Internal Payment Fraud Risks

The Most Familiar Fraud — and the Most Underestimated

When organizations think about payment fraud, their attention has increasingly turned outward — to the BEC attacker crafting a convincing wire request, the vendor impersonator with a forged bank letter, the cybercriminal monitoring an email thread for the right moment to redirect a payment. These external threats are real, well-documented, and rightly treated with urgency. But the fraud that has historically caused the most consistent damage to organizations is not the attack that arrives by email from a foreign IP address. It is the scheme assembled slowly and quietly by someone who already has the keys.

Occupational fraud — fraud committed by employees against the organizations that employ them — is the largest and most enduring form of financial crime in the world. The ACFE's Occupational Fraud 2024: A Report to the Nations estimates that the average organization loses 5% of its annual revenue to fraud, a figure the ACFE considers conservative because many cases go undetected or unreported, and indirect losses — reduced productivity, reputational harm, future business loss — are often impossible to fully quantify.

The 2024 report analyzed 1,921 cases across 138 countries, representing total losses of more than $3.1 billion, with an average loss per case of $1.7 million. These are not theoretical losses. They are documented, investigated, confirmed cases — and each one represents an organization that trusted someone who exploited that trust.

This article addresses internal payment fraud in the accounts payable and disbursement context: the specific schemes through which employees misuse their access to payment systems for personal gain, the organizational conditions that enable them, the behavioral and transactional indicators that surface them, and the structural controls that are the most effective defense. It is a longer treatment because the subject warrants it. Internal fraud is not a single scheme; it is a family of schemes, each with its own mechanics, each exploiting a specific gap in the control environment, and each capable of operating undetected for months or years if that gap remains open.

The ACFE Fraud Tree: A Taxonomy for AP Leaders

The ACFE organizes occupational fraud into three primary categories: asset misappropriation, corruption, and financial statement fraud. For AP and disbursement functions, the most relevant category is asset misappropriation — the direct theft or misuse of an organization's resources — and within it, the billing, check and payment tampering, and expense reimbursement sub-schemes that target cash outflows specifically.

The ACFE's heat map of asset misappropriation sub-schemes places check and payment tampering, billing schemes, and theft of noncash assets in the highest-risk zone when frequency and median loss are considered together. These are not incidental categories. They are the dominant forms of internal fraud in organizations that process regular disbursements — which is to say, nearly every organization.

Corruption — which encompasses kickbacks, bid rigging, conflicts of interest, and procurement fraud — is addressed separately in this article because, while its mechanics differ from direct asset misappropriation, it flows through the same payment channels and causes comparable financial damage.

The five specific scheme categories addressed below — billing fraud and ghost vendors, check and payment tampering, expense reimbursement fraud, payroll schemes, and procurement corruption — are not exhaustive. They are the categories most directly relevant to the disbursements control function and the ones that, taken together, account for the largest share of internal payment fraud losses.

Scheme One: Billing Fraud and Ghost Vendors

Billing fraud is the dominant internal payment fraud scheme in AP functions. It is the category that combines the highest frequency with some of the largest individual losses, and it is the scheme most directly enabled by gaps in the vendor management process.

In its most common form, a billing scheme involves an employee creating a fictitious vendor — a ghost vendor — in the organization's vendor master file and submitting fraudulent invoices for goods or services that were never delivered. The employee either controls the approval process themselves or exploits insufficient oversight to push the invoices through. The payments go to a bank account the employee controls, typically set up in the name of a shell company or a variation of a legitimate vendor's name.

Ghost vendor fraud exploits vulnerabilities in a company's vendor management system. The fictitious vendor often evades detection because it uses false information that makes it appear legitimate within the company's system, including fabricated bank account numbers, tax identification numbers, and vendor numbers.

The fraud can operate for months or years before detection, accumulating losses through a pattern of small, regular payments that do not individually trigger scrutiny. In organizations without robust vendor master file monitoring, a ghost vendor that invoices for modest amounts on a regular schedule looks indistinguishable from a legitimate recurring supplier.

The variant known as the pass-through scheme adds a layer of operational sophistication: an employee sets up a shell company, has the organization purchase goods or services through it at market price, and then bills the organization for those same goods or services at an inflated rate, pocketing the margin. Because the goods or services are actually delivered, three-way matching does not catch the overpayment — the issue is not that nothing was received, but that the organization paid more than necessary to an intermediary it does not know it controls.

What enables it: Access to the vendor master file without a parallel verification requirement; approval authority over invoices without segregation from vendor setup functions; insufficient review of new vendors during onboarding; no periodic audit of the vendor master for anomalous records; and inadequate three-way matching or PO controls that allow invoices to be paid without confirmation of delivery.

Scheme Two: Check and Payment Tampering

Check and payment tampering encompasses a range of schemes in which an employee with access to the payment process alters, diverts, or fraudulently creates disbursements. Despite the widespread transition to electronic payments, check tampering remains among the highest-risk internal fraud categories in the ACFE data — in part because checks continue to represent a meaningful share of B2B payments, and in part because the manual handling that checks require creates multiple points of potential manipulation.

The most common check tampering schemes include: altering the payee name on a check before mailing to redirect it to the perpetrator's account; intercepting and cashing checks intended for legitimate vendors; forging an authorized signature to create an unauthorized check; and using a signature stamp to create fraudulent payments while maintaining plausible deniability about authorization. In organizations that have not eliminated internal check handling — a control measure that removes the opportunity for diversion simply by ensuring no single employee has physical access to checks through their full lifecycle — these schemes remain viable and relatively low-risk from the perpetrator's perspective.

Electronic payment tampering follows the same logic but through digital channels: an employee with system access alters ACH payment details, redirects a wire after it has been approved, or submits a legitimate-looking electronic payment to a bank account they control. The ACH diversion variant is particularly relevant in light of the 2026 Nacha rule amendments discussed in the preceding article: the rule changes specifically target ACH entries authorized under false pretenses, and the controls they require — account validation, dual authorization, documented verification — directly address the vectors through which employees can redirect electronic payments.

What enables it: Insufficient segregation between check creation and check signing; physical access to signed but unmailed checks; inadequate bank reconciliation that does not promptly surface unauthorized disbursements; single-person authorization for electronic payments; and access controls on payment systems that do not prevent modification of approved payment details after authorization.

Scheme Three: Expense Reimbursement Fraud

Expense reimbursement fraud is the most broadly distributed form of internal payment fraud — it touches every level of the organization, from entry-level staff to senior executives, and it operates through channels that are often subject to less rigorous oversight than vendor payments and payroll.

The scheme takes four primary forms. Fictitious expenses involve submitting claims for costs that were never actually incurred — fabricated receipts, non-existent business meals, invented travel costs. Inflated expenses involve real expenditures reported at amounts higher than actually paid. Personal expenses disguised as business expenses involve legitimate costs that do not qualify for reimbursement submitted alongside or in place of business expenses. Duplicate submissions involve the same legitimate expense submitted more than once, relying on insufficient cross-referencing of submissions across pay periods.

The 2024 ACFE report notes that median losses from frauds increased for the first time since the 2016 report, with the median loss per month of a scheme reaching $9,900, up from $8,300 in the 2022 study. Expense fraud, because it often involves many small transactions rather than a single large one, tends to accumulate below detection thresholds and can persist for years in organizations where expense reports are approved by direct supervisors without independent review or systematic anomaly detection.

The senior executive variant of expense fraud is worth specific attention. Median losses for frauds committed by owners or executives were more than seven times greater than those carried out by employees. Senior executives perpetrating expense fraud benefit from two structural advantages: they typically have greater dollar authority over their own expense approvals, and the organizational culture that defers to seniority — the same dynamic that BEC attackers exploit from the outside — can suppress the normal oversight that would apply to lower-level employees.

What enables it: Self-approval of expense reports; approval by direct supervisors who lack independence from the claimant; no cross-referencing of submissions against prior periods or across employees; inadequate receipt verification; and no data analytics applied to expense patterns to surface anomalies.

Scheme Four: Payroll Schemes

Payroll fraud carries outsized exposure because payroll represents, for most organizations, the single largest disbursement category, so even a small percentage diverted is a large absolute loss. The ACFE identifies four primary payroll fraud schemes: ghost employees, falsified wages, commission fraud, and payroll diversion.

Ghost employees are fictitious individuals added to the payroll by an employee with access to HR or payroll systems. The ghost employee's wages are deposited to an account the perpetrator controls. Ghost employee schemes are closely analogous to ghost vendor schemes in their structure — they exploit access to a master file (in this case, the employee master rather than the vendor master) and the absence of controls that would detect records with no genuine counterpart.

Falsified wages involve legitimate employees manipulating their own pay — overstating hours worked, fraudulently overriding commission calculations, or submitting false overtime claims. In organizations where supervisor approval of timesheets is perfunctory or where commission calculations are performed by the employees who receive them, falsified wages can be sustained for significant periods.

Payroll diversion — in which an employee redirects their own or another employee's direct deposit to a bank account they control — was specifically addressed in the preceding article as a fraud variant targeted by the 2026 Nacha rules. In the internal fraud context, payroll diversion typically involves an employee with HR or payroll system access either changing their own banking details through a channel that doesn't require independent verification, or changing another employee's details and intercepting the redirected funds.

What enables it: No segregation between HR and payroll functions; ability to add new employees or modify banking details without dual authorization; no independent verification of banking changes against employee records; no periodic audit of the payroll register for records with unusual characteristics (no tax ID, no address, duplicate banking account numbers); and inadequate reconciliation of payroll disbursements against headcount.

Scheme Five: Procurement Corruption — Kickbacks, Bid Rigging, and Conflicts of Interest

Procurement corruption is the category of internal fraud that most directly involves collusion between employees and vendors — and it is the category that sits most precisely at the intersection of internal and external threat. Nearly half of the cases in the ACFE 2024 study (48%) involved some form of corruption, with a median loss of $200,000 per case.

In a kickback scheme, an employee with procurement or AP approval authority directs business to a vendor — legitimate or fictitious — in exchange for personal payments, gifts, or other benefits. The employee may approve inflated invoices, ensure the vendor wins competitive bids regardless of price or quality, or create sole-source arrangements that insulate the vendor from competitive scrutiny. The vendor benefits through inflated revenue; the employee benefits through the kickback. The organization pays for both.

Bid rigging — in which an employee with procurement responsibility collaborates with preferred vendors to manipulate competitive bidding processes — takes multiple forms: bid rotation (vendors take turns winning), complementary bidding (losing vendors submit noncompetitive bids by arrangement), and bid suppression (potential competitors are discouraged from participating). The common element is that the competitive process that is supposed to produce fair pricing instead produces a pre-arranged outcome, with the employee ensuring the result and the vendor compensating the employee for the service.

Conflicts of interest — undisclosed financial relationships between employees and vendors, including ownership interests in vendor companies, employment of family members by vendors, or personal financial relationships that compromise objectivity — create conditions in which procurement and payment decisions are made in the employee's personal interest rather than the organization's. Conflicts of interest are not always criminal, but they are reliably correlated with financial harm: contracts awarded to connected vendors at above-market prices, services approved for payment that were not adequately delivered, and oversight relationships that are compromised by the personal stake of the supervisor.

What enables it: Absence of vendor relationship disclosure requirements; no independent review of sole-source procurements; inadequate oversight of recurring payments to the same vendors over time; no matching of vendor ownership or contact information against employee records to detect related-party relationships; and an organizational culture that does not make it safe to report concerns about procurement decisions.

The Perpetrator Profile: Who Commits Internal Payment Fraud

The ACFE data provides a consistent and important corrective to the assumption that internal fraud is primarily committed by disgruntled low-level employees looking for an opportunistic quick gain. The profile of the occupational fraudster is more complex, and more organizationally embedded, than that assumption suggests.

Most perpetrators — 87% — are first-time offenders with no previous criminal history. Perpetrators are typically male (74%), hold a university degree (52%), and are between the ages of 36 and 50 (53%). These are not the demographics of an opportunistic interloper. They are the demographics of a trusted, experienced, professionally credentialed employee — precisely the profile of the person who has been given access to payment systems, vendor master files, and financial authority.

Median losses for frauds committed by owners or executives were more than seven times greater than those carried out by staff-level employees. This reflects the structural reality that greater authority produces greater access, and greater access enables greater fraud. The manager who reviews their own expense reports, the controller who both approves vendors and authorizes payments, the CFO whose financial decisions are not independently reviewed — these are not just fraud risks. They are the highest-magnitude fraud risks in the organization.

More than half of all occupational fraud cases in the 2024 study were concentrated in five departments: operations, accounting, sales, customer service, and executive/upper management. The accounting function — which encompasses AP — is represented in this concentration not coincidentally. Access, authority, and reduced oversight combine in accounting functions in ways that create elevated structural risk regardless of the character of the individuals involved.

The typical perpetrator was able to commit their scheme for a full year before being detected. Frauds caught within the first six months had a median loss of $30,000; frauds that lasted between two and three years had a median loss of $250,000; cases that went undetected for five or more years caused losses in the hundreds of thousands. Duration is not just a measure of how long the fraud ran — it is a direct multiplier of financial harm. Every month a fraud scheme operates undetected is another month of loss that structural controls and detection mechanisms were not in place to interrupt.

Behavioral Red Flags: What Organizations Often See Before They Act

The ACFE data on behavioral indicators is both important and sobering. In 75% of fraud cases, the perpetrator displayed at least one of the eight most common behavioral red flags. In other words, the signals were present. In most cases, they were noticed by someone. What was often absent was a defined response — a process for acting on the signal, reporting the concern, and triggering review.

The most persistent behavioral red flag across every ACFE reporting cycle is living beyond one's means: a lifestyle that appears inconsistent with known compensation, evidenced by unexplained purchases, travel, housing, or other visible spending that cannot be explained by legitimate income. Other common flags include: financial difficulties or stress (expressed or inferred); unusually close relationships with vendors or frequent vendor contact outside normal business channels; reluctance to take vacations or share job responsibilities (a direct indicator that the perpetrator is concerned about what would be discovered in their absence); defensiveness or irritability when asked questions about their work; and excessive pressure or complaints about compensation that are out of proportion to circumstances.

These behavioral signals are not proof of fraud, and treating them as such creates a different set of organizational problems. They are signals that warrant inquiry — a review of the accounts the employee manages, a second look at the vendors they interact with, a check of expense submissions and payment approvals for anomalies. The distinction between a behavioral red flag and a control failure is important: the red flag is an indicator; the control response is what transforms the indicator from noise into actionable intelligence.

The median duration of fraud is 12 months, meaning that for a full year before the typical fraud is detected, the perpetrator may be exhibiting warning signs. Organizations with mechanisms to surface and act on those signals — hotlines, supervisor training, a defined escalation process — detect fraud faster and lose less than those that do not.

How Internal Fraud Is Detected — What Organizations Should Know

The top methods by which occupational fraud is detected are: tips (43%), internal audit (14%), management review (12%), and by accident (5%). The dominance of tips as the primary detection mechanism is consistent across every ACFE reporting cycle and carries a clear implication: the most effective fraud detection system an organization can build is one that makes it safe and easy for people to report what they see.

Fraud losses were 50% smaller at organizations that had anonymous reporting hotlines than at those that did not. That is a substantial and consistent finding. The hotline does not prevent fraud; it accelerates detection. Faster detection means less loss. The mechanism need not be elaborate — the ACFE data shows that web-based and email-based reporting mechanisms have become more popular than traditional telephone hotlines and are equally effective. What matters is that the mechanism exists, that employees know it exists, and that reports are acted on by a party independent of the reported party.

The implication for organizational structure is direct: the fraud reporting function should report to a body that is independent of the operational management of the AP and finance functions — typically the audit committee, the board, or the organization's inspector general function, where one exists. A hotline that routes to the CFO does not provide independence if the CFO is the subject of the concern.

Internal audit — the second most common detection mechanism — is most effective when it is genuinely independent, adequately resourced, and focused on the specific risk areas most likely to harbor fraud: the vendor master file, the expense reimbursement process, the payroll register, and the procurement function. Surprise audits are more effective than scheduled ones, for the obvious reason that a perpetrator who knows the audit schedule can time their activities accordingly. Data analytics applied to payment patterns — identifying statistical anomalies, duplicate payments, round-number transactions, vendors with addresses matching employee addresses, and payments just below approval thresholds — are among the most powerful detection tools available and among the most consistently underused.
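The payment-pattern analytics this paragraph describes, and the threshold-calibration behaviour the control architecture section warns about under dual authorization, can be run as a few rules over an exported disbursement ledger. The following is an added example written for this article; it is not code from the article's author or from any product the article mentions. The ledger is constructed sample data (amounts in integer cents, fictitious vendor and approver ids), and the $10,000 dual-authorization threshold is an assumed policy value.

```python
"""Payment-pattern analytics over an AP disbursement ledger.

Added example for this article; it is not code from the article's author or
from any product it mentions. The ledger below is constructed sample data
(amounts in integer cents, fictitious vendor and approver ids), and the
$10,000 dual-authorization threshold is an assumed policy value.
"""
import re
from collections import defaultdict

APPROVAL_THRESHOLD = 10_000_00   # $10,000.00 in cents; assumed second-approver limit
NEAR_THRESHOLD_BAND = 0.05       # "just below" means within 5% under the threshold

# Constructed ledger: ids 1-2 are the same invoice keyed in twice with a
# different reference format; V201 sits just under the threshold repeatedly;
# V203 bills only in whole thousands.
PAYMENTS = [
    {"id": 1,  "vendor": "V200", "invoice": "INV-0042", "amount": 4_250_00,  "approver": "mreyes"},
    {"id": 2,  "vendor": "V200", "invoice": "inv 42",   "amount": 4_250_00,  "approver": "mreyes"},
    {"id": 3,  "vendor": "V201", "invoice": "A-1001",   "amount": 9_812_50,  "approver": "jpark"},
    {"id": 4,  "vendor": "V201", "invoice": "A-1002",   "amount": 9_940_00,  "approver": "jpark"},
    {"id": 5,  "vendor": "V201", "invoice": "A-1003",   "amount": 9_775_00,  "approver": "jpark"},
    {"id": 6,  "vendor": "V201", "invoice": "A-1004",   "amount": 9_990_00,  "approver": "jpark"},
    {"id": 7,  "vendor": "V202", "invoice": "7781",     "amount": 1_237_45,  "approver": "jpark"},
    {"id": 8,  "vendor": "V202", "invoice": "7790",     "amount": 2_000_00,  "approver": "mreyes"},
    {"id": 9,  "vendor": "V202", "invoice": "7795",     "amount": 15_482_10, "approver": "jpark"},
    {"id": 10, "vendor": "V203", "invoice": "C1",       "amount": 5_000_00,  "approver": "mreyes"},
    {"id": 11, "vendor": "V203", "invoice": "C2",       "amount": 3_000_00,  "approver": "mreyes"},
    {"id": 12, "vendor": "V203", "invoice": "C3",       "amount": 7_000_00,  "approver": "mreyes"},
]


def normalize_invoice(ref):
    """Collapse formatting so 'INV-0042', 'inv 42' and 'INV0042' compare equal:
    lowercase, drop non-alphanumerics, strip zero padding in front of digits."""
    ref = re.sub(r"[^a-z0-9]", "", ref.lower())
    return re.sub(r"(?<=[a-z])0+(?=\d)|^0+(?=\d)", "", ref)


def duplicate_payments(payments):
    """Groups of payment ids with the same vendor, amount and normalized
    invoice reference: the duplicate-submission pattern that an exact match
    on the raw reference string misses."""
    groups = defaultdict(list)
    for p in payments:
        key = (p["vendor"], p["amount"], normalize_invoice(p["invoice"]))
        groups[key].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def below_threshold_clusters(payments, threshold=APPROVAL_THRESHOLD,
                             band=NEAR_THRESHOLD_BAND, min_count=3):
    """Vendors paid repeatedly in the band just under the dual-authorization
    limit. One such payment is normal; a cluster suggests someone calibrating
    amounts to stay under the second approver."""
    floor = threshold * (1 - band)
    hits = defaultdict(list)
    for p in payments:
        if floor <= p["amount"] < threshold:
            hits[p["vendor"]].append(p["id"])
    return {v: ids for v, ids in hits.items() if len(ids) >= min_count}


def round_amount_vendors(payments, unit=1_000_00, min_share=0.5, min_count=3):
    """Share of each vendor's payments that are whole multiples of `unit`
    (default $1,000), reported where it reaches `min_share` over at least
    `min_count` payments. Genuine invoices usually carry tax, freight or
    unit-price cents; fabricated ones are often round."""
    per_vendor = defaultdict(list)
    for p in payments:
        per_vendor[p["vendor"]].append(p["amount"] % unit == 0)
    result = {}
    for vendor, flags in per_vendor.items():
        share = sum(flags) / len(flags)
        if len(flags) >= min_count and share >= min_share:
            result[vendor] = round(share, 2)
    return result


if __name__ == "__main__":
    print("duplicates:", duplicate_payments(PAYMENTS))
    print("below-threshold clusters:", below_threshold_clusters(PAYMENTS))
    print("round-amount vendors:", round_amount_vendors(PAYMENTS))
```

Each rule alone produces false positives (a vendor that legitimately bills a flat monthly fee is round and repetitive), so the output is a review queue for internal audit, not a verdict. The thresholds are parameters precisely so that the band and the minimum counts can be tuned to the organization's own approval policy and payment volume.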

The Control Architecture: Structural Defenses Against Internal Fraud

Internal payment fraud prevention depends on structural controls — the design of the payment process itself — more than on behavioral controls. Training and culture matter, and this article addresses them. But the ACFE data is clear: more than 50% of occupational frauds occurred due to lack of internal controls or an override of existing internal controls. The majority of internal fraud is not explained by employees who were extraordinarily clever or organizational cultures that were unusually corrupt. It is explained, mostly, by control gaps that made the fraud straightforward.

Segregation of Duties. The foundational structural control for internal payment fraud is the separation of incompatible functions. No single employee should have end-to-end control over any payment process — from vendor setup through invoice approval through payment initiation and release. Specifically: the employee who can add or modify vendor records should not be the employee who approves invoices from those vendors; the employee who initiates payments should not be the employee who reconciles the resulting bank transactions; the employee who approves expense reports should not be the employee whose expenses are being approved.

In small organizations where full segregation is impractical due to limited staff, compensating controls — management review, enhanced monitoring, periodic independent audit — should be explicitly designed and documented to address the residual risk that reduced segregation creates.

Access Controls and System Permissions. Vendor master file access, payment initiation authority, and payroll modification capability should be restricted to the specific roles that require them, reviewed periodically, and revoked immediately when an employee's role changes or employment ends. The principle of least privilege — providing access only to what is necessary for the specific role, and no more — is the system-level implementation of the segregation principle.
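The segregation and least-privilege principles above become testable once entitlements are written down as data: a list of incompatible pairs, the role catalog, and who holds which roles. The following is an added example for this article, not code from the article's author or any product it names. The entitlement names, roles, users and the exception register are constructed sample data; the conflict pairs encode the incompatible functions the article lists, and the exception register models the documented compensating controls the small-organization paragraph calls for.

```python
"""Segregation-of-duties review over ERP role assignments.

Added example for this article, not code from the article's author or any
product it names. The entitlement names, roles, users and the exception
register are constructed sample data; the conflict pairs encode the
incompatible functions the article lists.
"""

# Incompatible entitlement pairs: holding both halves gives one person
# end-to-end control over a disbursement path.
CONFLICTS = {
    frozenset({"vendor.create", "invoice.approve"}),
    frozenset({"vendor.modify", "invoice.approve"}),
    frozenset({"vendor.modify", "payment.release"}),
    frozenset({"payment.initiate", "payment.release"}),
    frozenset({"payment.initiate", "bank.reconcile"}),
    frozenset({"hr.add_employee", "payroll.run"}),
    frozenset({"hr.add_employee", "payroll.change_bank"}),
}

# Role catalog. AP_ALL is the kind of convenience role that bundles a
# conflict inside a single role; nobody needs to hold it for the catalog
# review below to flag it.
ROLES = {
    "AP_CLERK":     {"invoice.enter", "payment.initiate"},
    "AP_MANAGER":   {"invoice.approve", "payment.release"},
    "VENDOR_ADMIN": {"vendor.create", "vendor.modify"},
    "TREASURY":     {"bank.reconcile"},
    "HR_ADMIN":     {"hr.add_employee"},
    "PAYROLL":      {"payroll.run", "payroll.change_bank"},
    "AP_ALL":       {"vendor.create", "invoice.approve", "payment.initiate", "payment.release"},
}

ASSIGNMENTS = {
    "mreyes": {"AP_MANAGER", "VENDOR_ADMIN"},  # approves invoices, can also create vendors
    "jpark":  {"AP_CLERK", "TREASURY"},        # initiates payments, also reconciles the bank
    "squinn": {"AP_CLERK"},
    "tlee":   {"HR_ADMIN", "PAYROLL"},         # small-shop HR/payroll overlap
}

# Documented compensating controls for conflicts a small organization cannot
# staff around: who accepted the risk, what mitigates it, when it must be
# re-reviewed. An undocumented or expired conflict is still a finding.
EXCEPTIONS = {
    ("tlee", frozenset({"hr.add_employee", "payroll.run"})): {
        "accepted_by": "controller",
        "control": "monthly payroll-register vs. headcount reconciliation",
        "expires": "2025-12-31",
    },
}


def effective_entitlements(user, assignments, roles):
    """Union of entitlements across every role the user holds."""
    ents = set()
    for role in assignments.get(user, ()):
        ents |= roles.get(role, set())
    return ents


def sod_violations(assignments, roles, conflicts, exceptions=None, today="2025-06-01"):
    """Map each user to the incompatible pairs they hold without a current
    documented exception. Dates are ISO strings, so string comparison works."""
    exceptions = exceptions or {}
    findings = {}
    for user in assignments:
        ents = effective_entitlements(user, assignments, roles)
        hits = []
        for pair in conflicts:
            if not pair <= ents:
                continue
            exc = exceptions.get((user, pair))
            if exc and exc["expires"] >= today:
                continue  # accepted risk, still in force
            hits.append(tuple(sorted(pair)))
        if hits:
            findings[user] = sorted(hits)
    return findings


def toxic_roles(roles, conflicts):
    """Roles that contain both halves of a conflict by themselves, so that
    assigning the role to anyone creates a violation."""
    out = {}
    for role, ents in roles.items():
        hits = sorted(tuple(sorted(p)) for p in conflicts if p <= ents)
        if hits:
            out[role] = hits
    return out


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS, ROLES, CONFLICTS, EXCEPTIONS).items():
        print(user, pairs)
    print("toxic roles:", toxic_roles(ROLES, CONFLICTS))
```

Two design points matter in practice. First, the check runs over effective entitlements, not role names, because a conflict created by combining two individually harmless roles is the common case. Second, exceptions are keyed to a specific user and pair and carry an expiry, so an accepted risk in a small shop is re-reviewed rather than silently permanent; the same run against a later date turns the expired exception back into a finding.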

Departing employees represent a specific and frequently undermanaged access risk. An employee who leaves under difficult circumstances, or who anticipates termination, has both the motive and the remaining access to commit significant fraud during the period between when departure is known and when access is revoked. Access revocation should be synchronized with HR notification and should be treated as a time-sensitive control requirement, not an administrative afterthought.

Three-Way Matching and Invoice Verification. Requiring that invoices be matched against both the originating purchase order and the receiving documentation before payment is approved eliminates the simplest billing scheme variant — payment for goods or services never ordered or delivered. Three-way matching is most effective when it is systematic rather than discretionary, applied to all invoices rather than sampled, and not subject to management override without documented justification and independent review.

Vendor Master File Hygiene and Audit. The vendor master file should be treated as a fraud-critical asset and subjected to periodic, independent review. Specific review targets include: vendors with addresses matching employee addresses or P.O. boxes; vendors with no recent activity that have reactivated; duplicate vendor names or banking details across separate vendor records; vendors with no TIN or with TINs that do not match IRS records; and recently onboarded vendors that received payments before standard verification was completed.
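The review targets listed above, together with the payroll-register checks named under Scheme Four (records with no tax ID or address, duplicate bank accounts, reconciliation against headcount), share one mechanism: normalize an identifier, then look for values that appear in more than one record or that cross from the employee file into the vendor file. The following is an added example for this article, not code from the article's author or from VendorInfo or any other product it mentions. All records are constructed sample data with fictitious identifiers, and the field names are an assumption about how an export of each master file might look.

```python
"""Ghost-record checks over a vendor master and a payroll register.

Added example for this article, not code from the article's author or from
any product it mentions. All records are constructed sample data with
fictitious identifiers; the field names are an assumed export layout.
"""
import re
from collections import defaultdict

# Constructed vendor master. V100/V101 are the same payee entered twice (one
# copy unverified, no TIN); V102 is a P.O. box payee sharing an address and a
# bank account with AP employee E1; V103 is the clean control.
VENDORS = [
    {"id": "V100", "name": "Acme Supply Co", "tin": "12-3456789",
     "address": "100 Main St, Springfield, IL 62701",
     "bank": "071000013:4455667788", "verified": "2023-02-01"},
    {"id": "V101", "name": "ACME Supply Company", "tin": "",
     "address": "100 MAIN STREET SPRINGFIELD IL 62701",
     "bank": "071000013:4455667788", "verified": ""},
    {"id": "V102", "name": "Northwind Consulting", "tin": "98-7654321",
     "address": "PO Box 77, Dayton, OH 45401",
     "bank": "044000037:1122334455", "verified": ""},
    {"id": "V103", "name": "Granite Logistics", "tin": "55-1234567",
     "address": "8 Harbor Rd, Erie, PA 16501",
     "bank": "043000096:9988776655", "verified": "2022-11-12"},
]

# Constructed payroll register. E3 has no TIN or address and is paid into
# E2's account: the classic ghost-employee shape.
EMPLOYEES = [
    {"id": "E1", "name": "Dana Reyes", "tin": "111-22-3333", "dept": "AP",
     "address": "P.O. Box 77, Dayton OH 45401", "bank": "044000037:1122334455"},
    {"id": "E2", "name": "Lee Park", "tin": "222-33-4444", "dept": "Ops",
     "address": "12 Oak Ave, Erie, PA 16501", "bank": "043000096:5566778899"},
    {"id": "E3", "name": "Sam Quinn", "tin": "", "dept": "Ops",
     "address": "", "bank": "043000096:5566778899"},
]
APPROVED_HEADCOUNT = {"AP": 1, "Ops": 1}  # from the budget, outside payroll's control

_ABBREV = (("street", "st"), ("avenue", "ave"), ("road", "rd"), ("p.o.", "po"))


def normalize_address(addr):
    """Fold case, punctuation and common abbreviations so that
    '100 Main St,' and '100 MAIN STREET' compare equal."""
    s = addr.lower()
    for long_form, short in _ABBREV:
        s = s.replace(long_form, short)
    s = re.sub(r"[^a-z0-9 ]", " ", s)
    return " ".join(s.split())


def shared_values(records, field, normalize=str.strip):
    """Group records by a normalized field value; return groups of size > 1."""
    groups = defaultdict(list)
    for rec in records:
        value = normalize(rec.get(field, ""))
        if value:
            groups[value].append(rec)
    return [recs for recs in groups.values() if len(recs) > 1]


def audit_vendor_master(vendors, employees):
    """Per-vendor flags: missing TIN, no onboarding verification, P.O. box
    address, and a bank account or address shared with another vendor record
    or with an employee (the related-party / ghost-vendor test)."""
    flags = defaultdict(set)
    for v in vendors:
        if not v["tin"]:
            flags[v["id"]].add("missing_tin")
        if not v["verified"]:
            flags[v["id"]].add("onboarding_verification_missing")
        if re.search(r"\bpo box\b", normalize_address(v["address"])):
            flags[v["id"]].add("po_box_address")
    tagged = ([dict(v, kind="vendor") for v in vendors]
              + [dict(e, kind="employee") for e in employees])
    for field, norm, label in (("bank", str.strip, "shared_bank_account"),
                               ("address", normalize_address, "shared_address")):
        for group in shared_values(tagged, field, norm):
            for rec in (r for r in group if r["kind"] == "vendor"):
                for other in (o for o in group if o is not rec):
                    flags[rec["id"]].add(f"{label}_with_{other['kind']}:{other['id']}")
    return {k: sorted(v) for k, v in flags.items()}


def audit_payroll_register(employees, approved_headcount):
    """Ghost-employee indicators (missing identifiers, shared direct-deposit
    accounts) plus a register-vs-approved-headcount variance by department."""
    flags = defaultdict(set)
    for e in employees:
        for field in ("tin", "address"):
            if not e[field]:
                flags[e["id"]].add(f"missing_{field}")
    for group in shared_values(employees, "bank"):
        for rec in group:
            others = ",".join(sorted(o["id"] for o in group if o is not rec))
            flags[rec["id"]].add(f"shared_bank_account_with_employee:{others}")
    on_register = defaultdict(int)
    for e in employees:
        on_register[e["dept"]] += 1
    variance = {d: n - approved_headcount.get(d, 0)
                for d, n in on_register.items() if n != approved_headcount.get(d, 0)}
    return {k: sorted(v) for k, v in flags.items()}, variance
```

The normalization step is what makes the cross-file match useful: a ghost vendor is rarely entered with an address byte-identical to the employee's HR record, but it is often the same address with different punctuation or abbreviation. A TIN check against IRS records, which the paragraph also lists, needs the IRS TIN Matching service and so is left outside this offline example.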

VendorInfo specifically addresses the vendor master as a controlled, verified data environment — one in which vendor information is validated at onboarding and maintained through a managed change process, reducing the structural opportunity for ghost vendor creation by removing the conditions that make it easy. Platforms that provide automated TIN verification, bank account ownership verification, and documented verification audit trails make it substantially harder for a fraudster to create a convincing ghost vendor record that passes the controls an auditor would apply.

Dual Authorization for Payments. Payment approval processes should require independent authorization — at minimum two separate approvers for significant transactions, with neither approver also having the ability to create or modify the payee record. Dollar thresholds for dual authorization should be set conservatively; fraud actors who understand the approval architecture will calibrate their payments to fall just below the threshold that triggers the second review.

Mandatory Vacation and Job Rotation. The behavioral insight that fraudsters avoid vacations — because their absence creates the conditions for discovery — is also a control mechanism. Mandatory vacation periods, during which the employee's responsibilities are temporarily assumed by someone else, are specifically recommended by the ACFE as a fraud prevention measure. Job rotation serves a similar function by preventing any single employee from developing the exclusive knowledge and control over a process that a sustained fraud scheme requires.

Fraud Hotline and Reporting Culture. As noted above, tips are the most productive fraud detection mechanism available. The investment required to establish and maintain an effective, independent reporting mechanism is modest. The return — faster detection, lower losses, and a cultural signal that the organization takes fraud seriously — is consistent and well-documented.

The Internal-External Intersection: When Insiders Enable External Fraud

Internal payment fraud does not always operate in complete isolation from the external threats addressed in earlier articles. The intersection is worth naming explicitly because it represents a category of risk that is particularly difficult to defend against through controls that address only one dimension at a time.

The complicit insider is the most dangerous variant. An employee who deliberately provides an external attacker with vendor payment schedules, approval workflow information, organizational contact names, or system credentials effectively functions as a force multiplier for BEC and vendor impersonation attacks. The external attacker armed with insider intelligence can craft communications that are far more contextually specific and operationally timed than a cold attack could achieve. The controls that defend against pure external fraud — out-of-band verification, account ownership validation, segregation of duties — are necessary but not sufficient against an insider-assisted attack, because the insider may be positioned to subvert the verification step itself.

The unwitting insider is a less dramatic but equally consequential variant. An employee who is socially engineered into providing information — vendor lists, payment schedules, organizational hierarchy — without understanding that it will be used for fraud does not intend to facilitate theft. The result is the same. This is the human factor that connects the internal fraud control architecture to the security awareness training program: employees who understand what information is sensitive, why it is sensitive, and what to do when they are asked for it by unexpected parties are a genuine fraud prevention resource, not merely a training checkbox.

The Tone at the Top: Leadership as a Control

The ACFE data consistently identifies poor tone at the top as a primary factor in frauds committed by owners and executives — not a secondary or contextual factor, but the dominant contributing weakness for the highest-magnitude perpetrators in the study. This finding has direct implications for how finance leaders approach the internal fraud risk.

The control environment for a disbursements function is not created only by the policies posted on the intranet or the segregation of duties embedded in the ERP system. It is created, in large part, by the visible behavior and stated expectations of the organization's financial leadership. CFOs, Controllers, and Directors of Financial Operations who treat the fraud prevention policy as a genuine operating commitment — who enforce it consistently, who do not tolerate exceptions for convenience, and who create the cultural conditions in which concerns can be raised without career consequence — produce control environments that are materially more resistant to internal fraud than those who treat policy as a compliance artifact.

Fraud training combined with a formal reporting mechanism dramatically increases the likelihood that an organization will receive fraud tips. Fraud training also sends a powerful message about the organization's intention to fight fraud no matter where it originates. That "no matter where it originates" is the operative phrase. Internal fraud, like external fraud, is deterred when perpetrators believe they will be caught. The probability of detection is the most powerful deterrent available — and it is a function of the controls, the culture, and the leadership commitment that defines both.

The Professional Standard: Knowledge, Certification, and Continuous Practice

Internal payment fraud is a subject that AP and finance professionals cannot address only reactively. The schemes it encompasses are not new; the ACFE has been documenting them in consistent detail since 1996. What changes is their sophistication, their scale, and the tools available to perpetrators and defenders alike.

Professional training that equips AP staff to recognize the structural conditions that enable internal fraud, and to implement the verification and segregation disciplines that remove those conditions, is among the most direct fraud prevention investments an organization can make.

The work of fraud prevention is continuous. Schemes evolve. Personnel change. Control environments erode without maintenance. The organizations that sustain the lowest internal fraud losses over time are those that treat fraud prevention not as a one-time implementation but as an ongoing management discipline — one that is reviewed, tested, and reinforced by leadership that understands its stakes.
