Accounts payable sits at the intersection of trust and money - which makes it one of the most targeted functions in any business. Every B2B payment made under false pretences falls into the category of AP fraud, whether it's committed by an employee, a supplier, or an external scammer who has found a way into your payment process.

According to the ACFE's Report to the Nations, a typical case of occupational fraud goes undetected for around 12 months before anyone notices, and causes a median loss of $145,000. External attacks can be far more expensive: the FBI's IC3 recorded nearly $2.8 billion in business email compromise losses in 2024 alone - and that figure covers only the cases that were actually reported.

The uncomfortable truth is that AP fraud isn't just a large-company problem. Smaller businesses are targeted on the assumption that their controls are lighter - and they often are. Understanding the specific mechanics of each fraud scheme is what lets you build defences that actually match the threat.

Internal AP fraud schemes

Internal fraud - also called occupational fraud - is carried out by employees. The ACFE reports that the most damaging incidents tend to originate in accounting, sales, operations, and executive management, precisely because those roles have access to the financial processes that make fraud possible. Nearly half of all cases are enabled by a lack of controls or the ability to override controls that do exist.

Here are the five internal AP fraud schemes finance teams encounter most often.

1. Billing schemes

An employee redirects payments to an account they control - directly or through a shell company. Variants include fictitious suppliers, pass-through schemes, and duplicate invoice submission. Because the payment looks routine to the system, it can pass through undetected for months.

2. Kickback fraud

Also known as corporate bribery. A supplier pays someone in the business to receive preferential treatment - through cash, gifts, or a share of inflated invoice profits. The buyer effectively holds a hidden financial relationship with the supplier they're meant to evaluate objectively.

3. Expense reimbursement fraud

Any employee who submits expenses can commit this fraud: through mischaracterized, exaggerated, fictitious, or duplicated claims. The ACFE notes it takes an average of two years to detect, partly because the amounts often appear individually unremarkable.

4. Check fraud

Physical forgery of checks remains one of the most lucrative AP fraud types for those with access to the payment process. A paper trail does eventually surface as evidence - but only once investigators know where to look.

5. ACH fraud (internal)

Employees in AP can exploit automated clearing house systems by designating themselves as payees, adding new accounts, or modifying existing payee details. Because ACH transactions often clear the same day, there is minimal time to catch the anomaly before funds move.

External AP fraud schemes

External fraud is executed by scammers, cybercriminals, or compromised suppliers. These attacks often exploit the same trust that makes business relationships function - posing as known contacts, sending convincing invoices, or hijacking communication channels. Four schemes dominate the landscape.

1. Business email compromise (wire scam)

The attacker impersonates a known contact - a CEO, supplier, or colleague - and instructs the AP team to wire funds to a new account. Recent cases make the scale plain: in 2024, carbon manufacturer Orion S.A. lost $60 million after an employee was deceived into wiring funds to attacker-controlled accounts. That same year, a Connecticut business transferred $5.4 million to fraudsters who had spoofed a general contractor's email address - the switch went undetected until the real contractor chased the unpaid balance.

2. Phishing attacks

Email remains the primary vector, but phone calls, SMS, and fake websites are all in use. Phishing attacks are designed to appear legitimate and typically escalate: first extracting credentials, then using those credentials to initiate fraudulent payments or access sensitive systems.

3. Account takeover

Once a fraudster has login credentials - through data theft or phishing - they can execute payments directly, or use the compromised account to deceive others inside the organization. These attacks are difficult to detect because the activity appears to originate from a legitimate user.

4. External ACH fraud

Attackers use a compromised email account to send invoices that appear to come from a known supplier. When the attachment is opened or a link is clicked, the attacker captures access to the accounting system and can begin manipulating payment data.

Warning signs: the red flags finance teams must know

By the time AP fraud shows up in a reconciliation, the money is usually already gone. The warning signs below are most powerful when they're part of daily review habits rather than something dusted off for an annual audit.

Supplier red flags

The vendor list is where a surprising amount of fraud originates. Watch for newly added suppliers with addresses that match an employee's home or resemble residential streets, suppliers operating from free email providers like Gmail or Yahoo, and any vendor that was added to the system by the same person now raising purchase orders against them. Unusually high or low pricing compared to market rates and a pattern of repeat purchases from suppliers delivering consistently poor quality are also worth questioning - both can indicate a kickback arrangement where the financial relationship matters more than the service.

Invoice red flags

Fraudulent invoices are designed to pass a quick visual check, which means the tells are usually in the details. Be alert to amounts that land just below your approval threshold - this is one of the most common tactics used to avoid senior scrutiny. Rounded figures, sequential invoice numbers arriving in clusters, split invoices that together add up to a suspiciously neat total, and photocopied or unprofessional documentation all warrant a closer look. Duplicate payments to the same supplier, whether accidental or deliberate, should trigger an immediate investigation rather than a quiet reversal.

Behavioural red flags

Some of the most reliable fraud signals come from people rather than documents. Unusual payment spikes to a single supplier without a corresponding increase in goods or services received, excessive spending on client entertainment and gifts, and incomplete or missing documentation that gets waved through under time pressure are all patterns worth tracking. Tips and complaints from employees, other suppliers, or customers should never be dismissed - the ACFE consistently finds that whistleblowers are among the earliest and most reliable sources of fraud detection in organizations of every size.

The threat has changed: what AP fraud looks like in 2026

The red flags above have existed for decades. What's changed is the technology behind them. AI has industrialized fraud in a way that makes pattern recognition - the skill most finance teams rely on - significantly less reliable.

Over the last year alone, AI-enabled fraud attempts have surged by more than 1,200%. The shift isn't just in volume. It's in believability.

Deepfakes and agentic AI

The phishing email used to be easy to spot: odd phrasing, a mismatched domain, a sense of urgency that felt off. That era is ending. Agentic AI systems can now analyse months of email history to replicate a CEO's exact tone, sign-off style, and typical invoice patterns. A $20k bill that arrives with the right urgency, the right language, and a familiar supplier name is no longer obviously suspicious - it's designed not to be.

The question finance teams in 2026 are asking isn't "how do we train staff to spot phishing?" It's: "what mechanical barrier exists that doesn't depend on a human making the right call?"

AI-intercepted bank detail changes

Fraudsters are now using AI tools to intercept invoice PDFs in transit and alter bank account numbers in a way that is visually indistinguishable from the original document. By the time the payment is made and the real supplier chases the outstanding balance, the money is gone. The bank reconciliation will confirm the loss - three weeks later.

Synthetic vendor identities

Ghost vendor fraud has evolved. Rather than simply inventing a supplier, fraudsters now blend real identity data with fabricated details to create vendors that pass surface-level checks: they have a registered address, a plausible trading history, and invoices that look professionally produced. The tell is rarely in the document - it's in whether your system required a human decision-maker to approve that vendor before any money could flow to them.

Velocity testing

A growing tactic involves sending multiple small, round-number invoices - $9,500 rather than $9,487.23, for example - in rapid succession to test whether they slip through manual approval gates unnoticed. The assumption is that a busy approver will clear low-value bills without scrutiny. Five of them in a week, from a vendor who typically bills once a month, is a pattern. Manual processes rarely catch patterns in real time.
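
To make the invoice red flags and the velocity pattern concrete, here is an added example written for this article (it is not code from ApprovalMax or any other product). It runs the heuristics described above over a small constructed set of bills: amounts parked just under a $10,000 approval limit, round-number figures, exact duplicates on supplier, date and amount, same-day batches that split a neat total into sub-limit pieces, and a supplier whose weekly volume jumps far above its own history. The approval limit, the 5% band, the 7-day window and the supplier names are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed approval limit of $10,000, held in integer cents so the threshold
# and round-number checks are exact (no floating-point edge cases).
APPROVAL_LIMIT_CENTS = 1_000_000


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    supplier: str
    issued: date
    amount_cents: int


def just_below_limit(invoices, limit=APPROVAL_LIMIT_CENTS, band_bps=500):
    """Bills inside the band (default 5%) just under the approval limit."""
    floor = limit - limit * band_bps // 10_000
    return [inv for inv in invoices if floor <= inv.amount_cents < limit]


def round_amounts(invoices, unit_cents=50_000):
    """Bills that are an exact multiple of $500, a typical invented figure."""
    return [inv for inv in invoices if inv.amount_cents % unit_cents == 0]


def duplicate_bills(invoices):
    """Exact matches on (supplier, date, amount); returns every id in a group
    that occurs more than once."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[(inv.supplier, inv.issued, inv.amount_cents)].append(inv.invoice_id)
    return sorted(i for ids in groups.values() if len(ids) > 1 for i in ids)


def split_batches(invoices, limit=APPROVAL_LIMIT_CENTS, neat_unit_cents=100_000):
    """Same supplier, same day: each bill is under the limit, but together they
    reach it and land on a neat $1,000 multiple. Keyed by (supplier, ISO date)."""
    by_day = defaultdict(list)
    for inv in invoices:
        by_day[(inv.supplier, inv.issued)].append(inv.amount_cents)
    flagged = {}
    for (supplier, day), amounts in by_day.items():
        total = sum(amounts)
        if (len(amounts) > 1 and max(amounts) < limit
                and total >= limit and total % neat_unit_cents == 0):
            flagged[(supplier, day.isoformat())] = total
    return flagged


def velocity_spikes(invoices, window_days=7, min_count=3, multiplier=3.0):
    """Per supplier, compare the busiest window with the supplier's own average
    bills-per-window over its whole history. A monthly biller that sends five
    bills in a week stands out; a supplier with no history is its own baseline
    and is left to the supplier approval step instead."""
    by_supplier = defaultdict(list)
    for inv in invoices:
        by_supplier[inv.supplier].append(inv.issued)
    spikes = {}
    for supplier, days in by_supplier.items():
        days.sort()
        span_days = (days[-1] - days[0]).days + 1
        expected = len(days) * window_days / span_days
        peak = 0
        for i, start in enumerate(days):
            end = start + timedelta(days=window_days - 1)
            peak = max(peak, sum(1 for d in days[i:] if d <= end))
        if peak >= min_count and peak > multiplier * expected:
            spikes[supplier] = peak
    return spikes


def run_checks(invoices):
    """Run every heuristic; ids are sorted so the output is stable."""
    return {
        "just_below_limit": sorted(i.invoice_id for i in just_below_limit(invoices)),
        "round_amounts": sorted(i.invoice_id for i in round_amounts(invoices)),
        "duplicates": duplicate_bills(invoices),
        "split_batches": split_batches(invoices),
        "velocity_spikes": velocity_spikes(invoices),
    }


# Constructed sample bills (not real data): a regular supplier with one exact
# duplicate, a monthly supplier that bursts five $9,500 bills in one week, and
# a supplier splitting $10,000 into three same-day pieces.
SAMPLE_INVOICES = [
    *[Invoice(f"ACM-{m}", "Acme Office Supplies", date(2026, m, 1), 105_000) for m in range(1, 5)],
    Invoice("ACM-4-dup", "Acme Office Supplies", date(2026, 4, 1), 105_000),
    *[Invoice(f"NW-{m}", "Northwind Consulting", date(2026, m, 15), 112_000) for m in range(1, 5)],
    *[Invoice(f"NW-burst-{d}", "Northwind Consulting", date(2026, 5, d), 950_000) for d in range(4, 9)],
    Invoice("BR-1", "Blue Ridge Logistics", date(2026, 5, 6), 400_000),
    Invoice("BR-2", "Blue Ridge Logistics", date(2026, 5, 6), 250_000),
    Invoice("BR-3", "Blue Ridge Logistics", date(2026, 5, 6), 350_000),
]

if __name__ == "__main__":
    for check, hits in run_checks(SAMPLE_INVOICES).items():
        print(f"{check}: {hits}")
```

The velocity check uses each supplier's own history as its baseline, so a brand-new supplier cannot trip it. That is deliberate: a new supplier should be stopped by the supplier approval step, not by a statistical rule, and it keeps first-time invoices from being flagged wholesale. Run the file directly to print each check's hits for the sample ledger.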

The common thread across all five threats is the same: they are specifically engineered to get past human judgement. The defence has to be structural.

What finance leaders are saying in 2026

The conversation around AP fraud has shifted. It's no longer about isolated bad luck - it's about systemic failure, AI-powered attacks, and a new wave of corporate transparency legislation that makes "I didn't know" a personal legal liability. These are the concerns we're hearing directly from finance leaders right now.

Why manual controls fail to catch AP fraud schemes

The fundamental problem with manual AP processes is that fraud is designed to look like normal business activity. A billing scheme uses real invoice templates. A kickback involves a real supplier. External ACH fraud arrives from a trusted email address.

Manual review depends on reviewers being both vigilant and consistent - which becomes harder as invoice volumes grow. Approval limits stored in documents rather than enforced by systems can be ignored. A single person controlling submission, approval, and payment removes any possibility of independent verification. And when the audit trail lives in email threads or spreadsheets, reconstructing what actually happened is difficult even after fraud is suspected.

This is precisely why the ACFE found that 81% of victim organizations strengthened controls after experiencing fraud - not because they didn't know controls mattered, but because the gaps only became visible once they were exploited.

How automation closes the gaps

Automated AP workflows remove the conditions that make most fraud schemes viable in the first place. When approval rules are enforced by the system rather than remembered by individuals, and when every action is logged automatically, the window for undetected fraud shrinks considerably.

ApprovalMax is designed specifically to remove the structural vulnerabilities that AP fraud exploits. Here's how each feature maps to a fraud prevention need.

Automated delegation of authority

Approval rules are enforced by the system - not memory or goodwill. No one can process a payment without the correct sign-off at the correct threshold. 50% of bills in ApprovalMax are approved in under one day.

Fraud detection: bypassing and post-approval changes

ApprovalMax flags documents approved directly in Xero (bypassing the workflow) and any changes made after approval. Administrators receive automatic notifications for both events.

Bill-to-PO matching

If a bill's total exceeds the linked purchase order, approval is blocked until the discrepancy is resolved. Delivery notes and proof of acceptance can be attached to every document for three-way matching.

Duplicate bill detection

ApprovalMax cross-checks supplier, date, and amount across all bills. If two documents appear to be duplicates, approvers are notified immediately - before payment is released.

Supplier approval workflow

New vendors must pass an approval process before any purchase order can be raised with them. This directly counters fake supplier schemes and kickback fraud by ensuring decision-makers vet every new contact.

Restricted Xero access

Approvers in ApprovalMax only see the documents relevant to their role - they don't need (and don't get) full access to the general ledger. This limits the blast radius of any compromised account.

Audit trail and audit reports

Every approval decision is logged automatically and published to Xero. Auditors can be granted read-only access to all workflows, making audit preparation straightforward rather than stressful.

2FA and auto-logout

Two-factor authentication protects access to the platform. Users inactive for more than 15 minutes are automatically logged out - reducing the risk of account takeover through an unattended session.

Questions we hear on every discovery call

These are the five questions finance leaders ask most often when evaluating AP fraud controls in 2026. Here's exactly how ApprovalMax addresses each one.

"How do we know the person approving in the app is actually who they say they are, if their email could be compromised by an AI agent?"

ApprovalMax sits outside your accounting software as an independent approval layer, which means a compromised email account alone isn't enough to push a payment through. Two-factor authentication is enforced at login, and every approval action is tied to a verified user identity with a timestamped audit log. An attacker who has taken over an email account still cannot approve a bill without authenticated access to ApprovalMax itself - and any approval made outside the workflow triggers an immediate administrator alert.

"Does ApprovalMax flag if a vendor's bank details were changed between the time the PO was raised and the bill was received?"

Yes - and this is one of the most important controls in the platform. ApprovalMax's fraud detection feature notifies administrators any time a change is made to an approved document, including alterations to vendor details after the approval process has completed. Combined with the bill-to-PO matching feature, any discrepancy between what was agreed at purchase order stage and what appears on the bill will block approval until the difference is resolved or explained.

"I need to prove to my auditors that the person who created the new vendor didn't also approve the $50k payment. How does your system prevent a one-person loop?"

This is exactly what the supplier approval workflow and delegated authority rules are designed to prevent. In ApprovalMax, the role that creates a new vendor contact and the role that approves payments to that vendor are configured as separate steps, each requiring a different approver. The system enforces this - it isn't a policy someone can override by being in a hurry. The audit trail then shows, with timestamps and named approvers, that no single person controlled both steps. That's the documentation an auditor - or a prosecutor - needs to see.
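
The audit-trail properties described above (no single person both creates a vendor and approves payment to it; edits after approval and payments outside the workflow are surfaced) can be checked mechanically over an event log. The following is an added illustration written for this article, not ApprovalMax's implementation: the event names, actors, bill ids and timestamps are invented, and a real audit export would carry its own field names.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    at: datetime
    actor: str
    action: str       # vendor.created | vendor.approved | bill.approved | bill.modified | bill.paid
    subject: str      # vendor name for vendor.* events, bill id for bill.* events
    vendor: str = ""  # for bill.* events: the vendor the bill pays


def _in_order(events):
    return sorted(events, key=lambda e: e.at)


def one_person_loops(events):
    """Bills approved by the same person who created the vendor being paid."""
    creator = {e.subject: e.actor for e in events if e.action == "vendor.created"}
    return sorted((e.subject, e.actor) for e in events
                  if e.action == "bill.approved" and creator.get(e.vendor) == e.actor)


def post_approval_changes(events):
    """Bills edited after their latest approval and not re-approved since."""
    approved_at, dirty = {}, set()
    for e in _in_order(events):
        if e.action == "bill.approved":
            approved_at[e.subject] = e.at
            dirty.discard(e.subject)  # a fresh approval clears the flag
        elif e.action == "bill.modified" and e.subject in approved_at:
            dirty.add(e.subject)
    return sorted(dirty)


def bypassed_workflow(events):
    """Bills paid with no workflow approval recorded before the payment."""
    approved, bypassed = set(), []
    for e in _in_order(events):
        if e.action == "bill.approved":
            approved.add(e.subject)
        elif e.action == "bill.paid" and e.subject not in approved:
            bypassed.append(e.subject)
    return bypassed


def review(events):
    """Summary of all three findings, keyed by finding name."""
    return {
        "one_person_loops": one_person_loops(events),
        "post_approval_changes": post_approval_changes(events),
        "bypassed_workflow": bypassed_workflow(events),
    }


def ts(hour, minute=0):
    """Timestamp helper for the constructed sample (one working day)."""
    return datetime(2026, 5, 6, hour, minute)


# Constructed audit trail: invented actors, bill ids and event names.
SAMPLE_TRAIL = [
    AuditEvent(ts(9), "dana", "vendor.created", "Northwind Consulting"),
    AuditEvent(ts(10), "lee", "vendor.approved", "Northwind Consulting"),
    AuditEvent(ts(11), "dana", "bill.approved", "B-101", vendor="Northwind Consulting"),  # one-person loop
    AuditEvent(ts(9, 30), "dana", "vendor.created", "Acme Office Supplies"),
    AuditEvent(ts(10, 30), "lee", "vendor.approved", "Acme Office Supplies"),
    AuditEvent(ts(11, 30), "lee", "bill.approved", "B-102", vendor="Acme Office Supplies"),
    AuditEvent(ts(14), "sam", "bill.paid", "B-102", vendor="Acme Office Supplies"),  # clean
    AuditEvent(ts(12), "lee", "bill.approved", "B-103", vendor="Acme Office Supplies"),
    AuditEvent(ts(12, 30), "dana", "bill.modified", "B-103", vendor="Acme Office Supplies"),  # edited after approval
    AuditEvent(ts(13), "sam", "bill.paid", "B-104", vendor="Northwind Consulting"),  # never approved
]

if __name__ == "__main__":
    for finding, hits in review(SAMPLE_TRAIL).items():
        print(f"{finding}: {hits}")
```

Each finding corresponds to one of the controls the answer relies on: the loop check is segregation of duties read back from the log, the post-approval check is the "changes after approval" alert, and the bypass check is the "approved outside the workflow" alert. Because the checks only need timestamps, actors and actions, they can be run over an exported trail independently of the system that produced it, which is what an auditor wants.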

"We've seen invoices from companies that look legitimate on paper but don't exist in any registry. Can you auto-verify vendor KYC details?"

ApprovalMax doesn't perform automated KYC checks against external registries natively - but it closes the gap that synthetic vendor fraud exploits. Every new vendor must pass a dedicated supplier approval workflow before a purchase order can be raised with them. That workflow routes the new contact to a named decision-maker for manual vetting - meaning no payment can reach a vendor that hasn't been explicitly approved by a human with accountability for that decision. Paired with your own KYC process, ApprovalMax ensures the verification step cannot be skipped or fast-tracked by the person requesting the new vendor.

"Can the system alert me if a vendor who usually bills us $1k suddenly sends five $9k invoices in a single week?"

ApprovalMax's duplicate bill detection cross-checks supplier, amount, and date across all incoming bills and flags anomalies for approver review before payment. For volume and velocity spikes specifically, the approval threshold rules mean that bills above a set value automatically escalate to a senior approver - so a sudden pattern of high-value invoices from an unusual source can't clear the same lightweight approval route as a routine low-value bill. You can also configure approval workflows by supplier, meaning a vendor with an unusual billing history can be routed to additional scrutiny by default.

The goal isn't to eliminate trust from financial operations - it's to make trust verifiable. When every step is recorded and every rule is enforced automatically, the conditions that enable AP fraud schemes simply don't exist in the same way. Fraud becomes harder to execute, easier to detect, and faster to prove.

If you're building or reviewing your AP controls framework, our guide to accounts payable controls walks through the full picture - from preventive controls through to detective reviews. And if segregation of duties is a specific gap, our SoD implementation guide covers how to structure roles even in small teams.