Australians reported $334.8 million in scam losses to Scamwatch in 2025 alone — a figure that increased even as the total number of reports declined. But that headline number only captures what gets reported. The real damage from vendor fraud in small businesses is far larger, far quieter, and often discovered months or years after the money has gone.
The Association of Certified Fraud Examiners (ACFE) found in its 2024 Report to the Nations that organisations with fewer than 100 employees suffered a median fraud loss of $141,000 per incident — and billing schemes were the second most common type of fraud in small organisations. More than half of all cases were linked to a lack of internal controls or management override of existing controls.
For Australian SMBs running lean finance teams, vendor fraud isn't a theoretical risk. It's a structural vulnerability.
In this article:
- What Vendor Fraud Actually Looks Like
- The Five Most Common Vendor Fraud Schemes
- Why Small Businesses Are Disproportionately Hit
- Warning Signs Your Business Should Watch For
- Building a Vendor Fraud Defence That Works
- What to Do If You Suspect Vendor Fraud
- Related Reading
What Vendor Fraud Actually Looks Like
Vendor fraud is any scheme that exploits the accounts payable process to extract money from a business. Unlike external cyberattacks that grab headlines, vendor fraud is typically quiet, methodical, and perpetrated by people who already have access — employees, trusted suppliers, or external actors who have compromised a supplier's communications.
The common thread across all vendor fraud schemes is that they exploit trust. A finance team trusts that a supplier is real. They trust that an invoice reflects actual goods or services. They trust that bank details haven't been tampered with.
When that trust isn't backed by verification, money disappears.
Xero's own research found that nearly one in five (18%) Australian small businesses have fallen victim to invoice fraud, with average losses of $15,500 for sole traders and micro businesses, and $25,370 for businesses with five to 19 employees. The survey also revealed that only 42% of small business respondents were confident they could identify a fraudulent invoice.

The Five Most Common Vendor Fraud Schemes
Understanding the mechanics of each scheme is the first step to building effective defences.
1. Phantom Vendor Schemes
A phantom vendor is a fictitious supplier created in your accounting system. The fraudster — typically an employee with access to the vendor master file — sets up a fake contact in Xero, submits invoices for goods or services that were never delivered, approves them, and routes the payment to a bank account they control.
Phantom vendor schemes thrive where one person handles both vendor creation and payment approval. The invoices often look legitimate because the fraudster understands exactly what the business buys and at what price points.
The tell-tale signs: the vendor's ABN is missing or doesn't resolve on the Australian Business Register, their address is a PO Box or residential property, and they only ever submit invoices, never contracts, purchase orders or delivery receipts.
2. Invoice Manipulation
A real supplier sends a legitimate invoice. Somewhere between receipt and payment, the details get changed. The bank account number is altered to redirect payment. The amount is inflated. Additional line items appear.
This can happen externally through business email compromise, where a fraudster intercepts or spoofs supplier emails. It can also happen internally, where an AP team member modifies invoice details before processing.
Invoice manipulation is particularly dangerous because the underlying transaction is real. The business did receive goods or services, which makes the invoice harder to question during approval.
3. Duplicate Billing
A supplier submits the same invoice twice — sometimes intentionally, sometimes through genuinely poor processes. When the duplicate payment goes undetected, the supplier pockets both payments.
Deliberate duplicate billing is harder to prove than other fraud types because the supplier can always claim it was a system error. That plausible deniability is what makes it attractive.
The ACFE found that billing schemes are particularly prevalent in small organisations where AP processes rely heavily on manual checks and individual judgment rather than systematic controls.
4. Kickback Arrangements
An employee steers business to a preferred supplier in exchange for personal payments. The supplier wins contracts or receives favourable terms they wouldn't get in a competitive process. The employee benefits personally while the business pays inflated prices.
Kickbacks are one of the hardest vendor fraud schemes to detect because both parties benefit from keeping it hidden. The invoices are real, the goods are delivered, and the amounts look plausible — they're just higher than market rate.
Warning signs include a single employee who insists on using a specific supplier despite cheaper alternatives, resistance to vendor audits, and a supplier relationship where the employee and vendor contact seem unusually close.
5. Bank Detail Fraud (Payment Redirect)
A fraudster contacts your business — either by compromising a supplier's email or impersonating them directly — and requests a change to the supplier's bank account details. The next payment goes to the fraudster's account instead of the real supplier.
This is one of the fastest-growing fraud types in Australia. The Australian Cyber Security Centre has repeatedly warned businesses about payment redirect fraud, which can result in six-figure losses from a single compromised payment.
The danger is amplified by Australia's New Payments Platform (NPP), which settles payments in seconds with no guaranteed recall. Once the money has moved, recovery depends on the receiving bank freezing the funds before they are withdrawn or moved on, which is why the first call after discovery is to your bank.

Why Small Businesses Are Disproportionately Hit
Large enterprises invest in dedicated fraud teams, automated controls, and multi-layered approval workflows. Small businesses don't have that luxury — and fraudsters know it.
Limited separation of duties. In a three-person finance team, the person who creates vendors in Xero might also be the person who approves invoices and processes payments. That concentration of control is exactly what fraud schemes exploit.
Trust-based processes. Small teams rely on personal relationships and trust rather than formal verification procedures. "I know our suppliers" works until it doesn't — and by the time it fails, the damage is done.
Under-investment in controls. Xero research found that nearly three in ten (28%) small businesses don't spend any money on cyber security protection or education. The focus is on running the business, not on the controls that protect it.
Manual, ad-hoc AP workflows. Without automated matching of purchase orders, delivery receipts, and invoices, each payment relies on human judgment. Humans get busy, take shortcuts, and miss patterns that systems would catch.
The "it won't happen to us" mindset. Small business owners often believe fraud is something that happens to bigger companies. The ACFE data tells a different story — small organisations experience fraud at the same rate as large ones, but with proportionally greater impact.
The ACFE's 2024 report found that more than half of all fraud cases were correlated with either a lack of internal controls or management override of existing controls. For small businesses, these two factors are practically the default operating environment.
Warning Signs Your Business Should Watch For
No single red flag confirms vendor fraud on its own. But patterns of red flags should trigger investigation.
Vendor red flags:
- Suppliers with no ABN or an ABN that doesn't match the Australian Business Register
- Vendor addresses that are PO Boxes, residential addresses, or match employee addresses
- Suppliers that only accept payment to personal bank accounts (not business accounts)
- New vendors with unusually large first invoices
- Vendors that share phone numbers, email domains, or bank details with other vendors or employees
Invoice red flags:
- Round-number invoices ($5,000.00 exactly, $10,000.00 exactly). Genuine invoices rarely land on exact round figures once itemised quantities and GST are applied; fixed-fee retainers are the usual exception
- Invoices just below approval thresholds (if your limit is $10,000, watch for repeated $9,900 invoices)
- Invoice numbers that run consecutively across every invoice you receive from a supplier who should have other clients (it implies you are their only customer, or that the numbers are being made up)
- Invoices without purchase orders or delivery documentation
- Sudden increases in invoice frequency or amounts from established suppliers
Process red flags:
- One person controls the entire vendor-to-payment process without oversight
- Resistance to vendor audits or changes to AP procedures
- An employee who never takes leave (afraid that a replacement will discover the scheme)
- Missing or incomplete vendor onboarding documentation
- Supplier bank detail changes that arrive via email without call-back verification on a phone number you already held before the request
Financial red flags:
- Expenses consistently trending above budget without clear explanation
- Cost-per-unit increases that don't align with market conditions
- Supplier payments that spike around month-end or quarter-end
- Payments to vendors that don't appear in any operational records or purchase orders
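The invoice red flags above can be screened mechanically before anyone approves a bill. The script below is an added example, not code from the article or from any product it mentions: it runs over a constructed accounts-payable export (the column layout and the $10,000 single-approval limit are assumptions) and flags round amounts, invoices sitting just below the approval limit, exact resubmissions, consecutive invoice numbering, and clusters of sub-threshold invoices that look like one bill split to dodge dual approval.

```python
"""Invoice red-flag screen over an accounts-payable export.

Added example, not code from the article or from any product it mentions.
Every row below is constructed for illustration and the column layout is an
assumption, not Xero's export format. The approval limit is also assumed.
"""
from collections import defaultdict
from datetime import date

APPROVAL_THRESHOLD = 10_000.00   # single-signature limit (assumed for the example)
NEAR_THRESHOLD_BAND = 0.05       # flag invoices within 5% below that limit

# Constructed sample: (vendor, invoice_no, amount, invoice_date)
INVOICES = [
    ("Acme Stationery", "INV-2041", 1_287.45, date(2025, 1, 6)),
    ("Acme Stationery", "INV-2077", 3_412.10, date(2025, 1, 28)),
    ("Acme Stationery", "INV-2077", 3_412.10, date(2025, 2, 3)),    # resubmitted
    ("Northside Consulting", "0042", 9_900.00, date(2025, 1, 10)),  # round, just under limit
    ("Northside Consulting", "0043", 9_850.00, date(2025, 1, 17)),  # next number, under limit
    ("Northside Consulting", "0044", 9_950.00, date(2025, 1, 24)),
    ("Westgate Freight", "WF-88812", 742.30, date(2025, 1, 11)),
    ("Westgate Freight", "WF-89007", 611.80, date(2025, 2, 14)),
]


def is_round(amount):
    """Exact multiples of $100 with no cents."""
    return amount == int(amount) and int(amount) % 100 == 0


def is_near_threshold(amount, limit=APPROVAL_THRESHOLD, band=NEAR_THRESHOLD_BAND):
    """Within the band just below the single-approval limit."""
    return limit * (1 - band) <= amount < limit


def invoice_sequence(number):
    """Trailing digit run of an invoice number, or None if there is none."""
    digits = ""
    for ch in reversed(number):
        if not ch.isdigit():
            break
        digits = ch + digits
    return int(digits) if digits else None


def screen_invoices(invoices):
    """Return {(vendor, invoice_no): [flags]} for invoices needing a second look."""
    flags = defaultdict(list)
    first_seen = {}                 # (vendor, number, amount) -> date first received
    by_vendor = defaultdict(list)

    for vendor, number, amount, when in invoices:
        key = (vendor, number)
        if is_round(amount):
            flags[key].append("round amount")
        if is_near_threshold(amount):
            flags[key].append("just below approval limit")
        dup_key = (vendor, number, round(amount, 2))
        if dup_key in first_seen:
            flags[key].append(f"duplicate of invoice dated {first_seen[dup_key]}")
        else:
            first_seen[dup_key] = when
        by_vendor[vendor].append((when, number, amount))

    for vendor, rows in by_vendor.items():
        rows.sort()
        seqs = [invoice_sequence(n) for _, n, _ in rows]
        # Consecutive numbers on every invoice we hold suggests we are the only customer.
        if len(seqs) >= 3 and None not in seqs and all(b - a == 1 for a, b in zip(seqs, seqs[1:])):
            for _, number, _ in rows:
                flags[(vendor, number)].append("consecutive invoice numbers")
        # Several sub-threshold invoices inside a month looks like one bill split to dodge dual approval.
        under = [(when, number) for when, number, amount in rows if is_near_threshold(amount)]
        if len(under) >= 2 and (under[-1][0] - under[0][0]).days <= 31:
            for _, number in under:
                flags[(vendor, number)].append("repeated sub-threshold invoices within 31 days")
    return dict(flags)


if __name__ == "__main__":
    for (vendor, number), reasons in sorted(screen_invoices(INVOICES).items()):
        print(f"{vendor} {number}: {'; '.join(reasons)}")
```

None of these flags proves fraud on its own; the point is that the Northside pattern (three round-ish invoices, numbered 42, 43, 44, all landing a few hundred dollars under the limit inside a fortnight) is invisible invoice by invoice and obvious once the run is looked at together.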

Building a Vendor Fraud Defence That Works
You don't need an enterprise fraud department. You need layered controls that make vendor fraud harder to commit and easier to detect.
Separate Vendor Creation from Payment Approval
The single most impactful control for small businesses. The person who adds a new supplier to Xero should not be the same person who approves payments to that supplier. Even in a two-person team, this separation dramatically reduces the risk of phantom vendor schemes.
In Xero, use user roles to restrict who can create and modify contacts. It's not a perfect control on its own, but it adds a barrier, and combined with the History & Notes audit trail it leaves a record of who created each supplier and when.
Verify Every New Vendor
Before any new supplier is added to your system, verify them independently:
- Check their ABN on the Australian Business Register (abr.business.gov.au) and confirm the entity name and status match the supplier, not just that the number exists
- Confirm their physical address exists (Google Maps is a quick first check)
- Call them on a phone number you find independently — not one from their invoice
- Request and verify their banking details through a separate channel from how you received the invoice
This takes 10 minutes per vendor. For a business that adds a few new suppliers per month, it's a trivial investment against a potentially catastrophic loss.
Implement Dual Approval for Payments
No payment above a defined threshold should go out with a single approval. The threshold depends on your business, but for most SMBs, anything over $5,000 warrants a second set of eyes.
Make this a hard rule, not a guideline. Fraudsters study your processes and will structure their schemes to exploit any flexibility.
Audit Your Vendor List Quarterly
Export your Xero contacts list every quarter and review it systematically:
- Are there vendors you don't recognise?
- Are there duplicate entries for the same supplier?
- Do any vendor bank details match employee bank details?
- Are there vendors that haven't been paid in over 12 months? (Archive them.)
- Do any vendors share addresses, phone numbers, or email domains?
OutflowGuard's free tier includes a ghost supplier detection scan that automates much of this analysis against your Xero data.
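The quarterly review questions above, together with the ABN check from the new-vendor verification step, can be turned into a script you run against an exported contact list. What follows is an added example, not code from the article and not OutflowGuard's product. The record layout, every vendor and employee record, and the ABNs (digit strings chosen to pass or fail the checksum, not real entities) are constructed for the example. The ABN checksum itself is the one the ABR publishes: subtract 1 from the first digit, weight the 11 digits by 10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19, and the total must divide by 89.

```python
"""Vendor master-file audit: the quarterly review checklist plus the ABN test.

Added example, not code from the article or from any product it mentions.
Column names and every record are constructed; this is not Xero's export
format, and the ABNs are digit strings chosen to pass or fail the checksum,
not real entities.
"""
import re
from collections import defaultdict
from datetime import date

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "bigpond.com"}


def abn_checksum_ok(abn):
    """ABR checksum: subtract 1 from the first digit, weight the 11 digits, total
    divisible by 89. Passing proves the digits are well-formed, not that the number
    belongs to this supplier; confirm the entity name on abr.business.gov.au."""
    digits = re.sub(r"\s", "", abn or "")
    if not re.fullmatch(r"\d{11}", digits):
        return False
    nums = [int(d) for d in digits]
    nums[0] -= 1
    return sum(n * w for n, w in zip(nums, ABN_WEIGHTS)) % 89 == 0


def name_key(name):
    """Normalise a trading name so 'ACME Stationery' and 'Acme Stationery Pty Ltd' collide."""
    key = re.sub(r"[^a-z0-9]", "", name.lower())
    return re.sub(r"(ptyltd|pty|ltd)$", "", key)


def norm_bank(bsb, account):
    return (re.sub(r"\D", "", bsb), re.sub(r"\D", "", account))


# Constructed contact export and payroll bank details (assumed layout).
VENDORS = [
    {"name": "Acme Stationery Pty Ltd", "abn": "31 415 926 060", "email": "accounts@acmestationery.example",
     "phone": "02 9000 0001", "address": "12 Mill St, Parramatta NSW 2150",
     "bsb": "062-000", "account": "11223344", "last_paid": date(2025, 3, 2)},
    {"name": "ACME Stationery", "abn": "31 415 926 060", "email": "ap@acmestationery.example",
     "phone": "02 9000 0001", "address": "12 Mill St, Parramatta NSW 2150",
     "bsb": "062-000", "account": "11223344", "last_paid": date(2024, 11, 19)},  # duplicate contact
    {"name": "Northside Consulting", "abn": "31 415 926 061", "email": "billing@northside-consult.example",
     "phone": "0400 000 002", "address": "7 Beach Rd, Manly NSW 2095",
     "bsb": "082-001", "account": "99887766", "last_paid": date(2025, 3, 14)},  # bad ABN, employee match
    {"name": "Harbour Cleaning Services", "abn": "", "email": "harbourclean@mail.example",
     "phone": "0400 000 002", "address": "PO Box 44, Mosman NSW 2088",
     "bsb": "082-002", "account": "55667788", "last_paid": date(2023, 12, 1)},  # no ABN, stale
    {"name": "Westgate Freight", "abn": "20 000 000 190", "email": "ops@westgatefreight.example",
     "phone": "03 9000 0004", "address": "200 Dock Rd, Footscray VIC 3011",
     "bsb": "033-005", "account": "44556677", "last_paid": date(2025, 2, 27)},
]
EMPLOYEES = [
    {"name": "J. Doe", "address": "7 Beach Rd, Manly NSW 2095", "bsb": "082001", "account": "99887766"},
    {"name": "A. Nguyen", "address": "3 Park Ave, Glebe NSW 2037", "bsb": "062-000", "account": "22334455"},
]


def audit_vendors(vendors, employees, today):
    """Return {vendor name: [findings]}; vendors with no findings are omitted."""
    findings = defaultdict(list)
    employee_banks = {norm_bank(e["bsb"], e["account"]): e["name"] for e in employees}
    employee_addresses = {e["address"].lower() for e in employees}
    groups = defaultdict(list)   # normalised name -> contact names
    shared = {"bank details": defaultdict(set), "phone": defaultdict(set), "email domain": defaultdict(set)}

    for v in vendors:
        name, key = v["name"], name_key(v["name"])
        groups[key].append(name)
        if not abn_checksum_ok(v["abn"]):
            findings[name].append("ABN missing or fails checksum")
        bank = norm_bank(v["bsb"], v["account"])
        if bank in employee_banks:
            findings[name].append(f"bank details match employee {employee_banks[bank]}")
        if v["address"].lower() in employee_addresses:
            findings[name].append("address matches an employee address")
        if re.search(r"\bpo box\b", v["address"], re.I):
            findings[name].append("PO Box address")
        if v["last_paid"] and (today - v["last_paid"]).days > 365:
            findings[name].append("no payments in over 12 months")
        shared["bank details"][bank].add(key)
        shared["phone"][re.sub(r"\D", "", v["phone"])].add(key)
        domain = v["email"].rsplit("@", 1)[-1].lower()
        if domain and domain not in WEBMAIL:
            shared["email domain"][domain].add(key)

    for names in groups.values():
        if len(names) > 1:
            for n in names:
                findings[n].append("duplicate contact: " + ", ".join(x for x in names if x != n))
    # Shared attributes only count across distinct suppliers, not between duplicate contacts.
    for kind, table in shared.items():
        for keys in table.values():
            if len(keys) > 1:
                for v in vendors:
                    if name_key(v["name"]) in keys:
                        findings[v["name"]].append(f"shares {kind} with another supplier")
    return dict(findings)


if __name__ == "__main__":
    for vendor, reasons in audit_vendors(VENDORS, EMPLOYEES, date.today()).items():
        print(f"{vendor}: {'; '.join(reasons)}")
```

The employee comparison is the check most small businesses skip, and it is the one that catches phantom vendors outright: a supplier record whose BSB and account number equal a payroll record needs an explanation before the next payment run, not at the next audit. Duplicate contacts for a real supplier are less sinister but are exactly how a second, redirected bank account slips into the file unnoticed.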

Monitor for Suspicious Changes
Vendor fraud often involves changing existing supplier records — particularly bank account details. Manual monitoring of these changes is unreliable because they happen silently in the background.
Automated monitoring tools that track changes to supplier records in real time close this gap. When a supplier's bank details change in Xero, you should know about it immediately — not when you reconcile at month-end.
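The control behind this monitoring is a gate, not just an alert: a payment to a supplier whose bank details changed since the last snapshot is held until someone records that they confirmed the new details by calling back a number the business already held before the change. The example below is added here and is not code from the article or any product it mentions; the supplier fields, both snapshots, and the verification log are constructed, and the field names are assumptions rather than Xero's. It also covers the out-of-band verification step from the new-vendor checklist, and it shows the case that defeats a careless callback: the attacker changes the phone number in the same request as the bank details, so a clerk who rings the number on the request "verifies" the fraud.

```python
"""Bank-detail change gate for supplier payments.

Added example, not code from the article or from any product it mentions. It
diffs two snapshots of supplier records (constructed here; the fields are
assumed, not Xero's) and holds any payment to a supplier whose BSB/account
changed since the previous snapshot, or who is new, until a verification
record shows the change was confirmed by calling back the phone number held
before the change, never a number supplied with the request.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    bsb: str
    account: str
    phone: str


# Constructed snapshots: last quarter's export and today's.
PREVIOUS = {s.name: s for s in [
    Supplier("Acme Stationery", "062-000", "11223344", "02 9000 0001"),
    Supplier("Westgate Freight", "033-005", "44556677", "03 9000 0004"),
    Supplier("Northside Consulting", "082-001", "99887766", "0400 000 002"),
]}
CURRENT = {s.name: s for s in [
    Supplier("Acme Stationery", "062-000", "11223344", "02 9000 0001"),
    Supplier("Westgate Freight", "033-006", "10101010", "03 9000 0004"),        # genuine change
    Supplier("Northside Consulting", "012-345", "77778888", "0400 999 999"),    # bank AND phone changed
    Supplier("Harbour Cleaning Services", "082-002", "55667788", "0400 000 003"),  # new supplier
]}

# Constructed verification log: which number was rung and which details were confirmed.
VERIFICATIONS = [
    {"supplier": "Westgate Freight", "verified_by": "finance manager", "callback_number": "03 9000 0004",
     "confirmed_bsb": "033-006", "confirmed_account": "10101010"},
    # The Northside "verification" rang the number that arrived with the change request.
    {"supplier": "Northside Consulting", "verified_by": "AP clerk", "callback_number": "0400 999 999",
     "confirmed_bsb": "012-345", "confirmed_account": "77778888"},
]


def detect_changes(previous, current):
    """Return {name: (before, now)}; before is None for a supplier absent from the previous snapshot."""
    changes = {}
    for name, now in current.items():
        before = previous.get(name)
        if before is None or (before.bsb, before.account) != (now.bsb, now.account):
            changes[name] = (before, now)
    return changes


def change_is_verified(name, before, now, verifications):
    """True only if a record confirms exactly these details via the previously held phone number."""
    for rec in verifications:
        if rec["supplier"] != name:
            continue
        if (rec["confirmed_bsb"], rec["confirmed_account"]) != (now.bsb, now.account):
            continue
        if before is None or rec["callback_number"] != before.phone:
            continue   # new supplier (onboarding verification is a separate step), or wrong number rung
        return True
    return False


def release_decision(name, previous, current, verifications):
    """'release', or a 'hold: ...' reason the approver must clear before paying."""
    changes = detect_changes(previous, current)
    if name not in changes:
        return "release"
    before, now = changes[name]
    if change_is_verified(name, before, now, verifications):
        return "release"
    if before is None:
        return "hold: new supplier not verified"
    note = " and phone number" if before.phone != now.phone else ""
    return f"hold: unverified bank detail{note} change"


if __name__ == "__main__":
    for name in CURRENT:
        print(f"{name}: {release_decision(name, PREVIOUS, CURRENT, VERIFICATIONS)}")
```

The decisive check is that the callback number must come from the record as it stood before the change. A change request that also updates the phone number is not automatically fraud, but it means the only trustworthy number is the old one, and if that number no longer reaches the supplier the payment stays on hold until it is resolved some other way.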
Match Invoices to Purchase Orders and Receipts
Three-way matching — comparing the invoice to both the original purchase order and the delivery receipt — is the standard enterprise control for preventing billing fraud. Small businesses rarely implement it formally, but even an informal version helps.
Before approving an invoice, ask: did we order this? Did we receive it? Does the amount match what we agreed? If any answer is uncertain, pause and verify.
What to Do If You Suspect Vendor Fraud
Discovery is just the beginning. How you respond determines whether you recover losses and prevent recurrence.
Preserve the evidence. Don't confront the suspected fraudster or alter any records. Screenshot emails, export the relevant Xero history, and document the timeline. Xero's History & Notes feature provides an audit trail of changes to contacts and transactions.
Engage professional help. For suspected internal fraud above a few thousand dollars, consider engaging a forensic accountant. They'll know how to investigate without alerting the perpetrator and can quantify total losses.
Report it. Report to your local police and to Scamwatch (scamwatch.gov.au). If the fraud involved email compromise, report to the Australian Cyber Security Centre (ReportCyber). These reports contribute to national intelligence on fraud patterns and may assist in fund recovery.
Review and strengthen controls. Every fraud is a lesson. Identify specifically which control failed or was absent, and implement changes to prevent the same scheme from working again.
Notify your bank. If payments were redirected to fraudulent accounts, contact your bank immediately. Early notification improves the chances of freezing funds before they're withdrawn.
Protecting Your Business Going Forward
Vendor fraud succeeds because it exploits the gap between how much businesses trust their processes and how reliable those processes actually are. For Australian SMBs using Xero, the combination of lean teams, manual workflows, and trust-based relationships creates an environment where fraud can operate undetected for months.
The solution isn't paranoia — it's practical controls layered at the points where fraud enters the system. Verify vendors before they're created. Separate duties where possible. Require dual approval for significant payments. Audit your vendor list regularly. Monitor for changes automatically.
OutflowGuard helps Xero-based businesses close these gaps with automated supplier monitoring, ghost vendor detection, and real-time alerts when supplier bank details change. The free tier scans your existing data for vulnerabilities, giving you a clear starting point for strengthening your defences.
The businesses that avoid vendor fraud aren't the ones with the biggest budgets. They're the ones that stopped assuming their processes were enough — and built controls to match the reality of the threat.