
Invoice Fraud Red Flags: 12 Checks Finance Teams Should Know

25 May 2026 | 10 min read
Tags: invoice fraud, accounts payable, fraud prevention, Xero

Invoice fraud red flags rarely arrive with a flashing warning light. For Australian finance teams, they often look like ordinary supplier admin: a new PDF invoice, a changed BSB, a slightly urgent email, or a bill entered just before the payment run.

The risk is not theoretical. The National Anti-Scam Centre Targeting Scams Report 2025 recorded $166.8 million in payment redirection losses in 2025. The ACCC's Targeting Scams Report 2024 also reported $2.03 billion in total scam losses across combined reporting sources.

For CFOs, finance managers and bookkeepers using Xero, the practical question is simple: what should stop an invoice before it becomes a payment?



Why invoice fraud red flags matter before payment

Invoice fraud is any attempt to trick a business into paying a false, altered, duplicate or misdirected invoice. Sometimes the invoice is completely fake. Sometimes the supplier is real, but the bank details have been changed by a criminal.

That second version is especially dangerous. A clean PDF, a familiar supplier name and a normal-looking email thread can all be present while the money is being redirected to the wrong account.

The Scamwatch statistics dashboard continues to track false billing, phishing and payment-related scam categories. Those are not abstract cyber risks. They are the same patterns that land in accounts payable inboxes as overdue notices, new supplier forms and changed banking instructions.

For small and mid-sized businesses, the weak point is usually not intent. Finance teams want to do the right thing. The weak point is time pressure, limited separation of duties and the assumption that approval in Xero means an invoice is safe to pay.

Approval is important, but it is not the whole control. A good AP process checks supplier identity, invoice legitimacy, bank details, approval history and payment timing before funds leave the account.

The 12 invoice fraud red flags to check

Use these invoice fraud red flags as a practical review list before approving bills or releasing a payment batch.

1. Supplier bank details have changed

A supplier bank account change is one of the highest-risk signals in accounts payable. Treat every new BSB, account number or payment instruction as a control event, not a clerical update.

Do not verify the change by replying to the same email thread. Call a known supplier contact using a number from your existing records, contract or official website.

2. The payment request is unusually urgent

Fraudsters create pressure because pressure shortens review. Watch for phrases such as “must be paid today”, “final notice”, “director approved” or “please bypass the usual process this once”.

Urgency is not proof of fraud, but it should trigger a slower process, not a faster one.

3. The supplier is new and the first invoice is large

A new supplier with a large first invoice needs extra checks. Confirm the supplier was properly onboarded, the ABN matches the trading name, the purchase was approved and the bank details were verified independently.

This matters more when the invoice is for services that are hard to confirm, such as consulting, emergency works, marketing, recruitment or IT support.

4. The invoice amount sits just below an approval threshold

A $9,850 invoice may be legitimate. But if your approval threshold is $10,000, that amount deserves attention.

Look for repeated invoices just below approval limits, split bills for the same supplier, or several smaller invoices that appear to cover one larger job.

5. The invoice number is duplicated or oddly similar

Duplicate invoice numbers are a classic accounts payable fraud indicator. They can also signal ordinary data-entry errors.

Search Xero for the invoice number, supplier name and amount before approving. Also check for minor variations such as INV-1048, INV1048 and INV-1048A.

6. The invoice does not match the purchase order or contract

A legitimate invoice should line up with the approved work. Differences in supplier entity, scope, quantity, pricing, GST treatment, bank details or payment terms should be explained before approval.

If your business does not use purchase orders for every supplier, compare the invoice against the contract, quote, email approval or prior month billing pattern.

7. Supplier email details look almost right

A small email-domain change can be easy to miss. Examples include an added hyphen, a swapped letter, a different top-level domain, or a payment address that differs from the supplier's normal contact.

Do not rely on the display name in Outlook or Gmail. Expand the sender details and compare the actual domain with known supplier records.

8. The ABN, GST or entity details are missing or inconsistent

For Australian suppliers, basic business details should make sense. Check whether the ABN, legal name, trading name, GST status and invoice format align with your records.

A missing ABN does not automatically prove fraud, but inconsistent supplier identity is a reason to pause payment.

9. The bank account does not match previous supplier records

A supplier may change banks for legitimate reasons. The issue is whether your team can prove the change is real.

Compare the invoice bank details with the Xero supplier record, the last paid invoice, onboarding documents and any saved verification notes.

10. The invoice attachment looks altered or incomplete

Visual clues still matter. Watch for blurry logos, misaligned bank details, unusual fonts, missing line items, altered payment instructions or PDFs that look different from the supplier's normal invoices.

Modern invoice fraud will not always look messy, so use this as one signal alongside workflow checks.

11. The approval path is unusual

A bill approved by someone who does not normally approve that supplier, cost centre or amount deserves a second look. The same applies when the creator, approver and payer are the same person and that is not normal for your process.

For small teams, perfect segregation of duties may not be possible. Compensating controls matter, especially for supplier changes and high-value payments.

12. The payment is outside normal timing

After-hours bill entry, weekend approval or a payment run brought forward without explanation can indicate pressure, compromise or process bypass.

Some industries operate outside standard hours, so compare the timing with your own normal pattern rather than using a generic rule.

How to detect fake invoices inside your AP workflow

Knowing how to detect fake invoices is less about spotting one bad PDF and more about checking the full payment path. A strong AP workflow makes a suspicious invoice prove itself before money moves.

Start with supplier identity. Confirm the supplier exists, the ABN and entity details match, the contact is expected and the bank details belong to the right supplier.

Then check invoice legitimacy. Ask whether the goods or services were ordered, delivered, priced correctly and approved by the right budget owner.

Next, check payment instructions. Any bank detail change, new payment method or unusual remittance request should be verified through a trusted channel.

Finally, check behaviour. Fraud often appears as a pattern: urgent timing, new supplier records, altered attachments, threshold splitting, unusual approvers or payment changes after approval.

A useful internal rule is simple: if the invoice creates a new supplier, changes a bank account, bypasses an approver or changes payment timing, it needs a second person to review it.

For a broader control framework, see our guide to accounts payable internal controls for small businesses. It explains how supplier checks, approval rules and reconciliation fit together.

Xero checks for invoice fraud red flags

Xero gives finance teams useful context, but it does not remove the need for independent verification. Treat Xero as the system of record and your controls as the evidence that records are safe to use.

Before paying a suspicious invoice, check these areas.

Supplier contact history. Has the supplier record been created, edited or reactivated recently? A supplier change close to payment is a high-risk event.

Bank detail consistency. Do the bank details in the invoice match the supplier record and prior paid invoices? If not, verify the change before payment.

Bill history. Has this supplier submitted similar invoices before? Compare amount, frequency, invoice numbering, GST treatment and attachments.

Attachments and notes. Is the original invoice attached? Are approval notes complete? Missing documentation weakens the control trail.

Approver behaviour. Was the bill approved by the usual person? Was approval unusually fast? Did the same person create and approve the bill?

Duplicate bills. Search for the invoice number, amount and supplier name before approval. Duplicates can be fraud, error or both.

Payment batch composition. Before releasing a batch, review first-time suppliers, changed bank details, round numbers, just-below-threshold invoices and urgent exceptions.

If a supplier bank detail change is involved, use the step-by-step process in How to Verify Supplier Bank Details in Australia before updating Xero or paying the invoice.
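The batch review described above can be expressed as a small pre-payment check. This is an added example, not code from Xero or OutflowGuard: the supplier and bill records are constructed, the field names are hypothetical, and the 5% "just below threshold" band is an assumption to tune against your own approval limits.

```python
import re
from collections import namedtuple

APPROVAL_THRESHOLD = 10_000  # assumed limit, matching the article's $10,000 example
NEAR_BAND = 0.95             # assumed: "just below" means within 5% of the limit
# Constructed supplier master data; field names are hypothetical, not a Xero schema.
SUPPLIERS = {
    "Acme Plumbing": {"bank": ("062-000", "12345678"), "domain": "acmeplumbing.com.au"},
    "Harbour IT": {"bank": ("033-001", "87654321"), "domain": "harbourit.com.au"},
}
Bill = namedtuple("Bill", "supplier number amount bank sender created_by approved_by")
# Constructed bills waiting in a payment run.
BILLS = [
    Bill("Acme Plumbing", "INV-1048", 4200.00, ("062-000", "12345678"), "accounts@acmeplumbing.com.au", "sam", "lee"),
    Bill("Acme Plumbing", "INV1048A", 4200.00, ("062-000", "12345678"), "accounts@acmeplumbing.com.au", "sam", "lee"),
    Bill("Harbour IT", "HIT-220", 9850.00, ("033-001", "87654321"), "billing@harbour-it.com.au", "sam", "sam"),
    Bill("Harbour IT", "HIT-221", 3100.00, ("083-004", "55500011"), "billing@harbourit.com.au", "sam", "lee"),
]

def normalise_number(number):
    """Map INV-1048, INV1048 and INV-1048A to the same key (INV1048)."""
    compact = re.sub(r"[^A-Z0-9]", "", number.upper())
    return re.sub(r"(?<=\d)[A-Z]$", "", compact)

def review_batch(bills, suppliers, threshold=APPROVAL_THRESHOLD):
    """Return {invoice number: [flags]} for bills that need a second reviewer."""
    flagged, seen = {}, {}
    for b in bills:
        flags = []
        record = suppliers.get(b.supplier)
        if record is None:
            flags.append("supplier_not_onboarded")
        elif b.bank != record["bank"]:
            flags.append("bank_details_changed")
        if record and b.sender.rsplit("@", 1)[-1].lower() != record["domain"]:
            flags.append("sender_domain_mismatch")
        key = (b.supplier, normalise_number(b.number))
        if key in seen:
            flags.append("possible_duplicate_of:" + seen[key])
        seen.setdefault(key, b.number)
        if threshold * NEAR_BAND <= b.amount < threshold:
            flags.append("just_below_threshold")
        if b.created_by == b.approved_by:
            flags.append("same_creator_and_approver")
        if flags:
            flagged[b.number] = flags
    return flagged
```

A flag here means "hold for independent verification", not "fraud"; the sender comparison uses the actual address domain rather than the display name.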

What to do when an invoice looks suspicious

A clear response process helps staff act calmly. It also stops one person from carrying the whole decision under pressure.

  1. Pause the payment. Remove the invoice from the payment run until verification is complete.

  2. Do not reply to the suspicious thread. Use a trusted phone number, saved supplier contact or official website to verify the request.

  3. Review Xero history. Check supplier changes, bill history, attachments, approval notes and prior payments.

  4. Compare against source documents. Match the invoice to the purchase order, quote, contract, delivery record or budget approval.

  5. Require a second approval. High-risk invoices should not be cleared by the same person who entered or first approved them.

  6. Document the decision. Save who was contacted, which number was used, what was confirmed and who approved the release.

  7. Escalate if payment has already left. Contact your bank immediately, preserve emails and records, and report the incident through the appropriate Australian channels.

The important habit is consistency. Staff should not have to decide from scratch whether a red flag matters. The process should tell them what to do.

Conclusion

Invoice fraud red flags are most useful when they are tied to real finance work. A suspicious email matters, but so does a changed supplier record, an unusual approver, a duplicate invoice number or a payment that appears just below your approval threshold.

For Australian SMBs using Xero, the best defence is a repeatable AP process: verify suppliers, pause risky changes, require a second review and keep evidence before funds leave the account.

OutflowGuard helps Xero finance teams monitor supplier bank detail changes, duplicate bills, round-number invoices and other payment-risk signals. If your team relies on manual checks today, a free health check can show where invoice fraud red flags may already be hiding in your workflow.
