Phishing and Business Email Compromise (BEC)
Phishing emails involve the impersonation of a genuine third party in order to gain access to sensitive information or divert a payment. In the vendor fraud context, this is often called Business Email Compromise (BEC) or Vendor Email Compromise (VEC).
There are different levels of sophistication. Spear phishing involves detailed prior research: fraudsters identify the payment approver’s name, the company’s standard invoicing process, and the real vendor’s email format, often spoofing it convincingly. Busy procurement teams are unlikely to spot the difference.
Pharming goes further, directing victims to malicious websites designed to harvest employee login credentials and gain access to confidential company systems.
A significant and growing threat is AI-enhanced phishing. According to VIPRE’s Q2 2024 Security Report, up to 40% of BEC phishing emails were AI-generated, making them significantly more convincing in tone, context, and personalisation.
BEC attacks rose a further 15% in 2025.
These attacks rely on social engineering tactics. A typical scenario: fraudsters impersonate a known supplier mid-contract and submit a convincing invoice for legitimate-sounding services. Because the supplier relationship exists and no automated verification is in place, the payment goes through unchallenged.
Fraudsters frequently target payments made via Faster Payments and BACS, requesting account detail changes that re-route funds to mule accounts. Given the near-instant settlement of Faster Payments and the direct debit capabilities of BACS, funds can be irrecoverable within minutes. CHAPS payments for high-value transfers carry similar risk.
Internal (Employee) Fraud
Internal fraud, also known as employee fraud, is another example of vendor fraud.
In this scheme, an employee exploits their access to submit and conceal fraudulent invoices. They may siphon payments to a shell company, inflate the price of goods or services, or redirect funds to an account they control. Because the employee understands exactly how invoices are normally processed, the fraud can remain invisible for extended periods.
With hundreds or thousands of suppliers in a typical organisation, accounts payable staff are unlikely to flag an invoice that looks and behaves like all the others.
The fraud triangle explains why employees commit fraud through three converging factors:
- Motivation: financial pressure from redundancy, debt, or perceived unfair treatment
- Opportunity: authorised access to payment systems or supplier master data
- Rationalisation: routing payments through a shell company makes them appear legitimate
One example of employee fraud at a British business illustrates this precisely. The financial controller, facing personal financial pressure after her partner became redundant, noticed an existing supplier had ceased trading. She edited a previous invoice, replaced the bank details with those of her own shell company, and deliberately kept each transaction below the co-authorisation threshold. The CFO, busy and trusting of a long-standing colleague, only scrutinised payments to new suppliers. The fraud went undetected, costing the business approximately £20,000.
Under the PSR’s APP fraud reimbursement rules, which came into force in October 2024, banks and payment service providers must reimburse victims of authorised push payment fraud up to £85,000. While this applies primarily to personal accounts, it is increasing scrutiny on corporate payment controls and reinforcing the need for businesses to demonstrate pre-payment due diligence.
Invoice Fraud
Invoice fraud is a third attack vector. Here, the communication genuinely appears to come from a real supplier, because that supplier’s email or systems have been hacked.
The attacker, operating from inside the compromised supplier account, requests a change in bank account details. They may also submit invoices for goods or services never delivered. These attacks are particularly dangerous because businesses are far less suspicious of established supplier relationships, typically concentrating verification efforts on new vendors only.
According to the Home Office’s Economic Crime Survey 2024, mandate fraud (where fraudsters trick a business into changing bank details to divert payments) affected 7% of UK businesses in the preceding 12 months.
Sade Telecom, an electrical network company, fell victim to this type of fraud before partnering with Trustpair. Their accounts payable team received a payment detail change request from what appeared to be an existing supplier. Without an automated verification system, they processed the change and sent subsequent payments to the fraudulent account. It was only when the genuine vendor issued a late-payment notice that the fraud was discovered.
Following the incident, Sade Telecom implemented Trustpair to automatically validate payment details before every transaction. The result: 100% of subsequent fraud attempts were blocked, with the solution live within 72 hours.
For UK organisations, mandate fraud most commonly targets BACS Direct Credit and Faster Payment instructions. Because Faster Payments settle in seconds, early detection before payment authorisation is the only reliable defence. Trustpair’s pre-payment validation integrates directly into your payment workflow to prevent fraud at source.
Vendor Account Validation: The Ultimate Defence Against Vendor Fraud
Vendor account validation is the most effective way to prevent all three types of vendor fraud and detect vendor fraud red flags before a payment is ever released.
The process involves cross-checking the details on a supplier invoice against international and domestic databases, verifying:
- Bank account details: account holder name, sort code, and account number
- Company identity: registered name, ultimate beneficial ownership, sanctions and watchlist screening
By automating this validation across every payment cycle, UK finance teams can confirm they are paying who they believe they are paying, not fraudsters who have intercepted the relationship.
Manual checks are slow, inconsistent, and easily circumvented. Automated vendor account validation removes human error and scales to match the size of your supplier base, whether you have 200 or 200,000 vendors.
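As an added example (not Trustpair’s product or code from this page), here is a pre-payment check that combines the validation described above with the red flags from the internal fraud case earlier: payee details on the invoice are compared against a verified vendor master, payments to a supplier that has ceased trading are flagged, and repeated amounts kept just below a co-authorisation threshold are caught. The vendor master, payment history, threshold and look-back window are constructed assumptions.

```python
# Added illustration of pre-payment vendor account validation, not Trustpair's code.
# Vendor master, payment history, threshold and window are constructed assumptions.
from dataclasses import dataclass
from datetime import date

CO_AUTH_THRESHOLD = 5000.00    # constructed: amounts >= this need a second approver
STRUCTURING_WINDOW_DAYS = 30   # look-back for repeated payments kept just under it

@dataclass
class VendorRecord:
    name: str
    sort_code: str
    account_no: str
    verified: bool = True   # payee details confirmed via an independent channel
    trading: bool = True    # False once the supplier has ceased trading

@dataclass
class Payment:
    vendor_id: str
    payee_name: str
    sort_code: str
    account_no: str
    amount: float
    paid_on: date

def _digits(s):  # normalise so '12-34-56' compares equal to '123456'
    return "".join(ch for ch in s if ch.isdigit())

def validate_payment(p, master, history):
    """Return the red flags for payment p; an empty list means it may be released."""
    rec = master.get(p.vendor_id)
    if rec is None:
        return ["unknown vendor id"]
    flags = []
    if not rec.trading:
        flags.append("supplier has ceased trading")
    if (p.payee_name.strip().casefold() != rec.name.strip().casefold()
            or _digits(p.sort_code) != _digits(rec.sort_code)
            or _digits(p.account_no) != _digits(rec.account_no)):
        flags.append("payee details differ from verified master record")
    elif not rec.verified:
        flags.append("master record payee details never verified")
    # Threshold splitting: several payments to one vendor, each just under co-authorisation
    recent = [h for h in history if h.vendor_id == p.vendor_id
              and 0 <= (p.paid_on - h.paid_on).days <= STRUCTURING_WINDOW_DAYS]
    lo = CO_AUTH_THRESHOLD * 0.90   # "just under" = within 10% below the threshold
    near = [h for h in recent if lo <= h.amount < CO_AUTH_THRESHOLD]
    if lo <= p.amount < CO_AUTH_THRESHOLD and len(near) >= 2:
        flags.append("repeated payments just below co-authorisation threshold")
    return flags
```

A payment is only released when the returned list is empty; anything else is routed to a second approver for out-of-band confirmation with the supplier.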
In Summary
The three most common vendor fraud schemes are:
- Phishing/BEC: fraudsters impersonate suppliers using social engineering, and increasingly AI-generated communications, to divert payments
- Employee (internal) fraud: insiders create shell companies or manipulate existing invoices to siphon funds
- Invoice fraud: real supplier accounts are compromised to request fraudulent payment detail changes
Protect your business by validating supplier accounts against verified databases in real time, before every payment. With Trustpair, you can demonstrate the due diligence required under current UK payment regulations while blocking 100% of fraud attempts.