Supplier Invoice Verification: Detect Fraud and Errors in the US
Guide to supplier invoice verification in the United States: FinCEN, BSA, IRS Form 8300, SAR requirements, and automated fraud detection for AP teams in 2026.

Supplier invoice verification is the mandatory pre-payment control process that confirms an invoice corresponds to a legitimate purchase order, that the vendor is authentic, and that all financial data is accurate. In the United States, Business Email Compromise (BEC), the primary vehicle for invoice fraud, cost American businesses $2.9 billion in reported losses in 2023 alone, according to the FBI Internet Crime Complaint Center (IC3) 2023 Report. The FBI ranked BEC as the highest-loss cybercrime category for the fourth consecutive year.
Paying a fraudulent invoice does not cancel the obligation to the real vendor: the company pays twice. For regulated US entities, failure to detect invoice fraud schemes that intersect with money laundering can also trigger obligations under the Bank Secrecy Act (BSA) and FinCEN reporting requirements.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.
Common Types of Supplier Invoice Fraud in the US
Invoice fraud in the US accounts payable context exploits four primary weaknesses: understaffed AP departments, weak internal controls, manual approval processes, and insufficient vendor onboarding.
Ghost vendors are fictitious suppliers created within a company's payment system, often by an internal employee who then approves payments to themselves or accomplices. The FBI notes these schemes frequently surface during internal audits when AP staff turns over. Phantom vendors may carry legitimate-looking EINs (Employer Identification Numbers) obtained fraudulently.
Duplicate invoicing involves submitting the same invoice multiple times with slightly modified invoice numbers, exploiting AP backlogs and the assumption that a previous submission was an error. A vendor may resubmit an invoice from months prior, claiming non-payment.
Business Email Compromise involves cybercriminals hacking or spoofing business email accounts to redirect payments. They may impersonate executives demanding urgent wire transfers, or vendors announcing updated ACH routing numbers. BEC losses in the US have totaled over $51 billion globally since 2013 (FBI IC3 Public Service Announcement, March 2023).
ACH and wire fraud via vendor master manipulation is uniquely prevalent in the US context: fraudsters target the vendor master file to change routing numbers and account numbers, routing legitimate payments to controlled accounts before the fraud is detected.
| Fraud type | Mechanism | Primary red flag |
|---|---|---|
| Ghost vendor | Fictitious EIN in AP system | No verifiable business history or W-9 |
| Duplicate invoice | Slightly altered invoice number | Same amount, same vendor, close dates |
| BEC / wire redirect | Spoofed executive or vendor email | Urgent wire request outside normal process |
| ACH routing change | Vendor master file manipulation | Sudden request to update routing/account number |
Red Flags: How to Identify a Suspicious Invoice
Any invoice displaying one or more of the following indicators should be held pending deeper verification before payment is authorized.
Unexpected ACH routing or bank account changes: any request to update routing numbers or account numbers received by email, without independent telephone verification via a number already on file, is a high-risk signal. The US Treasury Department Financial Crimes Enforcement Network (FinCEN) Advisory FIN-2022-A002 explicitly warns that phone verification to a pre-established number is the most effective single control against payment diversion fraud.
Unjustified urgency: an invoice accompanied by threats of service suspension, penalty clauses, or demands for same-day wire transfers deviates from normal commercial practice. Fraudsters deliberately create urgency to bypass standard approval workflows.
Documentary inconsistencies: an invalid EIN, an address that does not match IRS records, unusual formatting, or an amount not corresponding to any open purchase order.
Unverifiable or newly registered vendor: in the US, businesses can be verified through Secretary of State business entity searches and cross-referenced against IRS TIN matching. A vendor registered within the last 90 days submitting a high-value invoice warrants enhanced due diligence.
Tax and regulatory exposure: Under the Internal Revenue Code § 162, deductions for business expenses paid to ghost vendors are disallowable. If the fraudulent transaction involves $10,000 or more in cash, the company may have unreported obligations under IRS Form 8300.
US Regulatory Framework: BSA, FinCEN, and SAR Obligations
The Bank Secrecy Act (31 USC § 5311 et seq.) requires certain financial institutions and businesses to file reports with FinCEN when transactions may involve money laundering or financial crime (FinCEN: Bank Secrecy Act).
For AP fraud that intersects with money laundering schemes, the following reporting obligations apply:
Suspicious Activity Reports (SARs): Financial institutions and Money Services Businesses (MSBs) must file a FinCEN Form 111 (SAR) for transactions of $2,000 or more that are known, suspected, or have reason to be suspicious. A fraudulent invoice scheme used to move illicit funds triggers SAR filing obligations.
Currency Transaction Reports (CTRs): Transactions involving cash payments exceeding $10,000 in a single business day must be reported via FinCEN Form 112 (CTR). Cash invoices above this threshold require mandatory reporting.
IRS Form 8300: Any trade or business that receives more than $10,000 in cash in a single transaction or related transactions must file Form 8300 with the IRS within 15 days. This applies directly to invoice fraud schemes involving cash.
| Requirement | Form | Threshold | Filing entity |
|---|---|---|---|
| Suspicious Activity Report | FinCEN Form 111 | $2,000+ suspicious | Financial institutions, MSBs |
| Currency Transaction Report | FinCEN Form 112 | $10,000+ cash | Financial institutions |
| Cash Payment Report | IRS Form 8300 | $10,000+ cash | Any trade/business |
| AML Program | Internal policy | All covered entities | Financial institutions |
The Three-Step Verification Process
Effective invoice verification in the US follows three sequential controls: formal, substantive, and financial.
Formal Check: Invoice Requirements and W-9 Validation
Every vendor should provide a completed IRS Form W-9 before the first payment, confirming their legal name, address, and Taxpayer Identification Number (TIN). The TIN should be validated against IRS records using the IRS TIN Matching Program (available to authorized payers). Discrepancies between the W-9 TIN and the name/EIN as registered with the IRS are a strong fraud indicator.
US invoices should include: vendor legal name and address matching the W-9, unique sequential invoice number, invoice date, description of goods or services, applicable payment terms, net amount, any applicable taxes (state sales tax varies by jurisdiction), and total amount due.
Three-Way Matching
Three-way matching systematically compares:
- The purchase order (PO): what was ordered and at what price
- The receiving report (goods receipt): what was actually delivered
- The invoice: what is being billed
Any mismatch blocks payment pending resolution. Standard US ERP systems (SAP, Oracle, NetSuite, Microsoft Dynamics) automate this comparison, detecting duplicates, quantity discrepancies, and invoices without corresponding POs. According to ICAEW research cited by the Association of Certified Fraud Examiners (ACFE), organizations with automated three-way matching detect duplicate and fraudulent invoices 60% faster than those relying on manual review.
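An added example (not code from any ERP named above) of the three-way match just described, extended with the duplicate-invoice red flag from the fraud table: same vendor, same amount, close dates, slightly altered number. The record layout, the 45-day window and the sample data are assumptions.

```python
import re
from datetime import date
DUP_WINDOW_DAYS = 45  # assumption: what counts as "close dates"; tune to payment terms

def normalize_number(raw):
    """Drop case, separators and leading zeros so 'INV-0042' and 'inv 42' collide."""
    s = re.sub(r"[^A-Z0-9]", "", raw.upper())
    m = re.match(r"([A-Z]*)0*(\d.*)$", s)
    return m.group(1) + m.group(2) if m else s

def total(inv):
    return sum(qty * price for qty, price in inv["lines"].values())

def find_duplicates(inv, history):
    """Numbers of earlier invoices from the same vendor that look like the same bill."""
    def same_bill(old):
        same_no = normalize_number(old["number"]) == normalize_number(inv["number"])
        close = abs((inv["date"] - old["date"]).days) <= DUP_WINDOW_DAYS
        return same_no or (close and total(old) == total(inv))
    return [o["number"] for o in history if o["vendor"] == inv["vendor"] and same_bill(o)]

def three_way_match(inv, po, receipt, history):
    """Return hold reasons; an empty list means the invoice may go to the approver."""
    if po is None:
        return ["no purchase order for this invoice"]
    holds = []
    if po["vendor"] != inv["vendor"]:
        holds.append("vendor differs from PO")
    received = receipt["lines"] if receipt else {}
    for sku, (qty, price) in inv["lines"].items():
        if sku not in po["lines"]:
            holds.append(f"{sku}: not on PO")
            continue
        po_qty, po_price = po["lines"][sku]
        if price != po_price:
            holds.append(f"{sku}: billed price {price} != PO price {po_price}")
        if qty > min(po_qty, received.get(sku, 0)):
            holds.append(f"{sku}: billed qty {qty} exceeds ordered/received")
    return holds + [f"possible duplicate of {n}" for n in find_duplicates(inv, history)]

# Constructed sample data; prices are integer cents to avoid float rounding.
PO = {"vendor": "V-17", "lines": {"SKU-A": (10, 2500)}}   # sku -> (qty, unit price)
RECEIPT = {"lines": {"SKU-A": 8}}                          # sku -> qty received
PAID = [{"vendor": "V-17", "number": "INV-0042", "date": date(2026, 1, 5),
         "lines": {"SKU-A": (8, 2500)}}]
RESUBMIT = {"vendor": "V-17", "number": "inv 42-A", "date": date(2026, 1, 20),
            "lines": {"SKU-A": (8, 2500)}}
```

`RESUBMIT` passes the PO and receipt checks on its own and is held only because the payment history is consulted, which is why duplicate detection belongs inside the match rather than after it.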
Independent Bank Detail Verification
Before any first ACH or wire payment, or after receiving notification of a routing number change: verify the account and routing number by calling the vendor using a telephone number already documented in your vendor master file, never the number provided in the change request. This single control, recommended by both the FBI's IC3 and the Association for Financial Professionals (AFP) Payments Fraud Survey 2024, prevents the majority of payment diversion fraud.
CheckFile's document verification platform integrates this check into the payment workflow, cross-referencing every new routing number and account number against bank verification databases in real time.
Automating Supplier Invoice Verification
Automation removes the human bottleneck: the primary reason fraudulent invoices succeed is AP team overload, not the absence of formal controls. US AP departments processing hundreds of invoices weekly cannot perform manual three-way matching on every document without automation.
Modern invoice verification platforms apply simultaneous controls:
- OCR extraction and structuring: invoice data (amounts, routing numbers, EIN, invoice number) is extracted automatically and compared against vendor master data.
- AI-powered anomaly detection: algorithms flag unusual patterns such as an unknown vendor, amounts outside the normal range, or PDF metadata showing modification after the stated issue date.
- Automated cross-referencing: every invoice is matched against open POs and receiving reports before reaching the approver queue.
- Real-time alerts: any discrepancy triggers a hold and escalation, with structured approval requests for high-risk cases before payment is released.
CheckFile integrates document verification controls directly into your existing approval workflow without replacing your ERP. For a comprehensive overview of verification automation, see the complete guide to verification automation. For AP-specific implementation, see the guide on invoice processing automation.
Internal Controls and Segregation of Duties
The COSO Internal Control Framework, the standard referenced by the SEC and PCAOB for US public companies, requires that the person who sets up a vendor cannot also approve that vendor's invoices, and that neither of these individuals should authorize payments. This three-way segregation eliminates the opportunity for ghost vendor schemes.
For organizations subject to Sarbanes-Oxley (SOX), Section 404 requires management to assess and document internal controls over financial reporting, including AP controls. External auditors will test these controls annually. Weak AP segregation of duties is one of the most commonly cited SOX control deficiencies.
Building a Culture of Invoice Vigilance
Finance professionals in US accounting forums (r/Accounting, r/InternalAudit on Reddit, AFP community) consistently identify two practical failure points: pressure to approve invoices quickly to avoid late payment penalties, and the absence of formalized procedures for vendor bank detail changes. Both are the vulnerabilities most exploited by fraudsters.
Written, binding procedures: every bank detail change must follow a formalized process, consisting of written confirmation plus telephone verification via a pre-established number plus sign-off by a manager other than the one receiving the request.
Segregation of duties: enforced both by policy and by ERP system permissions; the system should prevent a single user from creating a vendor and approving that vendor's invoices.
Regular training: AP teams need biannual training covering current BEC tactics, synthetic identity fraud targeting vendor onboarding, and AI-generated invoice schemes. The ACFE Fraud Awareness Training is widely used in US corporate environments.
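The bank-detail change procedure above, together with the callback control from the Independent Bank Detail Verification section, as an added example that is not part of the original article or of any vendor's product. The gate trusts only a phone number that was in the vendor master before the request arrived; field names, the history layout and the sample data are assumptions.

```python
import re
from datetime import datetime

def digits(phone):
    """Last 10 digits, so '+1 (212) 555-0100' equals '212-555-0100' (US numbers assumed)."""
    return re.sub(r"\D", "", phone or "")[-10:]

def phone_on_file(history, as_of):
    """Most recent vendor-master phone recorded strictly before `as_of`."""
    known = [(ts, phone) for ts, phone in history if ts < as_of]
    return max(known)[1] if known else None

def review_bank_change(req, history, callback, signoff):
    """Return blocking reasons for a bank-detail change; [] means it may be applied."""
    reasons = []
    trusted = phone_on_file(history, req["received"])
    if trusted is None:
        reasons.append("no phone number on file predating the request")
    if not req.get("written_confirmation"):
        reasons.append("written confirmation missing")
    if callback is None:
        reasons.append("no callback recorded")
    else:
        dialed = digits(callback["dialed"])
        if trusted is None or dialed != digits(trusted):
            from_request = dialed == digits(req.get("contact_phone"))
            reasons.append("callback went to " + ("the number supplied in the request"
                                                  if from_request else "a number not on file"))
        if not callback["confirmed"]:
            reasons.append("vendor did not confirm the change")
    if signoff is None:
        reasons.append("second sign-off missing")
    elif signoff["manager"] == req["received_by"]:
        reasons.append("sign-off by the person who received the request")
    return reasons

# Constructed sample data; field names and the history layout are assumptions.
HISTORY = [(datetime(2024, 3, 1), "+1 (212) 555-0100"),
           (datetime(2026, 2, 10, 9, 5), "212-555-0199")]  # written from the request itself
REQUEST = {"received": datetime(2026, 2, 10, 9, 0), "received_by": "dana",
           "contact_phone": "212-555-0199", "written_confirmation": True}

if __name__ == "__main__":
    print(review_bank_change(REQUEST, HISTORY,
                             {"dialed": "212-555-0199", "confirmed": True}, {"manager": "dana"}))
```

The second `HISTORY` entry shows why the lookup is time-bounded: a phone number updated from the same request would otherwise pass as "on file".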
Explore anti-fraud best practices for document processing teams for implementation templates and training frameworks applicable to US organizations.
FAQ
How do I verify a US supplier before making payment?
Obtain a completed IRS Form W-9 and validate the TIN through the IRS TIN Matching Program. Verify the business entity registration through the applicable Secretary of State database. If bank details have changed, call the vendor using a telephone number already documented in your system, never the contact information from the change request.
When must a US company file a SAR related to invoice fraud?
Financial institutions and MSBs must file a SAR (FinCEN Form 111) for transactions of $2,000 or more that are known or suspected to involve illegal activity, including fraudulent invoice schemes used to launder money. The SAR must be filed within 30 days of the date the institution becomes aware of the suspicious activity, with a 60-day extension available when no suspect is identified.
What is three-way matching and why is it required?
Three-way matching compares the purchase order (what was ordered), the receiving report (what was delivered), and the invoice (what is billed) before authorizing payment. Any mismatch blocks the invoice. For SOX-compliant organizations, documented three-way matching is a required control over financial reporting. The ACFE reports that organizations using automated three-way matching reduce AP fraud losses by an average of 54%.
What should I do if a vendor requests an ACH routing number change?
Never update payment details based on a single email or phone call. Call the vendor using the number already documented in your vendor master file. Document the verbal confirmation and obtain written sign-off from a second authorized individual before making the change. Report suspected fraud to the FBI's IC3 and notify your bank immediately to attempt a payment recall if funds have already been transferred.
Does the US have mandatory e-invoicing requirements for B2B transactions?
Unlike the EU, the US does not have a federal mandate for B2B e-invoicing as of 2026. However, certain federal government procurement requires compliance with FinCEN BSA reporting and the Federal Acquisition Regulation (FAR). State-level e-invoicing mandates exist for some government contractors. Private sector adoption of structured e-invoicing (via networks like PEPPOL or direct EDI) is growing and significantly reduces manipulation risk compared to PDF invoices.