Supplier-Employee cross-check

Detects shell-company fraud: an employee creating a fake supplier in their own name or under their personal domain, then submitting bills against it. Inline + manual scan.

Last updated 20 May 2026

Supplier-Employee cross-check

A common occupational fraud pattern: an employee registers a shell supplier under their own surname, or gives it a contact address on the same domain as their own employee email, then submits invoices against it for goods or services never delivered. The cross-check flags suppliers whose identity overlaps with an employee's identity so that the relationship gets looked at by someone other than the person submitting the bills.

What the scanner looks at

Two signals in v1:

  1. Email prefix match — a token in the supplier's name equals a token in the username part (the part before the @) of an employee's email. Example: employee sarah.quinn@acmetech.io matches supplier Quinn Consulting Ltd on the token quinn. Score 0.85.
  2. Email domain match — the domain of the supplier's contact email equals the domain of an employee's email, unless that domain is a public provider (gmail.com, hotmail.com and so on), in which case no domain signal is produced at all. Example: an employee at @acme-suppliers.co.uk and a supplier billing from @acme-suppliers.co.uk is a strong signal. Score 0.90.

Phase 6a-2 v2 will add full name, address, phone and bank-account matches, plus a nightly cron that walks all tenants automatically. Until then, be aware that neither v1 signal fires for a supplier registered under an unrelated name with a public-provider contact address; that variant is the gap the v2 matches are meant to close.

How matches are raised

  • Inline on supplier create/update — the scanner runs every time a supplier is added or edited. New matches land on the Fraud Centre page (Spending → Fraud Centre) with status open.
  • Manual rescan — click "Scan now" on the Fraud Centre to re-run the check against every supplier-typed contact. Use it when a new employee joins: changes to employee records do not trigger the inline scan, so until the v2 nightly cron ships, existing suppliers are only compared against new employees when someone clicks Scan now.

Resolving matches

Each open match has two resolution actions:

  • Acknowledge — "I see it, this match is real but expected" (e.g. the employee genuinely runs a side consultancy under their surname, and you have verified the relationship). Notes are optional but are captured for audit, and they are the only record of why the overlap was accepted, so write one.
  • Dismiss — "Coincidence, not a real overlap" (e.g. a shared surname between unrelated people). Optional notes, captured the same way.

Resolved matches move to the Acknowledged or Dismissed tabs. The dashboard tile only counts open matches so a clean state shows nothing.

False positives

The most common false positive: surname coincidence. "Smith Heating Ltd" matching an employee j.smith@... doesn't mean Mr Smith is running Smith Heating — it's a common surname. Dismiss with a brief note for audit.

The PUBLIC_EMAIL_DOMAINS exclusion list (gmail.com, hotmail.com, outlook.com and similar) keeps domain-match noise down: an address on a public provider, on either the supplier or the employee side, is skipped for the domain signal. The flip side is that a supplier billing from a public provider can only be caught by the prefix signal in v1.
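The whole flow above (both v1 signals, the public-domain exclusion, the "Scan now" rescan, and acknowledge/dismiss with the open-only dashboard count) worked through in Python as an added example. This is illustrative code written for this page, not the product's own scanner. Everything not stated on the page is an assumption: the members of PUBLIC_EMAIL_DOMAINS beyond gmail/hotmail/outlook, the list of generic corporate suffixes that are ignored, the three-character minimum token length, the rule that a rescan does not re-raise a match already on file for the same (supplier, employee, signal), and the sample employees and suppliers, which are constructed.

```python
import re
from dataclasses import dataclass
from typing import NamedTuple
# Assumed members of the PUBLIC_EMAIL_DOMAINS exclusion list (the page names gmail/hotmail/outlook).
PUBLIC_EMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "icloud.com"}
GENERIC_TOKENS = {"ltd", "limited", "llc", "inc", "plc", "co", "corp", "gmbh"}  # assumed: carry no identity
MIN_TOKEN_LEN = 3  # assumed: an initial such as the "j" in j.smith@ matches nothing
PREFIX_SCORE, DOMAIN_SCORE = 0.85, 0.90  # scores as stated on the page

class Employee(NamedTuple):
    id: str
    email: str

class Supplier(NamedTuple):
    id: str
    name: str
    contact_email: str = ""

@dataclass
class Match:
    supplier_id: str
    employee_id: str
    signal: str           # "email_prefix" or "email_domain"
    score: float
    detail: str
    status: str = "open"  # open | acknowledged | dismissed
    note: str = ""

def _tokens(text):
    return {t for t in re.split(r"[^a-z0-9]+", text.lower())
            if len(t) >= MIN_TOKEN_LEN and t not in GENERIC_TOKENS}

def email_local_tokens(email):
    # Username part only: 'sarah.quinn@x' -> {'sarah', 'quinn'}
    return _tokens(email.split("@", 1)[0])

def email_domain(email):
    # Lower-cased domain, or '' when the address has no '@'
    email = email.strip().lower()
    return email.rsplit("@", 1)[1] if "@" in email else ""

def scan_supplier(supplier, employees):
    """The inline check: one supplier against every employee, both v1 signals."""
    found = []
    name_toks = _tokens(supplier.name)
    sup_domain = email_domain(supplier.contact_email)
    for emp in employees:
        overlap = name_toks & email_local_tokens(emp.email)
        if overlap:
            found.append(Match(supplier.id, emp.id, "email_prefix", PREFIX_SCORE,
                               f"name token(s) {sorted(overlap)} match {emp.email}"))
        # Domain signal fires only for a non-public domain shared by both sides.
        if sup_domain and sup_domain not in PUBLIC_EMAIL_DOMAINS and sup_domain == email_domain(emp.email):
            found.append(Match(supplier.id, emp.id, "email_domain", DOMAIN_SCORE,
                               f"both sides use @{sup_domain}"))
    return found

def rescan(suppliers, employees, existing):
    """'Scan now': re-run every supplier, keeping matches already on file. Assumption (not on
    the page): a match is keyed by (supplier, employee, signal), so a resolved one is not re-raised."""
    seen = {(m.supplier_id, m.employee_id, m.signal) for m in existing}
    new = []
    for sup in suppliers:
        for m in scan_supplier(sup, employees):
            key = (m.supplier_id, m.employee_id, m.signal)
            if key not in seen:
                seen.add(key)
                new.append(m)
    return existing + new

def resolve(match, action, note=""):
    """Acknowledge (real but expected) or dismiss (coincidence); the note is the audit trail."""
    if action not in ("acknowledged", "dismissed"):
        raise ValueError(f"unknown resolution: {action}")
    match.status, match.note = action, note
    return match

def open_count(matches):
    """What the dashboard tile shows: only open matches count."""
    return sum(1 for m in matches if m.status == "open")

EMPLOYEES = [Employee("e1", "sarah.quinn@acmetech.io"),  # constructed sample data, not real people
             Employee("e2", "j.smith@acme-suppliers.co.uk")]
SUPPLIERS = [Supplier("s1", "Quinn Consulting Ltd", "billing@quinnconsulting.co.uk"),  # prefix hit on e1
             Supplier("s2", "Northgate Logistics", "ap@acme-suppliers.co.uk"),         # domain hit on e2
             Supplier("s3", "Smith Heating Ltd", "office@gmail.com"),                 # surname coincidence
             Supplier("s4", "Bright Office Supplies")]                                # no email, no hit

def demo():
    matches = rescan(SUPPLIERS, EMPLOYEES, existing=[])      # three open matches
    smith = next(m for m in matches if m.supplier_id == "s3")
    resolve(smith, "dismissed", "Common surname; no link to j.smith")
    assert rescan(SUPPLIERS, EMPLOYEES, matches) == matches  # rescan does not re-raise it
    return matches

if __name__ == "__main__":
    for m in demo():
        print(m.status, m.signal, m.score, m.detail)
```

Running it raises three matches: Quinn Consulting on the prefix signal, Northgate Logistics on the shared private domain, and Smith Heating on the surname coincidence, which demo() then dismisses so the open count drops to two. Smith Heating's gmail.com address contributes nothing to the domain signal, which is exactly the v1 blind spot described above.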
