Invoice Fraud Prevention

How it works

Where AP fraud actually enters

Payment redirection fraud cost Australian businesses AU$152.6 million in 2024, according to the ACCC's National Anti-Scam Centre. That figure covers detected, reported losses - the actual number is higher, because fraud discovered months after the fact is often handled quietly. What the data makes clear is that these losses aren't concentrated in enterprises with complex supplier networks. They concentrate in businesses with established supplier relationships, regular invoice volumes, and manual verification processes - which describes most 15-to-50-person Australian businesses precisely.

AP fraud enters through three specific windows: when a new supplier is onboarded without verification; when an existing supplier's bank details are changed on an incoming invoice; and when a single person can approve and execute a payment without a second checkpoint. These three windows tend to coexist in the same business at the same time, because none of them look like obvious failures from the inside - they look like lean, efficient processes.

Why bank detail changes are the highest-value vector

An attacker doesn't need to create a fake supplier from scratch. They need to intercept a real invoice from a supplier the business already trusts, change the bank account number, and submit it. The business processes it as a routine invoice from a known supplier. The payment goes to the wrong account. The real supplier, unpaid, eventually queries it - sometimes weeks later, sometimes after multiple payment cycles.

The fraud works because bank detail changes are sometimes legitimate. Suppliers do change banks. Detecting the fraudulent ones requires comparing the account number on every incoming invoice against the account stored for that supplier - automatically, on every invoice, not just when someone thinks to check. A manual check is a check that gets skipped under volume. An automated comparison is a check that runs on every invoice regardless.

When the comparison catches a discrepancy, the invoice is held immediately - before it reaches the approval queue - with a specific flag explaining what changed. The resolution path is a callback to the supplier using a contact number from prior correspondence, not from the invoice that triggered the alert. That distinction is critical: the fraudster controls the email and may control the number on the invoice. They don't control your existing relationship with the supplier's finance team.

What automated controls catch that manual review misses

Manual review catches fraud when the reviewer happens to notice something unusual. Automated controls catch it on every invoice, regardless of who's reviewing and what else is on their plate.

Duplicate detection is the clearest example. At 80 invoices per month from 25 suppliers, remembering whether invoice #INV-2847 from a given supplier was already processed last month requires either excellent recall or checking the supplier's history before approving. Under deadline pressure, the check gets skipped. An automated duplicate check - cross-referencing by invoice number, amount, and date - runs in milliseconds and doesn't get tired near month-end.

ABN verification is the same pattern. Checking whether a supplier's ABN is active and matches their registered entity name is a 10-second lookup against the ATO's ABR. It should run on every invoice from every supplier. In practice, it runs when someone remembers to do it. An automated check runs without anyone needing to remember.

Frequently asked questions

Related glossary terms