In 2024, Australians lost over $2 billion to scams, according to the National Anti-Scam Centre’s Targeting Scams report. Payment redirection, where a fraudster intercepts an invoice and swaps in their own bank details, remained one of the top five scam types, hitting businesses in construction, real estate, and professional services hardest.
But here’s what most fraud prevention conversations miss: the vulnerability rarely begins with the invoice. It begins with the data sitting behind it, in your supplier master file.
For mid-market businesses across Australia and New Zealand processing hundreds or thousands of invoices a month, this blind spot is expensive. Payment-redirection scams, supplier impersonation, duplicate payments, and GST mismatches don’t start with a dodgy email. They start with supplier records that are incomplete, unverified, or uncontrolled.
What Is Supplier Master Data – and Why Does It Matter for Fraud Prevention?
Supplier master data is the core record your finance system holds for every vendor you pay: legal entity name, ABN or IRD number, bank account details, payment terms, and contact information. It’s the source of truth your accounts payable process relies on every time it matches, approves, and pays a supplier invoice.
When that data is accurate, complete, and controlled, it acts as a gatekeeper. When it’s not, it’s an open door.
In a typical mid-sized business, it’s not unusual to find:
- Supplier records with missing or outdated bank account details
- Duplicate profiles for the same vendor, creating paths around existing approval workflows
- Invoices processed against suppliers who were never formally onboarded or verified
- ABN or IRD numbers that don’t match the legal entity being paid
- Bank detail changes applied on the basis of an email or PDF, without secondary verification
These aren’t just data hygiene issues. They’re attack surfaces. Each one represents a point where a fraudster, a phishing email, or a simple human error can redirect money to the wrong account, and each one is invisible until something goes wrong.
How Supplier Data Gaps Enable AP Fraud
The mechanics of supplier-related AP fraud are straightforward, which is precisely what makes them effective.
Payment redirection
A fraudster compromises a supplier’s email (or spoofs it) and sends your AP team a notice that the supplier’s bank details have changed. If your process allows bank account updates without verification, or if the supplier record has no verified baseline to compare against, the payment goes to the fraudster’s account. By the time the real supplier follows up on the unpaid invoice, the money is gone.
Supplier impersonation
A new “supplier” is set up in your system using details from a phishing email or a spoofed website. Without a controlled onboarding process that verifies the entity’s ABN, bank details, and legal identity against an independent source, the record looks legitimate. Invoices follow. Payments follow. The fraud isn’t discovered until the real supplier relationship surfaces the discrepancy.
Duplicate payments
Duplicate supplier records, often created by different team members at different times, allow the same invoice to be processed twice through different approval paths. This isn’t always fraud, but it’s always costly, and it’s a gap that fraudsters can exploit deliberately.
GST and tax mismatches
When the ABN or IRD number on an invoice doesn’t match the supplier record, you’re either paying the wrong entity or claiming GST credits you’re not entitled to. Both create audit exposure, one with the ATO, one with the IRD.
The common thread across all of these is the same: the supplier record either didn’t exist, wasn’t verified, or wasn’t controlled when it changed.
What Best Practice Looks Like in 2026
Modern AP automation doesn’t treat supplier data controls as a “nice to have.” They’re foundational, the first set of business rules that every invoice must pass through before it enters an approval workflow.
Here’s what best-in-class looks like for invoice fraud prevention in Australian and New Zealand businesses:
- Supplier validation before invoice acceptance. A supplier must exist in the master file, verified, approved, and onboarded, before an invoice against that supplier is accepted into the system.
- Bank account matching. The bank details on the invoice must match the verified record. Any mismatch is flagged and held before posting, not after.
- ABN/IRD validation. Tax identifiers are matched to the legal entity in your system. This catches both fraud and compliance errors.
- Controlled supplier onboarding. New suppliers go through a defined process with verification steps, approval authority, and an audit trail.
- Dual approval for sensitive changes. Any change to bank details, entity name, or payment terms requires a second approval and is logged with a full AP audit trail.
- Duplicate detection. The system flags potential duplicate supplier records before they’re created, preventing parallel payment paths.
These aren’t features you upgrade to. They’re guardrails that should be present from day one. And yet, they’re missing in many businesses, even those that have digitised their invoice-approval workflows.
Why This Gets Overlooked
In most organisations, supplier master data is treated as an admin task, a static list that someone in finance maintains. It doesn’t get the same attention as invoice approval tiers, payment runs, or month-end close.
Until something goes wrong.
Consider the scenarios AP teams encounter regularly:
- A junior team member creates a new supplier using details from a phishing email. No verification step catches it.
- An existing supplier changes banks. Someone updates the record based on a PDF attachment, without calling the supplier to confirm.
- A duplicate supplier record is created for a vendor who already exists, bypassing the approval controls attached to the original.
- An invoice is paid against an ABN that belongs to a different entity from the one providing the goods or services.
Each of these results in money being misrouted, overpaid, or stolen. The root cause is always the same: the supplier master file isn’t managed as a live, controlled part of the financial process. It’s treated as reference data rather than as the first line of defence against fraud.
How Acume Approaches Supplier Validation
At Acume, supplier data validation is built into every customer’s AP workflow as a baseline, not as an upgrade or a premium feature. Our approach treats the supplier record as the first checkpoint in the accounts payable automation process, for businesses running Xero, MYOB, or any other accounting system.
In practice, this means:
- Invoices are hard-stopped if the supplier isn’t recognised in the master file. They don’t enter the approval workflow; they don’t queue for payment. They stop.
- Mismatched bank details are flagged before posting, not surfaced in a post-payment exception report.
- Tax identifiers are validated against the supplier record, catching entity mismatches and GST compliance issues before they become audit findings.
- Every supplier change is logged with a full audit trail, who changed what, when, and who approved it.
This isn’t about adding friction to AP. It’s about applying AP business rules where they’re most effective: before a payment is committed, not after it’s gone.
If you’re not validating supplier data as part of your AP process, you’re not just exposed – you’re operating on luck.
The Payoff: Stronger Controls, Lower Risk, Faster Audits
When supplier master data is actively managed and system-validated as part of accounts payable automation, the downstream effects compound. The ATO benchmarks paper invoice processing at approximately $30 per invoice and PDF invoicing at approximately $27 – and that cost is recoverable through automation. But none of those savings materialise if the supplier records feeding the workflow are unverified, because one fraudulent payment or duplicate easily outweighs months of processing cost reduction.
The direct outcomes of governed supplier data:
- Fraud risk drops significantly. Payment redirection and supplier impersonation attacks fail at the first checkpoint rather than at the bank.
- Payment errors decrease. Duplicate payments, wrong-entity payments, and incorrect bank transfers are caught before posting.
- Audits get faster and cleaner. A complete audit trail on supplier records and changes means your auditors spend less time asking questions and your team spends less time answering them.
- AP teams focus on exceptions, not data wrangling. When the system handles validation, your people handle the work that actually requires judgment.
And with eInvoicing adoption accelerating across Australia and New Zealand – with mandatory Peppol deadlines arriving in July and December 2026 – these supplier data controls are no longer just best practice. eInvoicing through the Peppol network requires clean, verified supplier records with correct ABN and IRD identifiers. Businesses that don’t have governed supplier master data processes will find eInvoicing compliance harder to achieve, not easier.
Where to Start
If you’re investing in payment automation, approval workflows, or eInvoicing readiness, but haven’t reviewed your supplier data policy in the last twelve months, start there.
Three practical steps:
- Audit your supplier master file. How many records have verified bank details? How many duplicates exist? When was the last review?
- Map your supplier change process. Who can create a new supplier? Who can change bank details? Is there dual approval? Is there an audit log?
- Assess your automation layer. Does your AP automation software validate supplier data before accepting invoices? Or does it only automate the workflow after the data is already in the system?
No matter how sophisticated your invoice approval matrix is, it can all be undone by one unverified bank account. Clean data is safe money.
Want to see how Acume validates supplier data before every payment? Book a walkthrough or explore our AP automation solution to see supplier validation in action.
Frequently Asked Questions
What is supplier master data in accounts payable?
Supplier master data is the core record a finance system holds for every vendor it pays; legal entity name, ABN or IRD number, bank account details, payment terms, and contact information. It is the source of truth that accounts payable relies on every time it matches, approves, and pays an invoice. When supplier master data is unverified or uncontrolled, it becomes the primary attack surface for payment redirection fraud, supplier impersonation, and duplicate payments.
How does invoice fraud prevention start with supplier data?
Most AP fraud; payment redirection, supplier impersonation, duplicate payments, exploit weaknesses in the supplier record rather than the invoice itself. A fraudster doesn’t need to compromise an invoice if they can update a bank account detail in an uncontrolled supplier record. Fraud prevention starts by treating the supplier master file as a live, governed control: verified records, change-controlled bank details, and ABN/IRD validation on every invoice before it enters the approval workflow.
What are the most common supplier master data fraud risks in Australia?
The four most common are: payment redirection (fraudster updates bank details before payment), supplier impersonation (fake supplier onboarded without identity verification), duplicate payments (parallel records allow the same invoice to process twice), and GST mismatches (wrong ABN creates both a fraud risk and an ATO compliance exposure). The National Anti-Scam Centre reported over $2 billion in scam losses in Australia in 2024, with payment redirection among the top five categories affecting businesses.
How does AP automation prevent duplicate payments?
AP automation prevents duplicate payments through two mechanisms: duplicate invoice detection (checking whether the same invoice reference, amount, and supplier combination has already been processed) and duplicate supplier record detection (flagging when a new supplier record matches an existing one before it’s created). Both checks run automatically before the invoice enters the approval queue, catching the issue before payment, not in a post-payment exception report.
What does a controlled supplier onboarding process look like?
A controlled supplier onboarding process requires: ABN or IRD verification against the legal entity name, independent bank account verification (not self-reported via email), approval authority for new supplier creation, a complete audit trail of who onboarded the supplier and when, and dual approval for any subsequent changes to bank details or entity name. In a governed AP platform, these steps are enforced by the system, not dependent on a team member remembering to follow a procedure.
A demo on your actual workflow.
A live walkthrough using real data – the capture, the coding, the approval routing – and how it sits inside the AP workflow you already run. No slideware.