Finance for Growing Companies | Cash Flow Desk
Vendor Fraud: 7 Common Schemes and How to Prevent Them
Finance for Founders

Vendor Fraud: 7 Common Schemes and How to Prevent Them

Brian from Cash Flow Desk
Brian from Cash Flow Desk

March 23, 2026

Your AP team processes hundreds of invoices every month. One of them is from a vendor that doesn't exist, submitted by an employee who created the account, approved the payment, and routed the funds to a personal bank account. The invoice looked normal because it was designed by someone who knows what normal looks like from the inside.

This guide covers the seven most common vendor fraud schemes, how to detect them through invoice and payment pattern analysis, the prevention controls that actually work for growing companies, and what to do when you discover fraud has already occurred.

What is vendor fraud?

Vendor fraud is the deliberate exploitation of accounts payable processes to steal money from a company. It shows up as fake invoices from fictional companies, inflated bills from real vendors, payments redirected to fraudulent accounts, and kickback arrangements between employees and suppliers. Every scheme targets a gap in how your company sets up vendors, approves invoices, executes payments, or reconciles accounts.

These schemes split into two categories. Internal fraud involves employees who create fake vendors, approve inflated invoices, or steer contracts to suppliers who pay them under the table. External fraud comes from outside parties, including vendors who overbill or criminals who impersonate legitimate suppliers. The most damaging cases involve collusion between insiders and outsiders, where an employee provides access and a third party exploits it.

Why these schemes succeed

Most vendor fraud doesn't require sophisticated hacking or elaborate deception. The ACFE estimates that organizations lose 5% of revenue to occupational fraud each year, and vendor schemes account for a significant share of those losses. These schemes exploit structural weaknesses that exist in nearly every growing company's AP workflow.

  • Manual processes and weak onboarding: When your company doesn't verify Tax IDs, check business registrations, or cross-reference vendor addresses against employee records, shell companies can enter your system unchallenged.
  • Weak segregation of duties: A single person controlling vendor setup through payment execution eliminates every checkpoint that would catch a fraudulent transaction before money leaves the account.
  • High invoice volume: Teams processing hundreds of invoices per week spend less time scrutinizing individual transactions and are more likely to miss bookkeeping errors and fraudulent entries.

Seven common vendor fraud schemes

These seven patterns account for the vast majority of vendor fraud losses.

Ghost vendors

An employee creates a fictitious company in your payment system, submits invoices under that company's name, and routes payments to a bank account they control. Ghost vendor schemes often use P.O. boxes or virtual office addresses that are hard to verify through casual review. They persist because the person submitting the invoice is often the same person approving it.

Invoice overbilling

A real vendor inflates prices or quantities on legitimate invoices, sometimes with the cooperation of an internal employee who approves the inflated amount in exchange for a kickback. Overbilling is harder to catch than ghost vendors because the vendor relationship is genuine. Catching it requires comparing invoice amounts against purchase order records and receiving documents.

Duplicate invoicing

A fraudster submits the same invoice twice, or submits a slightly altered version with a different invoice number. The second payment gets diverted to a personal account. Duplicate schemes exploit high-volume AP environments where manual comparison is impractical.

Vendor impersonation

Criminals pose as an existing vendor by spoofing email addresses and replicating invoice formatting. They send updated banking details and request that future payments go to a new account. This scheme mirrors the business email compromise tactics used in wire fraud and targets the trust companies place in ongoing vendor relationships.

Kickbacks and collusion

An employee steers contracts to a preferred vendor in exchange for personal benefits. The vendor inflates invoices to cover the cost of the kickback, and the employee approves the inflated amounts. These arrangements can run for years because both parties benefit from keeping the scheme hidden.

Check tampering

Employees with access to blank checks forge signatures or alter payee information. Check tampering has declined as more companies move to electronic payments, but checks remain the payment method most targeted by fraud and it remains a risk for businesses that still rely on paper checks for vendor payments or disbursement processes.

Bid rigging

Competing vendors coordinate to manipulate bidding processes. They submit intentionally high bids, abstain from bidding entirely, or rotate who submits the winning bid. The FTC classifies bid rigging as a violation of antitrust law, and the DOJ's Procurement Collusion Strike Force actively prosecutes these schemes. Bid rigging undermines sound procurement by eliminating genuine competition and inflating costs.

How to detect vendor fraud

Early detection limits financial damage and strengthens your position for recovery. Three categories of red flags signal that fraud may be occurring.

Invoice red flags

Invoices from fraudulent vendors often contain subtle formatting problems that distinguish them from legitimate documents. These patterns show up most often:

  • Poor production quality: Blurry logos, inconsistent fonts, misaligned columns, and formatting errors suggest an invoice was created outside of standard accounting software.
  • Personal email domains: Invoices from Gmail, Yahoo, or other free email providers for what should be an established business warrant immediate verification.
  • Round dollar amounts: Legitimate invoices almost always include cents. Consistently round numbers suggest the amounts were invented.
  • Just-below-threshold amounts: Invoices that consistently land just under your approval threshold indicate someone who knows your internal controls and is working around them.

Any of these patterns in isolation could be coincidence, but two or more appearing on the same vendor's invoices should trigger a deeper review.

Vendor file anomalies

Your vendor master file contains patterns that point to fraud when you know where to look. Cross-reference vendor data against employee records quarterly and flag address overlaps where a vendor's address matches an employee's home or mailing address, shared phone numbers appearing on multiple vendor accounts or matching an employee's personal phone, duplicate Tax IDs where two or more vendors are registered under the same number, and suspicious profiles with P.O. box addresses, no phone number on file, or business names that closely resemble existing vendors.

One flag on its own may have a legitimate explanation. Multiple flags on the same vendor record should move that vendor to the top of your audit queue.

Payment pattern analysis

Transaction data reveals fraud patterns that individual invoices cannot. Monitor for these warning signs:

  • Duplicate invoice numbers across vendors: The same invoice number appearing under different vendor accounts suggests a fraudster is reusing templates or submitting the same charge through multiple channels.
  • Repeated identical amounts: The same dollar figure billed to the same vendor on different dates, especially round numbers, points to fabricated invoices rather than genuine transactions.
  • Sudden spend spikes: A vendor with stable billing history that shows a sharp increase in charges deserves immediate review of the underlying purchase orders and receiving documents.

Flagging ACH fraud patterns in your payment data is equally important since vendor impersonation schemes often target electronic payment channels.

Prevention controls that work

Prevention is cheaper than investigation and recovery. These controls work together to close the gaps that make fraud possible.

Verified vendor onboarding

A structured onboarding process eliminates most ghost vendor schemes before they start. Require W-9 forms before any first payment, and build a verification checklist that includes the following steps:

  • Tax ID verification: Confirm the vendor's legal name and Tax ID through IRS TIN Matching before entering them into your system.
  • Business registration confirmation: Verify the vendor's registration through their state Secretary of State database.
  • Exclusion screening: Run the vendor through SAM.gov exclusion records and OFAC databases to check for debarment or sanctions.
  • Employee cross-referencing: Compare vendor addresses, phone numbers, and bank account details against employee records to catch ghost vendor attempts.

This process takes 15 to 20 minutes per vendor and closes the majority of exploitation gaps.

Segregation of duties

Separate vendor setup, invoice approval, payment execution, and bank reconciliation among different people. No single employee should control the full lifecycle of a vendor relationship from creation through payment. This is the single most effective control against vendor fraud because it requires collusion between multiple people to defeat.

For smaller companies where full separation isn't possible, compensating controls work. Have the owner or COO review all new vendors, banking changes, and payments above a defined threshold. Assign bank reconciliation to someone who cannot modify vendor details. Even partial separation makes fraud significantly harder to execute undetected.

Three-way matching

Match every invoice against its purchase order and receiving documents before approving payment. Three-way matching catches overbilling, duplicate invoices, phantom deliveries, and payments for goods or services that were never received. Even a manual checklist version of this process prevents many schemes that rely on invoices being approved without verification.

Employee fraud reporting

Anonymous reporting channels catch schemes that audits and automated monitoring miss. Establish a hotline or online portal with a clear non-retaliation policy, and train employees regularly on how to recognize common schemes. Training should use plain language and real examples, not abstract policy documents. The ACFE's 2024 Report to the Nations found that 43% of fraud cases were detected through tips, and organizations with hotlines experienced median losses of $100,000 compared to $200,000 at organizations without them.

Regular vendor file audits

Quarterly reviews of your vendor master file surface problems that transactional monitoring misses. Each review should check for the following:

  • Duplicate vendor names or Tax IDs: Multiple records that may represent the same entity or a ghost vendor variant.
  • Employee address matches: Vendor addresses that overlap with employee home or mailing addresses.
  • Dormant vendors with recent banking updates: A vendor that hasn't invoiced in months but suddenly changes bank details is a classic impersonation signal.
  • Routing number changes within 90 days: Frequent banking changes on any vendor account deserve verification before the next payment.

These audits take a few hours per quarter and often uncover issues that automated controls miss.

What to do when fraud is discovered

The first 48 hours after discovery determine how much you can recover and how effectively you can prevent recurrence. Move quickly through these steps:

  • Preserve evidence: Collect invoices, approval records, vendor setup documents, and communication logs without altering anything. Restrict the suspected individual's system access immediately so no records can be modified or deleted.
  • Engage legal counsel: Internal interviews conducted without legal guidance can create liability for the company or compromise a future case. Once counsel is engaged, a forensic accountant can trace losses through the payment chain and identify the scheme's full scope.
  • Notify your insurance carrier: Check your policies for employee dishonesty or commercial crime coverage and file promptly, since delayed notification is one of the most common reasons claims get denied.
  • Strengthen the specific control that failed: If a ghost vendor entered your system, tighten onboarding verification. If duplicate invoices were paid, implement three-way matching. Feed lessons learned into updated onboarding checklists, tighter approval workflows, revised audit procedures, and refreshed employee training that includes the real example your team just experienced.

Frequently asked questions about vendor fraud

What is the most common type of vendor fraud?

Ghost vendor schemes are among the most frequently reported types. Billing schemes account for 22% of asset misappropriation cases, and shell companies are the most common variant. An employee creates a fake company in the payment system, submits invoices under that company's name, and routes payment to an account they control. These schemes thrive when one person handles both vendor setup and invoice approval without independent oversight.

How do you verify a vendor is legitimate?

Collect a W-9 before processing any first payment. Verify the Tax ID through IRS TIN Matching, confirm business registration through the state Secretary of State database, screen against SAM and OFAC exclusion lists, and cross-check addresses and phone numbers against employee records. The full process takes 15 to 20 minutes per vendor.

Can automation prevent vendor fraud?

AP automation tools flag duplicate invoices, enforce approval workflows, verify vendor data, and block payments that don't match purchase orders. These controls reduce exposure significantly, but they can't eliminate fraud entirely. If a single person controls the process from vendor creation through payment execution, automated workflows can be overridden or bypassed. Automation works best when paired with segregation of duties and regular vendor file audits.

How often should companies audit their vendor files?

Quarterly audits are the standard recommendation. Each review should check for duplicate vendor names or Tax IDs, matches between vendor and employee addresses, dormant vendors with recent banking or contact updates, and unexplained routing number changes. Companies with higher transaction volumes or recent fraud incidents should consider monthly reviews until controls stabilize.

What is the difference between internal and external vendor fraud?

Internal vendor fraud involves employees who exploit their access to company systems. They create ghost vendors or approve inflated invoices for kickbacks. External vendor fraud comes from outside parties, including vendors who overbill or criminals who impersonate legitimate suppliers. The most damaging cases involve collusion between insiders and outsiders, where an employee provides system access and a third party exploits it.