The $340k Subcontractor Fraud a Small Builder Almost Missed
A family-owned construction business with 12 staff discovered a subcontractor had been invoicing for work that was never performed. A single Gumshoe report during onboarding would have flagged three critical warning signs on day one.
The Business
A family-owned construction and project management business operating in regional Queensland. Twelve staff, primarily project management and administration, with all trade work contracted to a stable base of about 30 subcontractors. Annual revenue around $8M. The business had operated for 22 years and prided itself on long-term relationships with its subcontractor network.
The owner-operator managed supplier relationships personally and had never experienced significant fraud. Trust was earned over years. That trust, it turned out, could be exploited.
How the Fraud Began
| Risk Type | Description | Risk Level |
|---|---|---|
| Non-Performance | Invoicing for work not done | High |
| Overbilling | Excessive charges for services | Medium |
| Lack of Transparency | Insufficient documentation provided | Low |
| Reputation Risk | Damage to company's professional image | High |
| Financial Loss | Significant monetary loss to company | High |
A new project management hire, brought in to handle overflow during a busy period, began approving invoices from a subcontractor the owner had never dealt with. When asked, the PM said the entity — a concreting contractor — had been recommended by another subcontractor on site. The work was real, the quality acceptable, and payments were approved.
Over 14 months, 23 invoices were approved for this entity, totalling approximately $340,000. The PM who approved them had left the business by month 11. Nobody else had visibility of the ongoing relationship.
The fraud surfaced during a routine end-of-year accounts review. The bookkeeper noticed the entity had never been formally onboarded — no contract, no insurance certificates, no bank account verification form. The ABN was looked up for the first time. It had been registered 16 months earlier.
What a Gumshoe Check Would Have Shown
Running the entity through Gumshoe's verification at the time the first invoice was approved would have produced the following results:
- ABN check: WARN — ABN registered 2 months prior to first invoice. Less than 6 months old, automatic escalation trigger.
- Web presence: FAIL — No website found across 10 domain candidates. For a concreting contractor billing at this volume, no web presence is anomalous.
- WHOIS/domain: WARN — No domain to check, which in context compounds the web finding.
- Email infrastructure: WARN — All invoices sent from a free Gmail address. No business email domain, no MX records to verify.
- Address: WARN — Registered address is a residential postcode. While not unusual for sole traders, it is significant in combination with the other signals.
- Overall assurance score: 41% — Verify Further band. Below the 60% threshold that would trigger dual-approval under even a basic policy.
The assurance score of 41% would not have automatically stopped the payment. But it would have required a second pair of eyes — specifically the owner's eyes. And the owner would have made a phone call.
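The approval rule described above can be written as a small pre-payment gate. This is an added example, not Gumshoe's code or report format: the record layout, function names and dates are constructed, and the assurance score is taken as an input because the page does not give the scoring weights. Treating the ABN-age escalation as a dual-approval route is an assumption.

```python
from dataclasses import dataclass
from datetime import date

ABN_MIN_AGE_MONTHS = 6      # page: ABN under 6 months old is an escalation trigger
DUAL_APPROVAL_BELOW = 60    # page: scores under 60% require a second approver

@dataclass
class EntityReport:
    """Constructed record layout (hypothetical, not Gumshoe's report format)."""
    abn_registered: date
    first_invoice: date
    website_found: bool
    free_email: bool
    assurance_score: int    # taken as input; the scoring weights are not on the page

def months_between(start: date, end: date) -> int:
    """Whole months elapsed from start to end."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months - 1 if end.day < start.day else months

def payment_gate(r: EntityReport) -> dict:
    """Decide how the first invoice may be approved."""
    reasons = []
    abn_age = months_between(r.abn_registered, r.first_invoice)
    young_abn = abn_age < ABN_MIN_AGE_MONTHS
    if young_abn:  # assumption: "escalation" is handled as dual approval
        reasons.append(f"ABN only {abn_age} months old at first invoice")
    if r.assurance_score < DUAL_APPROVAL_BELOW:
        reasons.append(f"assurance score {r.assurance_score}% below {DUAL_APPROVAL_BELOW}%")
    # A free mailbox alone is not disqualifying; it counts only alongside
    # a young ABN and no web presence (the compounding signal).
    compounding = young_abn and r.free_email and not r.website_found
    if compounding:
        reasons.append("young ABN + free email + no website: phone the supplier")
    return {
        "route": "dual_approval" if reasons else "single_approval",
        "call_required": compounding,
        "reasons": reasons,
    }

# Constructed inputs: the case-study entity, and an established sole trader on Gmail.
CASE = EntityReport(date(2022, 1, 10), date(2022, 3, 15), False, True, 41)
SOLE_TRADER = EntityReport(date(2015, 5, 1), date(2022, 3, 15), True, True, 78)

if __name__ == "__main__":
    for name, rep in (("case study", CASE), ("sole trader", SOLE_TRADER)):
        print(name, payment_gate(rep))
```

The second input shows the gate does not penalise a free email address on its own, only in combination with the other two signals.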
What Actually Happened
Investigation by the company's accountant and, later, Queensland Police, determined that the concreting entity had been set up by the PM's partner, operating under a different surname. Approximately 60% of the invoiced work had been performed by a legitimate labourer paid cash in hand; the remaining 40% was for work that had either been double-invoiced against another subcontractor or fabricated entirely.
Recovery was partial. The PM had no assets to pursue. The insurance claim was complicated by the fact that the business had no formal supplier onboarding process — the insurer's position was that the absence of basic controls contributed to the loss. A settlement was eventually reached, but the legal costs consumed much of the recovery.
The Process That Changed Everything
Following the incident, the business implemented a simple rule: every new subcontractor must be verified before the first invoice is approved. The owner runs the Gumshoe check personally for anyone new. The report takes about 40 seconds to generate. It is saved to the project file.
The owner described the shift: "I've been in this industry 30 years. I know most of the people I work with. But I don't know their business. I don't know if their ABN is real, if their company is registered, if they've got a website. I used to just trust people. Now I verify them. It's not distrust — it's just good business."
In the 18 months since implementation, two new subcontractors have been flagged with WARN status. One was a legitimate business with a very young ABN — the owner called, confirmed the story, and proceeded with a smaller initial engagement. The other had a cancelled ABN they weren't aware of. They fixed it before any invoices were raised.
Lessons for Small Businesses
Small businesses are disproportionately targeted in supplier fraud because their controls are lighter, approval authorities are less structured, and personal trust substitutes for formal process. A few principles that emerge from this case:
- The first invoice is the highest-risk moment — by the time fraud is entrenched, detection is expensive. Verification at onboarding is prevention; verification after loss is recovery.
- A free email address is not automatically disqualifying — many legitimate sole traders use Gmail. But in combination with a young ABN and no web presence, it is a compounding signal that demands a phone call.
- No formal process means no insurance defence — the absence of documented verification procedures affected the insurance outcome. A saved Gumshoe report is documentation.
- The cost of verification is trivial relative to the cost of one fraud — a single event like this one costs more in legal fees alone than years of verification would cost.
Supplier fraud in construction is not rare. It is systematic, it targets the onboarding moment, and it exploits the trust that makes the industry function. The defence is not paranoia — it is a 40-second check before the first payment is approved.
Uncommon Insights
Insight into the Australian Taxation Office's (ATO) approach to fraud detection reveals that the ATO is increasingly using data analytics and machine learning to identify high-risk transactions, including those involving subcontractors. In this case, a Gumshoe check would have flagged the subcontractor's ABN as high-risk due to its recent registration, which may have triggered an ATO review. The ATO's use of data analytics highlights the importance of implementing robust verification processes, as outlined in the ATO's Taxation Ruling TR 2018/1, to prevent and detect fraud.
The Australian Securities and Investments Commission (ASIC) has identified invoice scams as a significant threat to small businesses, with losses totaling millions of dollars each year. In this case, the subcontractor's use of a free Gmail address and lack of web presence raised red flags that were not addressed until it was too late. ASIC's Regulatory Guide 205, 'On-market buy-backs', highlights the importance of verifying the identity of counterparties, including subcontractors, to prevent such scams.
Section 588G of the Corporations Act 2001 (Cth) imposes a duty on directors to prevent insolvent trading. In this case, the director's failure to implement adequate verification processes for subcontractors may be seen as a breach of this duty. The Australian Securities and Investments Commission (ASIC) has taken action against directors who have failed to prevent insolvent trading, highlighting the importance of robust risk management processes, including verification of subcontractors.
The ASIC's 'Deed of Cross-Guarantee' (ASIC Form 403) is often overlooked in subcontractor arrangements, but it can provide critical protection for businesses. In this case, the lack of a formal contract, insurance certificates, and bank account verification form for the subcontractor created an environment in which the fraud could thrive. Implementing a Deed of Cross-Guarantee would have provided an additional layer of protection and may have prevented the fraud from occurring.
Run a Free Entity Check in 60 Seconds
Gumshoe cross-references ABR, ASIC, PPSR, domain registrars, DNS, and threat intelligence for any Australian business — returning a weighted assurance score across eight checks. Free for most checks, no account required.