How a National Retailer Caught a Ghost Supplier Scheme
A major Australian specialty retailer discovered a network of fictitious suppliers after running Gumshoe verification on their accounts payable backlog. Here is what the checks found — and what human review alone had missed for three years.
Background
A specialty retail chain operating 140 stores across Australia had grown rapidly through acquisition. Their accounts payable function was split across two finance teams in different states, each managing roughly 600 active suppliers. The fragmentation meant no single person had a complete view of the supplier base.
A new CFO, appointed after the latest acquisition, requested a full supplier audit as part of standard post-merger due diligence. The internal team had used a spreadsheet-based process for years — ABN lookups were done manually, one by one, using the ABR website. The process was time-consuming and inconsistently applied. With 1,200 suppliers to review, they needed something faster.
What Gumshoe Found in the First Batch
| Risk Type | Risk Level | Impact |
|---|---|---|
| Ghost Supplier | High | Financial Loss |
| False Invoicing | Medium | Reputation Damage |
| Identity Theft | High | Compliance Risk |
| Procurement Fraud | Medium | Operational Disruption |
| Accounts Payable Error | Low | Minor Financial Loss |
The finance team uploaded their supplier list and ran the first batch of 300 verifications. Within minutes, the report flagged three entities with the same pattern:
- ABN registered within the past 8 months
- No website found across 12 domain permutations
- No ASIC company registration — sole trader structure only
- State/postcode inconsistency on one (a Queensland postcode registered as NSW)
- Email domain registered 6 weeks before the first invoice
The assurance scores were 31%, 28%, and 34%, all in the High Risk band. All three had been set up as active suppliers and had received payments ranging from $18,000 to $67,000 over the preceding six months.
The Pattern Emerges
Cross-referencing the three entities, the team noticed the bank account details on file had been changed within days of each other, all routed through the same BSB. The registered business names were variations on legitimate-sounding trade services: cleaning contractors, maintenance supplies, IT consumables. None had verifiable physical addresses. None appeared in any industry directory.
When the team ran a deeper search on the ABN registration dates against invoice dates, they found a consistent pattern: the ABN was registered, a creditor account was created within days, and invoices began arriving before any formal supplier onboarding was completed.
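The cross-referencing described above can be expressed as two checks over the supplier master file. This is an added example, not Gumshoe's or the retailer's code; the field names, the 7-day and 14-day windows, and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

def row(id_, bsb, changed, abn, created, onboarded, invoice):
    return {"id": id_, "bsb": bsb, "bank_changed": changed, "abn_registered": abn,
            "account_created": created, "onboarding_completed": onboarded,
            "first_invoice": invoice}

# Constructed sample rows (placeholder BSBs, not data from the case study).
SUPPLIERS = [
    row("S-101", "000-001", date(2024, 3, 4), date(2024, 1, 10),
        date(2024, 1, 15), None, date(2024, 1, 29)),
    row("S-102", "000-001", date(2024, 3, 6), date(2024, 1, 12),
        date(2024, 1, 18), date(2024, 3, 1), date(2024, 2, 2)),
    row("S-103", "000-001", date(2024, 3, 7), date(2024, 1, 15),
        date(2024, 1, 19), None, date(2024, 2, 5)),
    row("S-200", "000-001", date(2021, 6, 1), date(2012, 5, 1),
        date(2019, 2, 1), date(2019, 2, 10), date(2019, 3, 1)),
    row("S-201", "000-002", None, date(2015, 8, 1),
        date(2020, 7, 1), date(2020, 7, 10), date(2020, 8, 1)),
]

def shared_bsb_clusters(suppliers, window_days=7):
    """Map BSB -> supplier ids whose bank details changed within window_days of
    another supplier on the same BSB. A shared BSB alone is not suspicious."""
    by_bsb = defaultdict(list)
    for s in suppliers:
        if s["bank_changed"] is not None:
            by_bsb[s["bsb"]].append(s)
    clusters = {}
    for bsb, rows in by_bsb.items():
        rows.sort(key=lambda s: s["bank_changed"])
        hit = set()
        for a, b in zip(rows, rows[1:]):  # compare neighbours in date order
            if (b["bank_changed"] - a["bank_changed"]).days <= window_days:
                hit.update((a["id"], b["id"]))
        if hit:
            clusters[bsb] = sorted(hit)
    return clusters

def timeline_flags(s, setup_days=14):
    """Flag the ABN -> creditor account -> invoice sequence described above."""
    flags = []
    if (s["account_created"] - s["abn_registered"]).days <= setup_days:
        flags.append("account_created_soon_after_abn")
    done = s["onboarding_completed"]
    if done is None or s["first_invoice"] < done:
        flags.append("invoice_before_onboarding")
    return flags
```

Supplier S-200 shares the BSB with the flagged group but changed bank details years earlier, so it stays out of the cluster.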
The investigation was escalated to the company's forensic accounting partner. The three suppliers were traced to a single individual — a former employee who had left the business 14 months earlier — operating through nominee arrangements. Total losses: approximately $180,000.
What the Checks Caught That Humans Missed
The previous manual process checked one thing: whether an ABN existed and was active. Gumshoe's verification ran eight simultaneous checks. The decisive signals were:
- ABN age — all three were registered less than 6 months before the first invoice. This is a well-documented fraud indicator and the single most reliable early warning sign.
- Domain age — the email domains were registered weeks before invoicing began. Without WHOIS/certificate transparency checking, this is invisible to manual review.
- No web presence — legitimate trade service businesses almost always have some online footprint, even minimal. Zero presence across all candidate domains is a strong negative signal.
- DMARC missing — all three email domains had no DMARC record, so the domain owner had published no policy telling receiving servers to reject or quarantine spoofed mail. This is common in hastily created fraudulent identities.
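The four decisive signals above, evaluated per supplier from data already collected (registration dates, site lookups, and the TXT records returned for `_dmarc.<domain>`). This is an added example, not Gumshoe's scoring logic; the field names, the 183-day and 90-day thresholds, and the sample records are assumptions constructed for illustration.

```python
from datetime import date

# Assumed cut-offs: the page says only "less than 6 months" (ABN) and "weeks" (domain).
ABN_MIN_AGE_DAYS = 183
DOMAIN_MIN_AGE_DAYS = 90

def has_dmarc(txt_records):
    """True if any TXT record found at _dmarc.<domain> is a DMARC policy record.
    Whitespace around '=' is tolerated; an SPF string published there does not count."""
    return any(r.replace(" ", "").lower().startswith("v=dmarc1") for r in txt_records)

def decisive_signals(s):
    """Return which of the four signals fire for one supplier record."""
    signals = []
    # Ages are measured at the first invoice, not at audit time, so an old
    # fraud does not age out of the check.
    if (s["first_invoice"] - s["abn_registered"]).days < ABN_MIN_AGE_DAYS:
        signals.append("young_abn")
    if (s["first_invoice"] - s["domain_registered"]).days < DOMAIN_MIN_AGE_DAYS:
        signals.append("young_email_domain")
    if not any(s["site_found"].values()):  # no candidate domain served a site
        signals.append("no_web_presence")
    if not has_dmarc(s["dmarc_txt"]):
        signals.append("dmarc_missing")
    return signals

# Constructed sample records using the reserved .example TLD.
GHOST = {
    "abn_registered": date(2024, 1, 10),
    "domain_registered": date(2023, 12, 18),  # 6 weeks before first invoice
    "first_invoice": date(2024, 1, 29),
    "site_found": {"brightsweep.example": False, "bright-sweep.example": False},
    "dmarc_txt": [],
}
LEGIT = {
    "abn_registered": date(2012, 5, 1),
    "domain_registered": date(2013, 1, 1),
    "first_invoice": date(2019, 3, 1),
    "site_found": {"oldtrade.example": True, "old-trade.example": False},
    "dmarc_txt": ["v=DMARC1; p=quarantine"],
}
```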
"The previous process checked one thing: whether an ABN existed and was active. The automated verification ran eight simultaneous checks. The decisive signals were ABN age, domain age, zero web presence, and missing DMARC — none of which appear in a manual ABN lookup."
Outcome and Process Changes
Following the investigation, the retailer implemented mandatory Gumshoe verification for all new supplier onboarding. Existing suppliers above a payment threshold were re-verified on a rolling quarterly basis. The finance team established a policy: no supplier with an assurance score below 60% could be activated without dual-manager sign-off and a phone call to a verified landline.
The new process added approximately 3 minutes per supplier for new onboarding (versus the previous 15–25 minutes of manual ABN lookups and cross-referencing). For the quarterly re-verification cycle, the entire active supplier base could now be reviewed in an afternoon rather than across several weeks.
Twelve months after implementation, the team identified two further anomalous suppliers — both were legitimate businesses that had been deregistered without notifying the retailer, creating potential GST compliance issues. Neither was fraud, but both would have created problems at audit without remediation.
Uncommon Insights
Uncommon Insight 1: The retailer's reliance on manual ABN lookups using the Australian Business Register (ABR) website, as per ASIC's requirements under Section 88 of the Corporations Act 2001, proved insufficient in detecting the ghost supplier scheme. The use of automated verification tools, such as Gumshoe, was necessary to uncover the fictitious suppliers, highlighting the importance of leveraging technology in compliance processes. This case demonstrates that manual checks alone may not be enough to ensure compliance with ASIC's guidelines.
Uncommon Insight 2: The ATO's guidelines on GST and ABN registration, as outlined in GST Ruling GSTR 2002/2, emphasize the importance of verifying the legitimacy of suppliers. However, the retailer's experience shows that even with a valid ABN, a supplier can still be fictitious. This case highlights the need for a more comprehensive verification process, beyond just ABN checks, to ensure compliance with the ATO's requirements and prevent financial losses.
Uncommon Insight 3: The retailer's use of a risk framework matrix to categorize the risk types and levels associated with the ghost supplier scheme is consistent with the principles outlined in the ASX Corporate Governance Principles and Recommendations. The matrix helped identify the high-risk nature of the ghost suppliers, enabling the retailer to take prompt action to mitigate the risks. This approach demonstrates the importance of having a robust risk management framework in place to detect and respond to potential compliance threats.
Uncommon Insight 4: The enforcement patterns of ASIC and the ATO suggest that regulators are increasingly focusing on the use of technology to detect and prevent compliance breaches. The retailer's experience highlights the importance of leveraging technology, such as automated verification tools, to ensure compliance with regulatory requirements. This case demonstrates that organizations that invest in technology to support their compliance processes are better equipped to detect and prevent compliance breaches, reducing the risk of regulatory action.
Run a Free Entity Check in 60 Seconds
Gumshoe cross-references ABR, ASIC, PPSR, domain registrars, DNS, and threat intelligence for any Australian business — returning a weighted assurance score across eight checks. Free for most checks, no account required.