Australian businesses lost AU$152.6 million to payment redirection scams in 2024, according to ACCC Scamwatch data. That number only covers reported losses. The real figure is higher.
Most AP teams still rely on manual checks to catch fraud. Someone eyeballs the bank details. Someone remembers the last invoice amount. Someone assumes the supplier is legitimate because they have been for years. These checks break down under volume pressure, staff turnover, and end-of-month deadlines — and the breakdown is most acute in 10-to-50-person businesses where per-invoice fraud exposure peaks.
Invoice fraud detection software automates the checks that humans skip. It flags duplicate invoices, validates vendor bank details against historical records, verifies ABNs, and surfaces amount anomalies before an invoice reaches the approval queue. The market in Australia is small. Your realistic options are a full AP automation platform with fraud controls built in, a standalone bank verification tool, or an approval routing layer with segregation of duties. Each covers different fraud types. None covers all of them alone.
Here is what is available, what each tool catches, and where the gaps are.
Types of invoice fraud this software catches
Invoice fraud is not one thing. It is five distinct fraud types, each exploiting a different weakness in the AP process. The detection method differs for each.
Duplicate invoices are the same invoice submitted twice, either by a supplier resending after a payment query or by a fraudulent actor resubmitting a previously paid invoice with minor modifications. Detection requires matching invoice number, supplier, amount, and date against historical records. For a detailed breakdown of how detection workflows operate, see the guide on implementing duplicate invoice detection workflows in practice.
Payment redirection is the highest-value fraud type. An attacker compromises a supplier’s email or impersonates them and sends an invoice with altered bank details. The invoice looks legitimate in every respect except the account number. Detection requires comparing the bank details on each incoming invoice against the supplier’s stored payment details. Any change triggers a hold and manual verification through an independent channel. This fraud type accounts for the bulk of the AU$152.6 million in reported losses.
Fake vendor invoices come from suppliers that do not exist or have no legitimate relationship with the business. The Australian Federal Police classifies invoice fraud as a significant category of business-related fraud. A fraudulent entity is created in the vendor master, invoices are submitted for services never rendered, and if no one verifies the vendor’s legitimacy, the invoices get paid. Detection starts at supplier onboarding with ABN validation, contact verification, and a separate approval step for adding new vendors.
Inflated invoices carry correct supplier details and legitimate line items but with amounts higher than what was agreed or delivered. Detection depends on purchase order matching. If the business raised a PO for $4,200 and the invoice says $5,800, the variance should be flagged. Without a PO to compare against, inflated amounts are difficult to catch automatically. The role of purchase orders in preventing AP fraud is covered separately.
Ghost employee or internal collusion fraud involves someone inside the business creating fictitious supplier records and approving payments to accounts they control. This is not detectable by invoice-level software alone. It requires segregation of duties: the person who creates a vendor should not be the person who approves invoices from that vendor.
Pulsify
Pulsify is an AP automation platform built for Australian industrial businesses running Xero or MYOB. Its fraud detection controls operate at the invoice intake stage, before invoices reach the approval queue.
What it catches:
- Vendor bank detail changes. When an invoice arrives with bank details that differ from the supplier’s stored account, Pulsify flags the invoice and holds it from the approval queue. The reviewer sees exactly what changed and must verify through an independent channel before the invoice can proceed.
- Duplicate invoices at intake. Pulsify checks incoming invoices against historical records and the current approval queue, matching on invoice number, supplier name, amount, and date window. Near-matches are flagged rather than auto-rejected, because some legitimate invoices share characteristics with prior submissions.
- ABN validation. New suppliers are verified against the ATO’s ABN Lookup before their invoices enter the workflow. Cancelled or suspended ABNs are flagged immediately.
- Approval thresholds. Configurable approval routing ensures invoices above set dollar values require sign-off from designated approvers. A $500 invoice from an office supplier follows a different approval path than a $45,000 subcontractor claim.
- Audit trail. Every action on every invoice is logged: who received it, who coded it, who approved it, when, and from which device. This trail is accessible to auditors and financial controllers without requiring a separate reporting tool.
What it does not catch:
Pulsify does not maintain a third-party registry of verified bank accounts. Its bank detail validation works by comparing incoming details against the supplier’s own history within the platform. If a supplier is onboarded with fraudulent bank details from day one, the platform has no external reference point to flag the discrepancy. For first-invoice verification, a separate check against a bank account registry or a manual callback to the supplier is still required.
Pulsify also does not replace a proper delegation of authority framework. It enforces the rules you configure, but the rules themselves need to reflect your organisation’s risk tolerance and reporting structure.
For a broader look at where automation creates and closes fraud exposure, see accounts payable invoice automation and the fraud gap.
Eftsure
Eftsure is a bank account verification platform based in Sydney. Its core function is checking vendor bank details against a proprietary registry of verified Australian bank accounts before payment is released.
What it catches:
- Payment redirection. This is Eftsure’s primary use case. Before a payment run, it compares each payee’s bank details against its verification database. If the account number does not match a verified record for that supplier, the payment is flagged. This catches the specific fraud type that cost Australian businesses $152.6 million in 2024.
- New vendor verification. Eftsure can validate whether a bank account belongs to the entity claiming to own it, providing a check at supplier onboarding that goes beyond ABN validation.
What it does not catch:
Eftsure is not an AP automation platform. It does not capture invoices, code them, route them for approval, or detect duplicates. It does not check invoice amounts against purchase orders. It does not enforce approval thresholds or segregation of duties.
Eftsure operates at the payment execution stage, not the invoice intake stage. A duplicate invoice or an inflated amount will pass through a business’s entire AP process and only encounter Eftsure at the moment of payment, and only for bank detail verification. The invoice-level fraud types - duplicates, inflated amounts, ghost vendors - are outside its scope.
Businesses that use Eftsure typically pair it with a separate AP platform or manual process for the rest of the invoice lifecycle. The tool solves one problem well but does not replace an AP controls stack.
ApprovalMax
ApprovalMax is a financial controls platform that adds structured approval workflows on top of Xero and QuickBooks Online. It does not integrate with MYOB.
What it catches:
- Unauthorised approvals. ApprovalMax enforces who can approve which invoices at which dollar thresholds. It prevents a junior staff member from approving a $50,000 invoice that should require a financial controller’s sign-off.
- Segregation of duties. By requiring multiple approvers in sequence or parallel, ApprovalMax makes it harder for a single person to push a fraudulent invoice through to payment. This is the primary control against internal collusion fraud.
- Audit trail. Every approval action is logged with timestamp, user, and decision. This is useful for compliance and for investigating anomalies after the fact.
What it does not catch:
ApprovalMax does not capture invoices. It does not detect duplicate invoices. It does not validate vendor bank details. It does not verify ABNs.
An invoice must already be in Xero - captured, coded, and verified - before ApprovalMax can route it. If a fraudulent invoice with altered bank details enters the Xero bill queue through Dext or manual entry, it reaches the ApprovalMax approval queue looking identical to a legitimate invoice. The approver reviewing it is checking for authorisation, not conducting a bank detail audit.
ApprovalMax also does not integrate with MYOB. Australian businesses on MYOB AccountRight or Essentials cannot use it without changing accounting platforms. For a detailed comparison of ApprovalMax’s scope versus full AP automation, see ApprovalMax vs Pulsify.
Xero and MYOB native controls
Both Xero and MYOB include basic controls, but neither is designed as a fraud detection platform.
What they offer:
- User permissions. Both platforms allow businesses to restrict who can create bills, approve payments, and access bank feeds. This is the most basic form of segregation of duties.
- Audit log. Xero maintains a history of changes to each transaction. MYOB logs user actions. Both are viewable by administrators but neither generates alerts or flags suspicious patterns.
- Bill approval (Xero). Xero has a basic approval queue where bills can be held for review before posting. It does not support threshold-based routing, multi-step approval, or role-based access.
What they miss:
Neither Xero nor MYOB checks for duplicate invoices at intake. Neither monitors vendor bank details for changes. Neither validates ABNs against the ATO register. Neither flags amount anomalies or unusual invoice frequency.
The audit logs are retrospective. They show what happened but do not prevent anything. A financial controller reviewing the audit log discovers fraud after payment, not before.
For businesses processing fewer than 10 invoices per month with a small number of known suppliers, native controls combined with manual verification may be sufficient. For any business with meaningful invoice volume or supplier count, the native controls leave the fraud gap wide open.
Comparison table
| Feature | Pulsify | Eftsure | ApprovalMax | Xero/MYOB Native |
|---|---|---|---|---|
| Duplicate invoice detection | Yes, at intake | No | No | No |
| Vendor bank detail validation | Yes, against supplier history | Yes, against verified registry | No | No |
| ABN verification | Yes | Limited | No | No |
| Approval routing with thresholds | Yes | No | Yes | Basic (Xero only) |
| Segregation of duties enforcement | Yes | No | Yes | Manual configuration |
| Invoice capture and coding | Yes | No | No | Manual entry |
| PO matching | Yes | No | No | No |
| Audit trail | Yes | Yes | Yes | Basic |
| MYOB integration | Yes | Yes | No | N/A |
| Xero integration | Yes | Yes | Yes | N/A |
| External bank account registry | No | Yes | No | No |
No single column is all green. That is the point. Each tool covers a different segment of the fraud surface.
What actually prevents invoice fraud
It is not one tool. It is a layered control framework where each layer catches what the others miss. The businesses that avoid invoice fraud are not the ones with the best single product. They are the ones that have controls at every stage of the AP cycle.
Layer 1: Supplier onboarding verification. Before a vendor sends their first invoice, their ABN is validated, their contact details are verified through an independent channel, and their bank details are confirmed directly. The onboarding step has its own approval, separate from invoice approval. A supplier onboarding form formalises this process so it is repeatable and auditable.
Layer 2: Invoice validation at intake. Every incoming invoice is checked against historical records before it enters the approval queue. Duplicate detection runs on invoice number, amount, supplier, and date. Bank details are compared against stored records. ABN status is confirmed. Anomalies in amount or frequency are flagged. Invoices that fail any check are held for review, not passed through.
Layer 3: Approval routing with thresholds. Invoices are routed to the correct approver based on amount, supplier category, cost centre, or entity. No single person can approve and pay the same invoice. High-value invoices require senior sign-off. The approval path is enforced by software, not by policy documents that may or may not be followed.
Layer 4: Bank detail verification before payment. Before the payment run executes, vendor bank details are verified one final time. This catches any changes that occurred between invoice approval and payment execution. For businesses with high payment redirection risk, a registry-based verification tool adds an external validation layer that internal data alone cannot provide.
Each layer operates independently. If one fails, the next catches the gap. A duplicate invoice that somehow passes intake validation still hits an approval threshold. A payment redirection attempt that survives approval still faces bank detail verification at payment.
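The intake checks described under duplicate invoices, payment redirection and Layer 2 can be sketched as follows. This is an added example, not code from any of the products discussed; the `Invoice` fields, reason strings, 30-day window and sample data are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Invoice:
    supplier_id: str
    number: str
    amount_cents: int
    issued: date
    bsb: str
    account: str

def norm_number(n):
    """'INV-0042' and 'inv 42' compare equal: drop punctuation, case, zero padding."""
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", re.sub(r"[^A-Z0-9]", "", n.upper()))

def norm_bank(bsb, account):
    """Compare digits only, so '123-456' matches '123456'."""
    return re.sub(r"\D", "", bsb), re.sub(r"\D", "", account)

def check_intake(inv, history, vendor_bank, window_days=30):
    """Return hold reasons; an empty list means the invoice may enter approval."""
    reasons = []
    for old in history:
        if old.supplier_id != inv.supplier_id:
            continue
        if norm_number(old.number) == norm_number(inv.number):
            reasons.append(f"duplicate_number:{old.number}")
        elif (old.amount_cents == inv.amount_cents
              and abs((inv.issued - old.issued).days) <= window_days):
            # Same amount close in time under a new number: flag, do not auto-reject.
            reasons.append(f"near_duplicate:{old.number}")
    stored = vendor_bank.get(inv.supplier_id)
    if stored is None:
        # No history to compare against: needs a callback or registry check.
        reasons.append("no_stored_bank_details")
    elif norm_bank(*stored) != norm_bank(inv.bsb, inv.account):
        reasons.append("bank_detail_change")
    return reasons

# Constructed sample data (not real suppliers or accounts).
HISTORY = [Invoice("SUP-001", "INV-0042", 420000, date(2024, 3, 1), "123-456", "000111222")]
VENDOR_BANK = {"SUP-001": ("123-456", "000111222")}

if __name__ == "__main__":
    redirected = Invoice("SUP-001", "INV-0050", 510000, date(2024, 4, 2), "654-321", "999888777")
    print(check_intake(redirected, HISTORY, VENDOR_BANK))
```

The `no_stored_bank_details` result corresponds to the first-invoice gap noted earlier: history-based comparison has nothing to compare against until a supplier's details have been confirmed independently.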
The businesses most exposed to invoice fraud are the ones where all four functions sit with one person, checked manually, under time pressure. The three moments when AP is most vulnerable map directly to gaps in this layered framework.
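The segregation-of-duties rules from the internal collusion paragraph and Layer 3 (vendor creator cannot approve, approver cannot pay, amount decides the approver's role) can be enforced in software along these lines. This is an added example, not any vendor's implementation; the role names, dollar thresholds and user names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy (assumption): upper limit in cents -> minimum approver role.
THRESHOLDS = [(500_000, "ap_officer"), (2_000_000, "finance_manager"),
              (None, "financial_controller")]
ROLE_RANK = {"ap_officer": 1, "finance_manager": 2, "financial_controller": 3}

@dataclass
class Bill:
    supplier_id: str
    amount_cents: int
    approved_by: Optional[str] = None

def required_role(amount_cents):
    """Lowest role allowed to approve an invoice of this amount."""
    for limit, role in THRESHOLDS:
        if limit is None or amount_cents <= limit:
            return role

def approval_violations(bill, actor, actor_role, vendor_created_by):
    """Reasons `actor` may not approve `bill`; an empty list means allowed."""
    found = []
    need = required_role(bill.amount_cents)
    if ROLE_RANK[actor_role] < ROLE_RANK[need]:
        found.append(f"needs_role:{need}")
    # Whoever added the vendor to the master file cannot approve its invoices.
    if vendor_created_by.get(bill.supplier_id) == actor:
        found.append("approver_created_vendor")
    return found

def payment_violations(bill, payer):
    """Reasons `payer` may not release payment for `bill`."""
    if bill.approved_by is None:
        return ["not_approved"]
    if bill.approved_by == payer:
        return ["payer_is_approver"]
    return []

# Constructed vendor master audit data: supplier -> user who created the record.
VENDOR_CREATED_BY = {"SUP-001": "bob", "SUP-002": "alice"}

if __name__ == "__main__":
    claim = Bill("SUP-001", 4_500_000)  # the $45,000 subcontractor claim
    print(approval_violations(claim, "alice", "ap_officer", VENDOR_CREATED_BY))
    print(approval_violations(claim, "bob", "financial_controller", VENDOR_CREATED_BY))
```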
For a complete view of how these layers interact in an Australian AP context, the AP controls stack page maps each control to the specific fraud type it addresses.
Choosing the right combination
For businesses processing fewer than 20 invoices per month with a handful of trusted suppliers, manual checks with native Xero or MYOB controls may be adequate, provided someone is actually performing those checks consistently.
For businesses processing 50 or more invoices monthly across multiple suppliers, a platform that handles invoice capture, validation, and approval routing in a single workflow removes the gaps between separate tools. Pulsify covers layers 1 through 3 in a single platform with direct Xero and MYOB integration.
For businesses in industries with high payment redirection risk - construction, real estate, professional services - adding registry-based bank verification at the payment stage provides an external validation layer. Eftsure operates here.
For businesses that already have an invoice capture tool and want approval governance without replacing their existing stack, ApprovalMax adds layer 3 on top of Xero.
The worst option is no option. Manual checks that depend on one person remembering to verify bank details on a Friday afternoon before a long weekend are not controls. They are hopes. And hopes do not show up in an audit trail.
Sources: ACCC Scamwatch Targeting Scams Report · Australian Federal Police: Fraud · ATO ABN Lookup · ATO Record-Keeping for Business