93% of UK companies experienced vendor fraud in 2024. Not attempted fraud. Actual incidents, confirmed by a survey of 150 senior finance, treasury, and AP executives conducted by Trustpair and OpinionWay. Of those affected, 42% experienced at least two successful attacks. And 21% of fraud victims report average losses of £500,000 per incident.
These are not numbers from a marginal or poorly controlled sector. They reflect the current state of AP processes across British businesses of all sizes. And the most uncomfortable part of the data is this: most of that fraud entered through the vendor master.
A fraudulent supplier that gets added to the approved vendor list can submit invoices for months before anyone notices. This guide covers how it happens, what a proper verification process looks like, and how to build controls that stop fraudulent suppliers before the first payment goes out.
A ghost vendor is a fictitious supplier added to the approved vendor list for the purpose of submitting fraudulent invoices. It sounds like an elaborate scheme. In practice, it is often surprisingly straightforward.
In most mid-market businesses, the vendor master is not well governed. Adding a new supplier is a low-friction process, sometimes requiring nothing more than a name, a bank account, and an email address. There is no automatic verification that the bank account belongs to a real business. There is no check against existing suppliers for similarities that might indicate a duplicate or a fraudulent variation. And the person adding the supplier is sometimes the same person who can approve invoices from that supplier.
That combination is all that ghost vendor fraud requires. The rest is patience and a willingness to submit invoices that look routine enough not to attract attention.
The Association for Financial Professionals' 2025 Payments Fraud and Control Survey found that 45% of companies were targets of vendor imposter fraud in 2024, up from 34% the previous year. Three conditions consistently appear in the organisations where fraud persists longest:
No segregation of duties in AP. The same person can add a vendor and approve that vendor's invoices. Trustpair's research found that only 45% of companies have proper segregation of duties across payment-related functions.
No systematic verification at onboarding. New suppliers are added based on a request rather than a process. Bank details are accepted as provided, without independent confirmation.
No ongoing monitoring. Even when initial onboarding is handled properly, vendor records are rarely reviewed after the fact. Bank detail changes go unnoticed. Dormant suppliers with no invoice history are never cleaned up.
External vendor fraud is carried out by fraudsters posing as suppliers or compromising real supplier accounts. It is more visible and more commonly discussed.
Internal vendor fraud involves employees, either acting alone or in collusion with a supplier. It is harder to detect because the perpetrator has legitimate system access and understands the controls well enough to work around them. The ACFE estimates that most internal fraud schemes remain undetected for 12 months, generating average losses of $9,900 per month before discovery.
Both threats require controls, but different ones. External fraud is primarily defended against through verification at onboarding and monitoring of bank detail changes. Internal fraud is primarily defended against through segregation of duties, system access controls, and regular audit of the vendor master.
Vendor onboarding is the point where most fraud prevention controls need to be embedded. A supplier that clears a rigorous onboarding process is significantly less likely to be a fraud vector than one added informally through email.
A secure onboarding process covers four stages:
Identity verification. Confirm the supplier is a real, registered business. For UK suppliers, this means checking Companies House registration, VAT number, and trading address. For international suppliers, the equivalent local registry.
Bank account verification. Confirm that the bank account provided belongs to the company, not to an individual or an unrelated entity. This step is skipped far more often than it should be. It is also the step that would stop the majority of payment diversion fraud before it starts.
Relationship authorisation. Who in the business has approved this supplier relationship? There should be a documented business reason for adding any new supplier, authorised by someone other than the person submitting the request.
Duplicate check. Before the supplier is added, the vendor master should be checked for existing records that match on name, bank account, address, or contact details. Duplicate vendors are one of the most common and least detected sources of fraud.
At minimum, a new supplier should provide:
None of these checks are expensive or time-consuming. They are simply not standard practice in most businesses that have not experienced a fraud incident yet.
Changing a supplier's bank details is the final step in the most common payment diversion schemes. A fraudster, having compromised a supplier's email account or impersonating the supplier convincingly, sends a notification of new bank details. The AP team updates the record. The next payment goes to the fraudster's account.
According to UK Finance's 2025 Annual Fraud Report, UK businesses lost £49 million to invoice and mandate fraud in 2024, with 78% of those losses hitting business accounts rather than personal ones.
The defence is straightforward but requires discipline: any change to a supplier's bank details must be verified through an independent channel. That means calling a phone number already on record for the supplier, never the number quoted in the email requesting the change. If no phone number is on record, the change should not be processed until one has been obtained from a verifiable source.
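As an added illustration of that control in code (this is not Dost's platform code and not part of the original article), the following Python models a bank-detail change request that stays on hold until a second person has called the number captured at onboarding. The record layout, the status names and the sample vendor are assumptions made for the example; the point is that the number quoted in the request is stored but never accepted as the callback number, and that the requester cannot verify their own change.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class VendorRecord:
    vendor_id: str
    name: str
    account: str
    # Captured independently at onboarding (e.g. from the supplier's published
    # contact details), never copied from a later change-request email.
    phone_on_record: Optional[str]

@dataclass
class BankChangeRequest:
    vendor_id: str
    new_account: str
    requested_by: str                 # AP user who keyed the change
    contact_number_in_request: str    # number quoted in the email; kept for the audit trail only
    status: str = "pending"           # pending -> verified, or blocked
    notes: list = field(default_factory=list)

def submit_change(request: BankChangeRequest, vendor: VendorRecord) -> str:
    """Register a change request. Payments to the vendor stay on hold until it is verified."""
    if vendor.phone_on_record is None:
        request.status = "blocked"
        request.notes.append("no independently sourced phone number on record; obtain one before processing")
    else:
        request.status = "pending"
    return request.status

def verify_change(request: BankChangeRequest, vendor: VendorRecord,
                  verifier: str, number_called: str) -> str:
    """Apply the new account only if a different person called the number on record."""
    if request.status == "blocked":
        return request.status
    if verifier == request.requested_by:
        request.notes.append("verifier must differ from requester (segregation of duties)")
        return request.status
    if number_called != vendor.phone_on_record:
        request.notes.append("callback must use the phone number on record, not the number in the request")
        return request.status
    vendor.account = request.new_account
    request.status = "verified"
    return request.status

# Constructed sample vendor and request (not real data).
def demo():
    vendor = VendorRecord("V001", "Northgate Office Supplies Ltd", "20-00-00 12345678",
                          phone_on_record="0113 000 0000")
    req = BankChangeRequest("V001", "40-11-22 87654321", requested_by="alice",
                            contact_number_in_request="07000 000000")
    submit_change(req, vendor)
    verify_change(req, vendor, verifier="bob", number_called="07000 000000")  # rejected
    verify_change(req, vendor, verifier="bob", number_called="0113 000 0000")  # accepted
    return vendor.account, req.status, req.notes

if __name__ == "__main__":
    print(demo())
```

The hold is the important part: nothing in the invoice or payment path should read the new account until `status` is `verified`, and a `blocked` request cannot be cleared by anyone, only replaced once a number has been sourced independently.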
This single control, applied consistently, would prevent the majority of payment diversion fraud.
Most vendor masters in mid-market businesses contain inactive records, potential duplicates, and suppliers who were added years ago without proper documentation. A vendor master audit is not a one-time project. It is a recurring control.
The indicators that warrant further investigation in any vendor master:
None of these alone proves fraud. All of them warrant verification.
Duplicate vendor entries are sometimes genuine errors: the same supplier added twice under slightly different names. They are also sometimes deliberate: a fraudster adding a variation of a real supplier's name to capture misdirected payments.
Automated duplicate detection should check across multiple fields simultaneously: supplier name (including near-matches and common variations), bank account number, sort code, VAT number, and registered address. A manual review of a large vendor master will miss variations that automated matching catches reliably.
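The duplicate check described at onboarding and the multi-field matching described here can be expressed in a few dozen lines. The Python below is an added example, not Dost's code and not from the original article: it normalises supplier names (case, punctuation, legal suffixes such as Ltd or Limited), scores near-matches with the standard library's `difflib`, and compares sort code plus account number, VAT number and address exactly. The vendor master, the field names and the 0.85 similarity threshold are assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample vendor master (not real suppliers or bank details).
VENDOR_MASTER = [
    {"id": "V001", "name": "Northgate Office Supplies Ltd", "sort_code": "20-00-00",
     "account": "12345678", "vat": "GB123456789", "address": "1 High Street, Leeds"},
    {"id": "V002", "name": "Acme Cleaning Services Limited", "sort_code": "40-11-22",
     "account": "87654321", "vat": "GB987654321", "address": "22 Mill Lane, Bristol"},
]

LEGAL_SUFFIXES = r"\b(ltd|limited|plc|llp|co|company|inc)\b"

def normalise_text(value):
    """Lower-case, replace punctuation with spaces, collapse whitespace."""
    value = re.sub(r"[^a-z0-9 ]", " ", (value or "").lower())
    return " ".join(value.split())

def normalise_name(name):
    """Like normalise_text, but also drops legal suffixes so 'X Ltd' == 'X Limited'."""
    return " ".join(re.sub(LEGAL_SUFFIXES, " ", normalise_text(name)).split())

def normalise_digits(value):
    """Keep digits only, so '20-00-00' and '200000' compare equal."""
    return re.sub(r"\D", "", value or "")

def name_similarity(a, b):
    return SequenceMatcher(None, normalise_name(a), normalise_name(b)).ratio()

def find_duplicates(candidate, master=VENDOR_MASTER, name_threshold=0.85):
    """Return [(existing_id, [reasons])] for every master record the candidate collides with."""
    hits = []
    cand_bank = normalise_digits(candidate.get("sort_code")) + normalise_digits(candidate.get("account"))
    cand_vat = normalise_digits(candidate.get("vat"))
    cand_addr = normalise_text(candidate.get("address"))
    for rec in master:
        reasons = []
        score = name_similarity(candidate["name"], rec["name"])
        if score >= name_threshold:
            reasons.append(f"name near-match ({score:.2f})")
        if cand_bank and cand_bank == normalise_digits(rec["sort_code"]) + normalise_digits(rec["account"]):
            reasons.append("same sort code and account number")
        if cand_vat and cand_vat == normalise_digits(rec["vat"]):
            reasons.append("same VAT number")
        if cand_addr and cand_addr == normalise_text(rec["address"]):
            reasons.append("same registered address")
        if reasons:
            hits.append((rec["id"], reasons))
    return hits

if __name__ == "__main__":
    # A misspelt variation of an existing supplier pointing at the same bank account.
    print(find_duplicates({"name": "Northgate Office Supplys Limited", "sort_code": "200000",
                           "account": "12345678", "vat": "GB000000001", "address": "Unit 4, Elsewhere"}))
```

A bank-account or VAT collision is a hard stop regardless of the name score; the name threshold only governs how aggressive the near-match is, and it is worth tuning it against your own vendor master rather than accepting any fixed value.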
Fiscaltec's 2026 guidance on invoice fraud prevention recommends a monthly review that removes duplicate vendor records and suppliers that have submitted no invoices in the last 18 months. The vendor master is a live document, not a historical archive. Treating it as the latter creates the gaps that fraud exploits.
The most effective structural control against vendor fraud is also the most frequently absent. The person who can add a vendor to the approved list should not be the same person who can approve invoices from that vendor. The person who can approve invoices should not be the same person who can initiate payments.
This is not a complex control to implement technically. It is a matter of configuring your AP automation platform and ERP to enforce these separations at the system level, not through informal convention. Informal conventions break down under pressure. System-level controls do not.
Every change to a supplier record (bank account, address, contact name, email address) should trigger an automatic alert and a mandatory review step before the change takes effect. This applies even when the change request appears to come from a legitimate source.
Under the Economic Crime and Corporate Transparency Act 2023 (ECCTA), the "failure to prevent fraud" offence came into force on 1 September 2025, making large organisations criminally liable if they fail to have reasonable fraud prevention procedures in place. Change management alerts are a basic element of what "reasonable procedures" looks like in an AP context.
Not all invoices carry the same risk. A first invoice from a recently added supplier, an invoice with an amount significantly above historical averages for that supplier, or an invoice requesting payment to a bank account that differs from the one on record: each of these should trigger additional verification before approval, regardless of whether the amount falls within the standard approval threshold.
Well-designed approval workflows embed these rules automatically, surfacing the relevant context to the approver rather than relying on them to notice anomalies independently.
Manual fraud detection depends on individuals noticing something unusual. That works at low invoice volumes. At 500 or 1,000 invoices a month, it does not. The pattern recognition required to identify a ghost vendor or a compromised supplier account across a full transaction history is not something a human team can do reliably at scale.
AI-powered AP automation approaches this differently. Every invoice is evaluated against the supplier's full history: typical amounts, invoice frequency, payment patterns, and document characteristics. Deviations from established patterns are flagged automatically, regardless of whether they fall below a manual review threshold.
A supplier that has historically submitted invoices of £2,000 to £4,000 monthly suddenly submitting an invoice for £18,000 is flagged. A supplier whose bank account changes the week before a large payment is due is flagged. A new vendor with no invoice history submitting an invoice on the day they are added is flagged. These flags do not require anyone to be paying close attention. The system is always paying attention.
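The three flags just described, plus the risk-based rules from the approval-workflow section (first invoice from a recently added supplier, amount far above history, payment account differing from the record), can be written as one scoring function. The Python below is an added example, not Dost's platform logic and not from the original article. The supplier records, invoice history, the 3x-median spike rule, the 30-day "new vendor" window and the 14-day bank-change window are all assumptions constructed for the example; a real deployment would tune them per supplier category.

```python
from datetime import date
from statistics import median

# Constructed sample suppliers and invoice history (not real data). Amounts in GBP.
SUPPLIERS = {
    "V001": {"account": "20-00-00 12345678", "added_on": date(2023, 1, 10), "bank_changed_on": None},
    "V003": {"account": "11-22-33 99887766", "added_on": date(2024, 6, 1), "bank_changed_on": date(2025, 3, 1)},
    "V004": {"account": "55-66-77 10101010", "added_on": date(2025, 3, 4), "bank_changed_on": None},
}
HISTORY = {
    "V001": [2100.0, 2400.0, 3900.0, 2800.0, 3300.0, 2600.0],   # roughly monthly, £2k-£4k
    "V003": [5000.0, 5200.0, 4900.0],
    "V004": [],                                                   # brand-new vendor
}

def invoice_flags(invoice, suppliers=SUPPLIERS, history=HISTORY,
                  spike_factor=3.0, new_vendor_days=30, bank_change_window_days=14):
    """Return the reasons an invoice needs extra verification; an empty list means routine."""
    sup = suppliers[invoice["supplier_id"]]
    past = history.get(invoice["supplier_id"], [])
    flags = []
    if not past:
        flags.append("first invoice from this supplier")
    if (invoice["received_on"] - sup["added_on"]).days <= new_vendor_days:
        flags.append(f"supplier added within the last {new_vendor_days} days")
    if past:
        typical = median(past)
        if invoice["amount"] > spike_factor * typical:
            flags.append(f"amount {invoice['amount']:.2f} exceeds {spike_factor}x historical median {typical:.2f}")
    if invoice["pay_to_account"] != sup["account"]:
        flags.append("payment account on invoice differs from account on record")
    changed = sup.get("bank_changed_on")
    if changed and 0 <= (invoice["due_on"] - changed).days <= bank_change_window_days:
        flags.append(f"bank details changed within {bank_change_window_days} days of the due date")
    return flags

# Constructed sample invoices exercising each rule.
SAMPLE_INVOICES = [
    {"id": "INV-1", "supplier_id": "V001", "amount": 18000.0, "received_on": date(2025, 4, 2),
     "due_on": date(2025, 5, 2), "pay_to_account": "20-00-00 12345678"},      # spike
    {"id": "INV-2", "supplier_id": "V001", "amount": 3100.0, "received_on": date(2025, 4, 2),
     "due_on": date(2025, 5, 2), "pay_to_account": "20-00-00 12345678"},      # routine
    {"id": "INV-3", "supplier_id": "V004", "amount": 900.0, "received_on": date(2025, 3, 4),
     "due_on": date(2025, 4, 3), "pay_to_account": "55-66-77 20202020"},      # new vendor, wrong account
    {"id": "INV-4", "supplier_id": "V003", "amount": 5100.0, "received_on": date(2025, 3, 3),
     "due_on": date(2025, 3, 10), "pay_to_account": "11-22-33 99887766"},     # bank change before payment
]

def review_sample():
    """Evaluate every sample invoice; anything with flags should be held for review."""
    return {inv["id"]: invoice_flags(inv) for inv in SAMPLE_INVOICES}

if __name__ == "__main__":
    for inv_id, flags in review_sample().items():
        print(inv_id, "HOLD" if flags else "ok", flags)
```

Note that none of the rules looks at the approval threshold: an £900 invoice from a vendor added today is held even though the amount itself would normally pass, which is exactly the point the passage makes.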
Dost's AP automation platform includes vendor verification controls built into the workflow. Bank detail changes trigger an automatic hold and a verification step before any invoice from that supplier can proceed. New vendor invoices are routed for additional review regardless of amount. Duplicate supplier detection runs automatically against the full vendor master on every new addition.
The approval workflow enforces segregation of duties by design: the system prevents the same user from adding a vendor and approving that vendor's invoices. And the complete audit trail records every action on every supplier record, so any unusual activity is visible and attributable.
Book a demo to see how Dost's vendor controls work in practice.
Ghost vendors are usually added by an internal employee who has both the system access to create a vendor record and the approval authority to process invoices from that vendor. The record is typically designed to look plausible: a real-sounding company name, a bank account in that name, and contact details that route back to the fraudster. The most effective prevention is removing the single-person access to both functions. If adding a vendor requires one person and approving invoices from that vendor requires a different person, the ghost vendor scheme requires collusion, which is significantly harder to sustain.
The most reliable indicator is a bank account that does not match the company's registered details, or a bank account that matches closely (but not exactly) with another supplier already in the system. Other consistent indicators are: a personal email domain rather than a business domain, a PO box as the primary address, and a pattern of invoices that are either always round numbers or that cluster just below approval thresholds. Any one of these warrants verification. A combination of two or more warrants a full review of the supplier record and invoice history.
At minimum, quarterly. Fiscaltec recommends monthly for businesses with high supplier volumes or recent fraud incidents. The audit should cover: duplicate detection across name, account, and address; review of suppliers with no invoice activity in the last 18 months; verification of bank account details for suppliers with recent changes; and a segregation of duties check to confirm no single user has both add-vendor and approve-invoice permissions. Businesses using automated AP platforms can run most of these checks continuously rather than periodically, which is significantly more effective.
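The recurring audit just described (dormant suppliers, unverified bank changes, and a segregation-of-duties check) is the kind of thing that is easy to run on a schedule once it is written down as code. The Python below is an added example, not Dost's platform code and not from the original article. The vendor fields, the user-permission map and the "toxic" permission pairs (add-vendor with approve-invoice, approve-invoice with initiate-payment, the two separations the article calls for) are assumptions constructed for the example; duplicate detection is left out here because it is covered separately above.

```python
from datetime import date

# Constructed sample vendor master and user directory (not real data).
VENDORS = [
    {"id": "V001", "last_invoice": date(2025, 9, 1),   "bank_changed_on": None,             "bank_change_verified": True},
    {"id": "V002", "last_invoice": date(2023, 11, 15), "bank_changed_on": None,             "bank_change_verified": True},
    {"id": "V003", "last_invoice": date(2025, 8, 20),  "bank_changed_on": date(2025, 9, 10), "bank_change_verified": False},
    {"id": "V004", "last_invoice": None,               "bank_changed_on": None,             "bank_change_verified": True},
]
USER_PERMISSIONS = {
    "alice": {"add_vendor", "edit_vendor"},
    "bob":   {"approve_invoice"},
    "carol": {"add_vendor", "approve_invoice"},        # can create a vendor and approve its invoices
    "dave":  {"approve_invoice", "initiate_payment"},  # can approve and then pay
}
# Permission pairs no single user should hold at the same time.
TOXIC_PAIRS = [("add_vendor", "approve_invoice"), ("approve_invoice", "initiate_payment")]

def months_before(d, months):
    """First day of the month `months` before `d` (calendar months, not 30-day approximations)."""
    years, month_index = divmod(d.month - 1 - months, 12)
    return date(d.year + years, month_index + 1, 1)

def dormant_vendors(vendors, as_of, months=18):
    """Suppliers with no invoice in the last `months` months, or no invoice ever."""
    cutoff = months_before(as_of, months)
    return [v["id"] for v in vendors if v["last_invoice"] is None or v["last_invoice"] < cutoff]

def unverified_bank_changes(vendors):
    """Suppliers whose bank details changed but were never confirmed via an independent channel."""
    return [v["id"] for v in vendors if v["bank_changed_on"] and not v["bank_change_verified"]]

def sod_violations(perms, toxic=TOXIC_PAIRS):
    """Every (user, permission_a, permission_b) where one user holds both halves of a toxic pair."""
    return sorted((user, a, b) for user, rights in perms.items()
                  for a, b in toxic if a in rights and b in rights)

def audit(vendors=VENDORS, perms=USER_PERMISSIONS, as_of=date(2025, 10, 1)):
    """One audit run; each list is a work queue for the reviewer."""
    return {
        "dormant": dormant_vendors(vendors, as_of),
        "unverified_bank_changes": unverified_bank_changes(vendors),
        "sod_violations": sod_violations(perms),
    }

if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings}")
```

Running this monthly, or continuously on every vendor or permission change, turns the quarterly audit into an ongoing control; the SoD check in particular should be re-run whenever a user's roles change, since that is when the toxic combinations usually appear.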
Vendor fraud is not a peripheral risk. With 93% of UK companies experiencing it in 2024 and average losses reaching £500,000 per incident among those hit hardest, it is one of the most significant financial risks facing AP teams today.
The controls that prevent it are not technically complex. A rigorous onboarding process, independent bank detail verification, segregation of duties, and regular vendor master audits eliminate the conditions that most vendor fraud relies on. What makes these controls hard to maintain is not their design but their consistent application at scale, which is exactly what automation handles.
A finance team that has embedded these controls into its AP platform does not need to rely on individuals noticing anomalies. The system notices them, flags them, and holds payment until they are resolved.
See how Dost's vendor controls work across your AP process.