Invoice fraud cost UK businesses millions last year. Learn the red flags and how to automate your defences.
The invoice looked legitimate. Professional letterhead, correct supplier details, reasonable amount for the type of work described. It followed the usual path through accounts payable and was paid on schedule. Only months later, during a reconciliation exercise, did anyone realise that the work described had never been performed, the supplier didn't exist, and £35,000 had been stolen.
Invoice fraud takes many forms, but the outcome is consistent: money leaves your organisation and doesn't come back. Understanding the common patterns and implementing appropriate controls is essential for any organisation processing significant invoice volumes.
The Landscape of Invoice Fraud
Invoice fraud isn't a single threat—it's a category of threats with different characteristics and different controls.
Fictitious supplier fraud involves creating fake vendors and submitting invoices for goods or services never provided. This may involve external criminals who somehow inject invoices into your process, or internal fraudsters who create suppliers and approve payments to themselves.
Genuine supplier impersonation hijacks real supplier relationships. Criminals monitor your supplier communications, then send convincing messages requesting bank detail changes. Future payments go to the criminals instead of the legitimate supplier. The supplier gets nothing; the fraudster gets everything.
Internal collusion involves employees working with external parties to defraud the organisation. A purchasing manager approves inflated invoices in exchange for kickbacks. A warehouse worker confirms receipt of goods that never arrived. The collusion creates false paper trails that conceal the fraud.
Duplicate payment fraud may be opportunistic or deliberate. Suppliers submit the same invoice twice, hoping inattention will result in double payment. Or internal actors deliberately process payments twice, redirecting the duplicate.
Overcharging may be subtle or blatant. Prices drift upward from contracted rates. Quantities are inflated. Administrative fees appear that were never agreed. Without verification, these overcharges simply get paid.
Red Flags and Warning Signs
Fraudulent invoices often exhibit patterns that distinguish them from legitimate transactions.
Invoices without purchase orders warrant scrutiny. Legitimate suppliers know they need purchase orders to get paid. Invoices arriving without corresponding orders may indicate either poor process compliance or attempted fraud.
Round number amounts are statistically unusual for genuine invoices. Real transactions usually result in odd figures—£4,327.18, not £5,000.00. Suspiciously round numbers deserve investigation.
New suppliers with immediate large invoices present higher risk. Legitimate new relationships typically start smaller. A brand-new vendor immediately billing large amounts should trigger verification.
Invoices just below approval thresholds may indicate knowledge of your controls. If your threshold for additional approval is £10,000, invoices consistently arriving at £9,800 suggest someone is deliberately staying under the radar.
Post office box addresses rather than physical locations can indicate shell companies. Legitimate businesses typically have real addresses.
Pressure for rapid payment is a common fraud indicator. Criminals want money before anyone asks questions. Legitimate suppliers generally understand normal payment cycles.
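The warning signs above can be screened automatically before an invoice reaches an approver. The following is an added example, not code from the original article: the record fields, the 5% band under the threshold, the 90-day and £5,000 limits for new suppliers, the multiple-of-1,000 test for round amounts and the urgency keywords are all assumptions chosen for illustration, and the invoices are constructed.

```python
import re
from datetime import date
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("10000")  # the article's example threshold
NEAR_BAND = Decimal("0.05")            # assumption: within 5% below the threshold
NEW_SUPPLIER_DAYS = 90                 # assumption: "new" means onboarded <= 90 days ago
NEW_SUPPLIER_LARGE = Decimal("5000")   # assumption: "large" for a new supplier
ROUND_UNIT = 1000                      # assumption: exact multiples count as round
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*Box\b", re.I)
URGENT = re.compile(r"\b(urgent|immediately|same[- ]day)\b", re.I)

def red_flags(inv, today):
    """Return the names of the red flags raised by one invoice record."""
    amount, flags = inv["amount"], []
    if not inv.get("po_number"):
        flags.append("no_purchase_order")
    if amount % ROUND_UNIT == 0:
        flags.append("round_amount")
    age_days = (today - inv["supplier_onboarded"]).days
    if age_days <= NEW_SUPPLIER_DAYS and amount >= NEW_SUPPLIER_LARGE:
        flags.append("new_supplier_large_invoice")
    if APPROVAL_THRESHOLD * (1 - NEAR_BAND) <= amount < APPROVAL_THRESHOLD:
        flags.append("just_below_threshold")
    if PO_BOX.search(inv["supplier_address"]):
        flags.append("po_box_address")
    if URGENT.search(inv.get("note", "")):
        flags.append("payment_pressure")
    return flags

def triage(invoices, today):
    """Map invoice id -> flags, keeping only invoices that raised at least one."""
    hits = {inv["id"]: red_flags(inv, today) for inv in invoices}
    return {k: v for k, v in hits.items() if v}

TODAY = date(2024, 6, 1)  # constructed review date
INVOICES = [  # constructed sample records
    {"id": "INV-001", "amount": Decimal("4327.18"), "po_number": "PO-7781",
     "supplier_onboarded": date(2021, 3, 14),
     "supplier_address": "Unit 4, Mill Lane, Leeds", "note": ""},
    {"id": "INV-002", "amount": Decimal("5000.00"), "po_number": None,
     "supplier_onboarded": date(2024, 5, 20),
     "supplier_address": "PO Box 114, London", "note": "URGENT: pay today"},
    {"id": "INV-003", "amount": Decimal("9800.00"), "po_number": "PO-7802",
     "supplier_onboarded": date(2022, 9, 1), "supplier_address": "12 Dock Road, Hull", "note": ""},
]

if __name__ == "__main__":
    print(triage(INVOICES, TODAY))
```

A flag is a prompt for review rather than proof of fraud, so the output is best routed to a verification queue instead of blocking payment outright.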
Prevention Controls
Effective fraud prevention requires multiple layers. No single control stops all fraud; the combination creates resilience.
Supplier verification at onboarding confirms that new suppliers are legitimate businesses. Company registration checks, site visits for significant relationships, and reference verification all contribute to confidence that you're dealing with real entities.
Three-way matching compares invoices against purchase orders and receiving documents. Invoices without orders get flagged. Invoices for goods not received get caught. This basic control prevents a wide range of fraud and error.
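Three-way matching as described above, written out as an added example that is not part of the original article. The record layout, the 2% price tolerance and the sample data are assumptions, and the sketch ignores earlier invoices already billed against the same order. The same comparison also surfaces the overcharging patterns mentioned earlier (inflated quantities and prices above the ordered rate).

```python
from decimal import Decimal

PRICE_TOLERANCE = Decimal("0.02")  # assumption: accept up to 2% unit-price variance

def three_way_match(invoice, purchase_orders, receipts):
    """Return a list of exceptions; an empty list means the invoice matches."""
    po = purchase_orders.get(invoice.get("po_number"))
    if po is None:
        return ["no matching purchase order"]
    issues = []
    if invoice["supplier_id"] != po["supplier_id"]:
        issues.append("supplier differs from purchase order")
    received = receipts.get(invoice["po_number"], {})
    for sku, (qty, unit_price) in invoice["lines"].items():
        if sku not in po["lines"]:
            issues.append(f"{sku}: not on purchase order")
            continue
        po_qty, po_price = po["lines"][sku]
        got = received.get(sku, 0)
        if unit_price > po_price * (1 + PRICE_TOLERANCE):
            issues.append(f"{sku}: price {unit_price} above ordered {po_price}")
        if qty > po_qty:
            issues.append(f"{sku}: billed {qty}, ordered {po_qty}")
        if qty > got:
            issues.append(f"{sku}: billed {qty}, received {got}")
    return issues

# Constructed sample data: one order for 100 widgets, 80 delivered so far.
PURCHASE_ORDERS = {"PO-7781": {"supplier_id": "S-100",
                               "lines": {"WIDGET": (100, Decimal("12.50"))}}}
RECEIPTS = {"PO-7781": {"WIDGET": 80}}
INVOICES = {
    "clean": {"po_number": "PO-7781", "supplier_id": "S-100",
              "lines": {"WIDGET": (80, Decimal("12.50"))}},
    "inflated": {"po_number": "PO-7781", "supplier_id": "S-100",
                 "lines": {"WIDGET": (120, Decimal("13.40"))}},
    "no_po": {"po_number": None, "supplier_id": "S-999",
              "lines": {"CONSULTING": (1, Decimal("35000.00"))}},
}

if __name__ == "__main__":
    for name, inv in INVOICES.items():
        print(name, three_way_match(inv, PURCHASE_ORDERS, RECEIPTS) or "matched")
```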
Segregation of duties ensures no single person controls the entire payment process. The person who creates suppliers shouldn't approve payments. The person who approves invoices shouldn't execute payments. Distributing responsibilities creates checks and balances.
Payment verification requires confirmation before significant payments are released: a phone call to a known contact at the supplier, confirming that the invoice is genuine and the bank details are correct. This specifically addresses impersonation fraud.
Exception monitoring identifies unusual patterns. Payments to new bank accounts, payments significantly larger than historical norms, unusual timing patterns—all warrant investigation.
Detection Mechanisms
Despite prevention efforts, some fraud will occur. Detection mechanisms limit damage and enable recovery.
Data analytics can identify suspicious patterns across transaction populations. Benford's Law analysis flags unusual digit distributions. Duplicate detection finds repeated payments. Vendor similarity analysis identifies potential shell companies. Analytics catches what individual transaction review might miss.
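Two of the analytics named above, first-digit Benford analysis and duplicate payment detection, as an added example that is not from the original article. The payment fields, the invoice reference normalisation and both data sets are assumptions constructed for illustration; the deviation measure used is the mean absolute deviation from Benford's expected shares.

```python
import math
import re
from collections import Counter, defaultdict
from decimal import Decimal

# Benford's expected share of each leading digit 1-9
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

def first_digit_shares(amounts):
    """Observed share of each leading digit across non-zero amounts."""
    digits = [int(str(abs(a)).lstrip("0.")[0]) for a in amounts if a]
    counts = Counter(digits)
    return {d: counts[d] / len(digits) for d in BENFORD}

def benford_mad(amounts):
    """Mean absolute deviation between observed and expected shares."""
    seen = first_digit_shares(amounts)
    return sum(abs(seen[d] - BENFORD[d]) for d in BENFORD) / len(BENFORD)

def most_overrepresented_digit(amounts):
    """Leading digit whose share most exceeds Benford's expectation."""
    seen = first_digit_shares(amounts)
    return max(BENFORD, key=lambda d: seen[d] - BENFORD[d])

def find_duplicates(payments):
    """Group payment ids sharing supplier, amount and normalised invoice ref."""
    groups = defaultdict(list)
    for p in payments:
        # Assumption: resubmissions differ only in case, punctuation, zero padding
        ref = re.sub(r"[^A-Z0-9]", "", p["invoice_ref"].upper())
        ref = re.sub(r"(?<![0-9])0+(?=[0-9])", "", ref)
        groups[(p["supplier_id"], p["amount"], ref)].append(p["payment_id"])
    return [ids for ids in groups.values() if len(ids) > 1]

# Constructed data: a geometric spread of amounts, then the same ledger with
# 60 extra invoices parked just under a 10,000 approval threshold.
CLEAN = [round(100 * 1.07 ** k, 2) for k in range(200)]
SUSPECT = CLEAN + [9800.0 + k for k in range(60)]
PAYMENTS = [  # constructed
    {"payment_id": "P1", "supplier_id": "S-100", "amount": Decimal("4327.18"), "invoice_ref": "INV-0042"},
    {"payment_id": "P2", "supplier_id": "S-100", "amount": Decimal("4327.18"), "invoice_ref": "inv 42"},
    {"payment_id": "P3", "supplier_id": "S-200", "amount": Decimal("4327.18"), "invoice_ref": "INV-0042"},
]

if __name__ == "__main__":
    print(f"clean MAD {benford_mad(CLEAN):.4f}, suspect MAD {benford_mad(SUSPECT):.4f}")
    print("over-represented digit:", most_overrepresented_digit(SUSPECT))
    print("duplicate groups:", find_duplicates(PAYMENTS))
```

Benford analysis needs a reasonably large population spanning several orders of magnitude; on a small or narrow-range ledger a high deviation is not meaningful by itself.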
Reconciliation processes compare what should have happened against what did happen. Supplier statement reconciliation identifies payments you made that the supplier didn't receive—a clear indicator that money went somewhere else. Bank reconciliation catches irregularities in payment execution.
Tip lines and whistleblower programmes surface fraud that analytical methods miss. People see things that systems don't. Anonymous reporting mechanisms encourage disclosure of concerns.
Audit testing specifically targets fraud scenarios. Internal audit should test controls periodically and conduct substantive testing for indicators of fraud. External audit provides another layer of scrutiny.
Response and Recovery
When fraud is detected, response should be swift and methodical.
Immediate containment stops further loss. Freeze payments to suspected accounts. Suspend access for suspected individuals. Secure relevant documentation before it can be altered or destroyed.
Investigation determines what happened, how much was lost, who was involved, and how controls failed. Internal investigation may be supplemented by forensic accountants or specialist fraud investigators depending on scale and complexity.
Reporting to authorities should occur promptly. Action Fraud is the UK's national reporting centre for fraud. Police involvement may be appropriate for significant cases. Some industries have sector-specific reporting obligations.
Recovery efforts pursue stolen funds. Banks may be able to freeze or recover money if notified quickly. Insurance may cover some losses. Legal action against perpetrators may eventually recover value, though rarely the full amount.
Control improvement addresses the failures that enabled the fraud. What control gaps were exploited? What warning signs were missed? The fraud's success identifies weaknesses that must be remediated.
The Human Factor
Technology and process matter, but people remain central to both fraud commission and fraud prevention.
Training ensures staff recognise fraud indicators and understand their role in prevention. Awareness of common schemes, permission to question unusual requests, and knowledge of reporting channels all contribute to human defence.
Culture determines whether prevention is a priority or an afterthought. Organisations that treat fraud prevention seriously—that resource it, measure it, and hold people accountable—suffer less fraud than those that treat it as compliance overhead.
Scepticism should be encouraged. Staff who question unusual requests, verify unexpected communications, and escalate concerns prevent frauds that would otherwise succeed. This scepticism needs to be cultivated and supported.
The Cost-Benefit Reality
Fraud prevention has costs. Verification takes time. Controls create friction. Investigation consumes resources. Is it worth it?
The answer depends on fraud exposure, which is often underestimated. Industry surveys suggest organisations lose 5% of expenditure to fraud and error annually. For an organisation spending £100 million with suppliers, that's £5 million at risk.
Even if you recover half and prevent half through controls, the investment in prevention typically pays for itself many times over. The organisations that treat fraud prevention as unnecessary overhead are typically those that haven't yet discovered how much they're losing.