Construction Payment Fraud: Red Flags, Common Schemes, and the Controls That Stop Them
- What is construction payment fraud, and why is construction so exposed?
- What are the most common construction payment fraud schemes?
- What are the red flags of contractor and vendor fraud?
- What controls stop construction payment fraud?
- How does Corpay help construction firms prevent payment fraud?
- Protect construction payments from fraud with Corpay
Construction payment fraud is any scheme that diverts, inflates, or fabricates payments moving through a contractor's accounts payable, from fake subcontractors and duplicate invoices to a spoofed email that redirects a six-figure wire. The exposure is structural. Subcontractor rosters run long and churn constantly, progress payments dwarf what most industries move in a month, and every project layers change orders and retainage on top of several parallel payment rails. A fraudster has more places to work here than almost anywhere else.
The numbers say this isn't a niche worry. In AFP's 2025 Payments Fraud and Control Survey, 79% of organizations reported attempted or actual payments fraud in 2024. Business email compromise alone drove $2.77 billion in reported losses across 21,442 complaints that year, per the FBI Internet Crime Complaint Center's 2024 annual report. What should worry contractors is where the money goes missing. Most of it doesn't disappear inside the construction ERP. It disappears at the payment-execution layer — vendor banking records, wire release, check printing — the steps the ERP was never built to police.
Key Takeaways
Construction payment fraud concentrates where the ERP's controls end. The ledger and approval workflow are usually governed; vendor banking data, wire release, and check stock usually aren't.
The costliest schemes are business email compromise and vendor bank-change fraud, and both defeat approval workflows by attacking payment instructions after the invoice is already approved.
Fake subcontractors, duplicate invoices, inflated change orders, and retainage manipulation all hide behind the same cover, which is high invoice volume spread across decentralized project approvals.
Every scheme has a matching control, and most of the controls are procedural rather than expensive, starting with segregation of duties and out-of-band vendor verification.
Checks remain the most-defrauded payment method, so replacing them with single-use virtual cards removes the exposure instead of just monitoring it.
An immutable audit trail doesn't prevent the first fraudulent payment, but it's the difference between catching a scheme in week two and discovering it at year-end.
What is construction payment fraud, and why is construction so exposed?
Construction payment fraud is the fraudulent diversion, inflation, or fabrication of AP payments at a construction firm, and it comes in three flavors: external (a fraudster impersonating a subcontractor), internal (an employee routing company money to themselves), and collusive (an insider working with a vendor). The definition is ordinary. What makes construction different is how much surface area the business model hands to all three.
Consider what a mid-sized general contractor's AP desk is managing in any given week:
Subcontractor rosters that run to hundreds of active vendors, with new subs and suppliers added every season
Progress payments large enough that a single redirected wire funds a fraud operation for a quarter
Change orders that legitimately alter contract value mid-project, which gives fabricated ones something to hide behind
Retainage balances that sit untouched for months and then release in lumps nobody re-verifies
Four or five payment rails running in parallel: check, ACH, wire, card, and often an owner's payment portal
Approval authority spread across project managers, superintendents, and office staff who rarely get payroll-level scrutiny
The dollars track the theory. The Association of Certified Fraud Examiners' 2024 Report to the Nations puts the median occupational fraud loss at $145,000 across all industries, while construction cases run a median of $250,000, among the highest of any sector the study covers. Fraud examiners will tell you the gap comes down to transaction size. When your routine payments are five and six figures, one successful scheme does the damage of ten in a smaller-ticket industry.
The losses that sting most are the preventable ones. In one r/Accounting post-mortem that made the rounds, an AP specialist wired $475,000 to the wrong vendor because the payment template matched a similar-looking vendor name, and the approving manager missed it for the same reason. Nobody in that chain was a criminal. The controls were simply thin enough that one lookalike name beat two sets of eyes, and a fraudster who studies vendor rosters engineers exactly that situation on purpose. Construction shares most of this anatomy with every other back office, and the horizontal mechanics are cataloged in the definitive guide to AP fraud, but the schemes below take a distinctly construction shape.
Where do a construction firm's existing controls usually stop?
Most contractors' controls stop at the ERP boundary. Job costing, invoice coding, and approval routing are governed inside the system; vendor banking data, payment release, and check stock live in whatever the bank portal and the office manager's process happen to be. That split is worth seeing plainly, because it explains why firms with clean audits still lose wires.
Control layer | What the construction ERP typically governs | Where payment fraud gets through |
Vendor master | Vendor codes, 1099 status, insurance tracking | Banking details changed by email request and never verified by callback |
Invoice approval | Coding to cost codes, PM sign-off, threshold routing | Duplicate or inflated invoices approved because volume buries comparison |
Change orders | Contract value updates, budget revisions | Fabricated change orders entered with real-looking documentation |
Payment release | Payment batch creation | Wire instructions edited after approval; checks printed and altered |
Reconciliation | GL posting, job cost reports | Diverted payments surfacing weeks later, after recovery windows close |
The ERP-versus-payment-layer split on a typical contractor's AP operation.
Swap the system name and the boundary barely moves. Whether the back office runs CMiC, Sage 300 CRE, Viewpoint Vista, or Acumatica Construction, the ledger side is controlled and the execution side mostly isn't, which is the same gap Sage Intacct users face with payment fraud in the horizontal AP world. The ERP is doing its job. Its job just ends earlier than most controllers assume.
What are the most common construction payment fraud schemes?
Nine schemes account for most construction payment fraud losses. Three of them are universal AP attacks that hit every industry, and six exploit mechanics specific to construction, which is why generic fraud training tends to miss them.
Fake or shell subcontractor fraud. A fabricated vendor gets added to the master file, sometimes by an outside fraudster with forged W-9s and sometimes by an insider, then bills for work never performed. Long rosters and seasonal churn make one more sub invisible, and payments can run for months before anyone asks which jobsite the vendor was on.
Duplicate and inflated invoices. The same invoice arrives twice, once by email and once through a portal, or quantities and unit rates get padded a few percent at a time. An AP desk drowning in subcontractor invoices, a complaint that shows up verbatim in contractor forums, is exactly the desk that pays both copies.
Change-order fraud. Inflated or fabricated change orders get inserted into progress billing, often with plausible scope language and a forged or rushed PM signature. Because legitimate change orders genuinely do alter contract value mid-stream, the fake ones ride the same rail and rarely get re-bid or re-verified.
Over-billing on progress payments. On percentage-of-completion jobs, a sub bills ahead of the work in place, banking on the schedule of values being front-loaded and the field verification being casual. If the sub later stalls or goes insolvent, the GC has paid for work that doesn't exist.
Mechanic's lien and fake-lien fraud. False or inflated lien claims get filed, or threatened, to extract payment the claimant hasn't earned, because owners and lenders pressure GCs to clear title fast. Waiver discipline is the paper defense here; the conditional-versus-unconditional mechanics covered in construction lien waivers determine whether a false claim is arguable or already released.
Business email compromise and vendor bank-change fraud. A fraudster spoofs or takes over a subcontractor's email account, waits for a large payment to come due, then sends updated wire instructions. The social engineering behind these attacks is patient and well-researched; the request references the real project, the real invoice, and the real people.
Check fraud. Checks remain the payment method most often hit, with 63% of organizations reporting check fraud in the same AFP survey, and construction still writes a lot of them. Stolen, altered, and counterfeit checks all exploit the same weakness, a static account number printed on paper, which is why the rise of check fraud keeps outpacing the industry's slow migration off the rail.
Prevailing-wage and certified-payroll fraud. On public works, falsified payroll records claim prevailing wages that were never paid, or ghost employees appear on certified reports. The GC carries exposure for subs' violations on many contracts, and the penalty menu runs from back wages to debarment.
Retainage manipulation. Held retainage gets released early without the required sign-offs, released to the wrong party, or quietly diverted, and because retainage sits on the books for months, nobody is watching the balance closely week to week.
The mix shifts with the work. Public-works contractors see more payroll fraud, private GCs see more change-order and lien games, and BEC hits everyone with an email domain and a wire limit.
What are the red flags of contractor and vendor fraud?
The red flags of contractor and vendor fraud are mostly process anomalies rather than forged documents. A request arrives through the wrong channel, a document skips a step, or a vendor doesn't quite check out. Individually each one has an innocent explanation. Two together deserve a phone call.
A vendor bank-account change requested by email, especially in the week before a large progress payment.
A new subcontractor with no verifiable history, meaning no license record, no insurance certificate, and no jobsite anyone remembers, added just before a payment run.
Invoices that sit just under an approval threshold, or round-number invoices with no backup attached.
Duplicate invoice numbers, or identical amounts billed by vendors with similar-looking names.
Change orders without documentation or PM sign-off, particularly ones dated near a billing cutoff.
Pressure to expedite a wire outside the normal process, usually framed as the sub needing money today to hold a crew.
One person controlling vendor setup, invoice approval, and payment release, with no second set of eyes anywhere in the chain.
Most of these surface in email first, and the tells repeat across cases. Reply-to domains sit one character off, the urgency feels manufactured, and the sender firmly prefers to keep everything in writing. The catalog of fraud email patterns that compromise back offices is worth an hour of AP training time on its own. When we run post-mortems with contractors after a near-miss, the story is rarely a sophisticated forgery. It's a Thursday-afternoon bank-change email, a PM who vouched for it because the project name was right, and an AP specialist with forty invoices still to key.
Protect cash flow on every project
Modernize AP to cut costs, speed approvals, and reduce payment risk — with the real-time visibility construction finance teams need to scale without adding headcount.
Download the whitepaperWhat controls stop construction payment fraud?
Eight controls stop the large majority of construction payment fraud, and none of them requires replacing the ERP. They live in the payment-execution layer, which is where the losses actually happen.
Segregation of duties. Separate vendor setup, invoice approval, and payment release so no single person controls the full chain. This is the control every fraud examiner checks first, because most internal schemes depend on its absence.
Dual approval and payment-batch review. Set thresholds so high-dollar payments, new-vendor payments, and change-order-driven payments always get a second reviewer, and review the batch before release rather than after. A second reviewer looking at the batch level is also the person who catches the lookalike-vendor template error before the wire leaves.
Vendor verification and validated banking. Verify every new vendor and every banking change out-of-band, by calling a number from the original contract file, never one supplied in the email making the request. One controller, writing after a near-miss, put the requirement plainly: "Something needs to change with templates, either a unique vendor ID match, or a second step in the verification process."
Virtual cards. Replace check and ACH payments with card numbers that work once, locked to an amount and payee, so intercepted payment credentials are worthless. This is the one control that removes exposure structurally instead of monitoring for it.
Duplicate-invoice detection. Automated matching flags exact repeats and near-duplicates, the same amount from a slightly different vendor name, that a busy desk will miss. It's one of the four ways automated invoice processing reduces payment fraud, and probably the fastest to show results on a high-volume construction ledger.
Immutable audit trail. Log every capture, approval, edit, and payment in a record nobody can alter after the fact. This won't stop the first bad payment, but it collapses detection time and makes the scheme provable, which matters for both recovery and insurance.
Positive pay on remaining checks. Your bank matches every presented check against the issue file and rejects what doesn't match. Most treasury teams already run it; the discipline is keeping the issue file current and reviewing the exceptions instead of auto-releasing them.
Payment-rail consolidation. Run payments through one controlled system instead of a scatter of bank portals and owner platforms. One VP of accounting described the failure mode from the inside: "We pay vendors several different ways, and different approval routing for different payment methods can interfere with each other." Every extra rail is another approval path a fraudster can probe, and ACH in particular has its own hygiene checklist, covered in preventing ACH credit fraud.
Each control maps to at least one scheme, and the pairing is worth pinning to the wall next to the AP desk.
Scheme | Primary control | Backstop |
Fake or shell subcontractor | Vendor verification at onboarding | Segregation of duties |
Duplicate or inflated invoices | Duplicate-invoice detection | Payment-batch review |
Change-order fraud | Dual approval on CO-driven payments | Audit trail |
Progress over-billing | Field verification against pay app | Dual approval |
Lien and fake-lien claims | Waiver discipline per payment | Audit trail |
BEC and bank-change fraud | Out-of-band verification | Validated banking |
Check fraud | Virtual cards replacing checks | Positive pay |
Certified-payroll fraud | Sub payroll compliance review | Audit trail |
Retainage manipulation | Release sign-offs and aging review | Audit trail |
Scheme-to-control map for a construction AP operation.
How does segregation of duties reduce AP fraud?
Segregation of duties removes the single point of control that most AP fraud depends on, because the person who can create a vendor, approve its invoice, and release its payment can steal without tripping any system alert. Split those three powers across three people and an internal scheme suddenly requires a conspiracy, which is harder to start and much harder to sustain.
The honest objection is headcount. A $30M specialty contractor might have two people in the office who touch AP, and a textbook three-way split isn't happening. The workable version is compensating review, where the owner or CFO gets a monthly vendor-master change report showing every new vendor and every banking edit, and someone outside AP reconciles payments to approvals. Anecdotally, that one report kills more schemes than any software purchase, because the person most likely to commit internal fraud knows it exists.
How do virtual cards structurally prevent payment fraud?
A virtual card is a single-use card number generated for one payment, locked to the amount and the payee, so a stolen or intercepted number is worthless by design. Compare that with the alternatives on the table. A check carries your live account and routing number on every piece of paper. An ACH credit depends on the banking details in your vendor master being honest. A virtual card carries neither; once it's used for the approved amount, it's dead.
That's a different kind of protection than monitoring. Fraud alerts and bank recalls try to catch bad payments in flight, and automation and virtual cards work together precisely because the card removes the credential a fraudster needs while the workflow removes the manual touchpoints where instructions get swapped. Suppliers that accept card also get paid faster, which makes enrollment an easier conversation with subs than most controllers expect.
How do you stop vendor bank-change (BEC) fraud?
You stop vendor bank-change fraud by making email an insufficient channel for changing payment instructions, full stop. Every banking change gets verified by callback, on a phone number pulled from the original contract or a prior verified record, before the next payment runs. No exceptions for urgency, and urgency should raise suspicion rather than lower the bar.
The cases that end badly skip exactly that step. In another r/Accounting account of a $188,000 loss, the writer's summary was blunt: "The original vendor email was hacked... Asset Management didn't voice verify the updated wire information." Everything else in that company's process worked, and none of it mattered, because the one control that addresses BEC wasn't in the chain. A callback protocol costs nothing to run. The harder version, and the one that scales past a few hundred vendors, is validated banking, where account changes are verified against bank-account ownership data and held in a managed vendor file that AP staff can't casually edit under pressure from a convincing email.
How does Corpay help construction firms prevent payment fraud?
Corpay closes the gap between approval and money movement by pulling subcontractor payments, approvals, and payment records into one controlled and auditable system, instead of leaving them scattered across bank portals, check runs, and whoever answers the vendor's email. That consolidation is the fraud story behind the broader construction payment management approach, which comes down to fewer rails, fewer hand-offs, and one place where every payment decision is recorded.
The specific controls line up with the list above. Corpay's AP automation enforces configurable dual approval, flags duplicate and near-duplicate invoices before payment, and writes an un-editable audit trail from invoice capture through settlement. Virtual cards replace check and ACH exposure with amount-locked numbers that die after one payment, and eligible card spend generates rebate income, which has the pleasant effect of making the safest payment method the one that pays you back. Managed supplier enablement handles vendor onboarding and banking validation, so a request to update payment details goes through verification by people whose whole job is spotting the fake ones, not through a busy AP inbox.
For a controller weighing the security posture, the attestations hold up under audit scrutiny. Corpay is SOC 2 Type II compliant, and PCI DSS applies to card and virtual-card handling. The point isn't the certificates themselves. It's that the payment layer, the part of the fraud surface the ERP doesn't govern, ends up with controls at least as strict as the ledger's.
Protect construction payments from fraud with Corpay
All nine schemes lean on the same weakness, a payment operation that runs on manual process and trust. Take that away and most of them stop being practical. Corpay gives construction finance teams the pieces to do it:
One auditable system for subcontractor payments, approvals, and records, with configurable dual approval and payment-batch review
Virtual cards locked to one payment and one amount, with rebate income on eligible spend
Managed supplier enablement with validated banking, so an emailed change of payment details never reaches a wire run unverified
Duplicate-invoice detection and automated matching built into Corpay's AP automation
Construction ERP connections, including CMiC, Computer Guidance, Sage 300 CRE, and Acumatica Construction, among 180+ supported integrations
The platform runs payments for 800,000+ businesses as the #1 commercial Mastercard issuer in North America, per Corpay's corporate fact sheet, and it complements the construction ERP rather than replacing it. See how Corpay layers fraud controls onto the ERP you already run, and what your check volume is costing you in exposure.
Frequently Asked Questions
What counts as construction payment fraud?
Any scheme that diverts, inflates, or fabricates payments in a construction firm's AP counts, including fake subcontractors, duplicate or padded invoices, change-order fraud, progress over-billing, lien fraud, business email compromise that redirects wires, check fraud, certified-payroll fraud, and retainage manipulation. It can be committed by outsiders, insiders, or the two working together.
What are the most common construction fraud schemes?
Nine schemes cover most losses. They are fake or shell subcontractors, duplicate and inflated invoices, change-order fraud, over-billing on progress payments, mechanic's lien fraud, business email compromise and bank-change fraud, check fraud, prevailing-wage and certified-payroll fraud, and retainage manipulation. BEC and check fraud produce the largest single-event losses.
What are the red flags of contractor fraud?
Watch for emailed bank-change requests near large payments, new subs with no verifiable history, invoices sitting just under approval thresholds, duplicate invoice numbers or lookalike vendor names, undocumented change orders, pressure to expedite wires, and any process where one person controls vendor setup, approval, and payment.
What is business email compromise in construction AP?
Business email compromise is an attack where a fraudster spoofs or takes over a subcontractor's email account and sends updated wire instructions, timed to a real payment on a real project. The payment routes to the fraudster's account. Out-of-band verification of every banking change is the control that stops it.
How do you prevent payment fraud in construction?
Layer controls at the payment-execution level. Segregation of duties, dual approval with batch review, and callback verification of banking changes close the process gaps; virtual cards in place of checks, duplicate-invoice detection, and an immutable audit trail harden the payments themselves; positive pay and rail consolidation cover what's left.
How do virtual cards prevent payment fraud?
Each virtual card is a single-use number issued for one payment and locked to that amount, so an intercepted number can't be reused or drained. Unlike a check or an ACH instruction, there's no static account credential to steal, which removes the raw material most payment fraud depends on.
What is positive pay, and does it stop check fraud?
Positive pay is a bank service that compares every check presented for payment against the issue file you send, and holds anything that doesn't match for review. It reliably catches altered and counterfeit checks, though it can't help with payments that never touch the check rail, and it depends on someone reviewing exceptions.
How does segregation of duties work in a small construction office?
With two or three office staff, split what you can, then add compensating review for the rest, meaning a monthly vendor-master change report reviewed by the owner or CFO, plus payment-to-approval reconciliation done by someone outside AP. The goal is that no vendor gets created, approved, and paid by one unwatched person.
Is Corpay SOC 2 compliant?
Yes. Corpay maintains SOC 2 Type II attestation, and PCI DSS applies to card and virtual-card handling. Both cover the security and fraud controls that controllers typically screen for in vendor due diligence, and they apply to the payment layer where construction fraud losses concentrate.
Does Corpay replace my construction ERP?
No. Corpay is a payment-layer control set that complements the construction ERP. Job costing, budgets, and the ledger stay in your ERP; Corpay adds the approval enforcement, validated vendor banking, virtual cards, and audit trail at the point of payment, where most fraud gets through.
- What is construction payment fraud, and why is construction so exposed?
- What are the most common construction payment fraud schemes?
- What are the red flags of contractor and vendor fraud?
- What controls stop construction payment fraud?
- How does Corpay help construction firms prevent payment fraud?
- Protect construction payments from fraud with Corpay
Switch to Corpay
Discover how making the move to Corpay streamlines payments and strengthens your business.
Talk to an ExpertSmarter payments. Stronger growth. Keep business moving.
Corpay powers payments for 800,000+ businesses worldwide. Let’s build what’s next for yours.