Purchase-Order Fraud
A scheme in which a fraudster creates or manipulates purchase orders to authorise the delivery of goods or payment for services that benefit the fraudster.
Also known as: PO fraud, fake purchase order, procurement fraud
Last reviewed: 1 June 2026
Purchase-order (PO) fraud occurs when an attacker creates fictitious POs — either as an internal employee or by impersonating a buyer — to procure goods, services, or cash that they divert for personal gain. In internal variants, a corrupt employee generates a PO to a shell company they control, receiving the goods or payment personally. In external variants, a fraudster impersonates a large, creditworthy company (hospital, government body, retailer) to order goods on 30-day credit terms with no intention of paying.
External PO fraud is particularly damaging to small suppliers who are eager to win large-account business and may skip credit checks. They ship goods that are never paid for and find the 'customer' unreachable. The impersonated brand suffers reputational harm as suppliers contact it to chase payment.
Organisations can mitigate internal PO fraud through segregation of duties (different people creating, approving, and paying POs), regular audits of vendor master files, and monitoring for POs issued to recently created or sole-trader vendors. Suppliers can defend against external fraud by verifying new large orders via the buying company's official switchboard before shipping.
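The internal controls described above can be run as an automated review over PO records and the vendor master file. The following Python is an added example, not part of the original entry; the field names, the 90-day "recently created" threshold and the sample records are constructed assumptions.

```python
from datetime import date

NEW_VENDOR_DAYS = 90  # assumed threshold for a "recently created" vendor


def review_po(po, vendors):
    """Return the reasons a purchase order should go to manual review."""
    vendor = vendors.get(po["vendor_id"])
    if vendor is None:
        # A PO to a vendor missing from the master file cannot be checked at all.
        return ["vendor not in master file"]
    flags = []
    # Segregation of duties: create, approve and pay must be different people.
    people = [p for p in (po["created_by"], po["approved_by"], po.get("paid_by")) if p]
    if len(set(people)) < len(people):
        flags.append("same person in more than one of create/approve/pay")
    # Vendor record age at the time the PO was issued.
    age = (po["issued"] - vendor["created"]).days
    if age < NEW_VENDOR_DAYS:
        flags.append(f"vendor record only {age} days old at PO date")
    if vendor["type"] == "sole_trader":
        flags.append("sole-trader vendor")
    return flags


# Constructed sample data (hypothetical vendors, users and PO numbers).
VENDORS = {
    "V100": {"created": date(2019, 3, 1), "type": "company"},
    "V207": {"created": date(2026, 4, 20), "type": "sole_trader"},
}
POS = [
    {"po": "PO-1001", "vendor_id": "V100", "issued": date(2026, 5, 4),
     "created_by": "asmith", "approved_by": "bjones", "paid_by": "ckhan"},
    {"po": "PO-1002", "vendor_id": "V207", "issued": date(2026, 5, 6),
     "created_by": "dlee", "approved_by": "dlee", "paid_by": None},
    {"po": "PO-1003", "vendor_id": "V999", "issued": date(2026, 5, 7),
     "created_by": "asmith", "approved_by": "bjones", "paid_by": None},
]


def flagged(pos=POS, vendors=VENDORS):
    """Map PO number -> review reasons, for POs with at least one reason."""
    return {po["po"]: reasons for po in pos if (reasons := review_po(po, vendors))}


if __name__ == "__main__":
    for po_id, reasons in flagged().items():
        print(po_id, "->", "; ".join(reasons))
```

A flag is a prompt for review, not proof of fraud: a legitimate new sole-trader supplier will trip two of the checks.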
Examples
- A fraudster emails a manufacturer posing as a major retailer, placing a large order on trade credit and providing a delivery address they control — then disappearing once goods are shipped.