Managing Vendors to Prevent Fraud
- By Anne Shultz
- Published: 1/29/2025

No matter how sophisticated fraud solutions become, payments fraud still runs rampant in the business world. The 2024 AFP® Payments Fraud and Control Survey Report found that 80% of organizations experienced actual or attempted fraud in 2023 — an increase of 15 percentage points since the previous year. Thirty percent of those organizations were unable to recover the funds they lost.
One of the most prevalent types of fraud is vendor fraud, in which a supplier or vendor — or someone impersonating one — deliberately manipulates payment or vendor information to steal money through the procurement process. According to accounts payable (AP) automation provider Medius, U.S. companies lose an average of $300,000 per year to vendor fraud. While these losses do not usually bankrupt companies, operations are interrupted, suppliers go unpaid and reputations are damaged.
Types of vendor fraud
Vendor fraud can be committed by employees, external actors or both working together. It can take several forms:
- Fictitious vendor or “shell company.” An invoice or payment request is submitted for a non-existent vendor or for goods that were not provided. The shell company may use false information that makes it look like a trusted supplier, such as fabricated bank account numbers, tax identification numbers, contact information, vendor numbers or company names.
- Duplicate invoices. An employee duplicates a legitimate vendor’s invoice to route payment to another account, often by changing the details of the original invoice and reprocessing it.
- Overbilling. A vendor inflates an invoice by charging for supplies or extra line items that were never delivered, or by charging more than the agreed-upon prices.
- Bid rigging and price fixing. A vendor bribes an employee to help the vendor win a contract or obtain a payment, or two or more vendors collude to raise their prices to secure a contract at an inflated price.
- Check tampering. An employee steals company checks used for vendor payments or alters a legitimate vendor check — usually by changing the payee or amount — to divert the money to their own account.
- Business email compromise (BEC). A scammer impersonates a vendor, sends a fraudulent invoice and tricks an employee into sending payment.
How to spot vendor fraud
Vendor fraud can easily fly under the radar, sometimes for years. Accounting and advisory firm EisnerAmper says that it takes an average of 18 months to detect this type of fraud scheme.
The best way to address vendor fraud is to spot the red flags before it happens:
- Multiple invoices are paid to the same vendor on the same date or within the same payment cycle.
- Invoices are approved for payment at times outside of normal operating hours.
- The vendor’s prices are well below market.
- Two invoices have nearly identical invoice numbers.
- The vendor lacks a verifiable tax identification number.
- The vendor lacks standard contact information.
- Orders repeatedly fall below thresholds for reporting or approval.
- Invoices and transactions are for whole-dollar amounts.
- Invoice numbers deviate from the vendor’s usual numbering conventions.
- The payment and delivery addresses are different.
- Payment to a known vendor is far above the typical invoice total.
- The vendor’s address or contact information suddenly and unexpectedly changes.
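Several of the red flags above can be checked mechanically against an AP export. The following is an added example, not part of the original article: the record fields, the $5,000 approval limit, the 08:00-17:59 weekday business hours and the sample invoices are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample AP records; field names and values are illustrative only.
INVOICES = [
    {"id": 1, "vendor": "Acme Supply", "number": "INV-10452", "cents": 184217, "approved": "2025-01-14T10:32"},
    {"id": 2, "vendor": "Acme Supply", "number": "INV10452", "cents": 184217, "approved": "2025-01-21T11:05"},
    {"id": 3, "vendor": "Northwind Parts", "number": "NW-771", "cents": 490000, "approved": "2025-01-15T09:10"},
    {"id": 4, "vendor": "Northwind Parts", "number": "NW-772", "cents": 495000, "approved": "2025-01-15T09:40"},
    {"id": 5, "vendor": "Delta Freight", "number": "DF-3301", "cents": 73250, "approved": "2025-01-18T23:47"},
]
APPROVAL_LIMIT_CENTS = 500_000   # assumed approval threshold ($5,000)
BUSINESS_HOURS = range(8, 18)    # assumed normal hours, 08:00-17:59 Mon-Fri
LOOKALIKES = str.maketrans("OIL", "011")

def normalize(number):
    """Collapse punctuation, case and look-alike characters (O/0, I/L/1)."""
    return re.sub(r"[^A-Z0-9]", "", number.upper()).translate(LOOKALIKES)

def flag_invoices(invoices, limit=APPROVAL_LIMIT_CENTS):
    flags = defaultdict(set)
    by_vendor = defaultdict(list)
    for inv in invoices:
        by_vendor[inv["vendor"]].append(inv)
        ts = datetime.fromisoformat(inv["approved"])
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            flags[inv["id"]].add("off_hours_approval")
        if inv["cents"] % 100 == 0:
            flags[inv["id"]].add("whole_dollar")
    for items in by_vendor.values():
        # Repeated orders within 10% below the approval threshold.
        near = [i for i in items if 0.9 * limit <= i["cents"] < limit]
        if len(near) >= 2:
            for i in near:
                flags[i["id"]].add("just_under_limit")
        for a, b in combinations(items, 2):
            if a["approved"][:10] == b["approved"][:10]:
                flags[a["id"]].add("same_day_same_vendor")
                flags[b["id"]].add("same_day_same_vendor")
            if normalize(a["number"]) == normalize(b["number"]):
                flags[a["id"]].add("near_duplicate_number")
                flags[b["id"]].add("near_duplicate_number")
    return {inv_id: sorted(names) for inv_id, names in sorted(flags.items())}

if __name__ == "__main__":
    for inv_id, names in flag_invoices(INVOICES).items():
        print(inv_id, ", ".join(names))
```

A flag here is a prompt for manual review rather than proof of fraud; a single whole-dollar invoice, for instance, is often legitimate.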
Best practices to prevent and detect vendor fraud
One of the best ways to prevent vendor fraud is to stop using checks and digitize payments. AFP’s 2024 Payments Fraud and Control Survey found that 65% of respondents’ organizations had experienced check fraud.
Bank services, like debit blocks, can be particularly effective. “We work closely with our bank and ensure we do everything possible on our bank account — debit blocks, controlled disbursement and debit filters. We evaluate anything they suggest and usually incorporate it,” Larry Tolep, Vice President and Treasurer of Volkswagen Group of America, says.
Beyond digitizing payments and using available bank services, companies of all sizes can deploy several best practices to avoid fraud:
Vendor management
- Establish a formal vendor onboarding process. Use a security questionnaire to create a risk profile, and use a checklist that verifies the vendor’s tax ID, confirms the business name matches that ID, and considers the vendor’s track record.
- Audit vendors regularly, and update their information. Beginning with vendor master files, verify bank account information, tax identification numbers, addresses and other contact information, and update accordingly.
- Use preferred vendors only. Create a list of verified, approved vendors for use by the company.
- Maintain ongoing communication with vendors. When a business has a strong relationship with a supplier, it can discuss security and fraud issues freely and regularly.
- Maintain and enforce consistent vendor policies. Create written vendor policies and enforce them. Avoid exception processes whenever possible.
AP processes
- Use a multi-step, multi-level payment approval process. More than one employee — preferably employees from different departments and management tiers — should scrutinize invoices before they are approved for payment.
- Automate AP. Automated AP solutions replace many manual processes that open avenues for fraud. They can match invoices, monitor transactions and flag suspicious activity.
- Perform regular audits of transactions and risk assessments of processes. Maintain a comprehensive audit of all transactions so that red flags and mistakes come to light. Conduct a risk assessment to ensure that AP processes are secure.
Employee management
- Move employees around. Employees who perpetrate fraud are most likely to work in procurement or AP. When possible, move employees to various departments or rotate their duties.
- Conduct background checks on employees regularly. Examine not only the employee’s past behaviors but also their social and familial connections. Often an employee who commits fraud is married or somehow linked to the dishonest or nonexistent vendor.
- Train employees to detect and prevent fraud. Educate staff about fraud and the red flags to watch for.
- Create a way for employees to anonymously report suspected fraud. This step can prevent fraud altogether by discouraging employees from attempting it.
The best of best practices: AI-enabled AP automation
AI-enabled solutions for AP automation can detect duplicate or fictitious accounts, false identities and bots. They can even conduct anti-money laundering (AML) and know your customer (KYC) processes and credit checks. AI models also “learn” over time, so their accuracy continuously improves.
As Lee-Ann Perkins, Assistant Treasurer at Ankura Consulting Group, notes, “AI is the great equalizer that lets us fight fraud with live technology. We can bring in automated fraud verification tools, machine learning for fraud detection and prevention, and GenAI chatbots that can handle vendor inquiries securely. […] The good thing is that [AI-enabled tools] are not the most expensive technology out there, and they’re coming down in price.”
Employees: From weakest link to strongest weapon
Employees are often considered to be “the weakest link” when it comes to fraud. But companies can make employees into their strongest mode of defense; they simply need to build a culture that makes employees part of the fraud conversation.
Brad Deflin, CEO and Founder of Total Digital Security, advises, “Adjust the culture by presenting fraud issues in a way that can be internalized by individuals, so that they understand that [fraud prevention] is a life skill in this new era of digital technology and AI. These life skills are needed to succeed in this digital world because the risks are still there when we leave the office.” He recommends using real-life case studies to drive these points home with employees.
How to respond to a fraud attack
When fraud is suspected or detected, the pertinent vendor should be contacted immediately to make sure the apparent fraud is not simply a mistake. Payments to that vendor should be paused if the vendor cannot be reached. Report the incident to banks, AP departments and law enforcement.
Then, conduct an internal investigation. For internal fraud, collect all evidence, find potential witnesses, block the employee’s access to company information and consult an attorney. For external fraud, gather documentation and other evidence and contact the Federal Trade Commission. Work with the business’s banks and cybersecurity insurance company to attempt to recover funds. Update policies to fill the security gaps that allowed the fraud to happen.
Recovery
Vendor fraud — attempted or successful — is almost inevitable. “Every industry, every person is a target,” Deflin notes.
Fraud steals not just funds but also resources, time, productivity and efficiency. It can damage a company’s reputation with customers, suppliers and the public. Even so, most businesses will recover. Fraud can be a valuable lesson learned — and allow a business to avoid an even bigger loss the next time.
Copyright © 2025 Association for Financial Professionals, Inc.
All rights reserved.