Case Study: The $340k Subcontractor Fraud a Small Builder Almost Missed

The Business

A family-owned construction and project management business operating in regional Queensland. Twelve staff, primarily project management and administration, with all trade work contracted to a stable base of about 30 subcontractors. Annual revenue around $8M. The business had operated for 22 years and prided itself on long-term relationships with its subcontractor network.

The owner-operator managed supplier relationships personally and had never experienced significant fraud. Trust was earned over years. That trust, it turned out, could be exploited.

How the Fraud Began

A new project management hire, brought in to handle overflow during a busy period, began approving invoices from a subcontractor the owner had never dealt with. When asked, the PM said the entity — a concreting contractor — had been recommended by another subcontractor on site. The work was real, the quality acceptable, and payments were approved.

Over 14 months, 23 invoices were approved for this entity, totalling approximately $340,000. The PM who approved them had left the business by month 11. Nobody else had visibility of the ongoing relationship.

The fraud surfaced during a routine end-of-year accounts review. The bookkeeper noticed the entity had never been formally onboarded — no contract, no insurance certificates, no bank account verification form. The ABN was looked up for the first time. It had been registered 16 months ago.

What a Gumshoe Check Would Have Shown

Running the entity through Gumshoe's verification at the time the first invoice was approved would have produced the following results:

• ABN check: WARN — ABN registered 2 months prior to first invoice. Less than 6 months old, automatic escalation trigger.
• Web presence: FAIL — No website found across 10 domain candidates. For a concreting contractor billing at this volume, no web presence is anomalous.
• WHOIS/domain: WARN — No domain to check, which in context compounds the web finding.
• Email infrastructure: WARN — All invoices sent from a free Gmail address. No business email domain, no MX records to verify.
• Address: WARN — Registered address a residential postcode. While not unusual for sole traders, combined with other signals, significant.
• Overall assurance score: 41% — Verify Further band. Below the 60% threshold that would trigger dual-approval under even a basic policy.

The assurance score of 41% would not have automatically stopped the payment. But it would have required a second pair of eyes — specifically the owner's eyes. And the owner would have made a phone call.

What Actually Happened

Investigation by the company's accountant and, later, Queensland Police, determined that the concreting entity had been set up by the PM's partner, operating under a different surname. Approximately 60% of the invoiced work had been performed by a legitimate labourer paid cash in hand; the remaining 40% was for work that had either been double-invoiced against another subcontractor or fabricated entirely.

Recovery was partial. The PM had no assets to pursue. The insurance claim was complicated by the fact that the business had no formal supplier onboarding process — the insurer's position was that the absence of basic controls contributed to the loss. A settlement was eventually reached, but the legal costs consumed much of the recovery.

The Process That Changed Everything

Following the incident, the business implemented a simple rule: every new subcontractor must be verified before the first invoice is approved. The owner runs the Gumshoe check personally for anyone new. The report takes about 40 seconds to generate. It is saved to the project file.

The owner described the shift: "I've been in this industry 30 years. I know most of the people I work with. But I don't know their business. I don't know if their ABN is real, if their company is registered, if they've got a website. I used to just trust people. Now I verify them. It's not distrust — it's just good business."

In the 18 months since implementation, two new subcontractors have been flagged with WARN status. One was a legitimate business with a very young ABN — the owner called, confirmed the story, and proceeded with a smaller initial engagement. The other had a cancelled ABN they weren't aware of. They fixed it before any invoices were raised.

Lessons for Small Businesses

Small businesses are disproportionately targeted in supplier fraud because their controls are lighter, approval authorities are less structured, and personal trust substitutes for formal process. A few principles that emerge from this case:

• The first invoice is the highest-risk moment — by the time fraud is entrenched, detection is expensive. Verification at onboarding is prevention; verification after loss is recovery.
• A free email address is not automatically disqualifying — many legitimate sole traders use Gmail. But in combination with a young ABN and no web presence, it is a compounding signal that demands a phone call.
• No formal process means no insurance defense — the absence of documented verification procedures affected the insurance outcome. A saved Gumshoe report is documentation.
• The cost of verification is trivial relative to the cost of one fraud — a single event like this one costs more in legal fees alone than years of verification would cost.

Supplier fraud in construction is not rare. It is systematic, it targets the onboarding moment, and it exploits the trust that makes the industry function. The defence is not paranoia — it is a 40-second check before the first payment is approved.