When we think of corporate theft, we often picture sophisticated cyberattacks or dramatic embezzlement schemes. However, the reality is usually much more mundane—and often happens right inside your ERP system.
According to the Association of Certified Fraud Examiners (ACFE), billing schemes are among the most common and costly forms of occupational fraud. At the top of that list is the infamous “Ghost Vendor” scam.
It is a quiet, highly effective crime that thrives in the blind spots of your internal controls. Here is a look at how the scam works, why it happens, and how proper Segregation of Duties (SoD) can stop it in its tracks.
What is a Ghost Vendor?
A ghost vendor is a fake company set up by a dishonest employee within your organization’s purchasing or finance system. This “company” doesn’t provide any actual goods or services. Its sole purpose is to receive payments from your organization.
Because the payments often look like routine operational expenses—such as consulting fees, office supplies, or maintenance services—they can go unnoticed for years.
How the Scam Works
The execution of a ghost vendor scheme usually follows three simple steps:
- The Setup: An employee creates a new vendor profile in the ERP system (e.g., Infor LN, SAP). The vendor details often include a PO Box, or even the employee’s own home address or a relative’s bank account.
- The Invoicing: The employee generates fake invoices from the ghost vendor and submits them to the Accounts Payable (AP) department.
- The Payment: Because the vendor exists in the official system, the invoice is processed, approved, and paid. The funds are routed directly into the fraudster’s pocket.
The Root Cause: A Breakdown in Segregation of Duties
A ghost vendor scam rarely succeeds because the fraudster is a mastermind; it succeeds because of a fundamental flaw in the company’s internal controls. Specifically, it happens due to a lack of Segregation of Duties (SoD).
In a well-designed control environment, no single person should have control over an entire transaction process. The “Toxic Combination” that enables a ghost vendor scheme looks like this:
Access to Vendor Master Data + Access to Accounts Payable / Invoice Entry
If the person who has the authority to create or alter vendor banking details is the same person who can enter or approve invoices, you have a critical security risk. They can create the fake vendor, generate the fake invoice, and push the payment through without any independent oversight.
4 Red Flags in Your ERP Data
If you are worried that your organization might be vulnerable, auditing your ERP data can reveal potential ghost vendors. Look for these warning signs:
- Address Matches: Vendor addresses that match the home addresses of current employees.
- PO Box Only: Vendors that only use a P.O. Box with no physical business address.
- Missing Details: Vendor profiles lacking standard documentation, such as tax ID numbers, phone numbers, or contact names.
- Sequential Invoices: If a vendor submits invoice #1001, followed a month later by #1002, it likely means your company is their only customer.
How to Protect Your Organization
Stopping the ghost vendor scam requires shifting from a reactive approach (hunting for fraud after the money is gone) to a proactive approach (preventing the fraud from happening in the first place).
1. Enforce Strict Segregation of Duties (SoD)
The most critical step is drawing a hard line between Master Data management and Accounts Payable. The team that sets up and edits vendors must be completely separate from the team that processes invoices and executes payments.
2. Implement a Vendor Approval Workflow
Even if Master Data is segregated, new vendors should require a secondary review. An independent manager should verify the vendor's tax documents and confirm that it physically exists before the vendor is made active in the ERP.
3. Automate Your Compliance Monitoring
In complex ERP environments like Infor LN, managing user roles manually via spreadsheets is nearly impossible. Employees change roles, cover for colleagues on vacation, and accumulate “super user” access over time.
An automated compliance solution can scan your ERP roles for toxic combinations on a schedule and flag any user who currently holds both Master Data and AP access, so you can remediate the conflict before it is exploited.
Don’t Pay for What You Don’t Get
The ghost vendor scam is a classic example of why compliance is not just about passing audits—it’s about protecting your bottom line. By tightening your Segregation of Duties and relying on automated monitoring, you can ensure that every dollar leaving your accounts payable department is going to a legitimate business partner.
Want to see if your ERP roles contain the “Toxic Combinations” that lead to fraud? Contact Dynaflow Compliance Solutions today to learn how our automated SoD tools can secure your environment.

