13 Types of Vendor Fraud and How to Prevent Them

Every day, finance teams process thousands of vendor payment requests with practiced efficiency. From receiving invoices to obtaining approvals and authorizing payments, these steps are so routine that they often feel automatic.

But cybercriminals have learned that the most effective attacks don't target systems; instead, they target trust. The most devastating evolution of this approach is vendor email compromise (VEC), where attackers infiltrate the sacred trust between vendors and their clients.

Hijacked or spoofed vendor email accounts seamlessly reroute legitimate payments unless you verify every banking detail change. VEC attackers patiently study correspondence, slip convincing requests into existing threads, and monitor funds as they flow to offshore accounts.

According to Abnormal, employees at the most prominent organizations (those with 50,000 or more staff) showed the highest rate of second-step engagement with VEC attacks. After reading a malicious vendor message, they took further action 72.3% of the time.

Most VEC schemes show signs before money moves. Common red flags include unexpected requests to change payment details, look-alike domains (such as "invoicing-acme.com" instead of "acme.com"), and emails sent outside regular business hours.

Fraudsters create fake vendors within ERP systems to steal money through invoices for non-existent goods or services. In 2018, Save the Children lost nearly $1 million to a bogus supplier created through a compromised employee account, with the fraud remaining undetected until funds disappeared overseas.

Phantom vendors reveal themselves through specific patterns: P.O. box addresses, missing tax identification numbers, recently created vendor profiles approved by the same employee, or multiple vendors sharing identical bank accounts. These anomalies indicate failed onboarding controls that fraudsters exploit.

Strict vendor onboarding procedures close this vulnerability through third-party data validation and segregation of duties, preventing any single user from creating, approving, and paying a vendor. Automated cross-checks against external business registries eliminate ghost suppliers before they enter your system.

Duplicate invoice payments drain cash through identical or near-identical invoices that slip past manual reviews. Fraudsters resubmit legitimate invoices with minor alterations such as different dates, slightly modified purchase order numbers, or alternative routing information, then redirect the second payment to accounts under their control.

Finance teams encounter this frequently because the tactic exploits high-volume transaction environments where exact matches are flagged, but near-matches are allowed to slide through. A duplicate can be an exact copy or a strategic near-match with tweaks designed to bypass standard detection systems.

Red flags include identical amounts appearing on consecutive days, purchase order numbers differing by a single character, invoices manually entered instead of system-generated, and vendors submitting PDFs rather than using your procurement portal. These patterns indicate potential manipulation.

Overbilling attacks drain budgets by hiding inflated prices or phantom quantities inside legitimate invoices. Attackers manipulate unit costs, pad hours, or bill for goods that never arrive, knowing high transaction volumes will bury the discrepancies. In bulk-purchase environments, vendors routinely slip inflated line items past busy AP teams, a pattern that fraud analyses show thrives when thousands of SKUs flow through systems each month.

Recognize these warning signs when pricing schemes emerge: sudden spikes in unit cost without corresponding market shifts, vague descriptions such as "consulting services," and invoices that consistently land just below secondary-approval thresholds. When insiders collude with suppliers, these red flags typically appear alongside consistent approvals by the same employee.

Bid rigging occurs when vendors secretly work together, often with help from an insider, to decide who will win a contract. This coordination pushes prices above fair market value. Common tactics include submitting fake bids, rotating winners, or dividing up markets to create the illusion of competition. Public-sector contracts, especially in defense and infrastructure, are frequent targets and can be inflated by tens of millions of dollars.

Signs of bid rigging often appear early. These include identical language in proposals, matching metadata, nearly identical pricing, predictable winning patterns, and a small group of repeat bidders. Procurement professionals should monitor these red flags closely.

Kickbacks and illegal rebates involve vendors bribing employees through hidden payments, such as consulting fees, profit-sharing arrangements, or direct cash, to secure contracts or inflate invoices. Recent analysis documents an accounts payable manager who funneled millions in spending to favored suppliers while collecting secret commissions. This insider collusion inflated procurement costs for years before external auditors exposed the scheme.

The warning signs of kickback schemes include sudden lifestyle upgrades such as luxury travel or high-end vehicles that salary alone cannot justify, invoices with vague descriptors like "services rendered" or "consulting" accompanied by round-number charges, and split or sequential payments just below approval thresholds. These patterns indicate potential collusion between employees and suppliers.

Price-fixing cartels cost organizations millions by eliminating actual competition among suppliers. When vendors collude to align prices instead of competing for your business, you pay artificially high, uniform rates that bear no relation to market reality. Cartels often surface in industries with only a handful of qualified suppliers, making collusion easier to mask.

Detect the scheme by monitoring for near-identical quotes arriving within minutes of one another, parallel price increases across different vendors, or a complete lack of meaningful negotiation when you request discounts. These incidents suggest that bidders are coordinating behind the scenes rather than competing.

Quality substitution occurs when vendors deliberately ship inferior goods or partial deliveries while billing for contracted specifications. A spike in customer complaints, missing certificates of analysis, or sudden changes in supplier manufacturing locations can signal potential issues. Another critical indicator is employees quietly approving substitute products labeled as "functionally equivalent" without proper documentation in the purchase order.

Check and payment tampering diverts funds through altered checks or last-minute banking changes, exploiting finance processes that rely on paper checks or manual ACH modifications. A classic case demonstrates the simplicity of this scheme: an accounts-payable clerk printed legitimate vendor checks, erased the payee names, and deposited them into a personal account. The scheme remained undetected until routine reconciliation revealed missing check numbers in the ledger.

Several red flags signal potential tampering: gaps or duplicates in sequential check numbers, alterations in payee names or amounts visible on cleared check images, sudden requests to update vendor bank accounts without supporting documentation, and checks cashed at unfamiliar locations or outside regular business hours.

Advance-payment schemes occur when suppliers demand substantial upfront fees and fail to deliver, leaving organizations without products or recourse. Fraudsters exploit the urgency of the supply chain and procurement pressure to bypass weak controls.

The payment requests reveal clear warning signs. Demands for more than 50 percent of contract value from newly onboarded or minimally vetted vendors fall outside standard spending patterns and trigger significant signs of anomaly.. Additional indicators include vendors refusing escrow arrangements, demanding same-day wire transfers, or providing vague delivery timelines.

Shell company schemes involve employees creating or partnering with fraudulent entities to submit invoices and divert payments for goods or services never delivered. Fraudsters impersonating a legitimate charity vendor convinced Save the Children to wire nearly $1 million to a phantom account, traced to a fabricated shell company with stolen credentials and polished documents derived from public templates.

These schemes are revealed through specific patterns, including multiple vendors sharing identical addresses or bank accounts, minimal web presence, recently registered LLCs, or invoices consistently approved by the same employee. Generative AI now reduces the effort required to create convincing websites and tax forms, making surface-level verification ineffective.

Attackers steal millions by impersonating trusted suppliers and convincing finance teams to update banking details. For instance, one approved change request can redirect an entire payment run. These schemes typically appear as polished email chains that mimic legitimate correspondence, with subtle domain spoofing or wire instructions directing users to suspicious locations.

Vendors pad freight and handling fees to exploit the logistics blind spot in your expense oversight. Fraudulent suppliers tack on "fuel surcharges," mysterious accessorials, or mileage rates well above market averages, costs that quietly erode margins across hundreds of shipments.

You'll spot this scheme when a single carrier suddenly invoices far more than competitors for comparable routes, or when shipping charges on identical items swing wildly between invoices. Generic line-item descriptions that resist verification signal another red flag.

Abnormal's behavioral AI shuts down VEC at the inbox, stopping fraudulent payment requests before they ever reach accounts payable. You see every legitimate vendor message, while the platform silently discards those engineered to divert funds.

Unlike secure email gateways that rely on static rules, Abnormal analyzes 45,000+ behavioral signals to surface subtle anomalies. For more information on how Abnormal can help bypass or prevent vendor fraud, book a demo now!