A few months ago, I was speaking with the CFO of a mid-sized NBFC in Mumbai: sharp, experienced, someone who has seen most tricks in the book. He told me something that stayed with me.
His Accounts Payable team had recently cleared an invoice from a long-standing facilities vendor. Everything was in order: correct GST number, matching GSTIN format, right TDS category, proper HSN code, professional letterhead. The payment went through. It was only three weeks later, during a routine vendor reconciliation, that someone noticed the bank account number had changed, and the real vendor had no idea an invoice had been raised in their name.
The amount wasn’t enormous. But the method was almost invisible.
That conversation keeps coming back to me, because I think it marks a genuine turning point in how fraud operates in Indian enterprises, one that most finance teams haven’t fully reckoned with yet.
The Old Clues Are Gone
For years, fraud detection relied on imperfection. A mismatched font. A GST amount that didn’t compute correctly. A vendor name that was slightly off. An invoice number that repeated. These were the tells that trained Accounts Payable teams learned to spot.
AI has quietly eliminated most of them.
Today, anyone with access to a generative AI tool and a sample invoice can produce a document that is visually and structurally flawless. The GST calculation is correct. The GSTIN validates. The PAN matches. The letterhead mirrors the real vendor’s. The invoice number follows a believable sequence. There is nothing to question, because the fraud has been designed, specifically, to pass your validation checklist.
What makes this different from earlier forgery isn’t just quality. It’s speed and scale. A fraudster used to be limited by how many fake documents they could produce manually. Now, they can generate and test dozens of variations in an afternoon, calibrated to beat specific controls. It’s no longer a one-shot attempt. It’s a systematic campaign.
The Scenarios I'm Seeing
Let me be specific, because “AI-powered fraud” can sound abstract until you see the shapes it takes in Indian enterprise finance.
The phantom MSME vendor. India’s push toward MSME registration has created a large, legitimate-looking vendor pool. It’s now possible to register a shell entity, get a valid Udyam number, generate professional invoices with correct GST structure, and submit claims that sail through Accounts Payable. The entity is real on paper. The work was never done. With AI generating the supporting documentation (delivery challans, service completion reports, even email correspondence), the paper trail looks complete.
The inflated travel claim, version 2.0. We’ve all seen employees round up hotel bills or add fictitious cab fares. That version was catchable: receipts looked wrong, amounts were oddly round, formatting was inconsistent. The new version is different. AI tools can now generate receipts that mirror the exact format, font, and structure of any hotel chain or cab aggregator. The ₹4,200 Ola receipt for a trip from Andheri to Bandra looks indistinguishable from a real one. And when you’re processing 40,000 expense vouchers a month across a large enterprise, no human reviewer is scrutinizing each image.
Bank account substitution on vendor payment. This one is particularly dangerous in India, where many vendor relationships still involve some personal communication. An email arrives from what appears to be a known vendor (similar domain, familiar tone, referencing your last three transactions), requesting a change in bank account details “due to a banking transition.” The language is professional. The timing is plausible. With AI now capable of mimicking writing styles from just a few sample emails, these impersonation attempts have become almost indistinguishable from legitimate requests. One approval by an Accounts Payable executive is all it takes.
Cross-system duplication in fragmented environments. Many large Indian enterprises still run a patchwork of systems: SAP or Oracle for core finance, a separate T&E tool, a standalone vendor portal, perhaps a legacy procurement system for certain categories. The same expense or invoice can travel through multiple channels, appearing legitimate in each. Without real integration between these systems, duplication is invisible until someone does a manual reconciliation, which often happens quarterly, if at all.
Why Standard Controls Aren't Enough Anymore
The honest answer is that most Indian Accounts Payable and expense controls were designed for a world where fraud was imperfect. Three-way matching catches quantity mismatches, not document authenticity. GST validation confirms format, not legitimacy. Vendor master checks verify what’s on record, not what’s changed recently.
I’ve sat across the table from enough CFOs and finance controllers to know that most controls feel robust from the inside. Checklists are followed. Approvals are obtained. Audits pass. But these controls were built to catch inconsistency, and AI-generated fraud has no inconsistency to catch.
There’s another dimension that’s specific to India: the informal trust that underpins many vendor relationships. A long-standing vendor whose account details change. A familiar email asking for an exception. A receipt from a vendor we’ve worked with for years. In a high-volume Accounts Payable environment, familiarity breeds efficiency, and that efficiency creates blind spots.
What Actually Needs to Change
I’m not going to pretend there’s a simple fix, but I’ll share what we’ve learned building fraud controls at Expenzing across 100+ CFO implementations.
The first shift is from document verification to behavioural monitoring. The question can’t only be “does this invoice look correct?” It has to also be “does this vendor behave consistently with their history?” A vendor who has submitted 50 invoices over three years suddenly submitting five in a week, at new amounts, from a new bank account, should trigger scrutiny, even if each individual document is flawless.
The second is continuous vendor validation, not periodic checks. Vendor master data in most organisations is a snapshot. Bank account details, GST status, PAN linkage: these are verified at onboarding and then trusted indefinitely. AI-enabled fraud exploits exactly this gap. Real protection requires these validations to run continuously, flagging any change for re-verification before the next payment clears.
The third is cross-system visibility. Fraud that exploits disconnected systems can only be caught by connecting them. An expense submitted in T&E, an invoice in Accounts Payable, a receipt in the vendor portal: these need to be correlated in real time, not reconciled in a quarterly audit.
And the fourth, perhaps the most important, is treating the absence of red flags as insufficient evidence of legitimacy. In a world where fraud is designed to look normal, “nothing looks wrong” is no longer a clearance. Finance teams need systems that can identify what should be there, not just flag what looks wrong.
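To make the first two shifts concrete, here is an added sketch (not Expenzing's code and not part of the original article) that scores an incoming invoice against the vendor's own history and the last verified bank account, ignoring how the document looks. The thresholds, function names and sample records are assumptions constructed for illustration.

```python
from datetime import date, timedelta
from statistics import median

# Thresholds are illustrative assumptions, not figures from the article.
WINDOW = timedelta(days=7)   # "recent" means the trailing week
VELOCITY_FACTOR = 4          # recent count vs. long-run weekly rate
AMOUNT_FACTOR = 2            # allowed ratio to the vendor's median amount

def assess(history, verified_account, invoice):
    """Flag an incoming invoice against the vendor's own behaviour.

    history: (date, amount, bank_account) tuples already received from the vendor
    verified_account: account last confirmed out-of-band on the vendor master
    invoice: the (date, amount, bank_account) tuple awaiting payment
    """
    inv_date, amount, account = invoice
    flags = []
    # Continuous validation: an account that differs from the verified one
    # is flagged no matter how clean the document looks.
    if account != verified_account:
        flags.append("unverified_bank_account")
    older = [h for h in history if inv_date - h[0] > WINDOW]
    if not older:
        return flags + ["no_baseline"]   # new vendor: nothing to compare against
    # Velocity: invoices in the trailing week (including this one) against the
    # long-run weekly rate, with a floor of two so slow vendors don't trip it.
    weeks = max((inv_date - min(h[0] for h in older)).days / 7, 1)
    recent = len(history) - len(older) + 1
    if recent >= max(VELOCITY_FACTOR * len(older) / weeks, 2):
        flags.append("velocity_spike")
    # Amount: compare with the median of the vendor's established invoices.
    typical = median(h[1] for h in older)
    if not typical / AMOUNT_FACTOR <= amount <= typical * AMOUNT_FACTOR:
        flags.append("amount_outlier")
    return flags

def decide(flags):
    """Hold on any bank-account change or on two or more behavioural flags."""
    if "unverified_bank_account" in flags or len(flags) >= 2:
        return "hold"
    return "review" if flags else "pay"

def sample_history():
    """Constructed data: 50 invoices, about three years, one bank account."""
    start = date(2021, 1, 4)
    return [(start + timedelta(days=22 * i), 80_000 + 500 * (i % 5), "ACCT-A")
            for i in range(50)]

def burst():
    """Constructed data: four invoices in one week, new amount, new account."""
    return [(date(2024, 1, 8) + timedelta(days=i), 240_000, "ACCT-B") for i in range(4)]
```

With this constructed data, a fifth burst invoice raises all three flags, while an otherwise routine invoice that only carries a new account number is still held for re-verification.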
A Different Kind of Problem
I’ve been in enterprise finance software long enough to remember when the biggest risk was a duplicate invoice slipping through because two people were processing the same stack. We’ve come a long way from that.
The challenge now isn’t catching mistakes. It’s catching intent, in documents that have no mistakes.
That’s a genuinely new problem. And if you’re a CFO reading this thinking your current controls have it covered, I’d ask you to test that assumption. Ask your Accounts Payable team: if someone submitted a perfectly formatted, GST-compliant invoice from a vendor that looks exactly like one of your real vendors (different bank account, fabricated work), how many checkpoints would it pass?
The answer, in most organisations, is uncomfortable.