Invoice Fraud Prevention: How AP Teams Can Detect and Stop Payment Scams

Invoice fraud costs businesses an estimated $26 billion annually worldwide. Accounts payable departments are the primary target because they control the payment process. This guide gives AP teams 8 actionable controls to detect and stop the most common fraud schemes — from phantom invoices to business email compromise — before they cause financial loss.

Pedfs Finance Team
April 5, 2026
$26B lost to invoice fraud annually
80% of businesses targeted by fraud
more fraud in remote work era
48 hrs to detect fraud with automation

Invoice fraud is not a niche risk for large corporations — it is a daily threat for businesses of every size. The Association of Certified Fraud Examiners estimates that organisations lose 5% of annual revenue to fraud, and billing schemes (which include invoice fraud) are the most common type. For a business with $2 million in annual revenue, that represents $100,000 in potential losses.

The good news is that invoice fraud is highly preventable. Unlike sophisticated cyberattacks that require technical expertise to defend against, most invoice fraud schemes exploit process gaps rather than technical vulnerabilities. Closing those gaps with the right combination of controls, training, and technology makes your AP department a much harder target — and diverts fraudsters toward easier prey.

01. Understand the Most Common Invoice Fraud Schemes

Invoice fraud takes many forms, and AP teams that cannot name the specific schemes they face are poorly positioned to defend against them. The three most prevalent types are: phantom invoice fraud (an invoice submitted for goods or services never ordered or received), vendor impersonation fraud (a criminal poses as a legitimate supplier and redirects payments to a fraudulent bank account), and business email compromise (BEC), where attackers intercept or spoof email communications to insert fraudulent payment instructions into a legitimate transaction.

Understanding the mechanics of each scheme allows you to design targeted controls. Phantom invoice fraud is best caught by three-way matching — comparing the purchase order, receiving report, and invoice before payment is approved. Vendor impersonation fraud is stopped by robust bank account change verification procedures. BEC is mitigated by out-of-band verification for any payment instruction received by email, regardless of how legitimate the sender appears. Knowing which scheme you are defending against makes every subsequent control more effective.

02. Implement Vendor Master File Controls

The vendor master file is the single most targeted asset in an AP department. It contains the bank account details, contact information, and payment terms for every supplier your business pays. A fraudster who can add a fictitious vendor, or modify the bank account of a legitimate one, can redirect payments indefinitely without triggering any transactional controls.

Effective vendor master file governance requires three things: restricted access (only a designated vendor master administrator should be able to create or modify vendor records, and this person should never be the same individual who approves invoices or initiates payments), a documented change process (every new vendor or bank account change must be supported by written authorisation from a manager and verified against source documents), and regular audits (at least quarterly, review the vendor master file for duplicate bank accounts, recently changed bank details, vendors with no recent activity, and vendors whose addresses match employee addresses). These three controls together eliminate the vast majority of vendor master fraud risk.
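The quarterly vendor master review described above can be scripted over an export of the file. The following is an added example, not Pedfs code; the record fields, sample data and the 90-day and 365-day thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed vendor and employee records; the field names are assumptions.
VENDORS = [
    {"id": "V001", "bank_account": "TEST-0001", "address": "12 Mill Rd",
     "bank_changed": date(2026, 3, 20), "last_paid": date(2026, 3, 28)},
    {"id": "V002", "bank_account": "TEST-0002", "address": "4 Quay St",
     "bank_changed": date(2024, 1, 10), "last_paid": date(2026, 2, 14)},
    {"id": "V003", "bank_account": "test 0001", "address": "88 High St",
     "bank_changed": date(2025, 6, 1), "last_paid": date(2026, 3, 1)},
    {"id": "V004", "bank_account": "TEST-0004", "address": "7 Elm Close",
     "bank_changed": date(2023, 5, 5), "last_paid": date(2024, 9, 30)},
]
EMPLOYEES = [{"name": "J. Doe", "address": "7  elm close"}]

def key(text):
    """Normalise case, spacing and punctuation so near-identical values compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def audit_vendor_master(vendors, employees, today, recent_days=90, dormant_days=365):
    """Run the four quarterly checks; the day thresholds are assumed defaults."""
    findings = defaultdict(list)
    by_account = defaultdict(list)
    for v in vendors:
        by_account[key(v["bank_account"])].append(v["id"])
    for ids in by_account.values():
        if len(ids) > 1:  # one account paying several "different" vendors
            findings["duplicate_bank_account"].append(sorted(ids))
    staff_addresses = {key(e["address"]) for e in employees}
    for v in vendors:
        if (today - v["bank_changed"]).days <= recent_days:
            findings["recent_bank_change"].append(v["id"])
        if (today - v["last_paid"]).days > dormant_days:
            findings["no_recent_activity"].append(v["id"])
        if key(v["address"]) in staff_addresses:
            findings["address_matches_employee"].append(v["id"])
    return dict(findings)

if __name__ == "__main__":
    for check, hits in audit_vendor_master(VENDORS, EMPLOYEES, date(2026, 4, 5)).items():
        print(check, hits)
```

Each finding is a prompt for review against source documents, not proof of fraud: a shared bank account can be a legitimate parent company, for example.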

03. Segregate Duties in the AP Department

Segregation of duties (SoD) is the foundational internal control for fraud prevention. The principle is simple: no single person should be able to initiate, approve, and record a payment. When one person controls the entire payment cycle, fraud becomes trivially easy — they can create a fictitious vendor, approve a phantom invoice, and authorise the payment with no independent check at any stage.

In a well-segregated AP function, the person who enters invoices into the accounting system is different from the person who approves them for payment, who is different again from the person who initiates the bank transfer. In small businesses where headcount makes full segregation difficult, compensating controls — such as requiring the business owner to review and approve all payments above a threshold, or using dual-authorisation for bank transfers — can provide equivalent protection. Documenting your SoD matrix and reviewing it whenever staff change roles is essential to maintaining this control over time.

04. Use Three-Way Matching as a First Line of Defence

Three-way matching — comparing the purchase order, the goods receipt note, and the supplier invoice before approving payment — is the most effective transactional control against phantom invoice fraud. A phantom invoice, by definition, has no corresponding purchase order or receiving report. If your AP process requires all three documents to match before a payment can be approved, phantom invoices are caught automatically.

The challenge for most small businesses is that three-way matching is time-consuming when done manually. Each match requires pulling three separate documents, comparing quantities, unit prices, and totals, and investigating any discrepancies. Automating this process with a tool that extracts structured data from PDF invoices can reduce matching time from minutes to seconds. Our guide to explains how to implement this control in detail, including how to handle partial deliveries and price variances within agreed tolerances.
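A three-way match over already-extracted data, including the partial-delivery and price-tolerance cases mentioned above, can look like this. It is an added example, not Pedfs code; the document layout, sample values and the 2% price tolerance are assumptions, and it does not track earlier invoices against the same purchase order.

```python
from decimal import Decimal

# Constructed documents keyed by PO number; field names and the 2% tolerance are assumptions.
PURCHASE_ORDERS = {"PO-1001": {"vendor": "V001", "lines": {"WIDGET": (100, Decimal("2.50"))}}}
GOODS_RECEIPTS = {"PO-1001": {"WIDGET": 60}}  # partial delivery: 60 of 100 units received

def three_way_match(invoice, pos, receipts, price_tolerance=Decimal("0.02")):
    """Return the list of exceptions; an empty list means all three documents agree."""
    po = pos.get(invoice["po"])
    if po is None:
        return ["no purchase order on file"]  # the phantom-invoice case
    received = receipts.get(invoice["po"])
    if received is None:
        return ["no goods receipt for this purchase order"]
    issues = []
    if invoice["vendor"] != po["vendor"]:
        issues.append("invoice vendor differs from PO vendor")
    line_total = Decimal("0")
    for sku, (qty, price) in invoice["lines"].items():
        line_total += qty * price
        if sku not in po["lines"]:
            issues.append(f"{sku}: not on the purchase order")
            continue
        po_qty, po_price = po["lines"][sku]
        got = received.get(sku, 0)
        # Partial deliveries pass as long as the invoice bills only what has arrived.
        if qty > min(got, po_qty):
            issues.append(f"{sku}: billed {qty}, ordered {po_qty}, received {got}")
        if abs(price - po_price) > po_price * price_tolerance:
            issues.append(f"{sku}: unit price {price} vs PO price {po_price}")
    if line_total != invoice["total"]:
        issues.append(f"stated total {invoice['total']} does not equal line total {line_total}")
    return issues

def make_invoice(po, qty, price, total, vendor="V001"):
    """Build a constructed single-line invoice for the demo below."""
    return {"po": po, "vendor": vendor, "total": Decimal(total),
            "lines": {"WIDGET": (qty, Decimal(price))}}

if __name__ == "__main__":
    for inv in (make_invoice("PO-1001", 60, "2.52", "151.20"),
                make_invoice("PO-1001", 100, "2.50", "250.00"),
                make_invoice("PO-9999", 10, "2.50", "25.00")):
        print(three_way_match(inv, PURCHASE_ORDERS, GOODS_RECEIPTS) or "match")
```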

05. Verify New Vendor Bank Account Changes by Phone

One of the most effective and underused fraud prevention controls is the out-of-band verification call. Whenever a supplier requests a change to their bank account details — regardless of whether the request arrives by email, letter, or even on company letterhead — your AP team should call the supplier on a phone number sourced independently (from your vendor master file or the supplier's official website, not from the request itself) to confirm the change before it is processed.

This single control stops the vast majority of vendor impersonation and BEC attacks. Fraudsters rely on the fact that most AP teams will process a bank account change request without verification, especially if it appears to come from a known supplier's email address. A phone call to a verified number takes less than two minutes and makes the attack economically unviable. Document every verification call — who called, who they spoke to, what was confirmed, and when — as evidence of your due diligence in the event of a dispute.

06. Deploy AI-Powered Invoice Anomaly Detection

Manual fraud detection relies on AP staff noticing something unusual about an invoice — an unfamiliar vendor name, an odd amount, a slightly different bank account number. Human attention is inconsistent and easily overwhelmed by volume. AI-powered anomaly detection applies consistent rules to every invoice, flagging exceptions for human review regardless of how many invoices are processed.

Effective anomaly detection rules include: invoices from vendors not in the approved vendor master file, invoices with amounts just below approval thresholds, duplicate invoice numbers from the same vendor, and invoices submitted shortly after a vendor bank account change. When you use , these rules can be applied automatically as part of the extraction workflow, creating a systematic fraud detection layer that operates at the speed of your invoice volume.
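The four rules listed above, written as deterministic checks over a batch of extracted invoices. This is an added example, not Pedfs code; the approval threshold, the 5% margin, the 30-day window, the field names and the sample data are all assumptions.

```python
from datetime import date
from decimal import Decimal

# Constructed vendor master extract; thresholds below are assumptions to tune locally.
APPROVED_VENDORS = {"V001": {"bank_changed": date(2026, 3, 30)},
                    "V002": {"bank_changed": date(2024, 1, 10)}}
APPROVAL_THRESHOLD = Decimal("5000")  # assumed: amounts at or above this need extra sign-off
NEAR_MARGIN = Decimal("0.05")         # assumed: "just below" means within 5% under it
BANK_CHANGE_WINDOW_DAYS = 30          # assumed meaning of "shortly after"

# Constructed invoices as they might come out of an extraction step.
INVOICES = [
    {"vendor": "V001", "number": "INV-0042", "amount": Decimal("4950.00"), "received": date(2026, 4, 2)},
    {"vendor": "V002", "number": "A-17", "amount": Decimal("1200.00"), "received": date(2026, 4, 2)},
    {"vendor": "V001", "number": "inv 0042", "amount": Decimal("310.00"), "received": date(2026, 4, 3)},
    {"vendor": "V999", "number": "77", "amount": Decimal("5000.00"), "received": date(2026, 4, 3)},
]

def flag_invoices(invoices, vendors):
    """Return {position in batch: [rule names]} for invoices that need human review."""
    flags, seen = {}, set()
    floor = APPROVAL_THRESHOLD * (1 - NEAR_MARGIN)
    for i, inv in enumerate(invoices):
        hits = []
        vendor = vendors.get(inv["vendor"])
        if vendor is None:
            hits.append("vendor_not_in_master_file")
        elif 0 <= (inv["received"] - vendor["bank_changed"]).days <= BANK_CHANGE_WINDOW_DAYS:
            hits.append("soon_after_bank_change")
        if floor <= inv["amount"] < APPROVAL_THRESHOLD:
            hits.append("just_below_approval_threshold")
        # Ignore case and punctuation so "INV-0042" and "inv 0042" count as one number.
        number = "".join(ch for ch in inv["number"].upper() if ch.isalnum())
        if (inv["vendor"], number) in seen:
            hits.append("duplicate_invoice_number")
        seen.add((inv["vendor"], number))
        if hits:
            flags[i] = hits
    return flags

if __name__ == "__main__":
    for position, rules in flag_invoices(INVOICES, APPROVED_VENDORS).items():
        print(INVOICES[position]["number"], rules)
```

In production the duplicate check needs the vendor's full invoice history rather than one batch, since a resubmitted invoice usually arrives weeks after the original.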

07. Conduct Regular AP Audits

Periodic AP audits are the feedback mechanism that tells you whether your fraud prevention controls are working. An audit does not need to be a comprehensive forensic exercise — a targeted review of high-risk areas conducted quarterly provides substantial assurance at a manageable cost. Key areas to review include: payments to vendors added in the last 90 days, payments made outside normal business hours or on weekends, payments to vendors with addresses that match employee addresses or PO boxes, and any manual journal entries that bypass the normal AP workflow.

The audit should also test whether your controls are actually being followed. Pull a sample of invoices processed in the quarter and verify that each one has a matching PO and receiving report, that the approver is not the same person as the invoice processor, and that any bank account changes were verified by phone. Controls that exist on paper but are not consistently applied provide no real protection. Documenting your audit findings and tracking remediation of any gaps closes the loop on your fraud prevention programme.
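The sample test described above, together with the segregation-of-duties rule from section 03, can be run over a payment export as follows. This is an added example, not Pedfs code; the record fields, the 08:00 to 18:00 working day, the strict three-person separation and the sample payments are assumptions.

```python
from datetime import date, datetime

# Constructed payment records; field names and the 08:00-18:00 working day are assumptions.
PAYMENTS = [
    {"id": "P1", "vendor_added": date(2025, 1, 15), "paid_at": datetime(2026, 3, 10, 11, 5),
     "entered_by": "amy", "approved_by": "raj", "released_by": "lena",
     "has_po": True, "has_receipt": True},
    {"id": "P2", "vendor_added": date(2026, 2, 20), "paid_at": datetime(2026, 3, 14, 22, 40),
     "entered_by": "amy", "approved_by": "amy", "released_by": "lena",
     "has_po": False, "has_receipt": False},
    {"id": "P3", "vendor_added": date(2024, 6, 1), "paid_at": datetime(2026, 3, 11, 23, 15),
     "entered_by": "amy", "approved_by": "raj", "released_by": "raj",
     "has_po": True, "has_receipt": True},
]

def audit_payment(p, as_of, new_vendor_days=90, working_hours=(8, 18)):
    """Return the audit findings for one payment; an empty list means it passed."""
    findings = []
    if (as_of - p["vendor_added"]).days <= new_vendor_days:
        findings.append(f"vendor added in the last {new_vendor_days} days")
    if p["paid_at"].weekday() >= 5:  # Saturday or Sunday
        findings.append("paid on a weekend")
    elif not working_hours[0] <= p["paid_at"].hour < working_hours[1]:
        findings.append("paid outside business hours")
    # Entry, approval and release must be three different people.
    if len({p["entered_by"], p["approved_by"], p["released_by"]}) < 3:
        findings.append("segregation of duties breach")
    if not (p["has_po"] and p["has_receipt"]):
        findings.append("missing PO or receiving report")
    return findings

def audit_sample(payments, as_of):
    """Map payment id to findings, leaving out payments that passed every test."""
    results = {p["id"]: audit_payment(p, as_of) for p in payments}
    return {pid: found for pid, found in results.items() if found}

if __name__ == "__main__":
    for pid, found in audit_sample(PAYMENTS, date(2026, 4, 5)).items():
        print(pid, found)
```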

08. Train Your Team to Recognise Red Flags

Technology and process controls are only as effective as the people implementing them. AP staff who understand fraud schemes and know what to look for are your most valuable fraud prevention asset. Regular training — at minimum annually, and whenever a new fraud scheme emerges — should cover the specific red flags relevant to your business: invoices from unfamiliar vendors, requests to change payment details, pressure to process a payment urgently, and any communication that asks you to bypass normal procedures.

Training should be practical, not theoretical. Use real examples of fraud attempts (anonymised if necessary) to illustrate what a suspicious invoice or email looks like. Role-play scenarios where staff must decide whether to process or escalate a payment. Create a clear escalation path so that when a team member is uncertain about a payment, they know exactly who to contact and feel empowered to raise concerns without fear of being seen as obstructive. A culture where fraud awareness is valued and rewarded is the ultimate defence against schemes that no technology can fully anticipate.

Quick Reference: 8 Invoice Fraud Controls at a Glance

#  | Control                           | Fraud Type Prevented
01 | Understand common fraud schemes   | All fraud types
02 | Vendor master file governance     | Vendor impersonation
03 | Segregate AP duties               | Internal fraud
04 | Three-way matching                | Phantom invoices
05 | Phone verify bank account changes | BEC & impersonation
06 | AI anomaly detection              | All fraud types
07 | Regular AP audits                 | Ongoing monitoring
08 | Staff fraud awareness training    | Social engineering

No single control eliminates invoice fraud risk entirely. The most resilient AP departments layer multiple controls — process controls like SoD and three-way matching, technology controls like anomaly detection, and human controls like staff training and verification calls — so that a fraudster must defeat several independent barriers to succeed. Each layer you add makes your business a harder target.

For teams looking to strengthen their AP controls more broadly, our guide to explains how digitising your invoice process creates the audit trail and structured data that makes fraud detection significantly easier. You can also explore how reduces the manual touchpoints where fraud most commonly occurs.
