Back to course overview
Module 4Anomaly detection 13 min

Fraud signals

The classic AP and expense fraud patterns — duplicates, splitting, ghost vendors, diverted payments — what each looks like in data, and the false-positive discipline that keeps detection humane.

Most anomalies are errors. Some are fraud — and occupational fraud runs a median 5% of revenue lost across organizations, mostly through schemes that are visible in data once someone looks at 100% instead of a sample. The classic patterns, in rough order of how often AP teams meet them:

  • Duplicate payments (fraud and innocent — the data looks identical): same vendor + amount + date-window with a mutated invoice number ('-R', '-A', transposed digits). You caught one in Module 2's lab. Mostly honest re-sends; occasionally deliberate double-submission by a vendor testing your controls. Either way, money out the door — and the check is cheap.
  • Invoice splitting: amounts clustering just under approval thresholds, same vendor, tight window. The tell is the cluster, not any single invoice — three $4,900s where one $14,700 would have needed a director's signature. Detection: band-scan under each threshold (e.g., 90-100% of limit), group by vendor, flag repeats.
  • Ghost vendors: a fabricated vendor billing for services that were never rendered — historically an insider scheme (someone with vendor-master access). Data tells: perfectly sequential invoice numbers (you're the only customer), round amounts on a regular cadence, service descriptions too vague to verify ('consulting services'), young vendor record, and — the connector — vendor details matching an employee's (address, bank account, phone). That last check is why vendor-master hygiene is a fraud control: duplicate and near-duplicate vendor records (the entity-resolution problem — Meld's home turf) are exactly the murk ghost vendors hide in.
  • Payment diversion: the vendor is real; the bank account isn't — 'please remit to our new account' via email (often a compromised vendor mailbox or lookalike domain). The problem-set invoice from Module 2 was this. The control is procedural, not statistical: bank-detail changes verify out-of-band via a known-good contact, always, no month-end exceptions — and any detail-change followed shortly by unusual invoice volume is a compound red flag.
  • Expense schemes: duplicate receipts across two reports (or two employees at the same dinner), personal spend miscategorized, mileage/per-diem padding. Individually small; the 100%-screening from Module 2 changes the economics — and the pattern across months (always 1-2 days' padding, always just under receipt-required limits) is what turns annoyance into a case.

The false-positive discipline (detection's other half)

  • Score, don't verdict. Each signal contributes to a review score; combinations escalate (young vendor + sequential invoices + round amounts ≫ any one alone). AI's language for flags: 'matches pattern X', never 'fraud' — the word is a legal event, and it belongs to investigators, not classifiers.
  • Route by asymmetry: high-score compound flags → senior review, same-day; single soft signals → weekly batch triage. The automation-course unsure-lane logic, with dollar-weighted thresholds.
  • Presume innocence in the workflow itself. Most flags are errors, quirky-but-legit vendors, or your own data quality. The disposition taxonomy makes this concrete: error / legitimate-explained / policy-violation / escalate-to-investigation — and the log of dispositions (who reviewed, what they concluded, when) is both your audit evidence and your tuning data. A detection program that treats every flag as an accusation poisons the culture that makes people report things.
When it IS fraud

The moment a flag becomes credible suspicion of intentional fraud, the analyst's job changes: stop investigating solo, preserve evidence untouched (no confronting, no tipping-off, no 'just asking' the vendor or colleague), and hand off per your escalation path (typically controller → internal audit/legal). Fraud response is a legal process with chain-of-custody rules; enthusiasm at this stage destroys cases. Your detection system's product is a well-documented handoff, not a confrontation.