Invoice Fraud Warning Signs

Invoice fraud is, in volume terms, one of the most common forms of financial fraud affecting UK businesses. It is also one of the most consistently underestimated — not because organisations are unaware that it exists, but because the individual transactions involved often look entirely routine. An invoice arrives. It is formatted correctly. It references a real supplier name or a plausible service description. It passes through the approval process and is paid. The fraud is not in the sophistication of the deception. It is in the confidence that no one is looking closely enough to question it.

In my experience, the accounts payable function is where a disproportionate amount of financial fraud enters and exits an organisation. It processes high volumes of transactions under time pressure, the approval process is frequently compressed or delegated, and the individuals involved are often working from the assumption that the invoices they are reviewing are genuine until proven otherwise. That assumption is reasonable for the vast majority of what passes through the function. It is also what invoice fraud depends on.

This article sets out what invoice fraud looks like in practice — the schemes, the warning signs, and how investigations proceed when a concern is raised — along with the practical measures that make an accounts payable function a harder target.

What Is Invoice Fraud?

Invoice fraud is the use of false, altered, or fabricated invoices to obtain payment from an organisation. It encompasses a broad range of conduct: a supplier submitting invoices for goods or services not provided, an employee creating fictitious invoices to divert funds to an account they control, an external fraudster intercepting a legitimate payment through a forged document, or a combination of internal and external actors working together.

Under the Fraud Act 2006, invoice fraud constitutes fraud by false representation and, in most cases, fraud by failing to disclose information. Where it involves the misuse of a position of trust — an employee abusing their authority over the accounts payable function — it may also constitute fraud by abuse of position. The practical consequence is that those responsible, whether employees or external parties, face criminal exposure as well as civil liability.

What makes invoice fraud distinctive as a category is its reach. It can originate externally, from parties the organisation has never dealt with. It can originate internally, from employees with system access and payment authority. And it can involve the collusion of both, which is the variant I find most difficult to detect from the inside and most significant in terms of the losses it produces.

Common Invoice Fraud Schemes

Mandate Fraud

Mandate fraud involves convincing an organisation to update the bank account details held for a genuine supplier, so that a legitimate future payment is redirected to a fraudulent account. It is typically operated through impersonation: a fraudster poses as the supplier, contacts the finance or accounts payable team by email or phone, and requests that payment details be updated ahead of an upcoming invoice.

The request is often timed to coincide with a known payment cycle, a contract renewal, or a period when the regular contact at the supplier might plausibly be unavailable. The social engineering involved can be convincing, and the consequences are immediate: the next legitimate payment is redirected and, once processed, is extremely difficult to recover.

I have seen mandate fraud succeed against organisations with formal payment mandate processes in place, because the process was not followed consistently — a busy period, a request that seemed credible, a verification step that was skipped once. That single exception was all it took. The payment was significant, and the funds were dispersed before the error was identified.

Fictitious Invoice Fraud

Fictitious invoice fraud involves the submission of invoices for goods or services that were never provided. The invoices may be entirely fabricated or may use the details of a genuine supplier to create a veneer of legitimacy. In the internal variant, an employee creates and approves invoices from a vendor they control, directing the payments to an account they benefit from. In the external variant, an unknown party submits invoices for plausible-sounding services — directory listings, regulatory compliance support, trademark renewal — hoping that they will be processed without verification.

The external version of this scheme tends to involve smaller amounts and relies on the volume of invoices an organisation processes making individual scrutiny impractical. The internal version tends to involve larger amounts and longer durations, sustained by the perpetrator’s control over the approval process. Both are detectable through systematic data analysis; neither is typically caught through the normal approval workflow.

Duplicate Invoice Fraud

Duplicate invoicing — submitting the same invoice more than once, either through identical resubmission or through minor variations in invoice number, date, or description — is one of the most straightforward invoice fraud schemes and one of the most reliably successful in organisations that process invoices manually or across multiple systems. The duplication may be deliberate, by a supplier or an internal actor, or may represent an opportunistic test of whether the accounts payable process has any automated duplicate detection.

In the cases I have investigated, duplicate invoice fraud often operates alongside another scheme — a supplier who is also overbilling, or an employee who is submitting fictitious invoices as well as duplicating genuine ones. The duplicate element is sometimes what surfaces the broader fraud, because it is the most straightforward anomaly to identify once someone is looking at the data systematically.

Overbilling and Invoice Inflation

Invoice inflation involves the submission of invoices that exceed the agreed contract price, overstate the quantity of goods or services provided, or include items that were not part of the original scope. It is most common in relationships where the pricing is not fixed — time-and-materials contracts, variable service arrangements, or construction and maintenance work where scope changes are routine and documentation is often informal.

The challenge with overbilling is that it is frequently invisible to the approval process. The invoice is for a real supplier, for services that were genuinely provided, at an amount that is plausible. The inflation is in the detail: the extra hours that were not worked, the materials that were not used, the variation that was not agreed. Identifying it requires a comparison between the invoice and independent operational records, which is rarely part of the routine approval process.

Invoice Fraud Warning Signs

The indicators below are drawn from the invoice fraud investigations I have conducted and from the data patterns that consistently precede a confirmed case. As with all fraud indicators, no single signal is conclusive. It is the combination and persistence of these patterns — particularly where they cluster around the same supplier, the same approver, or the same period — that warrants serious attention.

  • Invoices that arrive without a corresponding purchase order, or where the purchase order was raised after the invoice rather than before.
  • Invoice amounts that consistently sit just below approval thresholds — a pattern that suggests deliberate structuring rather than coincidence.
  • Supplier bank account details that have been recently changed, particularly where the change was communicated by email rather than through a formal process and was not independently verified.
  • Invoices from suppliers that cannot be verified as registered businesses, or whose registered address corresponds to a residential property, a mail forwarding service, or a location with no obvious commercial presence.
  • Duplicate invoice numbers, or invoice numbers that follow an unusual sequence — gaps, resets, or patterns inconsistent with the volume of business the supplier is supposed to be conducting.
  • Invoices for vaguely described services — consultancy, advisory support, project management — where the nature of the work cannot be confirmed against any internal record of delivery.
  • A single employee who both approves invoices from a specific supplier and manages the relationship with that supplier, without independent oversight at any stage.
  • An unusual concentration of invoices from a small number of suppliers in a specific period, particularly coinciding with budget year-end, a management change, or a period of reduced oversight.
  • Invoices that appear to have been produced using generic templates rather than the supplier’s standard documentation, or where formatting, typography, or branding is inconsistent with other correspondence from the same vendor.
  • Payment requests received by phone or email from individuals claiming to represent a known supplier, asking for urgent processing outside the normal approval workflow.

The urgency request is one I want to highlight specifically. A significant proportion of the mandate fraud cases I have seen succeeded because the request was framed as time-sensitive: a payment needed to clear by end of day, a supplier threatening to pause delivery, a new bank account active from Monday. That pressure is manufactured. It is designed to compress the time available for verification. When a payment request arrives with urgency attached, the appropriate response is not to act faster. It is to verify more carefully.

Investigating Invoice Fraud

When an invoice fraud concern is referred to us, the investigation follows a structure that is now familiar across the series of fraud cases I have described in these articles — but invoice fraud has some specific characteristics that shape how that structure is applied.

The most important of these is speed. Invoice fraud investigations are time-sensitive in a way that some other internal fraud enquiries are not. Where a mandate fraud has occurred and funds have been redirected, early engagement with the receiving bank — through the organisation’s own bank and, where appropriate, with law enforcement — can in some cases result in the freezing or recovery of funds before they are further dispersed. That window closes quickly, typically within hours to days of the payment being made. Legal advice should be sought immediately in any case involving a recent payment redirection.

Accounts payable data analysis: a systematic review of the full invoice ledger for the relevant period, applying duplicate detection, threshold analysis, vendor verification, and pattern analysis across approver activity, payment dates, and cost codes. This is always the starting point, and it consistently produces a defined set of transactions that require explanation.

Vendor verification: a detailed check of every flagged supplier against Companies House records, beneficial ownership data, registered address verification, and bank account confirmation. In a significant proportion of invoice fraud investigations, this exercise reveals that the invoicing entity either does not exist as a legitimate trading business or has an undisclosed connection to an employee.

Email and communications review: in mandate fraud cases, the communications trail — the emails, phone records, or other correspondence through which the fraudulent bank account change was requested and authorised — is frequently the most direct evidence of how the fraud was operated. Where digital forensics is required to recover deleted communications, it is instructed at this stage.

Approver access log review: accounting and ERP systems maintain logs of who approved what, when, and from which device or login. In internal invoice fraud cases, the access logs establish which individual was responsible for creating, approving, or processing the fraudulent invoices, and whether those actions were consistent with their normal activity patterns.

Bank account tracing: where funds have been redirected to a fraudulent account, the investigation includes an attempt to trace the destination account to its beneficial owner and, where appropriate, to support the organisation’s legal advisers in pursuing a freezing injunction or civil recovery claim.

Witness and subject interviews: structured interviews with finance and accounts payable staff before the primary subject, building the evidential picture from the outside in. Where the fraud involved external impersonation, witness accounts from the individuals who received and acted on the fraudulent communications are a central part of the evidence.
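The accounts payable data analysis step can be sketched in a few lines of Python. This is an added example, not code from the article or its author: the ledger rows are constructed, and the field layout, the £5,000 approval limit, the 7-day duplicate window and the 5% threshold band are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import date
from itertools import combinations

APPROVAL_LIMIT = 5000.00  # assumed approval threshold in GBP

# Constructed ledger rows: (invoice_no, supplier, date, amount, approver, po_number)
LEDGER = [
    ("INV-1001", "Acme Ltd", date(2024, 3, 1), 4200.00, "jsmith", "PO-77"),
    ("INV1001", "Acme Ltd", date(2024, 3, 4), 4200.00, "mlee", "PO-77"),
    ("C-555", "Cedar Supplies", date(2024, 1, 10), 1200.00, "jsmith", "PO-80"),
    ("C-601", "Cedar Supplies", date(2024, 3, 12), 1200.00, "mlee", "PO-91"),
    ("B-01", "Brightline Consulting", date(2024, 3, 5), 4950.00, "akhan", None),
    ("B-02", "Brightline Consulting", date(2024, 3, 12), 4980.00, "akhan", None),
    ("B-03", "Brightline Consulting", date(2024, 3, 19), 4990.00, "akhan", None),
]

def norm(invoice_no):
    """Collapse case, punctuation and spacing so INV-1001 and inv 1001 compare equal."""
    return re.sub(r"[^A-Z0-9]", "", invoice_no.upper())

def duplicates(ledger, window_days=7):
    """Pairs from one supplier for the same amount whose numbers match after
    normalisation, or whose dates fall within window_days of each other."""
    groups = defaultdict(list)
    for row in ledger:
        groups[(row[1], row[3])].append(row)
    hits = []
    for rows in groups.values():
        for a, b in combinations(rows, 2):
            if norm(a[0]) == norm(b[0]) or abs((a[2] - b[2]).days) <= window_days:
                hits.append((a[0], b[0]))
    return hits

def structuring(ledger, limit=APPROVAL_LIMIT, band=0.05, min_count=3):
    """(supplier, approver) pairs with min_count or more invoices just below limit."""
    counts = defaultdict(int)
    for _, supplier, _, amount, approver, _ in ledger:
        if limit * (1 - band) <= amount < limit:
            counts[(supplier, approver)] += 1
    return sorted(k for k, n in counts.items() if n >= min_count)

def missing_po(ledger):
    """Invoice numbers recorded without a purchase order."""
    return [row[0] for row in ledger if not row[5]]

if __name__ == "__main__":
    print("possible duplicates:", duplicates(LEDGER))
    print("threshold clustering:", structuring(LEDGER))
    print("no purchase order:", missing_po(LEDGER))
```

Each function returns a list of transactions that require explanation rather than a finding of fraud; the Cedar Supplies rows show a repeated amount that is not flagged because the invoice numbers differ and the dates are two months apart.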

Preventing Invoice Fraud

Every invoice fraud investigation I conclude with a client ends in the same conversation: what do we change? The answer is almost always a combination of process improvements that are individually straightforward and collectively effective. The reason they were not already in place is usually not that they were unknown — it is that the accounts payable function was operating under time pressure, or was assumed to be adequately controlled, or had never been the subject of a proper fraud risk assessment.

The controls that make the most practical difference are:

  • Implement automated duplicate invoice detection as a standard feature of the accounts payable process. Modern finance systems support this natively. Where they do not, a simple matching exercise run before each payment run removes one of the most reliable routes for invoice fraud.
  • Establish and enforce a formal payment mandate change process. Any request to update supplier bank account details should require written confirmation from a contact independently sourced — not the number or email address provided in the change request — before the change is activated.
  • Require a valid purchase order for every invoice above a de minimis threshold, and make retrospective purchase orders a flagged exception rather than a routine accommodation.
  • Enforce segregation of duties in the accounts payable function: the person who approves an invoice should not be the same person who processes the payment, and neither should be the person who manages the supplier relationship.
  • Conduct periodic reconciliations between invoiced activity and independent delivery or completion records for high-value or variable-scope contracts. The invoice should be verifiable against something other than itself.
  • Train accounts payable and finance staff to recognise the specific social engineering techniques used in mandate fraud and urgency-based payment fraud. The pressure to act quickly is a manufactured condition. Staff who understand that are significantly harder to deceive.
  • Include accounts payable fraud in the organisation’s internal audit programme, with specific attention to threshold structuring, sole-approver relationships, and the consistency with which the payment mandate change process is actually followed.

Invoice fraud succeeds when the accounts payable function is processing volume rather than exercising scrutiny. The controls above do not slow the function down materially. What they do is introduce friction at precisely the points where fraud most consistently enters: the unverified bank account change, the invoice without a purchase order, the duplicate that passed through twice because no one was checking. Friction at those points is the most direct investment an organisation can make in reducing its exposure.
