Invoice Fraud: 7 Red Flags Every Bookkeeper Should Catch
Invoice fraud is not a back-page risk. Between October 2013 and December 2023, the FBI's Internet Crime Complaint Center recorded over 305,000 business email compromise incidents with exposed losses exceeding $55 billion globally. A significant portion of those losses started with a single fraudulent invoice that slipped past a busy bookkeeper.
The good news: most fraudulent invoices share recognizable patterns. If you know what to look for, you can catch them before they reach the payment queue. This checklist covers the seven red flags that show up most often, and the controls that stop them.
In this guide
- 1. First-time vendor with no purchase order
- 2. Round-number amounts
- 3. Mismatched or missing VAT details
- 4. Duplicate invoice numbers
- 5. Sudden change to bank details
- 6. Invoice just below the approval threshold
- 7. Pressure to pay urgently
- Building a system that catches fraud by default
- The checklist
- Invoice fraud FAQ
1. First-time vendor with no purchase order
A new supplier name appearing on an invoice that nobody remembers ordering from is the most basic fraud signal. Internal fraud schemes often involve fake vendors created by employees with AP access. External attackers use the same approach: they send professional-looking invoices for generic services (consulting, cleaning supplies, IT support) hoping someone will process them without checking.
What to check:
- Does the vendor exist in your approved vendor master list?
- Is there a purchase order on file for this invoice?
- Can you independently verify the vendor's business registration, phone number, and address?
A three-way matching control catches this automatically. When an invoice arrives without a corresponding purchase order and goods receipt, it gets flagged before anyone approves it.
2. Round-number amounts
Real invoices for goods and services rarely land on perfectly round numbers. An invoice for exactly $5,000.00 or £10,000.00 with no line items is unusual. Fraudsters use round numbers because they are making up figures, not calculating them from actual quantities and unit prices.
What to check:
- Does the invoice include a line-item breakdown with quantities and unit prices?
- Do those line items multiply out to the stated subtotal and total?
- Is the amount consistent with what you typically pay this vendor?
When line items are present but the maths does not add up, that is an even stronger signal. Totals that do not match their own line items suggest the document was edited after the fact.
3. Mismatched or missing VAT details
A legitimate supplier charges VAT at the correct rate for their jurisdiction and includes a valid VAT registration number. Fraudulent invoices often get VAT wrong because the person creating the invoice does not know (or does not care about) the correct rate, or they fabricate a registration number that does not pass validation.
What to check:
- Is the VAT registration number present and formatted correctly for the supplier's country?
- Does the VAT rate match the expected rate for that product or service category?
- Does the VAT amount actually equal the subtotal multiplied by the stated rate?
Arithmetic mismatches between subtotal, VAT, and total are one of the easiest anomalies to detect, and one of the most commonly overlooked in manual processing. Zerentry's AI extraction pulls subtotal, VAT amount and rate, and total from each document and returns a confidence score for every field, so mismatches surface immediately rather than hiding until reconciliation.
4. Duplicate invoice numbers
Submitting the same invoice twice is the simplest form of invoice fraud. Sometimes it is intentional. Sometimes a supplier genuinely re-sends an invoice because they have not received payment. Either way, paying it twice costs real money.
What to check:
- Has this exact invoice number from this vendor appeared before?
- Is the amount identical to a recent payment to the same vendor?
- Are there invoices from different vendors with suspiciously similar invoice numbers?
Manual duplicate detection is unreliable once you process more than a few dozen invoices per month. Automated systems that extract and store invoice numbers as structured data can flag duplicates before they enter the approval queue. Zerentry's extraction pipeline captures invoice numbers alongside vendor names and amounts, making duplicate detection a matter of a simple lookup rather than a memory test.
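The checks from red flags 2 to 4 can be run over extracted fields in one pass. The following is an added example, not Zerentry's code or part of the original guide; the field names, the one-cent tolerance, and the "multiple of 100" definition of a round amount are assumptions, and the invoices are constructed.

```python
from decimal import Decimal as D

TOLERANCE = D("0.01")   # assumed rounding tolerance: one minor currency unit
ROUND_STEP = D("100")   # assumption: "round" means an exact multiple of 100

# Constructed sample data; the field names are hypothetical.
LINES = [("10", "42.50"), ("3", "19.99")]          # (quantity, unit price)
INVOICES = [
    {"vendor": "Acme Supplies", "number": "INV-1001", "lines": LINES,
     "subtotal": "484.97", "vat_rate": "0.20", "vat": "96.99", "total": "581.96"},
    {"vendor": "Northgate Consulting", "number": "NC-77", "lines": [],
     "subtotal": "5000.00", "vat_rate": "0.20", "vat": "1000.00", "total": "6000.00"},
    {"vendor": "acme supplies ", "number": "inv-1001", "lines": LINES,
     "subtotal": "484.97", "vat_rate": "0.20", "vat": "86.99", "total": "581.96"},
]

def check_invoice(inv, seen):
    """Return red-flag strings for one invoice; `seen` holds prior (vendor, number) keys."""
    flags = []
    subtotal, vat, total = D(inv["subtotal"]), D(inv["vat"]), D(inv["total"])
    if inv["lines"]:
        line_sum = sum((D(q) * D(p) for q, p in inv["lines"]), D("0"))
        if abs(line_sum - subtotal) > TOLERANCE:
            flags.append("line items do not sum to subtotal")
    elif total % ROUND_STEP == 0:
        flags.append("round total with no line items")
    expected_vat = (subtotal * D(inv["vat_rate"])).quantize(D("0.01"))
    if abs(expected_vat - vat) > TOLERANCE:
        flags.append("VAT does not equal subtotal x rate")
    if abs(subtotal + vat - total) > TOLERANCE:
        flags.append("subtotal + VAT does not equal total")
    # Normalise before comparing so case and stray spaces do not hide a re-submission.
    key = (inv["vendor"].strip().lower(), inv["number"].strip().upper())
    if key in seen:
        flags.append("duplicate invoice number for vendor")
    seen.add(key)
    return flags

def review(invoices):
    """Check a batch in arrival order and return one flag list per invoice."""
    seen = set()
    return [check_invoice(inv, seen) for inv in invoices]

if __name__ == "__main__":
    for inv, flags in zip(INVOICES, review(INVOICES)):
        print(inv["number"], flags or "ok")
```

Amounts are parsed as `Decimal` from strings so the arithmetic comparison is not distorted by binary floating-point rounding.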
5. Sudden change to bank details
This is the signature move of business email compromise. An attacker sends an email that appears to come from a known supplier, notifying you that their bank details have changed. The next payment goes to the attacker's account.
Between December 2022 and December 2023 alone, the FBI's IC3 reported a 9% increase in global exposed BEC losses, with fraudulent transfers reaching financial institutions in over 140 countries.
What to check:
- Did the bank detail change come through a verified channel (not just email)?
- Can you call the supplier on a known phone number (not the one in the email) to confirm?
- Does the new bank account match the supplier's country and business profile?
No amount of OCR or automation replaces a phone call here. This is a procedural control: any request to change payment details should trigger a manual verification step outside of email, every single time.
6. Invoice just below the approval threshold
If your approval policy requires sign-off from a senior manager for invoices above $5,000, watch for a pattern of invoices landing at $4,950 or $4,999. Fraudsters, including internal ones, learn the threshold and stay just under it.
What to check:
- Are multiple invoices from the same vendor clustering just below a round approval limit?
- Has a single large order been split into several smaller invoices to avoid the threshold?
- Are there sequential invoice numbers from the same vendor within the same week, each just under the limit?
This pattern is difficult to spot on a per-invoice basis. It only becomes visible when you look at vendor payment history over time. Automated AP workflows that aggregate vendor spend make threshold-splitting visible at a glance.
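One way to make that history view concrete is a sliding window over each vendor's near-threshold invoices. This is an added example, not Zerentry's code or part of the original guide; the 5% band below the limit, the seven-day window, the minimum of two invoices, and the vendor names and amounts are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed payment history: (vendor, invoice date, amount).
HISTORY = [
    ("Brightline IT", date(2024, 3, 4), 4950.00),
    ("Brightline IT", date(2024, 3, 6), 4999.00),
    ("Brightline IT", date(2024, 3, 8), 4975.00),
    ("Acme Supplies", date(2024, 3, 5), 4980.00),     # single near-limit invoice
    ("Acme Supplies", date(2024, 4, 20), 1200.00),
    ("Kestrel Cleaning", date(2024, 3, 1), 4900.00),  # near limit, but 4 weeks apart
    ("Kestrel Cleaning", date(2024, 3, 29), 4960.00),
]

def find_threshold_splitting(invoices, limit=5000.0, band=0.05,
                             window_days=7, min_count=2):
    """Return {vendor: [(date, amount), ...]} for vendors with at least
    `min_count` invoices in [limit * (1 - band), limit) inside one window."""
    near = defaultdict(list)
    for vendor, day, amount in invoices:
        if limit * (1 - band) <= amount < limit:
            near[vendor].append((day, amount))
    hits = {}
    for vendor, rows in near.items():
        rows.sort()
        start, best = 0, []
        for end in range(len(rows)):
            # Shrink the window until it spans fewer than `window_days` days.
            while rows[end][0] - rows[start][0] >= timedelta(days=window_days):
                start += 1
            if end - start + 1 > len(best):
                best = rows[start:end + 1]
        if len(best) >= min_count:
            hits[vendor] = best
    return hits

if __name__ == "__main__":
    for vendor, rows in find_threshold_splitting(HISTORY).items():
        total = sum(amount for _, amount in rows)
        print(f"{vendor}: {len(rows)} invoices just under limit, combined {total:.2f}")
```

The combined amount is the figure to route to the senior approver, since it shows what the spend would have been as a single invoice.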
7. Pressure to pay urgently
“Payment is overdue.” “Your account will be suspended.” “This must be settled by end of day.” Urgency is a social engineering tactic. Legitimate suppliers follow standard payment terms. They do not threaten service suspension over a single invoice with no prior communication.
What to check:
- Does the payment urgency match the agreed payment terms (net-30, net-60)?
- Has there been any prior communication about this invoice being overdue?
- Is the sender using emotional language designed to bypass your normal review process?
When someone pushes you to skip your process, that is exactly when you should follow it more carefully.
Building a system that catches fraud by default
Spotting these red flags manually is possible when you process 20 invoices a month. At 200 or 2,000, you need controls baked into the workflow rather than relying on individual vigilance.
A strong invoice fraud prevention system combines three layers:
Layer 1: Structured extraction
Every invoice field — vendor, amount, VAT, invoice number, PO reference, bank details — should be captured as structured data the moment the document arrives. This makes anomalies searchable and comparable. Zerentry's AI document processing extracts these fields using large language models that run coherence checks and anomaly detection, flagging duplicate amounts, mismatched totals, and unusual vendors automatically.
Layer 2: Three-way matching
Every invoice should be matched against the purchase order and goods receipt before payment is approved. No PO, no payment. This single control eliminates phantom invoices and over-billing. Read the full breakdown in our three-way matching guide.
Layer 3: Approval routing with spend visibility
Route invoices to the right approver based on amount, department, and vendor category. Aggregate vendor spend so threshold-splitting patterns surface before the fifth invoice lands, not after the fifteenth. Our AP automation guide walks through setting this up end to end.
The checklist
Use this as a quick reference during invoice review:
| Red flag | What to look for | Control |
|---|---|---|
| Unknown vendor | No PO, not in vendor master | Three-way matching, vendor onboarding |
| Round amounts | No line items, suspiciously even totals | Line-item verification |
| VAT errors | Wrong rate, bad registration number, arithmetic mismatch | Automated field extraction and cross-check |
| Duplicate invoice number | Same number from same vendor, identical amount | Structured data with duplicate detection |
| Changed bank details | Email-only notification, new country | Out-of-band phone verification |
| Just under threshold | Clustering near approval limit, split orders | Vendor spend aggregation |
| Urgency pressure | Threats, short deadlines, emotional language | Stick to standard payment terms |
None of these red flags guarantee fraud on their own. A round-number invoice from a known vendor with a valid PO is probably fine. But when two or three flags appear on the same document, that invoice deserves a closer look before it gets anywhere near the payment queue.
Invoice fraud FAQ
What are the most common invoice fraud red flags?
The seven most reliable signals are: a first-time vendor with no purchase order, round-number invoice amounts with no line items, mismatched or missing VAT details, duplicate invoice numbers, sudden changes to bank account details, invoice amounts that cluster just below your approval threshold, and pressure to pay urgently outside of normal payment terms.
What is business email compromise (BEC) in accounts payable?
Business email compromise is when an attacker sends an email that appears to come from a known supplier, typically requesting a change to bank payment details. Between December 2022 and December 2023, the FBI's IC3 reported a 9% increase in global BEC losses, with fraudulent transfers reaching financial institutions in over 140 countries. The control is simple: verify any payment detail change by calling the supplier on a known number, outside of email.
How does three-way matching prevent invoice fraud?
Three-way matching compares an invoice against the original purchase order and the goods receipt note before approving payment. A fraudulent invoice typically lacks a corresponding PO or GRN, so it fails the match and is flagged for review instead of flowing to payment. This single control eliminates phantom invoices and significantly reduces over-billing.
What is threshold splitting and how do I detect it?
Threshold splitting is when a fraudster submits multiple invoices that each fall just below your approval threshold — for example, several invoices at $4,950 when your manager sign-off limit is $5,000. It is invisible on a per-invoice basis but visible in vendor payment history. Automated AP workflows that aggregate vendor spend by period surface this pattern before the fifth invoice arrives.
How can I detect duplicate invoices automatically?
Automated duplicate detection stores invoice numbers, vendor names, and amounts as structured data and runs a lookup on every new invoice before it enters the approval queue. Advanced systems use vector similarity to catch duplicates even when the file name or document layout has changed between submissions. Manual detection is reliable for a few dozen invoices per month but breaks down at volume.