One of Toyota’s auto parts suppliers lost $37 million in an accounts payable fraud case in 2019. Today’s columnist, Danny Schaarmann of xSuite North America, offers some insights into how security teams can prevent AP fraud. (Photo by Junko Kimura/Getty Images)

The U.S. Attorney's Office of the Northern District of Georgia last October arraigned Christian Akhatsegbe on federal charges for a cyber-fraud scheme that duped companies into paying fraudulent invoices worth millions of dollars. According to court records, Akhatsegbe and his cohorts captured internal credentials through phishing efforts, allowing them to send phony invoices from the company's vendors for payment. 

Two invoices – one for $434,383.45 and the other for $996,000 – were submitted along with wiring instructions to a bank account in Hong Kong. Both were paid in full. 

This type of accounts payable (AP) fraud has become more common as cybercriminals penetrate companies to steal information about company vendors and suppliers and the employees responsible for paying them. The Association of Certified Fraud Examiners (ACFE) has found that businesses are losing up to 5% of their revenue to this fraud every year.

For example, Toyota Boshoku Corp., a major supplier of Toyota auto parts, lost $37 million in 2019 when cybercriminals convinced someone in accounts payable to change account information on an electronic funds transfer. Sometimes companies are defrauded for months as fraudsters repeatedly steal smaller sums of money over long periods. 

AP fraud comes in many forms, including: 

  • Business email compromise, also known as "CEO fraud," occurs when fraudsters target specific employees with a phony email from the CEO or another executive instructing the employee to pay a fraudulent invoice. 
  • Duplicate invoices, where a vendor submits the same invoice multiple times or posts multiple invoices with marginal differences.   
  • Changing master data, as in the Toyota Boshoku Corp. case: a criminal fraudulently representing a supplier sends an email stating that the supplier's bank details have changed. Without anyone checking with the supplier, the invoice amount gets transferred to the new account.
  • Asset misappropriation, in which two or more employees collaborate to commit fraud against their employer. In this case, one person produces a fraudulent invoice and approves it, and another one pays it.  

Attacks of this nature are difficult to detect and prevent without structural changes to existing AP processes. For many companies, structural change comes in the form of automation. 

Fully digital end-to-end solutions offer greater security than manual controls by automating the entire AP process, including invoice receipt, data capture, approval, release, and archiving. This lets companies manage the entire workflow within one system. The transparency and speed that automation provides make it easier and more efficient to put the following four security measures in place:

  • Apply four eyes to the invoice process.

Many companies apply a four-eye principle (two or more employees) to their invoicing process to keep fraudulent invoices from slipping in through their front doors. This includes segregating AP duties so that no single person manages the entire invoice workflow. In this case, the person receiving an invoice can’t approve the document and release the payment.

However, it does not preclude two or more employees from collaborating in a fraudulent scheme.  Also, adding more employees to the workflow can substantially delay the overall invoice process.  

  • Require a three-way match.

A three-way match between the purchase order (PO), the invoice, and the goods receipt can ensure that the information on all purchase-related documents matches, and it increases transparency within the AP department.

  • Detect fraudulent invoices.

Using artificial intelligence, AP automation can recognize patterns in large sets of data. If a supplier submits an above-average number of invoices in a short period, the system can automatically send an alert to inform the AP clerks about the anomaly.

  • Improve process reliability.

Organizations can digitize processes to produce automated flows and define standard procedures that are more difficult to bypass. Digital workflows are more reliable and secure than manual ones.
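The controls above, written as rule checks an automated workflow could run before releasing a payment. This is an added example, not code from the author or any AP product; the vendors, accounts, users and thresholds are constructed for illustration.

```python
from datetime import date

# Constructed sample data: vendors, accounts, amounts and users are hypothetical.
VENDOR_BANK = {"V100": "DE-1111", "V200": "US-2222"}        # vendor master data
PURCHASE_ORDERS = {"PO-1": ("V100", 5000.0), "PO-2": ("V200", 1200.0),
                   "PO-3": ("V200", 800.0)}                   # po -> (vendor, amount)
GOODS_RECEIPTS = {"PO-1": 5000.0, "PO-2": 1200.0}            # po -> received value

def inv(id_, vendor, po, amount, bank, day, receiver, approver):
    return dict(id=id_, vendor=vendor, po=po, amount=amount, bank=bank,
                date=date(2024, 3, day), receiver=receiver, approver=approver)

INVOICES = [
    inv("INV-1", "V100", "PO-1", 5000.0, "DE-1111", 1, "alice", "bob"),  # clean
    inv("INV-2", "V100", "PO-1", 4999.0, "DE-1111", 3, "alice", "bob"),  # near-duplicate
    inv("INV-3", "V200", "PO-2", 1200.0, "HK-9999", 4, "carol", "bob"),  # new bank details
    inv("INV-4", "V200", "PO-3", 800.0, "US-2222", 5, "dave", "dave"),   # no receipt, one person
]

def check_invoice(invoice, earlier, tolerance=0.01, window_days=30):
    """Return the list of control failures for one invoice."""
    flags = []
    po_vendor, po_amount = PURCHASE_ORDERS.get(invoice["po"], (None, None))
    received = GOODS_RECEIPTS.get(invoice["po"])
    # Three-way match: PO, goods receipt and invoice must agree.
    if (po_vendor, po_amount, received) != (invoice["vendor"], invoice["amount"], invoice["amount"]):
        flags.append("three_way_mismatch")
    # Master data: payment details must equal what is on file for the vendor.
    if VENDOR_BANK.get(invoice["vendor"]) != invoice["bank"]:
        flags.append("bank_details_changed")
    # Four eyes: the person who received the invoice may not approve it.
    if invoice["receiver"] == invoice["approver"]:
        flags.append("four_eyes_violation")
    # Duplicates, including resubmissions with marginal differences in amount.
    for old in earlier:
        close = abs(old["amount"] - invoice["amount"]) <= tolerance * old["amount"]
        recent = abs((invoice["date"] - old["date"]).days) <= window_days
        if old["vendor"] == invoice["vendor"] and close and recent:
            flags.append("possible_duplicate_of_" + old["id"])
    return flags

def review(invoices):
    """Check invoices in arrival order; return {invoice id: flags} for held ones."""
    held = {}
    for i, invoice in enumerate(invoices):
        flags = check_invoice(invoice, invoices[:i])
        if flags:
            held[invoice["id"]] = flags
    return held
```

Calling `review(INVOICES)` holds three of the four sample invoices; a changed bank account should trigger an out-of-band confirmation with the supplier rather than an update from the email itself.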

Companies can combat AP fraud by creating a fully-digital, end-to-end solution that can help map an entire automated process. This lets organizations manage workflows all from one place. Digital AP automation helps businesses identify clear release systems and successfully handle authorizations. Additionally, AP automation brings more transparency and momentum to invoice processing methods. 

Danny Schaarmann, chief executive officer, xSuite North America