What are the most common invoice fraud patterns?

The most common invoice fraud patterns include duplicate invoices, price creep (gradual price increases), split purchasing to avoid approval thresholds, shell vendor schemes, and invoice timing manipulation. Most AP tools only catch obvious duplicates while missing sophisticated patterns like cumulative fraud and vendor collusion.

How do I detect invoice fraud in accounts payable?

Detect invoice fraud by implementing automated anomaly detection that monitors price variances against historical data, flags sequential invoice numbers from the same vendor, identifies purchases split just below approval limits, and cross-references vendor bank details against known fraud databases. AI-powered systems can catch patterns that rule-based tools miss.

What is split purchase fraud?

Split purchase fraud occurs when someone deliberately breaks a large purchase into multiple smaller transactions to avoid approval thresholds. For example, splitting a $12,000 purchase into three $3,900 invoices to stay under a $4,000 approval limit. Detection requires analyzing cumulative spending patterns across vendors and time periods.

How much does invoice fraud cost businesses?

Invoice fraud costs businesses an estimated 5% of annual revenue according to the Association of Certified Fraud Examiners. For a company processing $10M in invoices annually, that represents $500,000 in potential losses. The median loss per fraud case is $117,000, with schemes often running 18 months before detection.

12 Invoice Fraud Patterns Your AP Tool Doesn't Catch

Key Takeaways

Basic duplicate detection catches only 30% of duplicate payments
12 distinct fraud patterns require layered detection approaches
Cumulative fraud (split invoicing) is the most costly and hardest to catch
Item normalization enables cross-vendor price comparison
Pure SQL detection costs $0 per check vs paid ML/API services

What is invoice fraud?

Invoice fraud occurs when businesses pay for goods or services that were never delivered, were already paid for, or were billed at inflated prices. Common patterns include duplicate invoices, shell company schemes, price creep, split invoicing to avoid approval thresholds, and PO acknowledgment manipulation. In 2024, 79% of organizations were victims of payment fraud [AFP Payments Fraud Survey 2025], with median losses of $145,000 per case [ACFE 2024].

The Association of Certified Fraud Examiners reports that organizations lose 5% of revenue to fraud annually [ACFE 2024], with billing schemes costing an average of $5,600 per month. For procurement and accounts payable, the most common schemes are billing fraud, check tampering, and expense reimbursement abuse, all of which can be detected with proper invoice validation.

Yet most AP tools only perform basic duplicate checking: "Have we seen this exact invoice number before?" That catches about 30% of duplicate payments. The other 70% slip through because fraudsters simply change the invoice number, adjust the date, or split the invoice.

The Duplicate Payment Problem

Duplicate payments represent 0.1% to 0.5% of annual disbursements [AFP 2024], while 1.29% of invoices processed are duplicates averaging $2,034 each [SAP Concur 2024]. For a company processing $50M annually, that's $50K-$250K in overpayments. Most recovery audits find that 80% of these duplicates were preventable with better detection.

The 12 Fraud Patterns

Quick answer: The 12 invoice fraud patterns are: exact duplicates, amount-based duplicates, fuzzy invoice matches, split invoicing, price outliers, quantity spikes, new vendor large orders, cross-vendor price variance, round-number invoices, weekend/holiday submissions, approval threshold gaming, and cumulative overbilling.

Modern fraud detection requires multiple detection layers, each targeting a specific attack vector. Here are the 12 patterns that comprehensive anomaly detection should catch:

Exact Invoice Number Duplicate

Critical

The most obvious fraud: submitting the exact same invoice number from the same vendor twice. This catches vendors resubmitting paid invoices months later, hoping AP won't notice. The median fraud takes 12 months to detect [ACFE 2024], giving fraudsters ample time to resubmit.

Example Vendor submits INV-2024-1234 for $47,500 in March. It gets paid. In September, they resubmit the exact same INV-2024-1234 with the same amount, hoping the AP clerk won't cross-reference historical payments.

Detection Method Case-insensitive match on invoice number + vendor ID across ALL invoices (including paid). Never restrict to recent invoices only. Fraudsters exploit time gaps.

Suspicious Amount Match

Critical

Fraudsters change the invoice number but forget to change the amount. Same vendor, same exact amount (within 0.5%), different invoice number, submitted within 30 days = highly suspicious.

Example Invoice INV-1001 for $12,847.50 gets paid on Dec 1. On Dec 15, the vendor submits INV-1002 for $12,847.50. Different invoice number, but identical amount from the same vendor in the same month.

Detection Method Match on vendor_id + amount (within 0.5% tolerance) + 30-day window. Flag even if invoice numbers are completely different. Check against paid invoices.

Fuzzy Invoice Number Match

High

Catches typos, OCR errors, and intentional slight modifications: INV-1234 vs INV-I234 (letter I vs number 1), or INV-1234 vs INV1234 (missing hyphen).

Example Original invoice: "INV-2024-0847". Duplicate submitted as "INV-2024-O847" (letter O instead of zero). Human reviewers miss this. Fuzzy matching catches it with 95%+ similarity.

Detection Method PostgreSQL trigram similarity scoring (pg_trgm extension). Flag invoices with >85% similarity score AND similar amounts (within 1%). Requires both conditions to reduce false positives.

Cumulative Invoice Fraud (Split Invoicing)

Critical

Breaking a large PO into multiple smaller invoices that individually look normal but together exceed the PO total. Each invoice passes validation; the fraud is only visible when you sum them up. With median fraud losses of $145,000 per case [ACFE 2024], cumulative schemes can be devastating.

Example PO-5001 authorizes $50,000 for consulting services. Vendor submits 5 invoices over 3 months: $11,000, $12,500, $9,800, $10,200, $11,500 = $55,000 total. Each looks reasonable, but cumulative exceeds PO by $5,000 (10% overage).

Detection Method Sum all invoices against each PO, subtract any credit memos. Flag when cumulative total exceeds PO by more than 1%. Include invoice counts for context.

Statistical Price Outliers

High

Prices that deviate significantly from historical norms. Uses adaptive thresholds based on sample size: more conservative (5 sigma) with limited data, stricter (3 sigma) with robust historical data.

Example Part ABC-123 has been purchased 20 times at an average of $45.00 (std dev $3.20). New invoice shows $142.00 for the same part. That's 30 standard deviations above the mean. Either a pricing error or intentional markup.

Detection Method Calculate mean and standard deviation per part number per vendor. Apply adaptive thresholds: 5 sigma for 1 sample, 4 sigma for 2 samples, 3 sigma for 3+ samples. Handles cases with zero variance (consistent pricing) using percentage-based fallback.

Quantity Spikes

High

Ordering dramatically more than typical: 10x, 15x, or 20x the normal quantity. Could indicate theft-for-resale, phantom inventory, or simple data entry errors.

Example Typical monthly order for printer toner: 50 units. New invoice shows 750 units (15x normal). Either a legitimate bulk purchase or someone is building inventory for resale.

Detection Method Calculate historical average quantity per item per vendor. Flag if current quantity exceeds adaptive threshold: 20x for 1 sample, 15x for 2 samples, 10x for 3+ samples.

New Vendor with Large First Order

High

First-time vendors submitting unusually large orders. Classic shell company fraud: create a fake vendor, submit one large invoice, collect payment, disappear. With 79% of organizations experiencing payment fraud in 2024 [AFP Payments Fraud Survey 2025], shell companies remain a top threat vector.

Example "ABC Consulting LLC" (no transaction history) submits first invoice for $87,000. Vendor was added to the system last week. No goods or services have been received. This is the ghost vendor pattern.

Detection Method Check if vendor has zero prior transactions. If first invoice exceeds threshold ($5,000 for invoices, $1,000 for POs), flag for vendor verification. Different thresholds because POs can be caught before commitment.

Early Relationship Risk (Third Invoice Fraud)

Medium

Fraudsters often submit 1-2 small legitimate invoices to establish trust, then hit with a large fraudulent invoice. The "third invoice fraud" pattern is well-documented in procurement fraud literature.

Example Invoice #1: $2,500 (paid, legitimate)
Invoice #2: $3,800 (paid, legitimate)
Invoice #3: $47,000 (fraudulent)

Detection Method Extra scrutiny for first 5 invoices from any vendor. Graduated thresholds: flag invoices #1-2 over $10K, #3-4 over $25K, #5 over $50K. After 5 invoices with successful history, normal detection rules apply.

Split Purchase Detection

Critical

Breaking one large purchase into multiple smaller POs to stay under approval thresholds. If approval is required above $5,000, submit three POs for $4,900 each.

Example Company policy: purchases over $5,000 require manager approval. Employee creates:
PO-001: $4,800 to Vendor X (Monday)
PO-002: $4,700 to Vendor X (Wednesday)
PO-003: $4,900 to Vendor X (Friday)
Total: $14,400 in one week, zero approvals required.

Detection Method Sum all POs to the same vendor within a rolling window (7 days default). Flag if: 3+ POs, each individually below threshold, combined total exceeds 2x threshold. Includes vendor alias matching to catch name variations.

Price Creep Detection

Medium

Gradual price increases that individually seem minor but compound over time. Billing schemes lose companies $5,600 per month on average [ACFE 2024]. This is a direct comparison to the last purchase price.

Example January: Widget-A at $100
April: Widget-A at $115 (+15%)
July: Widget-A at $132 (+15%)
December: Widget-A at $152 (+15%)
Each increase "only" 15%, but price up 52% YTD.

Detection Method Compare current unit price to most recent purchase of same item from same vendor. Flag if increase exceeds threshold (default 15%). Severity escalates: 15-30% = medium, 30-50% = high, 50%+ = critical.

Cross-Vendor Price Premium

Medium

Paying significantly more than other vendors charge for the same item. Requires item normalization to compare prices across vendors who use different part numbers for identical products.

Example Your company buys HP CF294A toner cartridges from 3 vendors:
Office Depot: $89 (calls it "HP CF294A")
Staples: $92 (calls it "HP-CF294A-BLK")
New vendor: $142 (calls it "cf294a")
Item normalization links all three to the same canonical item.

Detection Method Use item_master table to normalize vendor part numbers to canonical item_id. Find lowest price paid for same item_id from any vendor. Flag if current price exceeds best price by threshold (default 20%).

Above Historical Best Price

Medium

Paying more than the best price you've ever achieved for an item. Different from cross-vendor: this tracks YOUR historical best, regardless of current vendor availability.

Example 6 months ago, you paid $80 for Widget-X from Vendor A (promotional pricing).
Today, Vendor A invoices Widget-X at $110, 37.5% above your historical best. Even if $110 is "fair market," you've demonstrated the ability to get it for $80.

Detection Method Query minimum unit_price ever paid for each item_id. Compare current price to historical best. Flag if exceeds threshold (default 25%). Include context: when, from whom, and at what price you achieved the best price.

Bonus: Quote-to-PO Mismatch

Beyond the 12 core patterns, comprehensive detection should also catch unauthorized changes between quote approval and PO issuance:

PO vs Quote Price Mismatch

High

The quote gets approved at one price, but the PO is issued at a higher price. This can be internal fraud (kickbacks to the person issuing POs) or vendor manipulation.

Example Quote QT-500 approved at $45.00/unit for 100 widgets.
PO-750 issued at $52.00/unit for 100 widgets.
Difference: $700 unauthorized price increase.

Detection Method For each PO, find the most recent quote from the same vendor. Compare line item prices. Flag if PO price exceeds quote price by more than tolerance (default 2%). Severity: 2-10% = medium, 10-20% = high, 20%+ = critical.

What Makes Detection Effective

Quick answer: Effective fraud detection requires checking paid invoices (not just pending), using multiple detection methods (exact, amount-based, and fuzzy matching), normalizing item data for cross-vendor comparison, and adaptive thresholds based on historical sample sizes.

$145K

Median fraud loss per case [ACFE 2024]

Many AP tools claim to detect fraud, but their implementations have critical gaps:

70%

Duplicates missed by invoice number matching alone

Methods needed to catch all duplicate types

Cost per check using pure SQL detection

Common Detection Gaps

Detection Requirement	Basic AP Tools	Comprehensive Detection
Checks paid invoices for duplicates	Often excludes paid	Always includes
Cross-vendor price comparison	No normalization	Item master mapping
Cumulative PO validation	Per-invoice only	Sum across all invoices
Adaptive statistical thresholds	Fixed 3 sigma	3-5 sigma based on sample size
Vendor alias detection	Exact match only	Canonical mapping
Early relationship tracking	No history awareness	First 5 invoice scrutiny

The Item Normalization Requirement

Cross-vendor price comparison only works if you can match items across vendors. This requires an item master that maps vendor-specific part numbers to canonical item IDs:

-- Same product, different vendor part numbers
vendor_part_number    | vendor_name    | item_id
---------------------|----------------|------------------
"HP CF294A"          | Office Depot   | ITEM-TONER-001
"HP-CF294A-BLK"      | Staples        | ITEM-TONER-001
"cf294a"             | ABC Office     | ITEM-TONER-001
"294A-HP-BLACK"      | Vendor Direct  | ITEM-TONER-001

-- Now we can compare prices across all vendors
SELECT vendor_name, MIN(unit_price)
FROM invoice_line_items
WHERE item_id = 'ITEM-TONER-001'
GROUP BY vendor_name;
            

Without item normalization, "HP CF294A" and "cf294a" appear as completely different products, making price comparison impossible.

Implementation Considerations

Quick answer: Implement fraud detection with sub-100ms latency per invoice using pure SQL queries with compound indexes. Use batch optimization to check all line items in a single query. Calibrate severity levels (critical, high, medium) to drive appropriate workflow actions.

Performance Requirements

Fraud detection must be fast enough to run on every invoice without creating bottlenecks:

Target latency: Under 100ms per invoice for all 12 checks combined
Batch optimization: Single query for all line items instead of N queries
Index requirements: Compound indexes on (vendor_id, company_id, item_id)
Cost: Pure SQL with no external API calls = $0 per check

Severity Calibration

Not all anomalies deserve equal attention. Severity levels should drive workflow:

Critical: Automatic payment hold. Human review required before release.
High: Flagged for review but can proceed with approval. Manager notification.
Medium: Informational. Logged for audit trail and trend analysis.

Detection vs Recovery

The goal is prevention, not recovery. Active fraud monitoring reduces detection time from 12 months to just 6 months [ACFE 2024]. Recovery audits typically retrieve 50-75% of duplicates found, but the effort costs 25-30% of recovery value. Prevention costs a fraction and catches 100% before payment.

Beyond Detection: Building Trust Scores

Individual anomaly flags are useful, but the real power comes from combining them into vendor and invoice trust scores:

New vendor with first large invoice = -20 points
Third invoice from low-history vendor = -10 points
Price 3 sigma above historical average = -15 points
Split purchase pattern detected = -25 points
100+ transactions with zero anomalies = +30 points

A composite score enables automated triage: high-trust vendors get straight-through processing; low-trust invoices get manual review. This balances fraud prevention with AP efficiency.

See All 12 Detection Patterns in Action

Upload an invoice and watch real-time anomaly detection flag potential fraud patterns. No credit card required.

Start Free Trial

References

Association of Certified Fraud Examiners. (2024). "2024 Report to the Nations" - Organizations lose 5% of revenue to fraud annually. Median loss: $145,000 per case. Billing schemes average $5,600/month. Median detection time: 12 months (reduced to 6 months with active monitoring).
AFP. (2025). "2025 AFP Payments Fraud and Control Survey" - 79% of organizations were victims of payment fraud in 2024.
AFP. (2024). "Payments Fraud Survey" - Duplicate payments represent 0.1% to 0.5% of annual disbursements.
SAP Concur. (2024). "Invoice Processing Benchmark Report" - 1.29% of invoices processed are duplicates, averaging $2,034 each.
Institute of Finance & Management, "AP Duplicate Payment Prevention Best Practices"
ACFE, "Vendor Fraud Schemes: Detection and Prevention"

Key Takeaways

What is invoice fraud?

The 12 Fraud Patterns

Bonus: Quote-to-PO Mismatch

What Makes Detection Effective

Common Detection Gaps

The Item Normalization Requirement

Implementation Considerations

Performance Requirements

Severity Calibration

Beyond Detection: Building Trust Scores

See All 12 Detection Patterns in Action

Further Reading

References