Vendor Master File Fraud: How to Detect and Prevent It
Your vendor master file is the list of every business you pay. When someone manipulates it, payments go to the wrong accounts. Up to 25% of vendor master files contain anomalous data. Here is how to fix that.
What is vendor master file fraud?
A vendor master file (VMF) is the central record of every supplier, contractor, and vendor that your organisation pays. It lives in your accounting system or ERP and contains the details your accounts payable team uses to process payments: business names, ABNs, contact details, and bank account information.
Vendor master file fraud occurs when someone manipulates these records to redirect payments. This can happen from the inside, when an employee with system access creates a fictitious vendor or alters bank details, or from the outside, when a scammer uses business email compromise or social engineering to request changes to vendor records.
The reason VMF fraud is so effective is that it targets the source of truth. Once a fraudulent entry is in the vendor master file, every payment to that entry flows to the wrong account. It bypasses invoice approval, because the invoice matches a "valid" vendor. It bypasses payment controls, because the bank details are in the system. The fraud hides in plain sight.
According to the Association of Certified Fraud Examiners (ACFE), billing schemes (which include VMF manipulation) have a median loss of $100,000 per incident and a median duration of 18 months before detection. That is 18 months of payments going to the wrong place before anyone notices.
Common types of vendor master file manipulation
VMF fraud takes several forms. Some are crude and opportunistic. Others are sophisticated and difficult to detect without automated monitoring.
Ghost vendors
A fictitious vendor is added to the master file, complete with a name, ABN (often stolen from a real but unrelated business), and a bank account controlled by the fraudster. Fake invoices are submitted against the ghost vendor, and payments are approved because the vendor "exists" in the system.
Bank detail changes
The bank details of a legitimate, active vendor are changed to a fraudulent account. This is often triggered by a phishing email or social engineering attack. The next payment run sends money to the new (fraudulent) account instead of the real supplier. This is closely linked to payment redirection fraud.
Duplicate entries
A vendor is added multiple times with slight variations in the name or details. One entry has the real bank details. The other has fraudulent details. Invoices are routed to the duplicate entry, and the payment goes to the wrong account. Duplicates also make reconciliation harder and provide cover for fraudulent transactions.
Dormant vendor reactivation
A vendor that has not been paid in months or years is reactivated with updated bank details. Because the vendor already existed in the system, the change may not trigger the same scrutiny as a new vendor setup. The fraudster submits invoices against the reactivated vendor and collects payments.
Warning signs of vendor master file fraud
These red flags do not always mean fraud, but they warrant investigation. If your vendor master file shows multiple indicators, it is time for a thorough review.
Vendors with no purchase orders, contracts, or documented business relationship
Bank details that match an employee's personal account or another vendor's account
Multiple vendors sharing the same address, phone number, or ABN
Recently changed bank details with no supporting documentation or verification trail
Vendors with PO Box addresses only and no physical business address
Round-number invoices or invoices just below approval thresholds
Dormant vendors that suddenly become active with new bank details
Vendors added by users who do not normally create vendor records
Best practices for vendor master file hygiene
Preventing VMF fraud requires a combination of access controls, verification processes, and ongoing monitoring. These practices significantly reduce your exposure.
Segregate duties
The person who creates a vendor record should not be the same person who approves invoices or processes payments for that vendor. Segregation of duties is the most basic control against internal VMF fraud. If one person controls the entire process, there is no check on their actions.
Verify before adding
Every new vendor should go through a verification process before being added to the master file. At minimum, validate the ABN, check ASIC registration (for companies), and confirm bank account ownership. A valid ABN only proves that the number exists: ghost vendors routinely borrow the ABN of a real but unrelated business, so also confirm that the entity registered against that ABN is the business you are dealing with and that the nominated bank account belongs to it. Do not rely on details provided by the vendor alone. Verify through independent sources.
Require approval for changes
Any change to vendor bank details should trigger a mandatory approval workflow. The request should be verified through a channel independent of the one used to request the change. If a vendor emails new bank details, do not confirm by replying to that email. Call a number you already have on file.
Audit your master file regularly
Conduct periodic reviews of your vendor master file. Look for duplicates, dormant vendors, vendors with no recent transactions, and entries where bank details have changed without a corresponding verification record. Quarterly reviews are a reasonable starting point for most businesses.
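The warning signs listed earlier, the ABN check from "Verify before adding", and the periodic review described here can all be run over an export of the master file. The script below is an added example, not ezyshield's code. It assumes a column layout (`id`, `abn`, `bank_account`, `phone`, `created_by`, `bank_changed_on`, `bank_change_verified_on`) that your ERP export will not match exactly, a `VENDOR_ADMINS` role, an approval threshold, and a dormancy window of one year; the vendor rows, payments and invoices are constructed, and the ABNs used are checksum-valid sample numbers, not the identity of any vendor named here.

```python
"""Audit a vendor master file export for the red flags listed above.

Added example, not ezyshield code. Column names, the VENDOR_ADMINS role,
the approval threshold and every sample row are assumed or constructed.
"""
from collections import defaultdict
from datetime import date, timedelta
import re

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
DORMANT_AFTER = timedelta(days=365)       # assumed: no payment for a year = dormant
APPROVAL_THRESHOLD = 10_000.00            # assumed invoice approval limit
VENDOR_ADMINS = {"ap.admin"}              # assumed: users who normally create vendors
EMPLOYEE_ACCOUNTS = {"062-000 11223344"}  # constructed: payroll bank accounts


def abn_is_valid(abn: str) -> bool:
    """ABN modulus-89 check: subtract 1 from the first digit, weight the
    digits, and the weighted sum must divide by 89. A passing ABN is only
    well-formed; it may still belong to an unrelated business."""
    digits = re.sub(r"\D", "", abn)
    if len(digits) != 11:
        return False
    nums = [int(d) for d in digits]
    nums[0] -= 1
    return sum(n * w for n, w in zip(nums, ABN_WEIGHTS)) % 89 == 0


def audit_vendors(vendors, payments, invoices):
    """Return {vendor_id: [reason, ...]} for every vendor that trips a red flag."""
    flags = defaultdict(list)

    # Identifiers that belong to one business but appear on several records
    for field in ("abn", "bank_account", "phone"):
        owners = defaultdict(set)
        for v in vendors:
            owners[v[field]].add(v["id"])
        for ids in owners.values():
            if len(ids) > 1:
                for vid in ids:
                    flags[vid].append(f"{field} shared with {sorted(ids - {vid})}")

    paid_on = defaultdict(list)
    for p in payments:
        paid_on[p["vendor_id"]].append(p["date"])

    for v in vendors:
        vid = v["id"]
        if not abn_is_valid(v["abn"]):
            flags[vid].append("ABN fails checksum")
        if v["bank_account"] in EMPLOYEE_ACCOUNTS:
            flags[vid].append("bank account matches an employee account")
        if v["created_by"] not in VENDOR_ADMINS:
            flags[vid].append(f"created by {v['created_by']}, who does not normally create vendors")
        changed = v.get("bank_changed_on")
        if changed:
            verified = v.get("bank_change_verified_on")
            if verified is None or verified < changed:
                flags[vid].append("bank details changed with no verification record")
            earlier = [d for d in paid_on[vid] if d < changed]
            if earlier and changed - max(earlier) > DORMANT_AFTER:
                flags[vid].append("dormant vendor reactivated with new bank details")

    # Invoice patterns: round amounts, or amounts sitting just under the approval limit
    for inv in invoices:
        amt = inv["amount"]
        if amt % 1000 == 0 or APPROVAL_THRESHOLD * 0.95 <= amt < APPROVAL_THRESHOLD:
            flags[inv["vendor_id"]].append(
                f"invoice {inv['number']} for {amt:.2f} is round or just below threshold")
    return dict(flags)


# Constructed sample export: V001/V002 are a duplicate pair (V002 paid into an
# employee account, created by a non-admin), V003 is a dormant vendor whose bank
# details changed with no verification record, V004 has an ABN that fails the checksum.
VENDORS = [
    {"id": "V001", "name": "Acme Office Supplies Pty Ltd", "abn": "51 824 753 556",
     "bank_account": "082-001 12345678", "phone": "02 9000 0001", "created_by": "ap.admin",
     "bank_changed_on": None, "bank_change_verified_on": None},
    {"id": "V002", "name": "Acme Office Supplies", "abn": "51 824 753 556",
     "bank_account": "062-000 11223344", "phone": "02 9000 0001", "created_by": "j.smith",
     "bank_changed_on": None, "bank_change_verified_on": None},
    {"id": "V003", "name": "Northside Cleaning Co", "abn": "53 004 085 616",
     "bank_account": "033-000 55667788", "phone": "03 8000 0002", "created_by": "ap.admin",
     "bank_changed_on": date(2024, 5, 2), "bank_change_verified_on": None},
    {"id": "V004", "name": "Harbour IT Services", "abn": "12 345 678 901",
     "bank_account": "012-003 99887766", "phone": "02 9000 0003", "created_by": "ap.admin",
     "bank_changed_on": None, "bank_change_verified_on": None},
]
PAYMENTS = [
    {"vendor_id": "V001", "date": date(2024, 4, 1), "amount": 1234.50},
    {"vendor_id": "V003", "date": date(2022, 11, 15), "amount": 800.00},
]
INVOICES = [
    {"vendor_id": "V002", "number": "INV-7781", "amount": 9900.00},
    {"vendor_id": "V001", "number": "INV-1020", "amount": 1234.50},
]

if __name__ == "__main__":
    for vid, reasons in sorted(audit_vendors(VENDORS, PAYMENTS, INVOICES).items()):
        print(vid, "->", "; ".join(reasons))
```

Run against the sample, every vendor trips at least one flag: V001 and V002 share an ABN and phone number, V002 additionally pays into an employee account, was created by a user outside the vendor-maintenance role and has an invoice at 9,900 against a 10,000 limit; V003 is a dormant vendor reactivated with an unverified bank change; V004 fails the ABN checksum. Each flag is a reason to pull the supporting paperwork, not proof of fraud on its own.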
Lock down system access
Restrict who can create, modify, and delete vendor records in your accounting system. Maintain an audit log of all changes, including who made them and when. Review access permissions regularly and remove access for employees who no longer need it.
Re-verify before every payment
Verification at onboarding is not enough. Re-check vendor details before each pay run. If bank details have changed since the last verification, block the payment until the change is confirmed through a verified channel. This catches both external fraud and internal manipulation.
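A pay-run gate that enforces this rule compares the bank account currently in the master file with the account that was last confirmed, and only releases a payment when the two match, the confirmation came through a channel independent of the change request (see "Require approval for changes"), and the confirmation is recent. The code below is an added example, not ezyshield's code. The channel names, the 90-day re-verification policy and all vendor, verification and payment records are assumed or constructed.

```python
"""Gate a pay run on current, out-of-band verification of each vendor's bank details.

Added example, not ezyshield code. The channel names, the 90-day policy
and every sample record are assumed or constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_VERIFICATION_AGE = timedelta(days=90)  # assumed policy: re-confirm at least quarterly
# Channels that count as independent of the change request. A reply to the
# email that asked for the change is deliberately not on this list.
TRUSTED_CHANNELS = {"callback_number_on_file", "confirmation_of_payee"}


@dataclass(frozen=True)
class Vendor:
    id: str
    name: str
    bank_account: str          # current value in the master file


@dataclass(frozen=True)
class Verification:
    vendor_id: str
    bank_account: str          # the account that was actually confirmed
    verified_on: date
    channel: str


def gate_pay_run(payments, vendors, verifications, run_date):
    """Split pending payments into (release, hold); each held item carries its reason."""
    vendor_by_id = {v.id: v for v in vendors}
    latest = {}
    for ver in verifications:
        cur = latest.get(ver.vendor_id)
        if cur is None or ver.verified_on > cur.verified_on:
            latest[ver.vendor_id] = ver

    release, hold = [], []
    for pay in payments:
        vendor = vendor_by_id.get(pay["vendor_id"])
        ver = latest.get(pay["vendor_id"])
        if vendor is None:
            hold.append((pay, "vendor not in master file"))
        elif ver is None:
            hold.append((pay, "bank details never verified"))
        elif ver.bank_account != vendor.bank_account:
            hold.append((pay, "bank details changed since last verification"))
        elif ver.channel not in TRUSTED_CHANNELS:
            hold.append((pay, f"last verification via untrusted channel: {ver.channel}"))
        elif run_date - ver.verified_on > MAX_VERIFICATION_AGE:
            hold.append((pay, "verification older than policy allows"))
        else:
            release.append(pay)
    return release, hold


# Constructed sample data for a pay run on 2024-06-14.
RUN_DATE = date(2024, 6, 14)
VENDORS = [
    Vendor("V001", "Acme Office Supplies Pty Ltd", "082-001 12345678"),
    Vendor("V003", "Northside Cleaning Co", "033-000 55667788"),
    Vendor("V005", "Westgate Freight", "013-123 44556677"),
    Vendor("V006", "Bayside Consulting", "064-000 22334455"),
]
VERIFICATIONS = [
    Verification("V001", "082-001 12345678", date(2024, 5, 20), "callback_number_on_file"),
    Verification("V003", "033-000 11110000", date(2024, 1, 9), "confirmation_of_payee"),
    Verification("V005", "013-123 44556677", date(2024, 6, 3), "email_reply"),
]
PAYMENTS = [
    {"vendor_id": "V001", "amount": 1234.50},
    {"vendor_id": "V003", "amount": 800.00},
    {"vendor_id": "V005", "amount": 4300.00},
    {"vendor_id": "V006", "amount": 2100.00},
]

if __name__ == "__main__":
    released, held = gate_pay_run(PAYMENTS, VENDORS, VERIFICATIONS, RUN_DATE)
    print("release:", [p["vendor_id"] for p in released])
    for pay, why in held:
        print("hold:", pay["vendor_id"], "-", why)
```

Only V001 is released. V003's master-file account no longer matches the account that was confirmed in January, so the payment is held even though a verification record exists; V005 was "confirmed" by replying to the requester's email, which the gate refuses to count; V006 has never been verified. The hold reasons are what the AP team works from before the run is re-submitted.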
How ezyshield protects your vendor data
Manual vendor master file reviews catch problems after the fact. ezyshield prevents them before payments are made by verifying every vendor and every change automatically.
Verify every vendor at onboarding
Before a vendor enters your system, ezyshield validates their ABN, checks ASIC registration, confirms the identity of the person representing the business, and verifies bank account ownership via live Confirmation of Payee. Ghost vendors cannot pass this process.
Catch every change
When vendor details change, ezyshield triggers automatic re-verification. Changed bank details are verified against the bank before any payment is processed. This stops payment redirection fraud at the point of change, not after a payment has been made.
Re-verify before every pay run
Verification is not a one-time event. ezyshield checks every vendor before every payment run. If anything has changed since the last verification, payment is held until the vendor is re-confirmed. No changes slip through between reviews.
Complete audit trail
Every vendor verification and re-verification is logged with timestamps, results, and evidence. When auditors review your vendor master file, you have proof that every entry was verified and every change was confirmed.
Related content
Insider Threats
Internal actors are behind many vendor master file manipulation schemes.
Supplier Verification Australia (Learn)
How to verify every supplier before they enter your payment system.
Fake Invoice Scams (Threat)
Fake invoices often target manipulated or unverified vendor records.
Accounts Payable Fraud Prevention (Learn)
Practical controls to protect your accounts payable process from fraud.
Protect your vendor master file
ezyshield verifies every vendor and every change before payments are made. No ghost vendors. No unauthorised changes. No gaps.