At a glance:
- Generative AI makes invoice fraud easier, faster, and much more convincing.
Scammers now create plausible, targeted fake invoices and payment requests at scale.
Strengthen payment controls and always verify requests through a trusted, known channel.
Use staff training, simulations, and automation to build a resilient defence.
Invoice fraud has long been part of the risk landscape for finance professionals. But in the past 18 months, the ease with which attackers can generate convincing fakes has risen dramatically.
What was once a slow, manual deception is now fast, scalable and convincing.
And that has arrived through the same technology that is transforming some of the ways in which accountants work – artificial intelligence (AI). Specifically, it’s a product of generative AI, a type of artificial intelligence that can create text, images and video on command.
Scams are already big business. The Australian Competition and Consumer Commission said in its 2024 Targeting Scams report that it estimated 2023 scams at $2.74 billion.
Reported scams on small business totalled just $17.3 million. But the ACCC points out that many scams go unreported. And AI is now making invoice fraud much easier.
If a forged $40,000 invoice slipped through the cracks this week and was paid in full, how confident are you that you’d spot it quickly? And how confident are you that you would be able to explain the incident to an anxious client?
For firms and many of their clients, this is the uncomfortable shift that AI-generated invoice fraud is bringing. It is turning what used to be crude scams into plausible payment requests. And it is moving the risk of loss and blame directly onto finance functions and the strength of their security practices.
“Just as people can be fooled, AI can be too, so human verification must be the final step.”
Peter Wolski
Plausibility at scale
The proliferation of free and low-cost AI image-generation and deepfake software has pushed this capability firmly into the mainstream. False invoices and expense receipts can now be generated in seconds with none of the visual flaws that once made forgeries easier to spot.
Meanwhile, regulatory responses lag.
Andrew Philp is field chief information security officer for Australia and New Zealand at Trend Micro. He observes that AI “has lifted the quality and consistency of the impersonation attempts. Fraudsters can now replicate logos, layouts and tone with uncanny accuracy. As a result, we’re seeing higher hit rates, faster campaign cycles and more ‘micro-targeting’, where scams are tailored to target specific individuals or supplier relationships”.
These attempts are increasingly embedded in seemingly normal commercial activity. Attackers can generate dozens of credible scam emails in seconds, until one fits the tone of a genuine supplier or internal contact. Philp notes that deepfake audio and video are then used to reinforce the manufactured payment request. Says Philp: “By the time an employee receives a voicemail or video message from a ‘senior executive’ urging an urgent payment, the groundwork of the scam has already been done. This multi-layered approach makes the scam feel real and thus more likely to succeed.”
Protecting firms and finance teams
So how can firms and internal finance teams protect themselves in this ever-evolving digital climate? Philp suggests Australian businesses should adopt a layered approach, starting with process, strengthened with technology and supported by culture.
Trust nothing mindset
As AI removes the visual cues that once exposed forgeries, basic payment controls must be adhered to. Peter Wolski, General Manager, Reliability and Cyber Security at MYOB, recommends strengthening defences by applying multi-factor authentication wherever possible and following ACSC guidance on recognising common scam red flags.
Says Wolski: “When reviewing invoices, especially those arriving by email, teams should adopt a ‘trust nothing’ mindset: never rely on the contact details listed on the invoice itself and always verify payment requests through a known, trusted contact or channel.”
Train for discipline, not detection
Experts also told Public Accountant that disciplined processes and informed people make the difference.
Teamwide education on internal controls helps ensure that double-verification of high-risk payments is routine and that escalation paths are followed. These measures significantly narrow the space in which scammers can operate.
Philp also emphasises the value of “regular cyber-awareness simulations and staff training”, which help people recognise AI-generated manipulation when it appears. Scenario-based exercises can be particularly effective, as they force teams to rehearse decision-making in situations where complacency typically sets in. This can happen when, for example, a request looks routine, comes with implied authority or appears at an inconvenient moment.
Embrace automation
The third crucial layer of defence is technology, which, according to Philp, brings visibility, speed and confidence.
Real-time tools that flag anomalies in email behaviour, detect rogue attachments or surface suspicious patterns can buy critical time before a fake invoice is paid, helping teams “manage this risk holistically by correlating signals across email, endpoints and cloud systems – giving [them] a clearer view of threats before they cause harm.”
Wolski also advocates using AI to detect fraudulent image or PDF invoices, but cautions against using the results as definitive. “Just as people can be fooled, AI can be too, so human verification must be the final step,” he says.
Ensure any new software will slot into your existing approval routines: the value lies in what these tools surface for human review, not in running a parallel system. Providers should be able to explain how manipulation is identified, how invoice and expense data is monitored over time and how alerts are prioritised so that genuine anomalies reach your team quickly.
A proactive approach
AI may not change the nature of invoice fraud, but it certainly has removed the friction that once limited it. For firms and their clients, the advantage now lies not in spotting the perfect fake but in maintaining processes resilient enough to withstand one. As Philp notes, the right combination of measures can help “not just in detecting fraud early, but deterring it altogether”.
Interested in bolstering your strategic advisory skillset? The IPA Program is designed with that in mind. Learn more here.
