Ghost Vendor Fraud: How It Happens and How to Stop It
Ghost vendor fraud is one of the highest-value and longest-running forms of occupational fraud in accounts payable. The Association of Certified Fraud Examiners, in their biennial Report to the Nations, consistently finds that billing schemes (which include ghost vendors) account for roughly one in five occupational fraud cases, with a median loss measured in six figures and durations often exceeding 18 months before detection.
What makes ghost vendor schemes so successful is that they don't look like fraud from the outside. There's no forged signature, no unusual invoice, no external attacker — just a vendor that's been in the system for a while, submits invoices regularly, and gets paid on time. The fraud is the vendor itself.
The basic pattern: an insider with vendor master access — often someone in AP or procurement — sets up a new vendor record. The vendor's legal name might be a real-sounding service company, the address might be a rented PO box or the insider's home, and the bank account on file is controlled by the insider directly or through an intermediary.
Once the vendor is in the system, the insider generates invoices from the fictitious vendor and submits them through normal channels. Because the insider knows the approval workflow, the invoices are carefully sized to stay below thresholds that would trigger extra scrutiny — $2,500 and $4,800 invoices, rather than $12,000 ones. Approvals are signed by someone the insider knows won't look closely, or in some schemes by the insider themselves if they have approval authority.
The money flows. Month after month. The scheme typically runs until a new controller arrives and audits the vendor master, a tip comes in, or the insider gets greedy and invoices grow large enough to trigger scrutiny.
Ghost vendors share a set of telltale signatures that, while not conclusive individually, become strong indicators when two or more appear together.
Ghost vendor indicators to watch for
- Vendor address matches an employee home address, a residential zip code, or a commercial mail-forwarding service
- Vendor address is a PO box with no street address on file
- TIN on file is missing, or has never been verified, or has failed IRS TIN matching
- No W-9 or W-8 on file despite payment activity
- Vendor was added by someone who also approves its invoices
- Vendor has no public presence — no website, no phone number that answers, no LinkedIn, no business registration record in the state of its claimed address
- Invoices are sequential and round-numbered in amount (they are being generated, not collected)
- Invoices arrive only from the same sender email address, not from a vendor AR system
- Vendor was paid but never appears in any goods-received records or service logs
- First invoice arrives within days of vendor setup
- Invoices fall just under approval thresholds ($2,499, $4,999, $9,999)
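The indicators above can be run as a screen over the vendor master, the invoice ledger and HR records, which is also how the red-flag sample for the periodic audit is pulled. This is an added example written for this page, not code from the article or from Covinly; the record layouts, the 2% band under each approval threshold, and the sample employees, vendors and invoices are all assumptions constructed here.

```python
# Ghost-vendor red-flag screen over constructed sample records (added example, not the article's code).
import re
from datetime import date
THRESHOLDS = (2500, 5000, 10000)  # approval thresholds; amounts within 2% below one are suspect
# Constructed sample data: HR employee records, the vendor master, and the invoice ledger.
EMPLOYEES = [
    {"id": "E100", "address": "14 elm st, springfield", "bank": "ACCT-777"},
    {"id": "E101", "address": "9 oak ave, shelbyville", "bank": "ACCT-555"},
]
VENDORS = [
    {"id": "V1", "address": "200 Main St, Springfield", "tin_status": "matched", "w9": True,
     "created_by": "E101", "created_on": date(2023, 1, 10), "bank": "ACCT-123"},
    {"id": "V2", "address": "14 Elm St,  Springfield", "tin_status": "failed", "w9": False,
     "created_by": "E100", "created_on": date(2024, 3, 1), "bank": "ACCT-777"},
]
INVOICES = [
    {"vendor": "V1", "number": "A-4471", "amount": 12340.00, "date": date(2024, 4, 2), "approved_by": "E100"},
    {"vendor": "V2", "number": "1001", "amount": 2499.00, "date": date(2024, 3, 4), "approved_by": "E100"},
    {"vendor": "V2", "number": "1002", "amount": 4999.00, "date": date(2024, 4, 4), "approved_by": "E100"},
]
def norm(addr):  # case- and whitespace-insensitive key for address cross-referencing
    return re.sub(r"\s+", " ", addr.strip().lower())

def just_under(amount):  # sized to dodge a limit, e.g. $2,499 against a $2,500 threshold
    return any(t * 0.98 <= amount < t for t in THRESHOLDS)

def sequential(numbers):  # gap-free numeric invoice numbers suggest a generated series
    nums = sorted(int(n) for n in numbers if n.isdigit())
    return len(nums) >= 2 and nums == list(range(nums[0], nums[0] + len(nums)))

def red_flags(vendor, invoices, employees):
    """Return the names of the indicators that fire for one vendor."""
    inv = sorted((i for i in invoices if i["vendor"] == vendor["id"]), key=lambda i: i["date"])
    emp_addrs = {norm(e["address"]) for e in employees}
    emp_banks = {e["bank"] for e in employees}
    checks = {
        "address_matches_employee": norm(vendor["address"]) in emp_addrs,
        "tin_not_matched": vendor["tin_status"] != "matched",
        "no_w9": not vendor["w9"],
        "bank_matches_employee": vendor["bank"] in emp_banks,
        "creator_approves_invoices": any(i["approved_by"] == vendor["created_by"] for i in inv),
        "first_invoice_within_week": bool(inv) and (inv[0]["date"] - vendor["created_on"]).days <= 7,
        "invoices_just_under_threshold": bool(inv) and all(just_under(i["amount"]) for i in inv),
        "sequential_invoice_numbers": sequential([i["number"] for i in inv]),
    }
    return [name for name, fired in checks.items() if fired]

def audit_sample(vendors, invoices, employees, min_flags=2):  # periodic verification sample
    return [(v["id"], flags) for v in vendors
            if len(flags := red_flags(v, invoices, employees)) >= min_flags]
```

No single check is conclusive; the sample threshold of two indicators is the point where manual verification (a phone call, a registry lookup) is worth the time.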
[Stat callout: Median duration of billing-scheme fraud before detection (ACFE Report to the Nations, 2024)]
The single most effective ghost vendor prevention is segregation of duties between vendor setup and invoice approval. The person who creates a new vendor record must not be the same person who can approve invoices from that vendor. In small organizations where one person necessarily does both, a compensating control is required — typically a second-person signoff on every new vendor above a trivial threshold.
The control is structural, not behavioral. A written policy that 'the AP manager shouldn't approve invoices from vendors they set up' fails the moment the AP manager gets busy, because there's no system enforcement. A system that literally won't route an invoice to the approval queue if the approver also created the vendor record is the only reliable version.
When segregation cannot be achieved organizationally, automate the compensating control. Every new vendor setup above a threshold generates an automated notification to the CFO or controller with the setup details, bank account, TIN, and address — and the vendor is held in a pre-activation state until someone confirms. This costs minutes of oversight per new vendor and eliminates most ghost vendor schemes.
Every new vendor's business address should be verified against a commercial database of business addresses. There are multiple commercial services that make this check easy — D&B, commercial real estate databases, USPS business address verification. The specific provider matters less than the fact that the check happens.
The check catches two patterns: addresses that are residential (the vendor is someone's house), and addresses that are commercial mail-forwarding services (the vendor doesn't actually exist at that address). Neither is conclusive proof of fraud — legitimate small businesses sometimes operate from residences — but both warrant additional verification before payment.
The complementary control is employee address cross-reference. New vendor addresses should be automatically checked against all employee home addresses in HR. A match is a strong enough signal to require manager signoff before payment.
The IRS TIN Matching Program verifies that a taxpayer identification number matches the name on file at the IRS. The program is free, returns near-instant results, and creates a documented record. Every new US vendor should be TIN-matched before first payment, and vendors whose TIN fails matching should be prevented from being paid until the issue is resolved.
Ghost vendors fail TIN matching with high frequency because the fraudster either doesn't have a real TIN to use, uses their own Social Security Number (which then matches the employee's name in the HR system, triggering the address cross-reference), or uses an old expired business TIN. Any of these signals should stop the vendor activation.
Structural controls prevent most ghost vendor activity but cannot catch every case. Periodic audit sampling is the retrospective control. On a quarterly or semi-annual basis, pull a sample of vendors meeting one or more red flag criteria (new in the last year, low transaction count, no PO history, paid only by check or ACH to a single account) and perform verification: call the vendor's listed phone number, visit or search for them online, confirm the address, request updated documentation.
Sampling catches the schemes that slipped past preventive controls. More importantly, it creates an ongoing deterrent: the insider considering setting up a ghost vendor has to contend with the fact that their vendor will eventually be sampled and verified, and any one of those sample calls is enough to unravel the scheme.
Each of the four controls above can be implemented manually. The reason ghost vendor schemes continue to succeed is that manual implementations fail under operational pressure. A vendor gets set up without TIN matching because the team is behind on onboarding. An invoice from a new vendor gets paid because the receiving confirmation hasn't arrived yet and the subcontractor is pushing for payment. An audit sample doesn't happen because the quarter-end close ran long.
Automated AP platforms make the controls structural rather than behavioral. Vendor activation gates on TIN match results, W-9 presence, and address verification. Invoice approval gates on vendor activation plus segregation-of-duties enforcement. Audit sampling runs automatically with prioritized queues for human review. The controls happen by default, and deviating from them requires an explicit override with its own log.
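The pre-activation hold, the documentary gates and the segregation-of-duties refusal described in the segregation-of-duties section and summarized here can be written as refusals in code rather than as policy text. This is an added example, not Covinly's platform code; the Vendor and APSystem data model, the state names, and the override rule (a named third person plus a reason, logged separately from ordinary routing) are assumptions.

```python
# Vendor-activation and invoice-routing gates as refusals in code (added example on an assumed
# data model, not Covinly's platform code). A vendor starts in a pre-activation hold, and an
# invoice never reaches the approval queue if its approver also created the vendor record.
from dataclasses import dataclass, field
class ControlViolation(Exception):
    pass

@dataclass
class Vendor:
    id: str
    created_by: str
    tin_status: str = "unverified"   # becomes "matched" only on an IRS TIN Matching result
    w9_on_file: bool = False
    address_verified: bool = False   # checked against a commercial business-address database
    state: str = "PENDING"           # PENDING until a second person confirms and all gates pass

@dataclass
class APSystem:
    vendors: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def create_vendor(self, vid, created_by):
        self.vendors[vid] = Vendor(vid, created_by)
        self.audit_log.append(("vendor_created", vid, created_by))

    def activate_vendor(self, vid, confirmed_by):
        """Second-person confirmation plus the TIN, W-9 and address gates."""
        v = self.vendors[vid]
        if confirmed_by == v.created_by:
            raise ControlViolation("activation must be confirmed by someone other than the creator")
        gates = {"tin_match": v.tin_status == "matched", "w9": v.w9_on_file, "address": v.address_verified}
        missing = [g for g, ok in gates.items() if not ok]
        if missing:
            raise ControlViolation(f"vendor {vid} held in pre-activation, missing: {missing}")
        v.state = "ACTIVE"
        self.audit_log.append(("vendor_activated", vid, confirmed_by))

    def route_invoice(self, vid, invoice_no, approver, override_by=None, reason=None):
        """Return the queue the invoice lands in, or refuse it. An override needs a named third
        person and a reason, and is logged separately from ordinary routing."""
        v = self.vendors[vid]
        problems = [msg for cond, msg in ((v.state != "ACTIVE", "vendor not active"),
                    (approver == v.created_by, "approver created the vendor record")) if cond]
        if not problems:
            self.audit_log.append(("invoice_routed", vid, invoice_no, approver))
            return "approval_queue"
        if override_by and reason and override_by not in (approver, v.created_by):
            self.audit_log.append(("override", vid, invoice_no, approver, override_by, reason, problems))
            return "override_queue"
        raise ControlViolation(f"invoice {invoice_no} refused: {problems}")
```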
If you suspect a ghost vendor is already in your system, the investigation pattern is consistent: pull all activity for the vendor, cross-reference the bank account against other vendors and employee accounts, trace the original setup record for who entered the vendor and when, check the invoices for common signatures (same PDF template, same metadata, sequential numbering), and verify the claimed business against public records.
The investigation almost always uncovers the scheme completely once started — ghost vendors leave a consistent paper trail. The harder work is usually the organizational aftermath: confronting the insider, recovering the funds (often impossible if the money has been withdrawn), and implementing the structural controls that prevent the next scheme.
Ghost vendor fraud is an entirely preventable category of loss. The four controls that stop it — segregation of duties, address verification, TIN matching, and audit sampling — are well-understood, inexpensive, and broadly applicable. What prevents them from being implemented is almost never cost; it's organizational drift under operational pressure. Automation removes the drift, which is the single most durable reason to move ghost vendor prevention from a policy document into a system.
Written by Alex Kim, Engineering Lead, AI
Engineering lead for Covinly's AI and ML systems. Previously built fraud detection at a B2B fintech. Writes about how AI actually reads invoices — the math, the edge cases, and why OCR alone isn't enough.