In September 2025 alone, 83 businesses in Britain reported falling victim to invoice fraud. The average loss per victim: £47,000. The combined total: nearly £4 million. In a single month.
Those are the reported cases. According to the ICAEW, only 14% of invoice fraud incidents are ever reported to authorities. Which means the real scale of the problem is somewhere closer to £28 million lost in that same month, from a crime that most victims either do not notice or do not report because they feel the damage is already done.
Invoice fraud is the most common fraud type targeting businesses today. And it is almost entirely preventable with the right controls in place.
This guide covers what it is, how it works, and what finance teams can do to stop it before it costs them.
Invoice fraud is any scheme in which a business is manipulated into making a payment that it should not have made, typically by presenting a false or altered invoice as legitimate.
It can be as simple as a duplicate invoice submitted twice with slightly different reference numbers. It can be as sophisticated as a months-long infiltration of a supplier's email systems to intercept genuine invoices and redirect payments.
The Home Office Economic Crime Survey 2024 found that over a quarter of UK businesses with employees experienced fraud attempts in the 12 months before the survey. The ICAEW puts invoice fraud as the most common threat, affecting 1 in 10 businesses directly.
The National Crime Agency and NatWest issued a joint warning in early 2026. The NCA has since launched a dedicated campaign targeting AP professionals and finance teams, specifically because invoice fraud is growing and the controls in most businesses are not keeping up.
Construction and manufacturing account for a quarter of all invoice fraud cases, but no sector is immune. The common thread across victims is not industry. It is process: businesses that rely heavily on manual AP workflows, email-based approvals, and limited visibility across their payables are consistently more exposed.
Large enterprises tend to have dedicated fraud teams, sophisticated ERP controls, and internal audit functions that run continuously. Small businesses process low invoice volumes where anomalies are easy to spot.
Mid-market companies sit in an uncomfortable middle ground. Invoice volumes are high enough that individual transactions do not get close scrutiny. Controls are often a mix of manual checks and basic software that was not designed with fraud detection in mind. And the finance team, typically lean and stretched at month-end, does not have the capacity to investigate every exception properly.
That combination makes mid-market businesses a consistently attractive target for invoice fraud.
Most conversations about invoice fraud focus on external threats: fraudsters impersonating suppliers, intercepting emails, submitting fake invoices. That is the more visible threat.
But internal fraud, carried out by employees or in collusion with a supplier, accounts for a significant proportion of cases. It is also harder to detect, because the person committing the fraud often has legitimate access to the systems and processes being exploited.
A robust AP process needs to defend against both.
A ghost vendor is a fictitious supplier added to the approved vendor list. Invoices are submitted in the ghost vendor's name, approved by someone with the right access and often the right motive, and paid to a bank account controlled by the fraudster.
In most cases, ghost vendor fraud requires an insider. Someone with access to the vendor master who can add a new supplier, and someone with approval rights who can authorise the payment. This is why segregation of duties in AP is not optional: the person who can add a vendor should not be the same person who can approve invoices from that vendor.
A supplier submits the same invoice twice, with minor differences in the reference number, date, or amount. In a manual AP environment where invoices arrive by email and are entered into a system by hand, duplicates slip through more often than finance teams realise.
The ICAEW notes that this is one of the most common and least detected forms of invoice fraud, precisely because it is low-drama. There is no fake supplier, no impersonation, no elaborate scheme. Just a second invoice that looks enough like the first to pass a surface-level check.
Automated duplicate detection, matching across supplier, amount, date, and reference number with tolerance logic, catches these reliably. Manual review does not.
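The tolerance matching described above can be sketched as follows. This is an added example, not code from the original page or from any vendor's product; the `Invoice` fields, the three tolerance values and the sample ledger are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from difflib import SequenceMatcher
from itertools import combinations
import re

# Assumed tolerances for illustration; tune them against your own invoice history.
AMOUNT_TOLERANCE = Decimal("0.01")  # amounts within 1% count as the same
DATE_WINDOW_DAYS = 7                # invoice dates within a week count as close
REF_SIMILARITY = 0.85               # minimum similarity of normalised references

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    supplier_id: str
    reference: str
    amount: Decimal
    issued: date

def normalise_ref(ref: str) -> str:
    """Ignore case, punctuation and leading zeros: 'INV-00412' -> 'inv412'."""
    tokens = re.findall(r"[a-z]+|\d+", ref.lower())
    return "".join(t.lstrip("0") or "0" for t in tokens)

def is_probable_duplicate(a: Invoice, b: Invoice) -> bool:
    if a.supplier_id != b.supplier_id:
        return False
    amount_close = abs(a.amount - b.amount) <= max(a.amount, b.amount) * AMOUNT_TOLERANCE
    date_close = abs((a.issued - b.issued).days) <= DATE_WINDOW_DAYS
    score = SequenceMatcher(None, normalise_ref(a.reference), normalise_ref(b.reference)).ratio()
    # Same supplier and near-equal amount, plus a matching reference or date, goes to review.
    return amount_close and (score >= REF_SIMILARITY or date_close)

def find_duplicates(invoices):
    """Return (earlier_id, later_id) pairs that should be held for review."""
    return [(a.invoice_id, b.invoice_id)
            for a, b in combinations(invoices, 2) if is_probable_duplicate(a, b)]

# Constructed sample ledger (not real data).
LEDGER = [
    Invoice("A1", "SUP-001", "INV-00412", Decimal("4750.00"), date(2025, 9, 3)),
    Invoice("A2", "SUP-001", "inv 412", Decimal("4750.00"), date(2025, 9, 19)),
    Invoice("A3", "SUP-001", "INV-00455", Decimal("4750.00"), date(2025, 10, 3)),
    Invoice("B1", "SUP-002", "2025/0917-A", Decimal("1200.00"), date(2025, 9, 10)),
    Invoice("B2", "SUP-002", "2025/0917-B", Decimal("1195.00"), date(2025, 9, 12)),
    Invoice("C1", "SUP-003", "INV-00412", Decimal("4750.00"), date(2025, 9, 3)),
]
print(find_duplicates(LEDGER))
```

The recurring monthly invoice A3 is not flagged even though its amount is identical, because neither its reference nor its date is close to the earlier ones.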
A genuine supplier submits a real invoice, but the amount has been altered. Sometimes this is the supplier's doing. Sometimes it is an internal employee who intercepts the invoice before it enters the AP system and changes the figure.
This type of fraud is particularly hard to detect manually when the amounts involved are small enough to fall within informal approval thresholds, or when the finance team processes high volumes of invoices from the same supplier and does not check each one against the corresponding purchase order.
3-way matching, comparing every invoice against the purchase order and delivery note before approval, eliminates this risk at the point of processing.
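A sketch of the 3-way match, added here as an example and not taken from the original page or from any product. It assumes one invoice per purchase order and one invoice line per SKU; the `Line` type, the 2% price tolerance and the sample documents are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal

PRICE_TOLERANCE = Decimal("0.02")  # assumption: allow 2% unit-price variance

@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    unit_price: Decimal = Decimal("0")  # delivery notes carry no price

def three_way_match(po, delivery, invoice):
    """Return (sku, reason) exceptions; an empty list means the invoice matches."""
    ordered = {line.sku: line for line in po}
    received = Counter()
    for line in delivery:            # partial deliveries of one SKU are summed
        received[line.sku] += line.qty
    exceptions = []
    for line in invoice:
        po_line = ordered.get(line.sku)
        if po_line is None:
            exceptions.append((line.sku, "not_on_po"))
            continue
        if line.qty > po_line.qty:
            exceptions.append((line.sku, "qty_exceeds_po"))
        if line.qty > received[line.sku]:
            exceptions.append((line.sku, "qty_exceeds_delivery"))
        if abs(line.unit_price - po_line.unit_price) > po_line.unit_price * PRICE_TOLERANCE:
            exceptions.append((line.sku, "price_variance"))
    return exceptions

# Constructed sample documents (not real data).
PO = [Line("WIDGET", 100, Decimal("12.50")), Line("BRACKET", 40, Decimal("3.20"))]
DELIVERY = [Line("WIDGET", 60), Line("WIDGET", 40), Line("BRACKET", 30)]
CLEAN = [Line("WIDGET", 100, Decimal("12.50")), Line("BRACKET", 30, Decimal("3.20"))]
ALTERED = [
    Line("WIDGET", 100, Decimal("13.75")),   # unit price raised 10%
    Line("BRACKET", 40, Decimal("3.20")),    # bills 40, only 30 delivered
    Line("FREIGHT", 1, Decimal("250.00")),   # never ordered
]

print(three_way_match(PO, DELIVERY, ALTERED))
```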
Business email compromise, or BEC, is the most financially damaging form of invoice fraud. The fraudster gains access to a supplier's email account, monitors the relationship, and at the right moment, sends a convincing email notifying the AP team of new bank details.
The invoice looks genuine because it comes from a genuine email account. The bank detail change looks routine because supplier banking updates are common. By the time the payment is made and the real supplier follows up on their overdue invoice, the money is gone.
According to the NCA, BEC is increasingly sophisticated and difficult to detect through manual review alone. The defence is process: any change to supplier bank details should require independent verification through a phone call to a number on record, not a number provided in the email.
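The call-back rule can be enforced as a payment-release gate rather than left to memory. The following is an added example, not code from the original page or from any product; the record layout, the hold reason names and the 14-day new-supplier window are assumptions, and the accounts and phone numbers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NEW_SUPPLIER_WINDOW = timedelta(days=14)  # assumption: review period after onboarding

@dataclass
class BankChange:
    new_account: str
    callback_number: Optional[str]  # number actually dialled to confirm; None if no call

@dataclass
class Supplier:
    supplier_id: str
    created_on: date
    phone_on_record: str            # captured at onboarding, never taken from a change request
    account_on_record: str
    last_change: Optional[BankChange] = None

def payment_holds(supplier: Supplier, pay_to_account: str, today: date) -> list:
    """Return the reasons to hold a payment; an empty list means release."""
    reasons = []
    if pay_to_account != supplier.account_on_record:
        reasons.append("account_not_on_record")
    change = supplier.last_change
    if change is not None:
        if change.callback_number is None:
            reasons.append("bank_change_unverified")
        elif change.callback_number != supplier.phone_on_record:
            reasons.append("callback_not_to_number_on_record")
    if today - supplier.created_on <= NEW_SUPPLIER_WINDOW:
        reasons.append("new_supplier_review")
    return reasons

# Constructed sample data: placeholder accounts and phone numbers.
ON_RECORD, FROM_EMAIL = "+44 20 7946 0101", "+44 20 7946 0199"
TODAY = date(2025, 9, 30)
steady = Supplier("SUP-001", date(2023, 1, 9), ON_RECORD, "ACCT-OLD-0001")
redirected = Supplier("SUP-002", date(2022, 6, 1), ON_RECORD, "ACCT-NEW-0002",
                      BankChange("ACCT-NEW-0002", callback_number=FROM_EMAIL))
confirmed = Supplier("SUP-003", date(2022, 6, 1), ON_RECORD, "ACCT-NEW-0003",
                     BankChange("ACCT-NEW-0003", callback_number=ON_RECORD))
print(payment_holds(redirected, "ACCT-NEW-0002", TODAY))
```

The `redirected` supplier is held even though a call was made, because the number dialled came from the change request and not from the onboarding record.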
The newest and most concerning development in invoice fraud is the use of AI to generate convincing fake invoices, complete with accurate logos, formatting, VAT numbers, and bank details. These documents can pass visual inspection and, in some cases, automated checks that rely on pattern matching rather than semantic understanding.
The counter to deepfake invoices is not better pattern matching. It is AI-powered anomaly detection that evaluates the full context of an invoice against supplier history, payment patterns, and organisational norms, flagging deviations that a template check would not catch.
Most invoice fraud does not announce itself. It exploits the gaps that exist in every organisation: the approval threshold that is just low enough to avoid scrutiny, the new supplier that was not properly verified, the month-end rush that made someone wave through an exception that should have been investigated.
A typical BEC fraud unfolds over weeks. The fraudster monitors the email chain, learns the timing of regular payments, and identifies who in the AP team has approval authority. The bank detail change email arrives at a moment of high workload, worded in a way that sounds routine. By the time anyone questions it, the payment has cleared.
What allowed it to go undetected is almost always the same set of conditions: approval by email without independent verification, no automated check on whether the bank account is new or has recently changed, and no system-level flag that something unusual had happened.
These are not failures of intelligence. They are failures of process and tooling.
Some fraud indicators are visible to a diligent AP team:
The problem is not that these flags are invisible. It is that a busy AP team processing hundreds of invoices a month cannot reliably spot them across every transaction, every time.
Manual controls are effective when volume is low, processes are stable, and the team has time to investigate properly. None of those conditions reliably hold in a growing business.
Month-end is when fraud most often succeeds. Pressure to close the books creates a bias toward processing rather than scrutinising. That is exactly when a fraudster who has been watching the organisation will make their move.
The other consistent failure point is exception tolerance. When an AP team is overwhelmed, exceptions that should trigger investigation get approved with a note to follow up. Follow-up rarely happens. The exception becomes the payment.
AI-powered AP automation approaches fraud detection differently. Instead of relying on a human to notice a red flag, it evaluates every invoice against the full context of the supplier relationship: historical invoices, typical amounts, payment timing, bank account history, and consistency with the purchase order and delivery note.
Anomalies are flagged automatically, regardless of the volume being processed or the time of month. A bank detail change on a supplier account triggers a verification step. A duplicate submission is caught before it reaches approval. An invoice from a supplier whose account was created last week is routed for additional review.
The system does not have bad days. It does not miss things because it is tired or under pressure. That consistency is the most important property of automated fraud detection in a finance context.
The most effective fraud controls are the ones built into the process itself, not the ones that rely on someone remembering to apply them.
The single most effective structural control against fraud is ensuring that no one person can complete a fraudulent transaction alone. The person who adds a vendor should not be able to approve that vendor's invoices. The person who approves invoices should not be able to initiate payments. The person who initiates payments should not be able to modify supplier bank details.
These are not bureaucratic rules. They are the practical reason why collusion is required for most internal fraud to succeed, and collusion is significantly harder to sustain over time.
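The three separations listed above can be checked against what actually happened in the audit trail. This is an added example, not code from the original page or from any product; the event fields and action names are hypothetical, and the check is scoped per vendor as a simplifying assumption.

```python
from collections import defaultdict

# Duty pairs that the paragraph above says one person must not hold together.
CONFLICTS = [
    ("vendor_added", "invoice_approved"),
    ("invoice_approved", "payment_initiated"),
    ("payment_initiated", "bank_details_changed"),
]

def sod_violations(events):
    """Return sorted (vendor, actor, duty_a, duty_b) tuples for conflicting duties."""
    duties = defaultdict(set)            # (vendor, actor) -> actions performed
    for event in events:
        duties[(event["vendor"], event["actor"])].add(event["action"])
    return sorted(
        (vendor, actor, a, b)
        for (vendor, actor), actions in duties.items()
        for a, b in CONFLICTS
        if a in actions and b in actions
    )

# Constructed audit-trail extract (not real data); field names are hypothetical.
AUDIT_LOG = [
    {"actor": "alice", "action": "vendor_added", "vendor": "SUP-104"},
    {"actor": "bob", "action": "invoice_approved", "vendor": "SUP-104"},
    {"actor": "carol", "action": "payment_initiated", "vendor": "SUP-104"},
    {"actor": "dave", "action": "vendor_added", "vendor": "SUP-207"},
    {"actor": "dave", "action": "invoice_approved", "vendor": "SUP-207"},
    {"actor": "erin", "action": "bank_details_changed", "vendor": "SUP-311"},
    {"actor": "erin", "action": "payment_initiated", "vendor": "SUP-311"},
    {"actor": "alice", "action": "invoice_approved", "vendor": "SUP-311"},
]

print(sod_violations(AUDIT_LOG))
```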
Dost's AP automation platform includes fraud detection logic built into the processing workflow. Every invoice is checked against the corresponding purchase order and delivery note, with anomalies flagged in real time. Supplier bank detail changes trigger an automatic hold. Duplicate submissions are identified through fuzzy matching across reference number, amount, supplier, and date.
The approval workflow enforces segregation of duties by design, with a complete audit trail of every action taken on every invoice.
If you want to see how this works across your own AP process, book a demo with our team.
According to the ICAEW, fake or manipulated invoice fraud is the most common type, affecting approximately 11% of businesses. Business email compromise, where fraudsters impersonate suppliers and redirect payments, is the most financially damaging. Both are significantly more common in organisations with manual or email-based AP processes and limited automated controls.
The clearest indicators are: invoice approvals that happen by email without a system of record, no automated duplicate detection, supplier bank details that can be changed without independent verification, and no audit trail of who approved what and when. If any of these describe your current process, the exposure is real. A review of your AP controls against these four areas is a practical starting point.
Both, but prevention is the more valuable function. Detection after the fact means a payment has already been made and recovery is uncertain. Prevention stops the fraudulent invoice before it reaches approval. AI-powered AP automation does both: it prevents fraud by enforcing controls at every step of the workflow, and it detects anomalies in real time so that suspicious invoices are flagged before payment is released.
Invoice fraud is not an edge case. It is a systematic, growing threat that targets the gaps in AP processes that most businesses have accepted as normal: email-based approvals, manual duplicate checks, and verification processes that depend on someone remembering to follow up.
The good news is that most invoice fraud is preventable. Not by adding more manual checks, but by building the right controls into the process itself: automated matching, systematic verification, segregation of duties, and AI-powered anomaly detection that works consistently regardless of invoice volume or time pressure.
The average loss per invoice fraud incident in the UK is £47,000. That is not a risk most finance teams can absorb quietly. And it is not one they need to.