AP Fraud Prevention: Stopping APP Fraud and Invoice Redirection at Source
The most expensive fraud in business payments isn't sophisticated hacking. It's a forged email that changes a bank detail. AP fraud prevention works when identity, bank data, and payment records live on a shared, verified network rather than in separate inboxes.
Why accounts payable is the soft target
AP fraud is asymmetric. The attacker only has to be right once. The finance team has to be right every single payment, every single day, often under time pressure and across hundreds of suppliers they will never meet.
The structural weakness is the same across every loss: critical data (who the supplier is, where their bank account lives, whether the invoice is real) is held in email, spreadsheets, and one company's accounting system. Attackers exploit the gap between the buyer's view and the supplier's actual reality.
The core problem: AP fraud isn't a tech failure. It's an information failure. The information needed to catch the fraud exists; it just doesn't sit anywhere it can be checked at payment time.
What is AP fraud?
AP fraud is any deception that causes a finance team to send a legitimate-looking payment to the wrong recipient. It is distinct from cyber fraud that breaches systems: the payment is authorised by the victim, who believes they are doing something normal.
The dominant categories today are:
- Authorised push payment (APP) fraud: the victim is tricked into authorising a payment to a fraudulent account.
- Invoice redirection: a real supplier's bank detail is "updated" by an attacker, redirecting future payments.
- Supplier impersonation: a fake supplier with a real-looking name and invoice is added to the AP system.
- Business email compromise (BEC): a compromised email account is used to instruct a bank change or new payment.
- Internal fraud: a staff member sets up a ghost supplier or alters payment data.
The five patterns that cause most losses
1. The bank-country mismatch
A UK-incorporated supplier suddenly registers a bank account in a country the business has never operated in. This is the single highest-signal red flag, and the one most easily missed when the change arrives by email.
2. The look-alike domain
An invoice arrives from finance@accountinglinks.co instead of accountinglinks.com. AP processes the invoice on autopilot.
3. The bank change at quarter-end
Attackers time bank-detail change requests to coincide with high-volume payment runs, betting that exception checks will be skipped under pressure.
4. The dormant supplier reactivation
A supplier dormant for 18 months suddenly submits an invoice with new bank details. The supplier was real once. The invoice is not.
5. The internal ghost supplier
A new supplier is added with a plausible name, an address, and bank details controlled by an insider. Small invoices, paid on time, for years.
How a network changes the defence
1. Identity is attested, not assumed
Every supplier on the network has a verified profile. A new supplier added to your AP system that doesn't exist on the network (or exists with different details) is a flag, not a routine record.
2. Bank changes become events, not emails
A supplier changing bank details on the network triggers verification, country checks, and a dated event visible to every buyer. There's nowhere for the email-forgery pattern to live.
3. Behavioural anomalies are visible across the network
A supplier showing unusual patterns (sudden bank churn, conflicting profile updates, irregular invoice cadence) gets flagged across all connected buyers, not just the one that happens to notice.
4. The attacker's economics break
Most AP fraud relies on attacking one finance team at a time. A shared verification layer turns a one-shot exploit into a flag the whole network sees.
Network defence vs internal controls only
Internal controls (segregation of duties, dual approval, callbacks) are necessary. They are also insufficient on their own, because they all depend on the AP team having the right information at the right moment.
| Dimension | Internal controls only | Internal controls + network defence |
|---|---|---|
| Where identity lives | In your supplier master | On a shared, verified layer |
| Bank change verification | Email + callback (often skipped) | Network event + automated checks |
| Look-alike domain detection | Reliant on reader vigilance | Identity is structural, not visual |
| Cross-buyer signal | None: every company is alone | Anomalies surface across the network |
| Detection cadence | At payment time, if the controls hold | At supplier change time, days earlier |
| Cost of a missed control | Loss + reimbursement uncertainty | Caught structurally before approval |
Controls every AP team should have
Segregation of duties
The person who approves an invoice should not be the person who can release the payment.
Out-of-band bank change verification
Bank detail changes should never be confirmed by reply to the email that requested them.
Dual approval for high-value payments
A second pair of eyes above a defined threshold, and on every new supplier's first payment.
Continuous supplier verification
Identity and bank details verified at onboarding and monitored thereafter.
Bank-country mismatch alerts
Flag any bank account in a country different from the supplier's country of incorporation.
Anomaly detection on invoice patterns
Sudden cadence changes, round-number invoices, dormant supplier reactivations: all flaggable.
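The bank-country mismatch, look-alike domain and dormant-reactivation patterns above, and the matching alert controls, can be expressed as checks run against the supplier master before an invoice reaches approval. The following is an added example, not code from this page or from any product it describes; the record fields, the 540-day dormancy threshold, the edit-distance limit of 2 and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Supplier:            # hypothetical supplier-master record
    country: str           # ISO 3166-1 alpha-2 country of incorporation
    email_domain: str      # domain verified at onboarding
    iban: str              # bank account on file
    last_invoice: date

@dataclass
class Invoice:             # hypothetical incoming invoice
    sender: str
    iban: str
    received: date

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def norm(iban: str) -> str:
    return iban.replace(" ", "").upper()

def red_flags(s: Supplier, inv: Invoice, dormant_days=540, max_edits=2) -> list:
    flags = []
    domain = inv.sender.rsplit("@", 1)[-1].lower()
    known = s.email_domain.lower()
    if domain != known:    # pattern 2: near-miss of the domain on file
        near = edit_distance(domain, known) <= max_edits
        flags.append("lookalike_domain" if near else "unknown_domain")
    changed = norm(inv.iban) != norm(s.iban)
    if changed:            # route to out-of-band verification, never an email reply
        flags.append("bank_change")
    if norm(inv.iban)[:2] != s.country.upper():   # pattern 1: IBAN prefix is the bank country
        flags.append("bank_country_mismatch")
    if changed and (inv.received - s.last_invoice).days > dormant_days:
        flags.append("dormant_reactivation")      # pattern 4: ~18 months silent, new details
    return flags

# Constructed sample data; the IBANs are placeholders, not valid account numbers.
SUPPLIER = Supplier("GB", "accountinglinks.com", "GB00 TEST 0000 0000 0000 01", date(2022, 11, 1))
FORGED = Invoice("finance@accountinglinks.co", "LT00 TEST 0000 0000 0002", date(2024, 6, 28))
GENUINE = Invoice("finance@accountinglinks.com", SUPPLIER.iban, date(2022, 12, 1))
if __name__ == "__main__": print(red_flags(SUPPLIER, FORGED))
```

Any non-empty result should hold the invoice for manual review; the check is only as good as the supplier record it compares against, which is why the on-file domain and IBAN must come from verified onboarding data rather than from the invoice itself.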