Skip to content
Case studiesPricingSecurityCompareBlog

Europe

Americas

Oceania

Automation9 min read

Supplier Invoice Verification: Detect Fraud and Errors

Complete guide to supplier invoice verification in the UK: fraud types, red flags, three-way matching, and automation tools to protect payments in 2026.

Sarah Chen, Document Verification Specialist
Sarah Chen, Document Verification Specialistยท
Illustration for Supplier Invoice Verification: Detect Fraud and Errors โ€” Automation

Summarize this article with

ChatGPTChatGPTClaudeClaudePerplexityPerplexityGeminiGeminiGrokGrok

Supplier invoice verification is the process of confirming, before payment, that an invoice corresponds to a genuine order, that the supplier is legitimate, and that all financial data is accurate. According to the Home Office's 2024 economic crime survey, one in four UK businesses with employees was a victim of fraud in the preceding 12 months โ€” and fake invoice fraud affected 11% of businesses directly. The financial and operational consequences extend beyond the immediate loss: paying a fraudulent invoice does not cancel the debt owed to the real supplier.

A structured verification process โ€” ideally automated โ€” is the only reliable defence against this growing threat.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.

Common Types of Supplier Invoice Fraud

Invoice fraud exploits four main weaknesses: overloaded accounts payable teams, weak internal controls, manual processes, and insufficient supplier onboarding.

Ghost vendors are entirely fictitious suppliers created within a company's payment system, often by an internal employee who then approves payments to themselves or an accomplice. These phantom entities appear in accounting systems with complete documentation but no actual business operations behind them.

Duplicate invoicing occurs when the same invoice is submitted multiple times with slightly modified reference numbers, exploiting AP backlogs and the assumption that the previous submission was an error. A vendor may resubmit an invoice from months prior, claiming it was unpaid.

Business Email Compromise (BEC) involves cybercriminals hacking or spoofing business email accounts to redirect payments. They may impersonate executives requesting urgent transfers, or suppliers notifying of account changes. BEC attacks have cost businesses over $43 billion globally since 2016 (FBI IC3 2024 Annual Report).

Bank detail substitution is the most operationally damaging variant in the UK: fraudsters intercept a genuine invoice and replace the sort code and account number with their own โ€” often so subtly that a visual check misses it entirely.

Fraud type Mechanism Primary red flag
Ghost vendor Fictitious supplier in system No verifiable trading history
Duplicate invoice Slightly altered reference number Same amount, same supplier, close dates
BEC / impersonation Spoofed executive or supplier email Urgent payment request outside normal process
Bank detail substitution Modified sort code / IBAN on genuine invoice Sudden request to update payment details

Red Flags: How to Spot a Suspicious Invoice

Any invoice displaying one or more of the following indicators should be held pending deeper verification before payment is authorised.

Unexpected bank detail changes: any request to update sort codes or account numbers received by email, without independent telephone confirmation via a known number already on file, is a high-risk signal. The National Cyber Security Centre (NCSC) explicitly warns that verifying bank changes via a trusted number โ€” not the one on the incoming communication โ€” is the single most effective prevention step.

Unjustified urgency: invoices accompanied by threats of service suspension, penalty clauses, or demands for same-day settlement deviate from normal commercial practice. Fraudsters create urgency precisely to bypass standard approval workflows.

Documentary inconsistencies: an invalid VAT registration number, an address differing from the one on file, an unusual format, or a total amount not corresponding to any existing purchase order.

Unverifiable or newly created supplier: in the UK, every registered company can be verified free of charge at Companies House. A supplier incorporated within the last six months presenting a high-value invoice warrants enhanced due diligence.

Calculation errors: a net amount plus VAT not matching the gross total indicates document manipulation, or potentially a VAT fraud scheme. Under HMRC's joint and several liability provisions, a business that should have known it was receiving a fraudulent invoice may be held jointly liable for the VAT.

The Three-Step Verification Process

Effective invoice verification follows three sequential checks: formal, substantive, and financial.

Formal Check: Mandatory Invoice Fields

Every UK VAT invoice must include the fields required under HMRC VAT Notice 700 (HMRC VAT Notice 700): supplier's name and VAT registration number, invoice date and unique sequential number, description of goods or services, net amount, VAT rate and amount, and gross total. A missing field is grounds to reject the invoice pending correction โ€” and a potential indicator of fraud.

Three-Way Matching

Three-way matching systematically compares:

  1. The purchase order (PO) โ€” what was ordered
  2. The goods receipt note (GRN) โ€” what was received
  3. The invoice โ€” what is being claimed

Any mismatch between these three documents blocks payment until resolved. Standard ERP systems (SAP, Oracle, Microsoft Dynamics) automate this comparison, detecting duplicates, quantity discrepancies, and invoices with no corresponding order. Manual three-way matching is error-prone at scale โ€” according to ICAEW, it is "often overlooked when manually matching invoices because it is so time-consuming and prone to error" (ICAEW, February 2026).

Independent Bank Detail Verification

Before any first payment or following a bank detail change request, verify the sort code and account number directly with the supplier using a telephone number already held on record โ€” never the number provided in the request itself. This single control, recommended by both the NCSC and the Chartered Institute of Internal Auditors (CIIA), eliminates the majority of bank detail substitution fraud.

Automated IBAN and sort code verification integrates this check into the payment workflow, cross-referencing every new IBAN against SEPA registers and supplier master data in real time.

Automating Supplier Invoice Verification

Automation removes the human bottleneck โ€” the primary reason fraudulent invoices get through is not malice but overload. AP teams approving hundreds of invoices weekly cannot perform manual three-way matching on every document.

Modern invoice verification platforms apply multiple simultaneous controls:

  • OCR extraction and structuring: invoice data (amounts, IBAN/sort code, VAT number, company registration) is extracted automatically and compared against supplier master data.
  • AI-powered anomaly detection: algorithms identify unusual patterns โ€” unknown supplier, amounts outside normal range, PDF metadata showing modification after the stated issue date.
  • Automated cross-referencing: every invoice is matched against open POs and GRNs in the ERP before reaching the approver queue.
  • Real-time alerts: any discrepancy triggers a hold and escalation before payment, with a structured approval request for high-risk cases.

CheckFile's document verification platform integrates these controls directly into your existing approval workflow, without replacing your ERP. Detection rates for anomalies exceed 99% across deployed configurations, reducing manual review to genuinely ambiguous edge cases. For a comprehensive view of automated verification workflows, see the complete guide to verification automation.

For a broader view of how automation changes accounts payable processes, the guide on invoice processing automation covers implementation steps and ROI benchmarks.

Building a Culture of Invoice Vigilance

Finance forums and internal auditors consistently identify two practical failures: pressure to approve invoices quickly to maintain supplier relationships, and the absence of a formal procedure for bank detail changes. Both are exploited by fraudsters.

Effective mitigation requires three organisational controls:

Written, binding procedures: every bank detail change must follow a formalised process โ€” written confirmation plus telephone call via a known number plus sign-off from a different manager than the one receiving the request.

Segregation of duties: the person who sets up a supplier in the system must not be the same person who approves that supplier's invoices, or who authorises payments. This principle is mandated for financial controls under the FRC UK Corporate Governance Code 2024.

Regular staff training: fraud techniques evolve rapidly. Accounts payable teams need at least biannual training covering current BEC tactics, AI-generated invoices, and synthetic identity fraud targeting supplier onboarding.

Explore anti-fraud best practices for document processing teams for implementation templates and training frameworks.

FAQ

How do I verify that a supplier invoice is genuine?

Cross-reference the invoice against the purchase order and goods receipt note (three-way matching). Verify the supplier's company registration at Companies House and their VAT number via the HMRC VAT checker. If the bank details have changed, call the supplier on a known number โ€” not the one on the invoice โ€” before updating your records.

What mandatory fields must a UK VAT invoice include?

Under HMRC VAT Notice 700, a valid UK VAT invoice requires: supplier name and VAT registration number, unique sequential invoice number, invoice date, description of goods or services, net amount, applicable VAT rate and VAT amount, and gross total. Simplified invoices (for amounts under ยฃ250 including VAT) have a reduced field set. Missing fields give grounds to withhold payment and request a corrected invoice.

What is three-way matching and why does it matter?

Three-way matching compares the purchase order (what was ordered), the goods receipt note (what was delivered), and the invoice (what is claimed) before authorising payment. Any mismatch blocks the invoice. It is the most reliable operational control against duplicate invoicing, ghost vendors, and inflated billing โ€” and it is most effective when automated within an ERP system.

What should I do if a supplier asks to change their bank details?

Never update bank details based on a single email or phone call. Call the supplier using the number already held in your supplier master data โ€” not the contact details on the incoming request. Document the verbal confirmation and obtain written sign-off from a second authorised person before making the change. Report suspected fraud attempts to Action Fraud (0300 123 2040).

Does the UK's Making Tax Digital programme reduce invoice fraud?

Making Tax Digital (MTD) for VAT, fully in force since April 2022 under HMRC's MTD requirements, digitises VAT submissions and reduces some manipulation opportunities. However, it addresses tax compliance, not supplier fraud directly. Three-way matching, bank detail verification, and segregation of duties remain essential complementary controls.

Ready to automate your checks?

Free pilot with your own documents. Results in 48h.

Related articles

Automation8 min

AI Document Classification: Automated Sorting, Routing and Processing

How AI document classification works, its business ROI, and how UK enterprises use it for automated sorting, routing, and FCA-compliant document workflows.

Read
Automation8 min

Document Workflow Automation: From Manual to Automated Pipelines

How to move from manual document processes to fully automated pipelines: practical steps, tools, ROI data, and FCA compliance requirements for UK businesses.

Read
Automation7 min

Legal Document Automation: Streamlining Contracts and Legal Workflows

Learn how legal document automation cuts contract drafting time by up to 90%, reduces compliance risk under FCA and MLR 2017, and transforms legal workflows with AI.

Read