
How Finance Teams Reduce Fraud Risk With Structured Approval Workflows

Structured AP approval workflows reduce fraud risk through bank detail validation, duplicate detection, and tamper-proof audit trails.

Joey Hotz · 15 January 2026 · 5 min read · Updated 4 May 2026

TL;DR

AP fraud exploits process gaps, not obvious human error - it targets moments where legitimate-looking invoices pass through without sufficient verification. Vendor bank detail monitoring, duplicate detection at intake, multi-level approval routing, and locked audit trails form a layered defence. When these checks are enforced by the system rather than by individual discipline, fraud attempts that bypass one control are caught by another.

AP fraud doesn’t typically exploit obvious human error. It exploits process gaps - moments in the workflow where a legitimate-looking document is reviewed with insufficient information or under time pressure. Finance teams that have reduced their fraud exposure have done so by structuring the workflow to verify automatically at the moments that matter, rather than by relying on individual vigilance to catch anomalies that may not be visible in the invoice itself. For a deeper look at the structural weaknesses in Australian AP processes, the guide to accounts payable fraud vulnerability maps the most common exposure points.

Where does fraud enter the AP workflow?

The three most common entry points share a common characteristic: they exploit checks that exist only as manual steps.

Payment redirection via bank detail substitution is the highest-cost fraud type in Australian AP. A fraudulent invoice arrives with the supplier’s correct letterhead, address, ABN, and invoice history - but with a different bank account number. The accounts team processes it using the bank details on the invoice rather than verifying against the historical record. Payment redirection scams cost Australian businesses AU$152.6 million in 2024, a 66% increase from the prior year, according to the ACCC National Anti-Scam Centre.

Duplicate invoice payment happens through either a re-submission from an attacker who has intercepted the original or through manual data entry error at high volume. The duplicate passes through because the approval step has no visibility into the prior invoice, and the approver has no reason to query an invoice that otherwise looks correct.

False billing from fabricated suppliers exploits the new-supplier onboarding step. A supplier is created in the system and invoices are submitted for services never performed. Without a structured new-supplier verification step, the fabricated supplier is processed alongside legitimate ones.

The Geelong manufacturing near-miss

A financial controller at a manufacturing business in Geelong caught a fraudulent invoice by chance during a routine review. An invoice had arrived from a long-standing materials supplier with slightly different payment details - an account number that differed by two digits from the one on file. She happened to be reviewing the supplier’s payment history for an unrelated reason and noticed the discrepancy before the invoice reached the payment stage.

The investigation confirmed the supplier’s email had been compromised. The invoice was a case of vendor impersonation and business email compromise (BEC). The fraud failed because of an incidental human check, not a structural control.

The near-miss led directly to a workflow review and the addition of automated bank detail validation: every incoming invoice from a known supplier is now compared against the historical payment record before it reaches the approval queue. The control that would have caught the fraudulent invoice before human review now runs automatically on every invoice, not only on the ones someone happens to notice.

What do good controls look like before the approval step?

Automated comparison of supplier bank details against the historical record is the specific control that addresses the payment redirection risk. It needs to happen before the invoice reaches the approver, because an approver reviewing for authorisation is assessing whether the invoice is legitimate and appropriately valued - not reviewing bank account accuracy. A changed bank number in a document that otherwise looks correct is not reliably caught by that review.

Duplicate detection at intake - comparing incoming invoices against the historical bill register by supplier, amount, reference number, and date - catches the re-submission attack before the approver sees the invoice. Catching a duplicate at intake allows simple rejection. Catching it after payment requires reversals, supplier communications, and potentially bank recovery proceedings.

New supplier verification as a distinct step before first payment - confirming ABN, physical address, and banking details independently of the invoice - removes the fabricated supplier route. Formalising the delegation of authority structure ensures that new supplier onboarding always routes to the appropriate authority level. The verification should be documented in the audit trail so the control is visible not just to the people performing it but to anyone reviewing the process retrospectively.
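The three pre-approval checks described above can run as one intake gate. The following is an added example, not code from the article or from any AP product; the record layout, the flag names and the duplicate rule (same supplier plus either a matching normalised reference or a matching amount and date) are assumptions, and the sample data is constructed.

```python
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass(frozen=True)
class Invoice:
    supplier_id: str
    reference: str
    amount: Decimal
    issued: date
    bsb: str
    account: str

def digits(value):
    """Strip spaces and hyphens so '123-456' and '123456' compare equal."""
    return re.sub(r"\D", "", value)

def ref_key(reference):
    """Normalise a reference so 'INV-0042', 'inv 0042' and 'INV0042' collide."""
    return re.sub(r"[^A-Z0-9]", "", reference.upper())

def intake_checks(inv, supplier_master, bill_register):
    """Return the flags raised before the invoice may enter the approval queue."""
    flags = []
    on_file = supplier_master.get(inv.supplier_id)
    if on_file is None or not on_file["verified"]:
        # Supplier was never independently verified: hold for onboarding review.
        flags.append("UNVERIFIED_SUPPLIER")
    elif (digits(inv.bsb), digits(inv.account)) != (
            digits(on_file["bsb"]), digits(on_file["account"])):
        # Details on the invoice differ from the historical payment record.
        flags.append("BANK_DETAIL_MISMATCH")
    for prior in bill_register:
        if prior.supplier_id != inv.supplier_id:
            continue
        same_ref = ref_key(prior.reference) == ref_key(inv.reference)
        same_amount_date = prior.amount == inv.amount and prior.issued == inv.issued
        if same_ref or same_amount_date:  # assumed duplicate rule
            flags.append("POSSIBLE_DUPLICATE")
            break
    return flags

# Constructed sample data: one verified supplier and one previously paid bill.
SUPPLIERS = {"SUP-001": {"bsb": "123-456", "account": "1234 5678", "verified": True}}
REGISTER = [Invoice("SUP-001", "INV-0042", Decimal("4810.00"),
                    date(2026, 1, 5), "123456", "12345678")]
```

An invoice that returns any flag is held out of the approval queue, and the returned list is what the audit trail should record as having been checked and shown.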

What the audit trail needs to record

A structured audit trail for AP fraud prevention records more than who approved which invoice. It records what was checked before the approval: whether the bank details were validated, whether any exceptions were flagged, whether a duplicate check was run, and whether the invoice was from a supplier whose details had been verified.

An audit trail that shows “approved by J. Smith on 14 March” is evidence that an approval occurred. An audit trail that shows what J. Smith was presented with - which checks had been performed, which flags were visible, what historical data was displayed - is evidence that a controlled approval occurred. The difference matters when a payment is disputed, a fraud investigation begins, or an auditor asks what the approval process verified rather than merely what it recorded.
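One way to record what the approver was presented with, and to make later edits detectable, is a hash-chained log. This is an added example, not code from the article or any product; the field names and the choice of a SHA-256 hash chain are assumptions, and the sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed value that anchors the first entry of the chain

def entry_hash(body):
    """SHA-256 over a canonical JSON encoding of the entry (sorted keys)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append_approval(trail, invoice_ref, approver, decided_at, checks, flags_shown):
    """Record the decision together with what the approver was presented with."""
    body = {
        "invoice_ref": invoice_ref,
        "approver": approver,
        "decided_at": decided_at,
        "checks": checks,            # which controls ran before approval
        "flags_shown": flags_shown,  # exceptions visible at decision time
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    trail.append({**body, "hash": entry_hash(body)})
    return trail[-1]

def verify_trail(trail):
    """Return the index of the first altered or out-of-order entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev or entry_hash(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

def build_sample_trail():
    """Two constructed approvals; the second was made with a flag on screen."""
    checks = {"bank_details_validated": True, "duplicate_check_run": True,
              "supplier_verified": True}
    trail = []
    append_approval(trail, "INV-0042", "J. Smith",
                    "2026-03-14T10:02:00+11:00", checks, [])
    append_approval(trail, "INV-0043", "J. Smith",
                    "2026-03-14T10:09:00+11:00", checks, ["BANK_DETAIL_MISMATCH"])
    return trail
```

A chain like this detects edits only if the latest hash is also kept somewhere the AP system's users cannot write to; otherwise someone with write access can recompute every hash after the change.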


Sources: ACCC - Targeting Scams Report 2024 · Australian Federal Police - Business Email Compromise



Frequently asked questions

How do structured approval workflows reduce payment fraud risk?

Structured approval workflows reduce fraud risk by enforcing that every invoice passes through defined checks before payment - vendor bank detail validation, duplicate detection, and authorisation by the appropriate person at the appropriate dollar threshold. When these checks are enforced by the system rather than by individual discipline, fraud attempts that bypass one check are caught by another.

What is the most effective control against payment redirection fraud in AP?

Vendor bank detail monitoring is the most effective control against payment redirection fraud. This check compares the bank account number on an incoming invoice against the supplier's historical records and flags discrepancies before the invoice reaches the approval queue. An approver reviewing for authorisation will not catch a changed bank number - the validation must happen before the invoice reaches them.

How does an audit trail support fraud investigation?

An audit trail that records who approved each invoice, when, and at what amount allows fraud investigation to identify whether an approver acted on a legitimate invoice or was deceived. Without a structured audit trail, proving whether an approval was authorised or bypassed requires reconstructing evidence from email archives and bank records - a process that takes weeks and may be incomplete.

What AP controls should finance teams implement to reduce fraud exposure?

Finance teams should implement: vendor bank detail monitoring with alerts on changes, duplicate invoice detection at intake, multi-level approval routing that enforces segregation of duties, and a locked audit trail for every approval decision. The ACCC's Targeting Scams Report 2024 found payment redirection fraud cost Australian businesses AU$152.6 million - structured AP controls directly address this risk.
