Use a multilayered approach to prevent and detect fraud in state government agencies

A fraudulent invoice sent to a state police agency exposes the challenges that state agencies often face in preventing fraud. The author recounts this case of invoice fraud to Fraud Magazine and provides strategies for state agencies to better protect themselves against such schemes. 

With all the technology that fraudsters have at their disposal these days, it might be hard to believe that a conventional billing scheme could succeed. Why attempt something so low tech when there are technologies like artificial intelligence (AI) to conduct a more complex scheme?

I thought my organization — a state law enforcement agency — would be immune from such a conventional attempt. It’s hard to imagine that someone would be bold enough to defraud the elite police force that I’m honored to be a part of. Even though the case I detail in this column involves a traditional invoice scheme and a small dollar amount, it highlights the challenges that many state agencies face as targets for fraud. According to the Association of Certified Fraud Examiners’ (ACFE) Occupational Fraud 2024: A Report to the Nations, state/provincial governments accounted for 29% of government fraud cases in the study — second only to national government organizations, which accounted for 47% of the fraud cases analyzed in the report.

While state-level government fraud might not be as plentiful as fraud at the national-government level, it can still drain public resources, undermine trust in government programs and impede the timely delivery of services. Throughout my career in state government, I’ve witnessed the evolving nature of fraud and the corresponding need for robust countermeasures. Many state agencies, which often manage vast sums of taxpayer money similar to national agencies, must implement strategies to deter fraud and ensure that legitimate payments are processed swiftly. Here, I’ll explore ways that state agencies can reduce fraud in their invoicing processes, examine how to improve verification systems and evaluate the role of both automated and traditional verification methods in achieving these goals, and balancing fraud prevention with operational efficiency.

‘B.A.G. Tactical Carrier’

It all started on a dreary Monday morning in February 2025. Rhonda (not her real name), an administrative assistant, walked into my office holding a printed invoice for something called “B.A.G. Tactical Carrier.” The price of the item — $213.97 — immediately raised a red flag for me. In law enforcement, anything labeled “tactical” usually costs at least $1,000.

Rhonda asked if I remembered approving, requesting or receiving the item. I looked closely at the invoice and noticed a couple of things. The invoice had a 2023 date, and most vendors don’t like waiting two years for a payment from a state agency. Moreover, the invoice didn’t appear to be from any of our approved vendors.

As a detective and Certified Fraud Examiner (CFE), I was galvanized by the thought of someone trying to swindle the police department. I immediately went to work, looking up the vendor in the database to verify purchase of the item. It wasn’t there. I then searched for the vendor’s website online. I found what appeared to be a legitimate site, but the information, including addresses for its headquarters and branch locations, was different from what was on the invoice.

I then searched the vendor’s site for the “B.A.G Tactical Carrier”; no such item existed. I further examined the invoice and found a police employee’s name recorded as the “purchaser.” He was a real employee, but he wasn’t assigned to my bureau, division or section. After more research, I discovered that he was a new officer who would’ve been fresh from the training academy when he supposedly purchased the item.

The invoice was well crafted and looked official with all the information you’d expect to see on a legitimate invoice. Most interestingly though, the invoice was addressed to Rhonda, who’s authorized to approve invoices not handled by the procurement office. The agency has a centralized procurement office that makes most large and repeat purchases; however, each division and section is authorized to make local, small-dollar purchases and payments. But this invoice was first sent to the procurement office for payment; procurement personnel didn’t see any inconsistencies or flag any items before sending it to my division. Since the payment request came from the procurement office, Rhonda assumed it was genuine.

A small dollar amount is still a big deal

The invoice was for less than $215. Why bother with it? Because it’s part of a bigger story. With their often cumbersome and convoluted processes, government agencies are ripe for fraud and abuse. As I considered my agency’s operations, I realized that perpetrating such a scheme wasn’t outlandish. It made perfect sense.

Thanks to Rhonda’s vigilance, we were able to intercept the invoice. When I showed her the discrepancies and remarked that it was likely fraudulent, she was dismayed that she’d almost processed it. I realized that my organization had failed, and the scope wasn’t insignificant.

Scope of the problem

The invoice made its way through the system largely because procurement staff lacked proper training to anticipate, detect and screen fraudulent invoices. The agency’s practice of forwarding invoices to divisions without a screening process primed it for this basic fraud attempt. I wondered how many other fraudulent payments passed through the system undetected.

Fraudsters exploit vulnerabilities in public-sector systems to carry out all types of billing schemes. Common schemes include submitting invoices for goods or services never delivered (phantom billing), inflating the costs of services, duplicating invoices, or impersonating legitimate vendors, as in our case. As CFEs surveyed in the 2024 Report to the Nations indicate, billing fraud accounts for a significant portion of occupational fraud cases across industries, with a median loss of $92,000 for state/provincial government entities. Billing schemes were the second most common fraud scheme for government organizations, accounting for 26% of cases in the report. Corruption is the most common government fraud scheme, accounting for 56% of cases in the report.

State agencies often have multiple departments, operate with decentralized procurement processes, and have staffing shortages, high employee turnover, and high volumes of transactions, which create gaps in oversight — and perfect opportunities for fraudsters to exploit. Pressure to process payments quickly to avoid backlogs also encourages employees to take shortcuts when verifying information.

A multilayered approach to verification processes

To reduce invoice fraud, state agencies should adopt a multilayered approach to verifying information and integrating technology, human oversight and clear policies into their systems. These three strategies may enhance verification and facilitate timely payment processing:

1. Standardize invoice submission and documentation requirements.

Fraudsters leverage inconsistent procedures to submit invoices that appear legitimate but lack critical details. A standardized process for invoice submissions encompasses the following items and procedures:

• Mandatory fields for invoices: All invoices should include vendor name, tax identification number, purchase order number, descriptions of goods/services, dates of service, and contact information for vendors and purchasers. Missing or incomplete information should trigger an automatic rejection or flag for further review.
• Electronic submission portals: Implement centralized electronic portals for invoice submissions. These portals enforce mandatory fields, automatically reject invoices that lack necessary information and provide a digital audit trail for every submission. Electronic submissions also reduce the risk of fraudulent paper invoices slipping into the system.

Standardization ensures that invoices meet a minimum threshold of legitimacy before entering the payments pipeline.

2. Enhance vendor verification and authentication.

Like my case, invoice fraud schemes often involve impersonating legitimate vendors or creating fictitious ones. State agencies can mitigate this risk by strengthening vendor verification processes.

Vendor pre-approval and ongoing monitoring: Do your due diligence before adding a vendor to the procurement system. Verify the vendor’s tax ID, business license and banking information against public records. Approved vendors should undergo periodic reverification to detect changes in ownership or banking details indicative of fraud.

Organizations should also conduct needs analyses periodically to determine whether a vendor’s services are still required. I’ve uncovered many old contracts for software and services we were still paying for but no longer using. Be wary of multiyear contracts for technology services, especially considering how quickly technology changes.

Two-factor authentication for vendor changes: Require vendors to confirm changes to payment details (e.g., bank account numbers) via a secondary method, such as a phone call or email link to a secure portal. This prevents fraudsters from redirecting payments by submitting fake change requests.

3. Implement robust internal controls.

Internal controls are the backbones of fraud-prevention programs. Prioritizing controls like segregation of duties ensures that no single employee has oversight of the entire invoicing process. For example, different employees should approve invoices and authorize payments or update vendor records. Segregating these duties can also reduce the risk of collusion with vendors and insider fraud. This fundamental fraud prevention practice might be sidelined in state agencies because of staffing shortages and budgetary constraints, but it's the best defense against fraud.

Employing AI

If your agency allows it, consider investing in AI to automate processes, save time and enhance fraud prevention and detection activities. AI analyzes vast amounts of data in real time and identifies patterns and anomalies that human auditors might miss. Many jurisdictions currently prohibit its use (including mine). Although, as more people grow comfortable using AI, governments too may acclimate and develop policies for its use to help prevent and detect fraud.

Traditional processes are still necessary

AI has significant advantages, but traditional verification methods remain vital for fraud prevention. Humans are still necessary for oversight, physical inspections and establishing protocols that complement technology-driven approaches. Here are three traditional methods that remain effective:

1. Manual reviews and sampling.

Despite AI’s efficiency, manual invoice reviews are essential for spotting nuances that technology can’t recognize. A human auditor might notice that a vendor’s invoice uses a slightly different logo or font, which could indicate impersonation. With random sampling and audits of invoices for manual review, no method of detection should stand alone.

A human’s eye for nuance and that “gut instinct” honed by years of experience can’t be replaced by technology (at least not yet). Audits should include verifying the delivery of goods or services, cross-checking invoices with purchase orders, and confirming the legitimacy of vendors. In our case, the fraudulent invoice was caught largely by happenstance. According to the 2024 Report to the Nations, only 5% of frauds reported by CFEs in the survey were detected serendipitously.

2. Employee training and awareness.

The biggest vulnerability in my organization was the lack of anti-fraud training for employees. Human error and negligence often contribute to successful fraud schemes. State government agencies must invest in regular training for employees to learn how to recognize suspicious vendor behavior, inconsistencies in documentation or pressure to expedite payments.

While employee-level training is critical, it’s necessary for agency executives to understand and prioritize fraud prevention, detection and mitigation strategies. Without executive support, training programs, systems and personnel won’t be successful.

Newly appointed executives and employees should all receive fraud training related to their roles that clarifies their specific risks and responsibilities.

3. Whistleblower protections and reporting channels.

Encouraging employees and vendors to report suspected fraud through anonymous channels uncovers schemes that might otherwise go undetected. Over the years, each iteration of the Report to the Nations has shown that tips are the most important way for organizations to detect fraud. In the 2024 report, 43% of fraud cases were detected by tips. In comparison, internal audits detected fraud in 14% of cases and management review detected 13% of fraud cases, according to CFEs surveyed in the report.

My organization had reporting mechanisms for all types of things — complaints, suggestions, employee safety concerns — but nothing specifically for reporting fraud. I was curious to learn whether anyone had ever blown the whistle on my organization, so I visited the Washington state auditor’s office and learned that in the last 25 years, not a single fraud report had been filed.

State agencies should establish clear whistleblower policies, protections and processes, and ensure that adequate ongoing training and discussions occur to promote a culture of employees reporting incidents.

A path forward

State agencies are particularly vulnerable to fraud, especially with their oftentimes byzantine procedures and staff shortages. Because of these vulnerabilities, agencies must remain vigilant and adaptable as fraud schemes evolve. By investing in the right combination of tools, training and procedures, they can safeguard taxpayer money while efficiently delivering services. The fight against fraud is ongoing, but with a strategic and balanced approach, state governments can stay one step ahead of those seeking to exploit their systems — whether the scheme is high or low tech.

In the case I detailed, we discovered that an external fraudster had been trying to scam the police agency. They made two subsequent attempts by impersonating other businesses. I hope that by recounting this case, other state agencies are encouraged to take a closer look at their programs and consider how they might be vulnerable to fraud. My organization has already taken significant steps to improve our training programs, invoice processing procedures and reporting system since discovering that fraudulent invoice. Implementing the necessary changes now can set your organization on the right path and prevent future losses.

Ryan Durbin, D.B.A., CFE, is a 20-year-plus veteran of the Washington State Patrol. He currently serves as assistant commander of the Criminal Investigation Division, overseeing major crime investigations for the agency. Contact him at ryan.adurbin@my.trident.edu.