain fraud.

The following sections provide more in-depth explanation on the topic:

  • Types of Vendor and Invoice Fraud
  • The BEC Overlap: When Email Is the Weapon
  • Internal Vendor Fraud: When the Threat Comes From Within
  • Red Flags in Accounts Payable Workflows
  • Controls: How to Safeguard Your Organization
  • The Connection between Money Laundering and Invoice Fraud
  • How Sanction Scanner Can Help You

Types of Vendor and Invoice Fraud

Six recurring typologies explain the vast majority of cases. Each has its own mechanism, its own indicators, its own controlling discipline.

Support 20260707094630 6429

Submission of a false invoice. The fraudster submits a bill for goods or services that never occurred, often using a company name similar enough to an actual vendor to pass a cursory review. The invoice falls within the normal approval limits so it is processed by the AP department because nothing about it appears alarming, and the payment goes out the door. The attack is most effective in large organizations that process a high volume of invoices, where individual review is necessarily hasty. The key control is the three-way match: All invoices are verified against a purchase order and a delivery receipt prior to payment.

Redirecting invoices (change of bank details). Most dangerous by far, because the invoice itself is real. A fraudster calls the accounts payable (AP) officer, posing as a current vendor, and requests an update to the vendor’s banking details. Once this change is made, any future legitimate payments to that vendor are directed to an account controlled by the attacker. The change request often comes through a compromised vendor email account, which the industry now calls Vendor Email Compromise (VEC), a subspecies of BEC. The defining control is the callback: Before any banking detail change is processed, the request is verified by calling the vendor at the phone number on the original contract, never the number in the change request itself.

Impersonation of the vendor. A scammer will set up a company with a name that sounds a lot like a legitimate vendor’s, “Acme Consulting LLC” instead of “Acme Consulting Inc.”, for example, register a similar looking domain, and submit invoices that, at a glance, look totally legit. AP officer, having no reason to suspect anything, pays the fake company. The defining control is upstream at vendor onboarding: KYB screening that confirms company registration, ultimate beneficial ownership, registered address and bank account ownership before a vendor makes its way into the master file.

Internal collusion and insider vendor fraud. The person with AP system access sets up a phony vendor and approves payments to himself or an accomplice. Or the employee inflates real vendor invoices and pockets the difference. Billing schemes are among the highest risk asset misappropriation sub schemes identified in the ACFE’s 2024 report. The typology consistently appears in occupational fraud studies because the perpetrator has both the access and the knowledge of internal controls necessary to bypass them. The key controls are segregation of duties (the person who adds a vendor cannot also be the person who approves payment to that vendor) and periodic vendor master file audits.

Invoicing duplicates. A legitimate vendor sends the same invoice twice, either by accident or on purpose, and the AP officer pays them both. In high volume environments, where each invoice gets seconds of attention, duplicates can easily be missed. The defining control is automated duplicate detection. It matches on invoice number, amount, vendor identifier, and date and flags any match for review prior to payment.

Phantom services and overbilling. A vendor bills you for more units, services, or hours than they actually provided. The pattern is most common in services that are inherently difficult to verify, such as consulting, IT services, construction, advisory work, where the deliverable is intangible or the work was done off site. The signature controls pair fair market value analytics on invoice amounts with digital footprint verification: Does this “consulting firm” actually have employees on LinkedIn? A business address? A web presence consistent with the work being billed?

That absence on those basic markers is a big signal.

Fraud Type

How It Works

Who Is Involved

Difficulty to Detect

Key Control

Fake invoice submission

Invoice for goods/services never delivered, often from a look alike vendor

External fraudster

Medium

Three way match (PO + receipt + invoice)

Invoice redirection

Banking detail change request reroutes legitimate vendor payments

External fraudster, often via VEC

High invoice is real

Mandatory callback to vendor's known number

Vendor impersonation

Look alike company name and domain submits invoices that appear legitimate

External fraudster

Medium High

KYB screening at vendor onboarding

Internal collusion

Employee creates fake vendor or inflates real invoices for personal gain

Insider (often with accomplice)

Very High median 12 months to detect

Segregation of duties + vendor master file audits

Duplicate invoicing

Same invoice paid twice through process gaps

Vendor (intentional or accidental)

Low Medium

Automated duplicate detection

Overbilling / phantom services

Vendor charges for hours, units, or services not delivered

External vendor (sometimes with insider)

High hard to verify intangibles

Fair market value analytics + digital footprint verification

The BEC Overlap: When Email Is the Weapon

Many invoice fraud cases arrive through Business Email Compromise, where a compromised or spoofed email directs the payment change or sends the fake invoice. There is overlap and that is why so much industry coverage lumps them together. To conflate them is a defensive blind spot.

BEC is the delivery vehicle, the means by which a fraudulent instruction reaches the finance team. But the same invoice fraud can arrive by phone, by letter, by an in-person request to an AP officer, or through internal manipulation of the vendor master file, none of which an email-security tool will catch.

Practical takeaway in these cases is if an organization only protects against BEC, it has closed one delivery channel and left the others open. Email security is needed to catch the BEC delivered instruction before it reaches the finance team, and payment controls are needed to catch the fraudulent payment even when the instruction did get through, or when it never came through email in the first place. The two layers supplement rather than substitute for one another.

Internal Vendor Fraud: When the Threat Comes From Within

Internal vendor fraud does most damage per case, for the simple structural reason that the perpetrator has legitimate system access and the operational knowledge to navigate the institution’s controls. The median duration of an occupational fraud scheme is 12 months before detection, and the longer a scheme runs undetected, the larger the median loss grows, according to the ACFE's 2024 report. Internal vendor fraud is both common and expensive because of the combination of access and time.

In a 2025 case at Maidstone Crown Court, a bookkeeper at the electrical machinery firm CSL Power Systems was found to have defrauded the company of £78,000 over roughly 16 months, using company cards for personal spending, hotel stays, dinners, even a five-piece set of Tefal pans, and concealing it behind fake invoices in the AP system. One invoice for "black frames" actually matched the pan purchase; a £75.96 "spill kit" invoice covered dog chews. Within a month, she had joined another firm, where she defrauded a further £18,500 before a chance encounter with someone from CSL exposed her. Despite the total, she was spared jail, receiving a 45-month sentence suspended for two years.

The case has several general features. The scheme lasted over a year before it was discovered, in accordance with a median of 12 months by ACFE. She had multiple outlets for making money, from credit card abuse to fake invoices and eventually a fraudulent finance agreement in her ex partner’s name. This is typical of mature internal fraud cases, which have more than one outlet for the proceeds. The discovery was essentially accidental rather than a result of internal controls: A random encounter, not a planned audit, revealed the second employer’s losses. That last point is the one institutions should sit with the longest. The post discovery review did not close the control gap that had permitted the first £78,000 to leave CSL through fake invoices. That control gap permitted the same person to defraud the next employer through the same mechanics within weeks.

The controls that actually catch this pattern are operational, not technical: Enforced segregation of duties (the person who adds vendors cannot be the person who approves payments to them); mandatory vacation policies, because internal fraud often surfaces precisely when the perpetrator is absent and someone else has to handle their workload; and regular vendor master file audits that flag vendors sharing an address or bank account with an employee, vendors added and paid within the same week, and vendors with no corresponding purchase orders.

Red Flags in Accounts Payable Workflows

The AP workflow has three effective layers of monitoring: Vendor, invoice, and payment, and the best programs look at indicators across all three as one combined signal, not three separate checklists.

Red flags on the vendor level:

  • A new vendor submitting high-value invoices immediately, often before any basic verification.
  • A vendor address that is a residential property or PO box.
  • A vendor bank account in a country other than the vendor's declared country of registration.
  • A vendor with no website, no employees on LinkedIn, and no listing in the relevant corporate registry.
  • A vendor name suspiciously similar to a known legitimate vendor.
  • Recent changes to vendor bank details, especially when the request arrives by email.

Invoice level red flags:

  • Round-number invoices (exactly $50,000 rather than $49,837.50), which is the hallmark of a fabricated amount.
  • Invoices just below approval thresholds: if dual approval kicks in over $25,000, a steady stream of $24,950 invoices is no coincidence.
  • Invoices for intangible services ("consulting," "advisory," "strategic support") that are hard to verify against a deliverable.
  • Duplicate invoice numbers or amounts within short windows.
  • Volume spikes for a single vendor with no corresponding contract change.
  • Invoices submitted in concentrated bursts at period end, when AP teams are busiest and review is shallowest.

Payment level warning signs:

  • Payment requests that require approval outside the regular workflow.
  • A payment to a new bank account for a long-established vendor relationship.
  • Wire transfers to high-risk jurisdictions for vendors that have historically been domestic only.
  • Payments to vendors with no supporting purchase order or contract.

Red Flag Category

Specific Indicator

Why It Matters

What to Do

Relevant Sanction Scanner Capability

Vendor

New vendor + immediate high value invoice

Classic bust out pattern

Hold first payments pending KYB completion

KYB

Vendor

Residential or PO box address

Inconsistent with legitimate B2B vendor

Require physical address verification

KYB

Vendor

Banking details change request via email

Signature of VEC delivered redirection fraud

Callback verification before any change

Fraud Detection

Vendor

No LinkedIn employees, no registry record

Likely shell or non operating entity

Block onboarding pending verification

KYB + Adverse Media

Invoice

Round number amount

Often fabricated rather than computed

Manual review and source document check

Transaction Monitoring

Invoice

Amount just below dual approval threshold

Deliberate evasion of secondary review

Lower the threshold or remove the gap

Transaction Monitoring

Invoice

Intangible services description

Hardest category to verify against delivery

Require contract reference and deliverable

KYB + Fraud Detection

Invoice

Duplicate number/amount in short window

Duplicate billing pattern

Automated duplicate detection at submission

Transaction Monitoring

Payment

New bank account on long standing vendor

Hallmark of invoice redirection

Callback verification, hold payment

Fraud Detection + Sanctions Screening

Payment

Wire to high risk jurisdiction, atypical

Geographic deviation from baseline

Enhanced due diligence on counterparty

Sanctions Screening + Transaction Monitoring

Payment

Vendor missing from PO/contract records

Indicates approval bypass

Reject pending audit trail

Transaction Monitoring

How to Prevent Vendor and Invoice Fraud: Key Controls

The real controls that stop invoice and vendor fraud are not new. They are well understood, well documented and at best under implemented. Six are the most important.

Separation of duties:

The person who adds a vendor to the system should not be the same person who approves payments to the vendor. The person requesting the payment should not be the person releasing the payment. Most cases of internal collusion involve a weak segregation such as one role with the create vendor and approve payment privileges, or two roles assigned to the same person in a small AP team. It’s structural control, not technical. The cost of implementation is largely governance.

Procedures for beneficiary verification and callbacks:

Before changing any vendor banking detail, call the vendor at a known phone number, the one on the original contract, not the one in the change request email. Most invoice redirection fraud is prevented by this one control. The accompanying digital layer is beneficiary screening: The new bank account cross checked against sanctions lists, fraud databases and beneficial ownership records before the change is enacted.

Three-way match:

Each invoice is verified against the purchase order, the goods received note or delivery confirmation and the contract terms. If any one element doesn’t match, the invoice is flagged for manual review, rather than auto paid. Automated three way matching is the gold standard for AP fraud prevention. It entirely neutralizes the fake invoice typology: If there is no PO and no delivery confirmation, then no fake invoice can be paid, no matter who submitted it or how convincingly.

Vendor screening and KYB:

Before adding any vendor to the master file: Check the company’s registration, identify the ultimate beneficial owners, screen against sanctions, PEP and adverse media lists, verify bank account ownership and confirm the vendor’s operational substance (address, employees, web presence).

Vendor master file reviews:

A quarterly review that flags specific high risk patterns: Vendors who share a bank account or address with an employee; dormant vendors who suddenly start submitting invoices; vendors who are added and paid in the same week; vendors who have no purchase orders or contracts. They are visible to a structured audit even when invisible day to day.

Invoice pattern transaction surveillance:

A configurable rule engine that runs scenarios tuned for vendor fraud, including round number payments, payments just under dual approval limits, the new vendor immediate high value pattern, unusual payment frequency by vendor, and payments to jurisdictions inconsistent with the vendor’s stated location. This is where the traditional AP controls morph into a financial crime monitoring layer.

Operational Checklist for AP and Compliance Leads:

☐ Implementation of separation of duties (vendor ≠ approver of payment)

☐ Mandatory callback policy for change of bank details

☐ Three way match for each payment (PO + receipt + invoice)

☐ Screening of all new vendors (sanctions, PEP, adverse media, UBO): KYB

☐ Vendor master file audit, quarterly

☐ Rules for transaction monitoring tailored to invoice fraud patterns

☐ High value payments dual approval threshold adjusted to vendor base

☐ Employee education on invoice fraud warning signs and reporting channels

☐ Incident response plan documented for suspected vendor fraud

☐ Confirmed fraud SAR/STR filing procedures

The Connection Between Money Laundering and Invoice Fraud

Invoice fraud is more than just money theft. It produces profits and profits need laundering. The usual route begins with a payment entering a fraudulent vendor account, then usually moves through mule networks or shell company accounts, layers through a number of institutions, is converted into cryptocurrency or moved across borders and finally emerges as cash, luxury goods or further payments to the controlling network. The laundering and the fraud are not separate problems worked by separate teams. They're the same money at different stages.

The same mechanism that drives small scale invoice fraud, manipulated invoices, also operates at industrial scale as trade based money laundering (TBML). The U.S. Government Accountability Office has identified TBML as a common but hard-to-detect method used by criminal organizations to launder proceeds of crime. The fundamental techniques involve the mis-invoicing of goods and services by over and under invoicing. Estimates of the share of global illicit financial flows that TBML constitutes vary widely across studies and methodologies, but the consistent finding across regulator, academic, and industry sources is that TBML accounts for a substantial portion and that the mis-invoicing technique at its core is the same one that drives invoice fraud, scaled up.

For institutions, this means that a credible defense against vendor and invoice fraud is, by construction, also a defense against an entire class of laundering risk. The KYB identifies shell companies before they get into the vendor master file. Transaction monitoring detects the invoice manipulation patterns whether they are used for fraud or laundering. Sanctions screening is the screening of payments to designated entities or to shell networks associated with such entities. Same controls, same data, same monitoring layer, applied to two problems that are actually one.

How Sanction Scanner Can Help You

Sanction Scanner fights vendor and invoice fraud with three integrated capabilities, intended to work as a single layer rather than three separate tools.

Know Your Business vendor screening on onboarding against sanctions, PEP and adverse media lists, as well as company registration verification and UBO identification. The goal is to keep fraudulent and shell company vendors from ever getting on the master file in the first place, which is the cheapest way to defend against AP fraud in the entire stack.

Transaction Monitoring and Fraud Detection involve a configurable rule engine optimized for invoice fraud patterns (round number anomalies, threshold testing, new vendor immediate high value, payment frequency deviations, banking detail change events). The AML screening layer shares cross module signal sharing so a fraud alert raises the customer’s risk score and an AML pattern tightens fraud thresholds, so the institution runs one risk surface across both disciplines via the Fusion platform.

Sanctions screening involves real time screening of payment beneficiaries against OFAC, EU, UN and other sanctions lists, with the granularity to identify payments to designated entities or to shell companies associated with sanctioned networks.

The architectural point is the same one that runs through this article: Vendor and invoice fraud is a payment process problem that impacts onboarding, monitoring, screening, and case management all at once.

Good programs handle this by thinking of those layers as one defense, not four.

Support 20260707094659 5521