Invoice Verification and Fraud Prevention Checklist
Invoice fraud costs businesses billions annually. This checklist helps you prevent the most common fraud schemes targeting accounts payable.
Understanding Invoice Fraud Types
External Fraud
Fake Invoice Scam: Scammers send invoices for goods/services never ordered or received, hoping they’ll be paid without verification.
Vendor Impersonation: Fraudsters impersonate legitimate vendors, sending invoices that look authentic but direct payment to their accounts.
Business Email Compromise (BEC): Criminals spoof or hack email accounts to request banking changes or urgent payments.
Overbilling Schemes: Vendors intentionally inflate prices, quantities, or add unauthorized charges.
Internal Fraud
Ghost Vendor: An employee creates a fictitious vendor and submits invoices for payment to themselves.
Kickback Schemes: An employee colludes with a vendor, approving inflated invoices in exchange for personal payment.
Check Tampering: An employee alters checks, creates unauthorized checks, or steals signed checks.
Complete Fraud Prevention Checklist
Vendor Onboarding Controls
- [ ] Written vendor approval process documented
- [ ] New vendor requests require business justification
- [ ] Vendor legitimacy verified (state registration, web presence)
- [ ] Physical address verified (not vacant lot or mail drop)
- [ ] W-9 collected and TIN verified
- [ ] Banking information verified via callback
- [ ] Vendor addresses compared to employee addresses
- [ ] Reference checks for significant vendors
- [ ] Approval required from someone other than requester
- [ ] Audit trail of vendor setup maintained
Vendor Change Controls
- [ ] Banking change process documented
- [ ] Banking changes require dual approval
- [ ] Verification callback required for ALL banking changes
- [ ] Call-back uses independently sourced phone number (not from email)
- [ ] Written confirmation obtained from vendor
- [ ] Waiting period before activating new banking (24-48 hours)
- [ ] Test payment for significant vendors
- [ ] Audit trail of all vendor changes
Invoice Verification Controls
- [ ] Invoices matched to approved POs
- [ ] Three-way match (PO, receipt, invoice) required
- [ ] Invoices without PO require additional approval
- [ ] Invoice descriptions verified for specificity
- [ ] Pricing compared to contracts/agreements
- [ ] Duplicate invoice detection enabled
- [ ] Invoice numbers checked for consistency
- [ ] Vendor information verified against master file
- [ ] Round dollar amounts flagged for review
- [ ] Unusual vendors or amounts escalated
Payment Controls
- [ ] Payments only processed from approved invoices
- [ ] Dual signature/approval above threshold
- [ ] Positive pay implemented with bank
- [ ] Check stock secured with limited access
- [ ] Voided checks retained and defaced
- [ ] No payments to new vendors without extra verification
- [ ] Wire transfers require dual authorization
- [ ] Rush payment requests require escalated approval
- [ ] Payments to foreign accounts reviewed carefully
- [ ] Virtual card usage monitored and reconciled
Segregation of Duties
- [ ] Vendor setup separated from payment processing
- [ ] Invoice approval separated from vendor setup
- [ ] Payment creation separated from payment release
- [ ] Bank reconciliation performed by non-AP staff
- [ ] Check signing separated from check preparation
- [ ] No single person controls entire P2P cycle
Email Security
- [ ] Staff trained on BEC/phishing recognition
- [ ] Email domain verification for vendor communication
- [ ] Urgent payment requests verified independently
- [ ] Reply-to addresses checked against sender
- [ ] Links not clicked in unexpected emails
- [ ] Attachments scanned before opening
- [ ] CFO/executive impersonation alerts in place
- [ ] Out-of-band verification for unusual requests
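
The sender-domain, reply-to and urgency checks from this list can be automated as a first-pass filter. The sketch below is an added example, not part of the original checklist; the vendor domain, the pressure-word list, the similarity cutoff and the sample message are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed: vendor domains come from the vendor master file, never from the email.
VENDOR_DOMAINS = {"acme-supply.example"}
PRESSURE_WORDS = ("urgent", "immediately", "asap", "today")  # assumed word list

# Constructed message: digit "1" swapped for "l" in the sender domain.
RAW = """\
From: "Acme Supply AR" <billing@acme-supp1y.example>
Reply-To: ar.acme@freemail.example
To: ap@yourco.example
Subject: URGENT: updated bank details for invoice 2291

Please use the new account for all future payments.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def check_vendor_email(raw, vendor_domains, lookalike_ratio=0.85):
    """Return the list of red flags found in the headers of one raw message."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if sender not in vendor_domains:
        # Close but not equal to a known vendor domain suggests impersonation.
        near = sorted(d for d in vendor_domains
                      if SequenceMatcher(None, sender, d).ratio() >= lookalike_ratio)
        if near:
            findings.append("lookalike_domain:" + near[0])
        else:
            findings.append("unknown_sender_domain")
    if reply_to and reply_to != sender:
        findings.append("reply_to_domain_mismatch")
    subject = (msg["Subject"] or "").lower()
    if any(word in subject for word in PRESSURE_WORDS):
        findings.append("urgency_language")
    return findings

if __name__ == "__main__":
    print(check_vendor_email(RAW, VENDOR_DOMAINS))
```

An empty result only means the headers look consistent; a message sent from a genuinely compromised vendor mailbox passes these checks, which is why the callback on an independently sourced number still applies.
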
Monitoring and Detection
- [ ] Regular review of vendor master changes
- [ ] Analysis of new vendors receiving quick payments
- [ ] Review of vendors paid without POs
- [ ] Monitoring of payments just under approval thresholds
- [ ] Review of sequential invoice numbers from same vendor
- [ ] Analysis of weekend/holiday payment activity
- [ ] Vendor spend analytics for anomalies
- [ ] Employee address matching to vendor addresses
- [ ] Duplicate payment analysis
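
Several of these reviews reduce to simple rules over the payment ledger. The following is an added example, not part of the original checklist: it runs duplicate, round-amount, just-under-threshold, no-PO, weekend and new-vendor checks, plus a sequential-invoice-number check, over constructed sample rows. The approval limit, the 95% band and the 7-day window are assumed policy values.

```python
from collections import defaultdict
from datetime import date

# Assumed policy values; tune them to your own approval matrix.
APPROVAL_LIMIT = 1_000_000    # cents: payments at or above this need dual approval
NEAR_LIMIT_PCT = 95           # "just under" = from 95% of the limit up to the limit
QUICK_PAY_DAYS = 7            # vendor paid within a week of being set up

# Constructed sample data. Amounts are integer cents to avoid float rounding.
# (payment_id, vendor_id, invoice_no, amount_cents, paid_on, po_number)
PAYMENTS = [
    ("P1", "V100", "INV-2291", 481_237, date(2024, 3, 4), "PO-881"),
    ("P2", "V100", "inv-2291 ", 481_237, date(2024, 3, 18), "PO-881"),
    ("P3", "V200", "1001", 990_000, date(2024, 3, 9), None),
    ("P4", "V200", "1002", 975_000, date(2024, 3, 12), None),
    ("P5", "V300", "A-77120", 1_523_018, date(2024, 3, 14), "PO-902"),
]
VENDOR_CREATED = {"V100": date(2022, 6, 1), "V200": date(2024, 3, 6),
                  "V300": date(2021, 1, 15)}

def flag_payments(payments, vendor_created):
    """Return {payment_id: sorted list of red flags} for payments with any flag."""
    flags, seen = defaultdict(set), {}
    for pid, vendor, inv, cents, paid_on, po in payments:
        key = (vendor, inv.strip().upper(), cents)    # normalise before comparing
        if key in seen:
            flags[pid].add("duplicate_of_" + seen[key])
        seen.setdefault(key, pid)
        if cents >= 100_000 and cents % 10_000 == 0:  # whole hundreds, >= 1,000.00
            flags[pid].add("round_amount")
        if APPROVAL_LIMIT * NEAR_LIMIT_PCT // 100 <= cents < APPROVAL_LIMIT:
            flags[pid].add("just_under_threshold")
        if po is None:
            flags[pid].add("no_po")
        if paid_on.weekday() >= 5:                    # 5 = Saturday, 6 = Sunday
            flags[pid].add("weekend_payment")
        if (paid_on - vendor_created[vendor]).days <= QUICK_PAY_DAYS:
            flags[pid].add("new_vendor_quick_pay")
    return {pid: sorted(f) for pid, f in flags.items()}

def sequential_invoice_vendors(payments):
    """Vendors whose numeric invoice numbers run consecutively with no gaps."""
    nums = defaultdict(list)
    for _pid, vendor, inv, *_rest in payments:
        if inv.strip().isdigit():
            nums[vendor].append(int(inv))
    return sorted(v for v, n in nums.items()
                  if len(n) > 1 and sorted(n) == list(range(min(n), min(n) + len(n))))

if __name__ == "__main__":
    for pid, found in flag_payments(PAYMENTS, VENDOR_CREATED).items():
        print(pid, found)
    print("sequential:", sequential_invoice_vendors(PAYMENTS))
```

A single flag is a prompt for review rather than proof of fraud; payments that collect several flags at once, like P3 in the sample data, are the ones to escalate first.
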
System Controls
- [ ] User access limited to job requirements
- [ ] Unique user IDs (no shared accounts)
- [ ] Access rights reviewed regularly
- [ ] Terminated employee access removed promptly
- [ ] System audit trail enabled and monitored
- [ ] Sensitive transactions logged
- [ ] Failed login monitoring
- [ ] Regular security updates applied
Red Flags to Watch For
Invoice Red Flags
| Red Flag | Why It Matters |
|---|---|
| Round dollar amounts | Real invoices usually have specific amounts |
| Vague descriptions | Legitimate vendors describe what they provided |
| No PO reference | May be unauthorized purchase |
| Invoice number format changed | Could be different (fake) vendor |
| Vendor name slightly different | Impersonation attempt |
| Different remit-to address | Payment diversion |
| First-time vendor, large amount | Higher risk transaction |
| Rush request with urgency | Pressure to bypass controls |
Vendor Red Flags
| Red Flag | Why It Matters |
|---|---|
| PO Box only address | Harder to verify legitimacy |
| Personal email domain | May not be legitimate business |
| No online presence | Business may not exist |
| Address matches employee | Internal fraud scheme |
| Banking in personal name | Should match business |
| Refuses to provide W-9 | Tax compliance or fraud concern |
| New vendor, old invoices | May be catching up on fake billings |
Behavioral Red Flags
| Red Flag | Why It Matters |
|---|---|
| Employee won’t take vacation | Doesn’t want scheme discovered |
| Defensive about certain vendors | Protecting fraudulent relationship |
| Living beyond means | May be receiving kickbacks |
| Handles certain vendors exclusively | Could be hiding fraud |
| Resists process changes | Changes might expose scheme |
| Works unusual hours alone | Opportunity for fraud |
Fraud Prevention Best Practices
Training
- [ ] Annual fraud awareness training for all AP staff
- [ ] Phishing simulation exercises
- [ ] Updates on new fraud schemes
- [ ] Clear reporting channels for concerns
- [ ] Protection for whistleblowers
Verification Procedures
For Banking Changes:
1. Receive change request
2. Do NOT use contact info from the request
3. Look up vendor contact from existing records
4. Call to verify the change
5. Get written confirmation
6. Implement waiting period
7. Send test payment
8. Document all verification steps

For New Vendors:
1. Verify business registration
2. Confirm physical address
3. Check for online presence
4. Verify W-9 information
5. Confirm banking
6. Get references (significant vendors)
7. Document verification

Regular Reviews
- [ ] Monthly vendor master audit
- [ ] Quarterly payment analytics review
- [ ] Annual control effectiveness testing
- [ ] Surprise audits of AP processes
- [ ] Periodic vendor confirmation mailings
Response Procedures
If You Suspect Fraud
Immediate Steps:
1. Stop any pending payments to the vendor
2. Do not alert the suspected fraudster
3. Preserve all documentation
4. Document your observations
5. Report to appropriate authority

Reporting Channels:
- Direct supervisor (unless involved)
- Internal audit
- Ethics hotline
- HR
- Legal counsel
- Law enforcement (for significant fraud)

If You’ve Been Defrauded
For Payment Diversion:
1. Contact your bank immediately
2. Request wire recall (time-critical)
3. File police report
4. Report to FBI IC3 (ic3.gov)
5. Notify your insurance carrier
6. Document everything

For Check Fraud:
1. Contact bank about check
2. Implement positive pay if not already
3. Review and void compromised check stock
4. File police report
5. Notify affected vendors

Key Takeaways
- Prevention is far cheaper than recovery
- Verification callbacks are your best defense against BEC
- Segregation of duties prevents internal fraud
- Trust but verify—even with known vendors
- Train staff to recognize red flags
- Regular monitoring catches fraud faster
- Document everything for investigations
Related Reading
- Three-Way Matching - PO-receipt-invoice verification
- Positive Pay - Bank check fraud prevention
- AP Internal Controls - Complete controls framework