Accounts Payable Fraud Prevention: Protecting Your AP Team
Your accounts payable team is the #1 target for payment fraud. Invoice scams, BEC attacks, and payment redirection all funnel through AP. Here is how to protect it.
Why accounts payable is the frontline of payment fraud
Every outbound payment in your organisation flows through accounts payable. That makes AP the single most valuable target for anyone trying to steal money from your business. It is not a technology problem. It is a process problem. Attackers exploit the gap between receiving payment instructions and verifying those instructions are legitimate.
AP teams process hundreds or thousands of invoices per month. They work under pressure to meet payment deadlines. They interact with external suppliers, contractors, and partners daily. Each of those interactions is a potential entry point for fraud.
The core issue is trust. When an invoice arrives, AP staff trust that it is legitimate because it looks legitimate. When bank details change, they trust the email because it came from a known address. When an executive requests an urgent payment, they trust the authority. Fraudsters know this, and they exploit it systematically.
In 2024, payment redirection fraud cost Australians $152.6 million, a 66% increase year-on-year (NASC). The majority of these losses involved some form of AP manipulation. Whether through fake invoices, compromised emails, or redirected payments, the money left through AP.
The four AP fraud schemes every finance team must know
These are the most common attacks targeting accounts payable teams in Australia. Each exploits a different weakness in the payment process.
Invoice fraud
Fake, duplicate, or inflated invoices designed to extract payments for goods or services that were never delivered. This includes entirely fictitious suppliers, duplicate submissions of legitimate invoices, and inflated amounts on real invoices. It is the most common form of AP fraud because it exploits the volume of invoices AP teams process daily.
Learn about fake invoice scams →
Business email compromise (BEC)
Attackers gain access to a supplier's email account (or convincingly spoof it) and send "updated bank details" to your AP team. Because the email looks genuine and comes from a trusted source, AP staff process the change. The next payment goes directly to the attacker. BEC cost Australian businesses $84 million in FY2023-24 alone.
Learn about BEC attacks →
Payment redirection fraud
A supplier's bank details are changed in your system, either through a compromised email, a phone call, or even internal manipulation. The payment is redirected to an account the attacker controls. By the time anyone notices, the money is gone. Banks detect only 13% of scam payments, and reimburse just 2-5% of total losses (ASIC).
Learn about payment redirection →
Ghost vendors
Fictitious suppliers are set up in your vendor master file, often by an internal employee or through compromised credentials. Invoices are submitted against these fake vendors, approved through normal workflows, and paid to bank accounts the fraudster controls. Ghost vendors can go undetected for months or years, especially in organisations with large vendor lists and limited review cycles.
Internal controls that work (and where they break down)
Good internal controls are the foundation of AP fraud prevention. They reduce risk, create accountability, and make fraud harder to execute. But they are not enough on their own. Every manual control has a failure mode, and attackers design their schemes to exploit exactly those modes.
Segregation of duties ensures no single person can create a vendor, approve an invoice, and authorise payment. It works well in theory. In practice, small teams often share roles. Staff cover for each other during leave. Workarounds become habits. And segregation does nothing to verify whether the bank account on an invoice actually belongs to the supplier.
Three-way matching compares the purchase order, goods receipt, and invoice to ensure they align. It catches overbilling and duplicate invoices effectively. But it does not verify the payment destination. A perfectly matched invoice can still have fraudulent bank details.
Approval workflows require manager sign-off before payments are released. They add a checkpoint, but approvers rarely verify bank details independently. They check the amount, the vendor name, and the GL code. The bank account? They trust that AP has it right.
Callback verification (phoning the supplier to confirm bank details) is the gold standard for manual verification. When done properly, it works. The problem is consistency. Most businesses still rely on informal verification: a phone call, an email, or nothing at all. The percentage of callbacks drops further during busy periods like end of month and end of financial year.
The pattern is clear. Internal controls reduce the probability of fraud, but they rely on humans executing them correctly every single time. That is where automation comes in.
How automation closes the gaps manual processes leave open
Manual controls fail when people skip steps, work under pressure, or face sophisticated social engineering. Automated verification runs on every transaction, every time, without exception.
Verify the payee, not just the invoice
Manual processes verify the invoice (amount, PO, receipt). Automated verification goes further: it confirms the person or business behind the invoice actually owns the bank account you are about to pay. This is the check that catches payment redirection, BEC, and ghost vendors.
Run on every transaction without adding workload
The reason callbacks fail is not that they do not work. It is that they take time, and AP teams do not have time to call every supplier on every payment. Automated verification runs in seconds, on every transaction, with no additional effort from your team.
Detect changes before they become losses
When bank details change in your system, automated re-verification catches it immediately. The payment is held until the new details are confirmed. No reliance on someone noticing a suspicious email or remembering to make a phone call.
Create an audit trail that holds up
Every verification is logged with a timestamp, the data checked, and the result. When auditors, insurers, or regulators ask how you verified a payment, you have a tamper-proof record. Not a note in a spreadsheet or a memory of a phone call.
Want to see the difference in detail? Read our guide on manual vs automated payment verification.
How ezyshield protects your AP workflow
ezyshield sits between your AP process and your payments. Before money moves, every payee is verified. Not once, but before every pay run.
Verify the person and the business
Biometric identity verification confirms the person is who they claim to be. ABN and ASIC checks confirm the business is real, active, and matches the details on the invoice.
Confirm bank account ownership
Live Confirmation of Payee queries the receiving bank in real time to confirm the account belongs to the verified entity. Not a database lookup. A live check.
Re-verify before every pay run
Verified once is not verified forever. ezyshield automatically re-checks every payee before each pay run. If anything has changed, the payment is held until the new details are confirmed.
Tamper-proof audit trail
Every verification is logged: who was checked, what was verified, when it happened, and what the result was. Export reports for auditors, insurers, or internal compliance reviews.
Building an AP fraud prevention framework
Effective AP fraud prevention is not a single tool or a single policy. It is a layered approach that combines people, process, and technology. Here is what a strong framework looks like.
1. Vendor onboarding controls. Every new vendor should go through a verification process before they are added to your master file. This means confirming the business exists (ABN/ASIC check), verifying the contact person's identity, and validating bank account ownership. Do this once at onboarding, and you eliminate ghost vendors before they enter your system.
2. Bank detail change protocols. Any request to change bank details should trigger an independent verification process. Never update bank details based solely on an email, even if it comes from a known contact. The email account may be compromised. Use a separate channel (phone call to a known number, or automated verification) to confirm the change.
3. Segregation of duties. Ensure that the person who creates a vendor record is not the same person who approves invoices or authorises payments. This creates checkpoints that make fraud harder to execute unilaterally.
4. Regular vendor master reviews. Audit your vendor list at least quarterly. Look for vendors with no recent activity, vendors with PO Box addresses, vendors where the bank account matches another vendor or an employee, and vendors created by users who no longer work at your organisation.
5. Automated verification at the payment layer. Even with all the controls above, the final check matters most: before money leaves your account, verify that the bank account belongs to the person or business you intend to pay. This is the step that catches everything else that slips through.
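The vendor master review heuristics in step 4 and the bank-detail change protocol in step 2 can both be written down as plain checks over the vendor file. The Python below is an added example, not ezyshield's code or part of the original article: the record layout, the sample vendors, the employee payroll accounts and the user list are all constructed for illustration, and the 365-day "no recent activity" window is an assumed threshold that a real review would set to suit its own payment cycle.

```python
"""Vendor master review (step 4) and bank-detail change hold (step 2).

Added example with constructed data; the record layout and sample values are
assumptions, not a real system's schema.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

BankAccount = Tuple[str, str]  # (BSB, account number)

# Matches a PO Box / GPO Box style address; a review trigger, not proof of fraud.
PO_BOX = re.compile(r"\b(?:GPO|PO|P\.O\.)\s*Box\b", re.IGNORECASE)


@dataclass
class Vendor:
    vendor_id: str
    name: str
    address: str
    bsb: str             # bank details currently on file (last verified)
    account: str
    created_by: str      # user who created the master record
    last_paid: Optional[date]


def review_vendor_master(vendors: List[Vendor], employee_accounts: Dict[BankAccount, str],
                         active_users: Set[str], today: date,
                         stale_days: int = 365) -> Dict[str, List[str]]:
    """Return {vendor_id: [reasons]} for every vendor that needs a manual look.
    The checks are the ones listed in step 4 of the framework."""
    by_account: Dict[BankAccount, List[str]] = {}
    for v in vendors:
        by_account.setdefault((v.bsb, v.account), []).append(v.vendor_id)

    flags: Dict[str, List[str]] = {}
    for v in vendors:
        reasons = []
        if v.last_paid is None or (today - v.last_paid).days > stale_days:
            reasons.append(f"no payment activity in the last {stale_days} days")
        if PO_BOX.search(v.address):
            reasons.append("PO Box address only")
        others = [i for i in by_account[(v.bsb, v.account)] if i != v.vendor_id]
        if others:
            reasons.append("bank account shared with vendor(s) " + ", ".join(others))
        employee = employee_accounts.get((v.bsb, v.account))
        if employee:
            reasons.append(f"bank account matches employee {employee}")
        if v.created_by not in active_users:
            reasons.append(f"created by user no longer active: {v.created_by}")
        if reasons:
            flags[v.vendor_id] = reasons
    return flags


def handle_bank_detail_change(vendor: Vendor, new_bsb: str, new_account: str,
                              confirmed_out_of_band: bool) -> str:
    """Step 2: a request to change bank details is never applied from the
    request alone. Returns 'release' if the payment may proceed, or 'hold' if
    the new details still await confirmation on an independent channel."""
    if (new_bsb, new_account) == (vendor.bsb, vendor.account):
        return "release"            # identical to the verified details on file
    if not confirmed_out_of_band:
        return "hold"               # payment held; file left unchanged
    vendor.bsb, vendor.account = new_bsb, new_account   # confirmed: update file
    return "release"


# Constructed sample data (not real vendors, accounts or people).
TODAY = date(2025, 6, 30)
ACTIVE_USERS = {"jlee", "pdavis"}                       # "mchan" has left
EMPLOYEE_ACCOUNTS: Dict[BankAccount, str] = {("083-100", "99001122"): "pdavis"}
SAMPLE_VENDORS = [
    Vendor("V001", "Acme Supplies Pty Ltd", "12 Smith St, Sydney NSW",
           "062-000", "12345678", "jlee", TODAY - timedelta(days=10)),
    Vendor("V002", "Northern Freight", "PO Box 991, Darwin NT",
           "062-000", "12345678", "mchan", None),
    Vendor("V003", "Coastal Cleaning", "4 Bay Rd, Perth WA",
           "013-222", "55667788", "jlee", TODAY - timedelta(days=400)),
    Vendor("V004", "Quick Consulting", "8 High St, Melbourne VIC",
           "083-100", "99001122", "pdavis", TODAY - timedelta(days=5)),
]

if __name__ == "__main__":
    for vid, reasons in review_vendor_master(SAMPLE_VENDORS, EMPLOYEE_ACCOUNTS,
                                             ACTIVE_USERS, TODAY).items():
        print(vid, "->", "; ".join(reasons))
    acme = SAMPLE_VENDORS[0]
    print("emailed change, unconfirmed:",
          handle_bank_detail_change(acme, "999-999", "00000000", False))
    print("confirmed by callback:",
          handle_bank_detail_change(acme, "999-999", "00000000", True))
```

Running it flags V002 on all four review criteria at once (no activity, PO Box, an account shared with V001, created by a departed user), which is the ghost-vendor profile the article describes, while V001 surfaces only because it shares that account. The change handler deliberately returns "hold" for an unconfirmed request and leaves the file untouched, so a compromised email on its own can never move a payment.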
For a broader look at payment fraud prevention strategies in Australia, see our guide on payment fraud prevention for Australian businesses.
The cost of getting it wrong
AP fraud losses go beyond the money that leaves your account. The full cost includes recovery efforts, regulatory exposure, and reputational damage.
Direct financial loss
The average BEC loss is $55,000 per incident (ASD, FY2023-24). For larger businesses, single incidents can exceed $1 million. Banks reimburse just 2-5% of scam losses (ASIC), meaning most of the money is gone for good.
Operational disruption
Investigating a fraud incident diverts finance and IT teams for weeks. Supplier relationships are strained. Internal trust erodes. And the business still needs to make legitimate payments while the investigation runs.
Regulatory and legal exposure
Auditors and regulators increasingly expect businesses to have payment verification controls. A fraud loss without evidence of verification measures can lead to personal liability for directors, insurance claim denials, and compliance failures.
See the full picture of payment fraud in Australia: Australian payment fraud statistics.
Frequently asked questions
Why are accounts payable teams the biggest target for payment fraud?
What is the most common type of accounts payable fraud?
Can internal controls alone prevent AP fraud?
How does ezyshield protect accounts payable workflows?
What is the difference between manual and automated payment verification?
Protect your AP team from payment fraud
ezyshield verifies every payee before money moves. Identity, business, and bank account ownership confirmed in one flow. See it in action.