
What a Fraud Expert Wants Every Finance Leader to Know
by Hannah Khouri
Accounts payable fraud is a fast-moving, increasingly sophisticated threat that’s costing businesses real money every day. We sat down with Joaquin Lechuga, Risk & Fraud Manager at Ottimate, to get his unfiltered take on what’s changed, what’s working, and what most finance leaders still get dangerously wrong.
Why the threat is bigger — and closer — than most leaders think
Q: How has the fraud landscape changed in recent years?
The biggest shift right now across the entire fraud landscape is the speed and the scale at which fraudsters are working. Fraudsters used to rely on slow, labor-intensive schemes — physical document forgery, impersonation over the phone, things like that. Now they can spin up a convincing fake vendor identity in minutes, and this is even faster with AI, because AI removed most of the friction that used to slow them down in the first place. They can deepfake audio, generate emails that perfectly mimic the tone of a CFO’s voice, or create fake invoices that match a real vendor’s formatting down to the font they use. This is not a theoretical threat anymore. This is stuff that is happening right now.
Q: What’s driving that acceleration?
Two things. First, accounts payable processes haven’t kept up. A lot of companies are still running on the same manual workflows they had 10 years ago. That means the attack surface hasn’t changed much, so fraudsters know exactly where to look. Second, the tools available to fraudsters have become much easier to access. You don’t need to be a sophisticated criminal organization to pull off vendor impersonation. You just need access to a free AI tool, and you can compromise someone’s account in 30 minutes.
Q: What’s the biggest mindset mistake you see business leaders make?
They tend to confuse familiarity with security. There’s this thing where they know their vendors; they’ve worked with them for years, so they think, “What could really happen?” And that’s exactly the mindset that fraudsters are counting on. The longer and more routine a vendor relationship becomes, the less scrutiny there is from the company’s side to validate information. That’s when a fraudster who takes over a vendor’s email account or spoofs their domain knows that a payment request is going to land in an inbox where people are used to saying yes all the time.
The other thing I hear constantly is, “We already have approvals in place.” Well, approvals don’t mean much if the person approving doesn’t have the context to know what they’re approving. They set up a multi-step process that creates the illusion of control, but it’s not control.
Q: Walk us through the most common types of AP fraud you see.
A: There are five main categories of AP fraud. First is vendor fraud. This includes fictitious vendor creation, where someone sets up a company that doesn’t exist and starts billing you for services never rendered, and vendor impersonation, where a fraudster contacts you pretending to be a real supplier and asks for your banking details.
Second is employee fraud, where an employee with access to the AP system abuses that access. This could be submitting personal expenses as business expenses, creating payments to themselves or an account they control, or even manipulating invoice amounts before final processing.
Collusion is when the inside and outside threats work together. An employee collaborates with a vendor or someone posing as one to inflate invoices, approve payments, and split the difference. This is harder to catch because the approvals look legitimate.
Payment fraud targets the disbursement itself. Business email compromises the most common form. A fraudster can impersonate your CEO or CFO over email and instruct your AP team to process a wire transfer to a new account. This works well because it exploits trust and urgency and bypasses every system-level control you have if your team doesn’t know what to look for. Check fraud, ACH redirect schemes, and card data theft also fall into this category.
Finally, there’s procurement fraud, which happens in the buying process before an invoice is even generated. It could be kickbacks, splitting purchases to stay under purchasing thresholds, or buying from unapproved vendors. The result is overpayment, off-contract spending, or money going to vendors who were selected for the wrong reasons.
Q: What about employee fraud and internal collusion? Are there early warning signs business leaders should watch for?
It becomes more of an awareness thing because most companies, especially smaller ones that have grown over time, are run on trust. They know their employees. But there are behavioral patterns worth paying attention to. If someone is keeping everything very private — always vague about what they’re working on, lots of secrecy involved, staying late after hours when everyone else has gone, asking a lot of questions about sensitive information that doesn’t really pertain to their role — each of those things individually isn’t necessarily suspicious. But when you start seeing all of them together in one person, you need to pay extra attention. Most likely they are trying to gather insider information they can then use to conduct some kind of scheme or fraud.
Q: Are certain types of businesses more at risk than others?
Yes; high invoice volume, multiple locations, and high staff turnover. That’s the trifecta. Hospitality and restaurants are a perfect example. They usually have dozens of locations, each receiving invoices from dozens of vendors, all processed by teams that rotate constantly. No one ever has the full picture. A duplicated invoice or a modified bank account number can get lost in the noise for months. And manual processing takes an average of 14.6 days per invoice.
Q: Can you give a real-world example of how a manual process failure leads to fraud?
A CFO goes on vacation and sends a text message to one of their employees saying, essentially, “Just work on these invoices. It doesn’t matter; just approve them.” One of those invoices was for up to $75,000. The information was never verified. The employee never reached out to the vendor to confirm banking details. They just approved it and moved on. That’s the thing with manual systems. When everything falls on one person, and that person doesn’t have the full context or the time to go deeper, things like this happen. And they happen quite often.
What you can do about it
Q: Before implementing any new software, what can AP teams do right now to reduce their fraud exposure?
There are a few things every company can do on its own, without spending anything extra. First, make sure you have a secure network. If employees are working from home, set up a VPN that connects directly to the company’s network so activity can be monitored and flagged if anything is out of the ordinary.
Second, train your staff. It doesn’t have to be a custom program. There’s a lot of readily available compliance, risk, and fraud detection training on YouTube. Having staff who are properly trained to identify and mitigate basic fraud attempts goes a long way.
Third, enable two-factor authentication on all company credentials. And fourth, be extremely cautious with emails. Make sure they’re coming from trusted sources. If you’re not expecting an attachment or a link, don’t open it. Look up unfamiliar domains before you respond.
Q: What about role-based access — can companies do that on their own?
Absolutely. When it comes to accounts payable specifically, it’s extremely important. An entry-level employee can receive an invoice from a vendor; they shouldn’t be able to approve or process payment on their own. That goes to someone with the proper credentials to move through the next steps. The manager or controller decides who has which role and what each role is authorized to do. Any company can structure this internally.
Q: What can companies do to protect against vendor impersonation specifically?
The fix is actually pretty simple, and it’s something every company can do right now. Whenever you receive an email from a supplier (or someone impersonating that supplier) make sure the email is coming from a verifiable domain. It’s not going to come from a Yahoo, Outlook, or Gmail address. It takes one minute to open Google and search the email domain to verify whether it’s an actual company and whether it’s the same company that’s supposed to be sending you the invoice. And if you don’t recognize the sender, you can always call your vendor directly and ask. That’s it. One minute for the search, five minutes for the phone call, and you’re protected.
Q: What does a solid vendor verification process look like?
I’ll take this moment to give some well-deserved credit to our risk team at Ottimate, because this is what we do daily. We run what’s essentially a KYC (know your customer) verification process. We use industry-standard internal tools to review the name of the person reaching out to us, sensitive information like EIN, the registered business address, and we even run a search on the phone number to make sure it’s actually registered to someone who works at that company.
It can take up to an hour to validate all of that information. And if everything checks out except for one thing — say, the banking details — we don’t approve it. We go back to the customer and let them know that the vendor is requesting a change or adding new information that we can’t independently validate, and ask them to confirm it directly before we move forward. If a single piece doesn’t hold up, the whole thing stops until it does.
One thing I want people to know: Even though Ottimate markets itself as an automated system, there are real, highly experienced people working behind the scenes. We don’t leave everything up to automation. It’s about having experts looking at the finer details too.
Q: What is Ottimate’s Invoice Trust Scoring, and how does it work?
Invoice Trust Scoring is essentially a risk rating that gets assigned to every invoice that comes through the system. The model is looking at a combination of signals: Does this invoice match what we’d expect from this vendor based on historical patterns? Are the line items consistent with prior invoices? Does the total fall within a normal range? Has anything changed — banking details, contact information, invoice format — that wasn’t expected?
The scoring isn’t binary. It’s not “fraud” or “not fraud.” It’s a confidence level that helps route invoices appropriately. High-trust invoices move through efficiently. Invoices that score below a threshold get flagged for human review with context about what triggered the flag. That’s important — it’s not just saying “something’s wrong”; it’s showing you specifically what to look at.
How AI fits in on both sides
Q: We’ve talked about how AI is making fraud easier. How does it help organizations fight back?
AI is very good at automation, and in this industry specifically, it can do the work of a compliance analyst at scale. Let’s say a compliance team needs to validate 100 vendors. All of those records get run through an AI system that’s already been trained to understand vendor details. It goes through the analysis on its own, checks that everything fits, and if it does, it moves on to the next vendor. But if something raises a red flag, that same AI agent automatically detects it and passes it over to a human analyst to investigate.
And that’s the key point — AI handles the volume and catches what human reviewers might miss due to sheer workload, while humans handle the nuance and the judgment calls. There’s always human error when someone is doing this manually at scale, and AI removes a lot of that risk. Fraudsters use AI, yes, but so do we, and I’d say there are far more people working on the good side, constantly updating and building new algorithms to track down these types of wrongdoings.
Q: So it’s not replacing human judgment; it’s working alongside it?
Exactly. The AI handles the volume and pattern recognition. The humans handle the investigation and the decision-making. At Ottimate, there are real experts reviewing everything the AI flags. Automation doesn’t mean unattended.
What to do when fraud happens
Q: A company just discovered it’s been defrauded. What are the first steps?
First: Stop the bleeding. You may have already paid one or several invoices. If there are pending payments to the same vendor or account, put them all on hold immediately. You don’t have to understand the full scope of what happened before you stop the additional exposure.
Second: Preserve everything. Do not delete emails. Do not modify records. Do not do a cleanup. Every communication and transaction that exists has to stay exactly as it is; all of it is potential evidence. As soon as you start tidying up, you’re compromising your ability to investigate or prosecute. Keep everything intact.
Third: Notify your bank right away. If the payment went out within the last 24 to 72 hours, there’s a chance it can be recalled. Banks have fraud recovery processes, but they are extremely time-sensitive. Every hour you delay reduces your likelihood of recovering the funds.
Q: What do you wish more people understood about fraud that people outside your field often miss?
Most of it is pretty boring. There’s this mental image of fraud as a sophisticated, elaborate scheme pulled off by criminal masterminds. The reality is that the vast majority of AP fraud succeeds because of mundane, fixable failures: an email that wasn’t verified, a vendor record that wasn’t audited, a login that was shared, an approval that was clicked without being reviewed.
The sophistication of a fraud scheme is usually inversely proportional to the quality of the controls in place. Give a fraudster a target with no controls, and they don’t need to be sophisticated at all.
See what controls actually look like in practice
Joaquin and the team built Ottimate’s fraud detection around the same principles in this piece — Invoice Trust Scoring, KYC-style vendor verification, and human review behind every flag. If you want to see how that works against your current process, we’ll show you. Book a demo with our team here.