8 Red Flags Your Accounts Payable Team Is Missing Every Day
Most AP fraud succeeds not because it is clever, but because it exploits gaps in manual verification processes that nobody has had time to fix. These eight signals are the ones most commonly overlooked.
The Signals Are There — They Are Just Hard to See at Volume
Experienced accounts payable professionals can often articulate, after the fact, what felt off about a fraudulent invoice. The email arrived from a slightly unusual domain. The banking details changed but nobody called to confirm. The ABN was active but the business had no web presence. These signals were there — but processing 200 invoices a week by hand makes it genuinely difficult to catch them consistently.
These are the eight red flags that appear most frequently in post-fraud investigations — and that a structured verification process catches before payment is made.
1. A Domain Registered in the Last Six Months
The vast majority of legitimate suppliers have been operating for more than six months and have a domain that reflects this. Fraudulent supplier setups almost always use recently registered domains — because the fraudster only needs the domain to last long enough to collect one payment. Checking domain age via WHOIS or RDAP takes seconds and is one of the highest-signal checks available.
Note that absence of a domain registration date can itself be a signal: Australian .au domain registrations are managed by auDA, which does not expose registration dates through RDAP. In this case, certificate transparency logs (crt.sh) provide an independently verifiable proxy for domain age — the date of the first SSL certificate issued for the domain.
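The two-step domain-age check described above, as an added example that is not part of the original article or of any product it mentions. The RDAP and crt.sh responses are constructed samples embedded inline (real lookups would fetch the RDAP record for the domain and the JSON listing from crt.sh), and the review date is a fixed constructed "today":

```python
"""Red flag 1: date a supplier domain from RDAP, falling back to certificate
transparency when the registry (e.g. auDA for .au) withholds the date."""
from datetime import datetime, timezone

# Constructed sample responses, not real lookups: a .com RDAP record, a .au
# RDAP record with no "registration" event, and crt.sh-style JSON for the .au.
RDAP_COM = {"events": [
    {"eventAction": "registration", "eventDate": "2025-11-03T00:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2025-11-03T09:12:05Z"},
]}
RDAP_AU = {"events": [{"eventAction": "last changed", "eventDate": "2026-01-10T00:00:00Z"}]}
CRTSH_AU = [
    {"not_before": "2024-02-14T08:00:00", "issuer_name": "C=US, O=Let's Encrypt"},
    {"not_before": "2023-05-01T00:00:00", "issuer_name": "C=US, O=Let's Encrypt"},
]
REVIEW_DATE = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed "today"

def _parse(ts):
    # RDAP dates are RFC 3339 with a trailing Z; crt.sh dates carry no zone.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).replace(tzinfo=timezone.utc)

def rdap_registration_date(rdap):
    """The 'registration' event date, or None when the registry omits it."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "registration":
            return _parse(ev["eventDate"])
    return None

def first_certificate_date(crtsh):
    """Earliest not_before across the CT log entries returned for the domain."""
    dates = [_parse(c["not_before"]) for c in crtsh if c.get("not_before")]
    return min(dates) if dates else None

def domain_age_days(rdap, crtsh, now=REVIEW_DATE):
    """(age in days, evidence source). RDAP wins; CT first-seen is the proxy."""
    reg = rdap_registration_date(rdap)
    if reg is not None:
        return (now - reg).days, "rdap"
    first = first_certificate_date(crtsh)
    if first is not None:
        return (now - first).days, "crt.sh"
    return None, "unknown"

def young_domain_flag(age_days, threshold_days=180):
    """Flag domains under six months old; an undatable domain is also flagged."""
    return age_days is None or age_days < threshold_days
```

A domain that can be dated by neither source is flagged rather than passed, since "no evidence of age" is the case a fraudster's throwaway domain produces.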
2. No DMARC Record on the Sending Domain
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS record that tells receiving mail servers what to do with emails that fail authentication checks. A domain with no DMARC record — or with DMARC set to p=none — can be spoofed by anyone. Fraudulent invoices very frequently originate from domains with no DMARC enforcement, because the fraudster is spoofing a domain they do not control.
Checking for DMARC is a two-second DNS query. It does not require any special tool or access. Yet it is almost never part of a manual AP verification process.
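An added example of the DMARC check, written for this article and not taken from it or from any product it mentions. The sample records are constructed; the `fetch_dmarc` helper is an assumed live-lookup wrapper around dnspython and is not exercised by the samples:

```python
"""Red flag 2: classify a supplier domain's DMARC posture from its _dmarc TXT record."""

# Constructed sample records keyed by domain; None means no _dmarc TXT exists.
SAMPLE_RECORDS = {
    "supplier-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@supplier-a.example",
    "supplier-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@supplier-b.example",
    "supplier-c.example": None,
    "supplier-d.example": "v=spf1 include:_spf.example -all",  # SPF text at _dmarc
    "supplier-e.example": "v=DMARC1; p=quarantine; pct=0",
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict; None if not a DMARC record."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def dmarc_posture(record):
    """One of 'missing', 'invalid', 'none', 'quarantine', 'reject'."""
    if not record:
        return "missing"
    tags = parse_dmarc(record)
    policy = (tags or {}).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"  # 'p' is mandatory; receivers ignore a record without it
    # pct=0 applies the policy to no messages, which is equivalent to p=none.
    if tags.get("pct", "100").strip() == "0":
        return "none"
    return policy

def dmarc_red_flag(record):
    """True unless receivers are told to quarantine or reject unauthenticated mail."""
    return dmarc_posture(record) not in ("quarantine", "reject")

def fetch_dmarc(domain):
    """Live lookup of _dmarc.<domain> TXT (needs dnspython; not used by the samples)."""
    import dns.resolver  # third-party: pip install dnspython
    try:
        answer = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None
    for rdata in answer:
        text = "".join(s.decode() for s in rdata.strings)
        if text.lower().startswith("v=dmarc1"):
            return text
    return None
```

Note that a record that exists but is malformed, or that sets `pct=0`, gives receivers no more protection than no record at all, so the flag treats those cases the same as a missing record.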
3. An ABN Registered Less Than Six Months Ago
A supplier onboarding you for the first time with an ABN that is less than six months old is not automatically fraudulent — new businesses are legitimate businesses. But it is a meaningful risk indicator that warrants additional scrutiny: a phone call to verify banking details, a request for references, or simply a decision to delay the first payment until the relationship is better established.
The ABR shows the date an ABN became active. This check takes five seconds and is not universally performed.
4. Banking Details That Changed by Email
Payment redirection fraud almost always involves a request to update banking details. The request arrives by email — sometimes from the supplier's legitimate account after a compromise, sometimes from a lookalike domain. Without a call-back verification process using a phone number you already hold (not one provided in the email), you cannot distinguish between a legitimate banking change and an attempt to redirect your payment.
This is process rather than technology — but automated verification can flag when a supplier's domain lacks the email authentication records that would make impersonation difficult.
5. A Domain Listed in Threat Intelligence Databases
Spamhaus, SURBL, URIBL, and OpenPhish maintain continuously updated lists of domains associated with spam, phishing, and malware distribution. A supplier domain that appears on any of these lists is a serious red flag — it indicates that the domain has been used for malicious activity, that it has been reported by multiple independent sources, and that it has not been remediated.
These are free, DNS-based checks that take milliseconds to perform. They are never part of a manual supplier verification process because most AP teams do not know they exist.
6. An ASIC Deregistration Date That Post-dates the ABN Registration
A company can be deregistered by ASIC — meaning it no longer legally exists as a company — while its ABN remains active in the Australian Business Register for a period. Paying an invoice from a deregistered company has legal implications: the company cannot enter contracts, cannot sue or be sued, and any payment made to it may be unrecoverable.
Cross-referencing the ABR record against the ASIC register catches this. Doing it manually requires looking up two separate government websites. Gumshoe does it automatically as part of the address check.
7. A Website With No HTTPS
A legitimate operating business in 2026 will almost universally have a website secured with HTTPS. A supplier whose website runs on plain HTTP — or who has no website at all — is not automatically fraudulent, but it is an indicator worth noting. Combined with other signals (young domain, no DMARC, no GST registration), it contributes to a risk picture that should trigger additional scrutiny.
8. A State/Postcode Mismatch in the ABR Record
Australian postcodes map reliably to states and territories. A Victorian postcode does not overlap with New South Wales ranges; an ACT postcode does not appear in Queensland. An ABN where the registered state does not match the registered postcode indicates either a data entry error at registration time or a deliberate fabrication using a real ABN number. Either way, it warrants investigation before payment.
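The state/postcode consistency check as an added example, not code from the article or from any product it mentions. The postcode-to-state table is the commonly published Australia Post allocation and is an assumption to be confirmed against the current list; the ABR records are constructed samples with placeholder ABNs:

```python
"""Red flag 8: check that an ABR record's state matches its postcode range."""

# Assumed allocation of four-digit postcodes to states/territories (commonly
# published ranges; verify against the current Australia Post list before use).
# Note the ACT blocks sit inside the NSW 2xxx range, and 0200-0299 / 1000-1999
# are PO box and large-volume allocations rather than street addresses.
POSTCODE_RANGES = [
    ("ACT", 200, 299),
    ("NT", 800, 999),
    ("NSW", 1000, 2599),
    ("ACT", 2600, 2618),
    ("NSW", 2619, 2899),
    ("ACT", 2900, 2920),
    ("NSW", 2921, 2999),
    ("VIC", 3000, 3999),
    ("QLD", 4000, 4999),
    ("SA", 5000, 5999),
    ("WA", 6000, 6999),
    ("TAS", 7000, 7999),
    ("VIC", 8000, 8999),
    ("QLD", 9000, 9999),
]

# Constructed ABR-style records with placeholder ABNs (not real registrations).
SAMPLE_ABR = [
    {"abn": "00 000 000 000", "state": "VIC", "postcode": "3000"},  # consistent
    {"abn": "00 000 000 001", "state": "NSW", "postcode": "3000"},  # VIC postcode
    {"abn": "00 000 000 002", "state": "ACT", "postcode": "2600"},  # consistent
    {"abn": "00 000 000 003", "state": "QLD", "postcode": 800},     # NT, zero dropped
]

def postcode_state(postcode):
    """State/territory a postcode is allocated to, or None if unallocated/malformed."""
    code = str(postcode).strip().zfill(4)  # exports often drop the leading zero of NT/ACT codes
    if not code.isdigit() or len(code) != 4:
        return None
    number = int(code)
    for state, low, high in POSTCODE_RANGES:
        if low <= number <= high:
            return state
    return None

def abr_state_postcode_mismatch(abr_record):
    """True when the ABR 'state' does not match the state implied by 'postcode'.
    An unallocated or malformed postcode also counts as a mismatch."""
    expected = postcode_state(abr_record.get("postcode", ""))
    actual = str(abr_record.get("state", "")).strip().upper()
    return expected is None or expected != actual
```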
Why These Checks Are So Rarely Performed
Every AP professional reading this list recognises these signals. They are not obscure or technical — they are the things an experienced person would check if they had unlimited time. The problem is that unlimited time is not a resource any accounts team has.
Checking all eight of these signals manually for a single supplier takes approximately 20 to 40 minutes. At volume — onboarding multiple new suppliers a week, processing banking detail changes, reviewing recurring vendor relationships — that time simply is not available.
Automated verification runs all eight checks simultaneously in under 60 seconds and produces a timestamped, auditable record. It does not replace human judgement — it gives human judgement better information to work with.