Australian businesses lost $3.1 billion to payment fraud in 2023, with the average business email compromise (BEC) scam costing $175,000 according to the ACCC's latest Scamwatch data. Yet research shows that 68% of these fraudulent payments exhibited detectable warning patterns before funds were lost.
The difference between catching fraud and becoming a statistic often comes down to recognising these patterns early. Whether you're managing a finance team of three or thirty, understanding what to look for — and having systems to detect it — can mean the difference between a near-miss story and a catastrophic loss.
In this article:
- Pattern 1: Round Number Payments That Don't Add Up
- Pattern 2: Weekend and After-Hours Transactions
- Pattern 3: Just-Below-Threshold Amounts
- Pattern 4: New Vendors With Large First Invoices
- Pattern 5: Duplicate Invoice Numbers With Different Details
- Pattern 6: Sudden Changes in Payment Frequency or Amount
- Pattern 7: Geographic and Timing Anomalies
- How to Set Up Monitoring for These Patterns
- Related Reading
- Protecting Your Business from Payment Fraud
Pattern 1: Round Number Payments That Don't Add Up
Round numbers like $5,000, $10,000, or $25,000 appear convenient and innocent. But here's what the data tells us: legitimate invoices end in round numbers only 2-3% of the time due to item quantities, tax calculations, and service fees. When forensic accountants investigate fraud cases, they consistently find round-number concentrations exceeding 30% in fraudulent payment sets.
Why fraudsters love round numbers:
- Psychological simplicity. Creating fake invoices is easier with round amounts — no need to calculate realistic line items or taxes.
- Approval assumptions. Round numbers feel like estimates or pre-approved budgets, reducing scrutiny from approvers.
- Manual entry habits. When creating phantom invoices, fraudsters default to typing simple figures.
The Benford's Law Connection
Benford's Law states that in naturally occurring numerical datasets, about 30% of leading digits are 1, while 9 appears as a leading digit only 4.6% of the time. Payment amounts in legitimate business transactions follow this distribution remarkably well. Fraudulent payments often violate it dramatically.
Red flags to monitor:
- More than 10% of payments ending in .00
- Round thousands appearing more than 5% of the time
- Multiple round payments to the same vendor
- Round numbers just below approval thresholds
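The round-number red flags and the Benford first-digit comparison described above can be run over a payment export as follows. This is an added example, not code from the original article: the sample batches are constructed, and the 0.015 deviation cut-off is an assumption to tune against your own payment history.

```python
import math
from collections import Counter
from decimal import Decimal

# Benford's Law: expected share of leading digit d is log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

def round_shares(amounts):
    """Share of amounts ending in .00 and share that are whole thousands."""
    n = len(amounts)
    whole = sum(1 for a in amounts if a % 1 == 0)
    thousands = sum(1 for a in amounts if a % 1000 == 0)
    return whole / n, thousands / n

def benford_mad(amounts):
    """Mean absolute deviation of observed first-digit shares from Benford."""
    # The first digit of a Decimal's coefficient is its leading non-zero digit.
    digits = Counter(a.as_tuple().digits[0] for a in amounts if a != 0)
    n = sum(digits.values())
    return sum(abs(digits[d] / n - BENFORD[d]) for d in range(1, 10)) / 9

def screen(amounts, whole_max=0.10, thousands_max=0.05, mad_max=0.015):
    """Return the names of the checks this batch fails.

    whole_max and thousands_max are the 10% and 5% red-flag levels listed
    above; mad_max is an assumed cut-off, not a figure from the article.
    """
    whole, thousands = round_shares(amounts)
    flags = []
    if whole > whole_max:
        flags.append("ending_in_00")
    if thousands > thousands_max:
        flags.append("round_thousands")
    if benford_mad(amounts) > mad_max:
        flags.append("benford_first_digit")
    return flags

# Constructed baseline: 200 amounts spread evenly on a log scale between
# $10 and $10,000, which is the shape Benford-conforming data takes.
BASELINE = [Decimal(f"{10 ** (1 + 3 * k / 200):.2f}") for k in range(200)]
# Constructed suspect batch: the baseline plus 40 round payments.
SUSPECT = BASELINE + [Decimal("5000.00")] * 20 + [Decimal("9000.00")] * 20

if __name__ == "__main__":
    print("baseline:", screen(BASELINE))
    print("suspect: ", screen(SUSPECT))
```

First-digit tests are unreliable on small batches, so run this over a quarter or a year of payments rather than a single pay run.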

Pattern 2: Weekend and After-Hours Transactions
The Australian Cyber Security Centre's 2025 threat report highlighted that 71% of successful payment fraud attempts occurred outside standard business hours. It makes sense — fewer people are watching, approval processes might be relaxed, and emergency payment protocols could be exploited.
Weekend payments deserve special scrutiny because legitimate business rarely happens on Saturdays and Sundays in Australia. Yes, some industries operate seven days, but their payment patterns are predictable and consistent. Sudden weekend activity from typically Monday-to-Friday vendors signals potential compromise.
Common weekend fraud scenarios:
- Compromised credentials. Attackers use stolen login details when they know the response will be delayed.
- Insider threats. Employees process fraudulent payments when colleagues aren't around to notice.
- Social engineering. "Urgent" weekend payment requests exploit reduced staff availability for verification.
Time Zone Mismatches
With remote work normalised, geographic anomalies matter less than temporal ones. But payments initiated from IP addresses in unusual time zones — especially when the user appears to be working Australian hours from Eastern Europe or West Africa — warrant immediate investigation.
Pattern 3: Just-Below-Threshold Amounts
Every organisation has approval thresholds. Amounts under $5,000 might need one signature, while anything over $50,000 requires board approval. Fraudsters know these limits and deliberately structure payments to fly under the radar.
The ACSC calls this "structuring" or "smurfing" — breaking large fraudulent amounts into smaller transactions to avoid detection. In 2024, a Melbourne construction company discovered $890,000 in fraudulent payments, all between $9,500 and $9,900, just below their $10,000 dual-approval threshold.
Threshold exploitation tactics:
- Limit testing. Initial small payments to test controls, followed by maximum sub-threshold amounts.
- Invoice splitting. One $50,000 service becomes five $9,999 invoices over successive weeks.
- Vendor multiplication. Creating multiple vendor accounts to circumvent per-vendor limits.
Statistical Detection Methods
Look for clustering around common threshold points:
- Payments between 90-99% of approval limits
- Multiple payments summing to round numbers
- Vendors with all invoices at similar amounts
- Payment amounts that suddenly change to stay below new thresholds
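A sketch of the clustering checks above, using the $10,000 dual-approval threshold from the Melbourne case. This is an added example, not code from the original article: the ledger and vendor names are constructed, and the 35-day window and three-payment minimum are assumptions.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

def by_vendor(payments):
    """Group (vendor, date, amount) rows per vendor, oldest first."""
    grouped = defaultdict(list)
    for vendor, day, amount in payments:
        grouped[vendor].append((day, amount))
    return {v: sorted(rows) for v, rows in grouped.items()}

def clustered_below(payments, limit, band=Decimal("0.90"), min_count=3, min_share=0.5):
    """Vendors whose payments mostly fall in the 90-99% band under the limit."""
    hits = {}
    for vendor, rows in by_vendor(payments).items():
        near = [a for _, a in rows if limit * band <= a < limit]
        if len(near) >= min_count and len(near) / len(rows) >= min_share:
            hits[vendor] = len(near)
    return hits

def split_candidates(payments, limit, window_days=35, min_parts=3):
    """Vendors with at least min_parts sub-limit payments inside the window
    whose sum reaches the limit: the shape a split invoice leaves behind."""
    hits = {}
    for vendor, rows in by_vendor(payments).items():
        rows = [(d, a) for d, a in rows if a < limit]
        start, total = 0, Decimal(0)
        for i, (day, amount) in enumerate(rows):
            total += amount
            # Slide the window start forward until it spans <= window_days.
            while (day - rows[start][0]).days > window_days:
                total -= rows[start][1]
                start += 1
            if i - start + 1 >= min_parts and total >= limit:
                hits[vendor] = max(hits.get(vendor, Decimal(0)), total)
    return hits

LIMIT = Decimal("10000")  # dual-approval threshold from the case above
# Constructed ledger: (vendor, payment date, amount). Vendor names are made up.
LEDGER = [("Vendor A", date(2024, 3, d), Decimal(a)) for d, a in
          [(1, "9500.00"), (8, "9900.00"), (15, "9750.00"),
           (22, "9899.00"), (29, "9650.00")]]
LEDGER += [("Vendor B", date(2024, m, 5), Decimal("2400.00")) for m in (1, 2, 3, 4)]
LEDGER += [("Vendor C", date(2024, 3, 12), Decimal("9800.00")),
           ("Vendor C", date(2024, 3, 20), Decimal("412.35"))]

if __name__ == "__main__":
    print(clustered_below(LEDGER, LIMIT))
    print(split_candidates(LEDGER, LIMIT))
```

Both functions return review candidates, not verdicts: a legitimate weekly supplier can trip the split check, so compare each hit against the purchase orders behind it.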

Pattern 4: New Vendors With Large First Invoices
Legitimate vendor relationships typically start small. A trial project, a pilot program, or a small initial order establishes trust before larger commitments. When a brand-new vendor's first invoice is $50,000+, it's a massive red flag.
The Australian Federal Police's 2025 fraud report found that 43% of invoice fraud cases involved vendors created within 30 days of the first payment. These "phantom vendors" often have minimal documentation, generic company names, and bank accounts that don't match their supposed business location.
New vendor warning signs:
- No onboarding process. Vendor appears in the system without proper vetting documentation.
- Generic details. Business names like "ABC Consulting" or "Professional Services Pty Ltd".
- Residential addresses. BSB codes indicating personal rather than business accounts.
- Missing ABN verification. No valid Australian Business Number or one that doesn't match the company name.
The Vendor Lifecycle Test
Map your typical vendor progression:
1. Initial contact and quote (Week 1-2)
2. Small trial purchase (Week 3-4)
3. Gradual increase over 3-6 months
4. Stable recurring amounts thereafter
Vendors that skip steps 2-3 need investigation.
Pattern 5: Duplicate Invoice Numbers With Different Details
Modern accounting software catches exact duplicates, but sophisticated fraudsters create near-duplicates that slip through. Same invoice number with different amounts, dates shifted by a month, or slight vendor name variations ("Smith Industries" vs "Smith Industrial").
A 2025 study by CPA Australia found that 31% of SMBs had paid at least one duplicate invoice in the past year, with average losses of $14,000. The construction and healthcare sectors were particularly vulnerable due to complex supplier networks and high invoice volumes.
Duplicate detection strategies:
- Fuzzy matching. Look for invoices within 10% of each other from the same vendor.
- Sequential analysis. Invoice numbers that don't follow logical sequences (INV-1001, INV-1002, then suddenly INV-2001).
- Date clustering. Multiple invoices from one vendor within days of each other for similar amounts.
- Reference checking. Same PO numbers or project codes appearing on multiple invoices.
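The fuzzy-matching and date-clustering strategies above, as an added example that is not part of the original article. It pairs invoices an exact-match check would pass: the same invoice number with altered details, and similar amounts from the same vendor within days. The invoices are constructed, and the 0.85 name-similarity cut-off and 7-day window are assumptions.

```python
import re
from datetime import date
from decimal import Decimal
from difflib import SequenceMatcher
from itertools import combinations

def norm_number(raw):
    """'INV-01001', 'inv 1001' and 'INV1001' all become 'INV1001'."""
    text = re.sub(r"[^A-Z0-9]", "", raw.upper())
    return re.sub(r"^([A-Z]*)0+(?=\d)", r"\1", text)

def same_vendor(a, b, cutoff=0.85):
    """Fuzzy name match; the 0.85 cut-off is an assumption to tune."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= cutoff

def near_duplicates(invoices, pct=Decimal("0.10"), max_days=7):
    """Report invoice pairs that an exact-match duplicate check would miss."""
    findings = []
    for x, y in combinations(invoices, 2):
        if not same_vendor(x["vendor"], y["vendor"]):
            continue
        if norm_number(x["number"]) == norm_number(y["number"]):
            # Same number: say which fields were altered between the copies.
            changed = [k for k in ("vendor", "amount", "date") if x[k] != y[k]]
            if changed:
                findings.append((x["id"], y["id"],
                                 "same number, changed: " + ", ".join(changed)))
            continue
        hi, lo = max(x["amount"], y["amount"]), min(x["amount"], y["amount"])
        if hi - lo <= pct * hi and abs((x["date"] - y["date"]).days) <= max_days:
            findings.append((x["id"], y["id"], "similar amount within days"))
    return findings

def inv(id_, vendor, number, day, amount):
    return {"id": id_, "vendor": vendor, "number": number,
            "date": day, "amount": Decimal(amount)}

# Constructed invoices; "Harbour Cleaning" is a made-up vendor name.
INVOICES = [
    inv(1, "Smith Industries", "INV-1001", date(2025, 3, 3), "4820.50"),
    inv(2, "Smith Industrial", "INV-01001", date(2025, 4, 3), "4820.50"),
    inv(3, "Smith Industries", "INV-1002", date(2025, 3, 10), "7310.00"),
    inv(4, "Smith Industries", "INV-1017", date(2025, 3, 12), "7150.00"),
    inv(5, "Harbour Cleaning", "HC-220", date(2025, 3, 1), "2400.00"),
    inv(6, "Harbour Cleaning", "HC-231", date(2025, 4, 1), "2400.00"),
]

if __name__ == "__main__":
    for finding in near_duplicates(INVOICES):
        print(finding)
```

The monthly $2,400 pair (invoices 5 and 6) is deliberately not reported, because equal amounts a month apart are what a recurring bill looks like.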
The Human Factor
Duplicates often succeed because of human psychology:
- Approvers assume someone else checked it
- Familiar vendor names reduce scrutiny
- Month-end pressure rushes reviews
- System trust ("it must be legitimate if it's in the system")
Pattern 6: Sudden Changes in Payment Frequency or Amount
Established vendors have predictable patterns. The cleaning company bills $2,400 monthly. The IT support charges $5,000 quarterly. When these patterns suddenly change — the cleaner now wants $4,800, or IT support sends weekly invoices — it signals potential account takeover or invoice manipulation.
The ACCC reported in 2026 that payment redirection scams increased by 74%, with fraudsters intercepting legitimate invoices and changing payment details. They often increase amounts slightly, betting that a 10-20% increase won't trigger scrutiny if the vendor is trusted.
Pattern changes to monitor:
- Frequency shifts. Monthly vendors suddenly billing weekly, or quarterly vendors requesting advances.
- Amount escalation. Gradual 5-10% increases over several months, or sudden 50%+ jumps.
- Payment method changes. Vendors that accepted credit cards now demanding wire transfers only.
- Bank detail modifications. Especially to overseas accounts or different states.
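One way to check a new invoice against a vendor's own billing pattern, covering the frequency-shift and amount-escalation cases above. This is an added example, not code from the original article: the histories are constructed, and the 10% tolerance and half-the-usual-gap rule are assumptions. Comparing against the median rather than the last invoice is what exposes gradual escalation.

```python
from datetime import date
from decimal import Decimal
from statistics import median

def baseline(history):
    """Median amount and median gap (days) from a vendor's paid invoices."""
    history = sorted(history)
    gaps = [(b[0] - a[0]).days for a, b in zip(history, history[1:])]
    return median(a for _, a in history), median(gaps)

def check_invoice(history, day, amount, amount_tol=Decimal("0.10"), gap_ratio=0.5):
    """Compare a new invoice with the vendor's baseline; return any flags."""
    if len(history) < 3:
        return ["no baseline: fewer than 3 paid invoices"]
    usual_amount, usual_gap = baseline(history)
    flags = []
    change = (amount - usual_amount) / usual_amount
    if abs(change) > amount_tol:
        flags.append(f"amount {change:+.0%} vs usual")
    gap = (day - max(d for d, _ in history)).days
    if gap < usual_gap * gap_ratio:
        flags.append(f"billed after {gap} days, usual gap {usual_gap:g}")
    return flags

# Constructed histories: (invoice date, amount).
# Cleaner billing $2,400 monthly, as in the example above.
CLEANER = [(date(2025, m, 1), Decimal("2400")) for m in range(1, 7)]
# IT support billing $5,000 quarterly.
IT_SUPPORT = [(date(2024, 7, 1), Decimal("5000")), (date(2024, 10, 1), Decimal("5000")),
              (date(2025, 1, 1), Decimal("5000")), (date(2025, 4, 1), Decimal("5000"))]
# Gradual escalation: +5% a month for the last three invoices.
CREEP = [(date(2025, m, 1), Decimal(a)) for m, a in
         enumerate(["2400", "2400", "2400", "2520", "2646", "2778"], start=1)]

if __name__ == "__main__":
    print(check_invoice(CLEANER, date(2025, 7, 1), Decimal("4800")))
    print(check_invoice(IT_SUPPORT, date(2025, 4, 8), Decimal("5000")))
    # Only +5% on the previous invoice, but well above the median baseline.
    print(check_invoice(CREEP, date(2025, 7, 1), Decimal("2917")))
```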

Pattern 7: Geographic and Timing Anomalies
Australian businesses increasingly work with international suppliers, but geographic patterns still matter. A Sydney vendor shouldn't have a Perth bank account without explanation. A supplier supposedly based in Melbourne shouldn't send invoices with Singapore timestamps.
Geographic red flags:
- BSB mismatches. Bank branch locations that don't align with vendor addresses.
- International transfers. Domestic vendors requesting payment to overseas accounts.
- Time zone irregularities. Invoice creation times that don't match vendor location.
- IP geolocation. Payment requests originating from high-risk countries.
The Real-Time Payment Risk
Australia's New Payments Platform (NPP) processes transfers in seconds. While convenient, it eliminates the recall window that banks previously offered. Geographic anomalies need immediate investigation — waiting until Monday to verify that Friday afternoon international transfer request could be too late.
How to Set Up Monitoring for These Patterns
Detecting these patterns manually is possible but exhausting. Here's a practical approach for different business sizes:
For Small Teams (1-5 finance staff):
- Daily quick scans. Review all payments over $5,000 each morning — takes 10 minutes.
- Weekly deep dives. Export payment data to Excel, sort by amount, vendor, and date to spot anomalies.
- Monthly pattern analysis. Check for round numbers, new vendors, and threshold clustering.
- Quarterly vendor audits. Review all vendors added in the past 90 days.
For Medium Teams (5-20 finance staff):
- Automated alerts. Set up bank notifications for payments over certain amounts.
- Exception reports. Configure your accounting software to flag unusual patterns.
- Dual approval enforcement. Require two signatures for new vendors and amount changes.
- Regular training. Ensure all staff know these seven patterns and check for them.
For Larger Organisations:
- Dedicated monitoring tools. Invest in automated detection software that integrates with your ERP.
- Machine learning models. Deploy AI that learns your normal patterns and flags deviations.
- Real-time dashboards. Monitor payment flows as they happen, not after the fact.
- Forensic audits. Engage external experts quarterly to validate your controls.
Technology Solutions
Modern accounting platforms like Xero offer some built-in controls, but they're often not enough. Consider implementing:
- API monitoring tools that watch for payment anomalies in real-time
- Bank detail verification services that validate account ownership
- Automated approval workflows that enforce segregation of duties
- Continuous monitoring solutions designed specifically for fraud detection
Related Reading
- Vendor Fraud in Australian Small Businesses: The Silent $2.6B Problem
- How Duplicate Payments Slip Through Xero (And How to Catch Them)
- The Finance Manager's Monthly Fraud Detection Checklist
Protecting Your Business from Payment Fraud
Recognising these seven patterns is the first step in protecting your organisation from payment fraud. But recognition alone isn't enough — you need systems and processes that can detect these patterns automatically, especially as transaction volumes grow and fraudsters become more sophisticated.
The statistics are sobering: 23% of Australian businesses that experience payment fraud never fully recover. But the flip side is encouraging — businesses that implement automated pattern detection reduce fraud losses by 60-70%.
For businesses using Xero, continuous monitoring of payment patterns and supplier changes has become essential. OutflowGuard was built specifically for this challenge, providing real-time alerts when suspicious patterns emerge, automated vendor verification, and dual-approval workflows that prevent unauthorised payments before they happen. The platform monitors all seven patterns discussed here, plus additional risk indicators specific to Australian business practices.
Whether you choose manual monitoring, automated tools, or a combination, the key is to start immediately. Every day without proper payment monitoring is a day your business remains vulnerable. The patterns are clear, the tools exist, and the cost of inaction far exceeds the investment in prevention.