
Fraud Prevention in Financial Processes for DTC Brands

Most operators running a $2M to $10M physical product brand spend their fraud-prevention attention in the wrong direction.

12 min read · 31 August 2025


Most operators running a $2M to $10M physical product brand spend their fraud-prevention attention in the wrong direction. They obsess over Shopify chargebacks, friendly-fraud ratios, and the discount-code abuse a customer-service team can spot in five minutes. The bigger drain runs the other way, through the back office, where one trusted bookkeeper raises the bills, releases the payments, and reconciles the bank. The storefront fraud you watch costs basis points. The internal fraud you do not watch costs full percentage points of revenue, and you usually find it years late.

The $180,000 That Walked Out the Front Door

What follows is a composite drawn from three real engagements, anonymised and combined to protect the brands involved. Treat the numbers as representative rather than literal.

A Melbourne-based homewares brand hit $4M in revenue in its fifth year. The founder, an ex-buyer with a strong eye for product, hired a contract bookkeeper at year three. The bookkeeper had two referrals from other DTC operators in the founder's network. She charged $95 an hour, worked four mornings a week from her home office in Geelong, and had full admin access to Xero, the corporate card platform, the Macquarie business banking portal, and the inventory module. She was, by every social and professional measure, trustworthy.

For three years the books were clean. The monthly P&L arrived on the second business day of each month. Bank reconciliations tied to the cent. Audit-style supporting documents sat in a tidy folder in Dropbox, organised by month and by vendor. The founder, like most founders at this scale, looked at the top-line revenue, the cash balance, and the gross margin. The detail behind those numbers was someone else's job.

The bookkeeper was paying a fictitious supplier. The vendor was registered as a freight-and-logistics consultancy with an ABN that resolved to a mail-forwarding service in inner-Melbourne. Invoices arrived monthly, ranged from $4,200 to $7,800, never repeated the same amount, and were always coded to "freight and handling." The bank account on the vendor file was the bookkeeper's husband's account at a different bank. Over 36 months, $180,000 left the business in 28 separate transactions, none individually large enough to trigger the founder's gut.

Detection happened by accident. A new operations manager ran a SKU-level freight reconciliation against the 3PL's monthly invoice and asked the founder why a "freight consultancy" was being paid every month when freight was already inside the 3PL contract. The founder pulled the vendor record, called the listed phone number, and got a disconnected tone. Two days later the bookkeeper resigned by email. Six weeks later the founder's lawyer was negotiating a repayment plan that recovered, in the end, around 30 cents on the dollar.

The forensic accountant the brand hired estimated the founder had spent more on storefront chargeback prevention software in the same three-year window than the bookkeeper had stolen. The fraud the brand watched cost it $40,000 in subscriptions and disputed payments. The fraud it did not watch cost it $180,000 in vanished cash plus the legal fees and the fortnight of paralysed operations that followed discovery.

This story is not unusual. The ACFE's 2024 occupational fraud report puts the median loss to occupational fraud at $145,000 per case across 1,921 cases studied in 138 countries. Small businesses with fewer than 100 employees were hit hardest, with median losses higher than those of larger organisations, because they have fewer controls, fewer eyes, and more concentrated trust. The same study finds organisations lose an estimated five percent of annual revenue to occupational fraud, every year, with the median scheme running for 12 months before discovery.

Why the Math Doesn't Work: Your Bookkeeper Has All Three Keys

The standard small-business finance setup hands one person the three roles a real control environment keeps separate. They raise the bill. They release the payment. They reconcile the bank. The auditor language for this is "incompatible duties." The plain-English version is that you have given one human the ability to invent a transaction, pay it to themselves, and erase the evidence in the same workflow. No discipline, no character reference, and no length of service neutralises that structural problem.

The AICPA fraud risk guidance is explicit about why this matters. The fraud triangle of opportunity, pressure, and rationalisation is not a personality test. It is an environmental description. When opportunity is high enough, the population of people willing to act on it expands beyond the few you can screen out at the hiring stage. Removing the opportunity is the only control you actually own. Screening for character is theatre.

There is a second risk vector that has overtaken employee embezzlement for many remote-first brands, and almost nobody at the $2M to $10M tier has it priced into their cash forecast. Vendor impersonation, formally known as Business Email Compromise or BEC, now operates at a scale that dwarfs the older internal-theft pattern. The FBI IC3 2024 report tracked $2.77 billion in BEC losses across 21,442 reported incidents in 2024 alone. The mechanism is dull and almost always works the same way. An attacker spoofs a real supplier's email, sends a banking-detail change request to your bookkeeper, and asks her to update the vendor master ahead of the next invoice cycle. She does. The next payment routes to the attacker. The brand discovers it three weeks later when the real supplier rings to ask where the money is.

The brand most exposed to BEC is the brand running its finance function over Slack and email with one bookkeeper in a home office. The control that catches this attack is not better email filtering. The control is a phone-call verification rule for any banking-detail change, made to a number from the vendor's website rather than the number in the requesting email. This single rule, properly enforced, eliminates more BEC loss than any tool sold to defend against it.

For brands operating in Australia specifically, the structural exposure is amplified by two local conditions. Most $2M to $10M DTC brands have outsourced finance to a contract bookkeeper rather than employing one in-house, which compresses all three roles into one external party with weak performance oversight. Banking platforms in Australia, with the exception of CommBank's stricter business banking workflow, default to user permissions that allow a single approver on most domestic payments. The combination is a near-perfect setup for the loss patterns the ACFE report describes.

The Internal Fraud Defence System Blueprint

I call this The Internal Fraud Defence System. It is a three-control framework that pulls the bookkeeper's three keys apart and hands them to three different humans, with the system enforcing the separation rather than relying on anyone's good intentions. I have rolled it out across DTC brands between $2M and $14M in revenue, and the structural shape is identical regardless of the team size or the accounting platform underneath.

The first control is segregation of duties. The person who raises a bill cannot release the payment for that bill. The person who releases the payment cannot reconcile the bank statement that records it. Three roles, three different people, every time. In a small team this looks like the bookkeeper raises bills, the founder or operations lead releases payments above a threshold, and a fractional CFO or external accountant performs the bank reconciliation as a monthly review activity. There is no version of this framework where one person retains two of the three roles because the team is "too small." Team size is the reason the loss happens, not the reason the control gets waived.

The second control is dual approval thresholds tied to dollar amounts. Bills under $1,000 follow a single-approver rule because the friction cost of a second approval at that size exceeds the realistic fraud risk. Bills between $1,000 and $25,000 require two approvers from different roles. Bills above $25,000 require a third approver and a 24-hour cool-down before the payment is released. New vendor records and any banking-detail change on an existing vendor trigger an automatic dual-approval workflow plus a phone-call verification step using a number sourced from the vendor's website. These are not policy documents pinned to a Notion page. They are tool configurations that physically refuse to execute the action until the conditions are met.

The third control is independent reconciliation. The bank reconciliation is performed by a person who has not raised a bill or released a payment in the period being reconciled. The reconciler's job is forensic, not clerical. They review every payment for vendor legitimacy, every refund for source authorisation, and every fee for explanation. The reconciler has read-only access to the accounting system and read-only access to the bank feed. They cannot post adjustments. They flag exceptions, and the exceptions go back to the founder for resolution, with the trail logged.

The COSO control framework describes this structure as the difference between a soft control and a hard control. A soft control depends on culture, training, and discipline. A hard control depends on the system refusing to execute the prohibited action. Remote DTC finance functions need hard controls because the soft controls assume hallway conversations and over-the-shoulder oversight that no longer happen. The Internal Fraud Defence System is built almost entirely from hard controls, because the soft ones have already failed by the time you are reading this article.

Execution: Day 0 to Day 90

Phase 1 runs Days 1 through 30 and is a segregation audit of the current payables stack. This is unglamorous spreadsheet work that pays back faster than any subscription you have bought this quarter. Pull the user list from Xero or QuickBooks, the bill-pay tool, the corporate card platform, the business bank portal, and the expense tool. Document for each user whether they can create a vendor, edit a vendor, raise a bill, approve a bill, release a payment, view bank statements, and reconcile the bank. Most founders discover at this point that their bookkeeper has all eight permissions and the founder has two. That is the diagnosis, written in your own handwriting.

Week two is the overlap freeze. For every user with both raise-bill and release-payment authority, you remove one. The default rule is the bookkeeper raises bills and the founder releases payments above the $1,000 threshold. If the founder cannot release competently because they are too removed from the day-to-day, the second authoriser is the operations lead or a fractional CFO retained for the role. The fractional CFO market in Australia sits between $180 and $350 an hour, and four hours a week of fractional CFO time costs less than half a single BEC incident at the median loss size.

Week three is the vendor master review. Pull every vendor in the system. Flag any vendor added in the last 12 months, any vendor whose bank details changed in the last six months, and any vendor with a generic email domain such as Gmail or Outlook. Call the flagged vendors using a phone number from the vendor's own website, not from the email signature on the most recent invoice. This is the cheapest fraud test you will ever run. In a portfolio of 200 vendors it surfaces between one and three anomalies, and one of them is usually a real attempted impersonation nobody had spotted.

Week four is the historical sweep. Run a transaction listing for the last 24 months filtered to vendors with one or two payments only. Tail-vendor patterns are where fictitious-vendor fraud lives. A genuine bookkeeper is paying repeat suppliers across the year. A fraudulent bookkeeper is paying a different shell company every quarter for $4,000 to $12,000 invoices that never repeat. If you find this pattern, stop the audit, call your accountant, and call your insurer the same day.
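The four Phase 1 checks above, as an added example that is not from the article: a Python pass over a constructed permission matrix, vendor master extract and payment listing (sample data, not any real brand) that reports incompatible duties, the week-three vendor flags and the week-four tail-vendor pattern. The incompatible-duty pairs and the $4k to $12k band are taken from the text; the generic-domain list is an assumption.

```python
from datetime import date
# Constructed sample data (not from the article): Phase 1 permission matrix,
# a vendor master extract and a 24-month payment listing as (vendor, amount).
USERS = {
    "bookkeeper": {"create_vendor", "edit_vendor", "raise_bill", "approve_bill",
                   "release_payment", "view_bank", "reconcile"},
    "founder": {"approve_bill", "release_payment"},
}
VENDORS = [
    {"name": "3PL Logistics", "added": date(2021, 3, 1), "bank_changed": None,
     "email": "ap@example-3pl.com"},
    {"name": "Freight Consultancy", "added": date(2025, 2, 10),
     "bank_changed": date(2025, 6, 1), "email": "billing@gmail.com"},
]
PAYMENTS = [("3PL Logistics", 18000), ("3PL Logistics", 17500),
            ("3PL Logistics", 19200), ("Freight Consultancy", 6400)]
# Permission pairs the framework treats as incompatible duties.
INCOMPATIBLE = [("raise_bill", "release_payment"), ("release_payment", "reconcile")]
GENERIC_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}  # assumed list

def sod_conflicts(users=USERS):
    """Week two: users holding both halves of any incompatible pair."""
    out = {}
    for user, perms in users.items():
        hits = [pair for pair in INCOMPATIBLE if set(pair) <= perms]
        if hits:
            out[user] = hits
    return out

def flag_vendors(vendors=VENDORS, today=date(2025, 8, 31)):
    """Week three: new in 12 months, bank change in 6 months, generic email domain."""
    flagged = {}
    for v in vendors:
        checks = [((today - v["added"]).days <= 365, "added<12m"),
                  (v["bank_changed"] and (today - v["bank_changed"]).days <= 182,
                   "bank-change<6m"),
                  (v["email"].rsplit("@", 1)[-1].lower() in GENERIC_DOMAINS, "generic-email")]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            flagged[v["name"]] = reasons
    return flagged

def tail_vendors(payments=PAYMENTS, lo=4000, hi=12000):
    """Week four: vendors paid once or twice, every amount inside the $4k-$12k band."""
    amounts = {}
    for vendor, amount in payments:
        amounts.setdefault(vendor, []).append(amount)
    return sorted(v for v, a in amounts.items()
                  if len(a) <= 2 and all(lo <= x <= hi for x in a))
```

The three functions take the sample data by default, so each can be pointed at a real export of the same shape.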

Phase 2 runs Months 2 and 3 and moves The Internal Fraud Defence System out of the spreadsheet and into the tools. Modern payables platforms compress what used to be a three-month build into about six weeks. The Ramp expense control patterns playbook documents the dual-approval thresholds, automated vendor verification, and anomaly-detection rules that catch the patterns a human reviewer misses. The Brex internal controls guide covers the distributed approval workflows and the audit trail enforcement that the segregation-of-duties control depends on. Australian operators running on Xero can pair it with ApprovalMax, Lightyear, or Dext for the approval workflow, and the configuration sits inside a weekend rather than a quarter.

Configure the bill-pay tool to enforce three rules. First, every bill under $1,000 routes to a single approver with a 48-hour timeout. Second, every bill between $1,000 and $25,000 routes to two approvers from different roles, with the wire blocked until both approve. Third, every bill above $25,000 adds a third approver and a 24-hour cool-down before release. New vendor records and banking-detail changes on existing vendors require dual approval plus a phone-call verification ticked off in the system before the next payment will release.
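The three rules above, together with the threshold and vendor-change conditions of the second control, as an added example rather than any vendor's configuration: a Python release gate that refuses to pay until approver count, role separation, raiser separation, vendor verification and cool-down are all satisfied. The bill, vendor and approval records are an assumed data model, boundary amounts take the stricter rule, and the cool-down is assumed to start at the final approval.

```python
from datetime import datetime, timedelta
# Approval policy transcribed from the three rules in the text; bills, vendors and
# approvals use a constructed data model. Boundary amounts take the stricter rule.
POLICY = [  # (amount below this, approvers required, cool-down hours before release)
    (1_000, 1, 0),
    (25_000, 2, 0),
    (float("inf"), 3, 24),
]

def required(amount):
    """Approver count and cool-down hours the policy demands for this bill size."""
    for limit, approvers, cooldown in POLICY:
        if amount < limit:
            return approvers, cooldown

def can_release(bill, approvals, vendor, now):
    """Hard-control gate returning (ok, reason).
    bill: {"amount", "raised_by", "raised_at"}; approvals: [{"user", "role", "at"}];
    vendor: {"is_new", "bank_changed", "phone_verified"}."""
    need, cooldown = required(bill["amount"])
    if vendor["is_new"] or vendor["bank_changed"]:
        if not vendor["phone_verified"]:  # call made to a website-sourced number
            return False, "vendor change not phone-verified"
        need = max(need, 2)  # dual approval on any new vendor or bank-detail change
    if any(a["user"] == bill["raised_by"] for a in approvals):
        return False, "bill raiser cannot approve own bill"  # segregation of duties
    if len({a["user"] for a in approvals}) < need:
        return False, f"need {need} distinct approvers"
    if need >= 2 and len({a["role"] for a in approvals}) < 2:
        return False, "approvers must come from different roles"
    # Assumption: the cool-down clock starts at the final approval.
    release_at = max(a["at"] for a in approvals) + timedelta(hours=cooldown)
    if now < release_at:
        return False, f"{cooldown}h cool-down runs until {release_at:%Y-%m-%d %H:%M}"
    return True, "release"

def scenario(amount=6_000, approvers=("founder", "ops"), bank_changed=False,
             phone_verified=False, hours_since_final_approval=2):
    """Constructed scenario: the bookkeeper raised the bill, the named users approved it."""
    now = datetime(2025, 8, 31, 9, 0)
    roles = {"founder": "founder", "ops": "operations", "cfo": "fractional_cfo",
             "bookkeeper": "bookkeeper"}
    bill = {"amount": amount, "raised_by": "bookkeeper", "raised_at": now - timedelta(days=1)}
    approvals = [{"user": u, "role": roles[u], "at": now - timedelta(hours=hours_since_final_approval)}
                 for u in approvers]
    vendor = {"is_new": False, "bank_changed": bank_changed, "phone_verified": phone_verified}
    return can_release(bill, approvals, vendor, now)
```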

Phase 3 runs Months 4 through 6 and addresses the BEC vector specifically. Configure your email security to flag external messages mimicking internal domains. Train every person with payables access to the four-step verification routine: pause, identify the website-listed phone number, call, confirm. Build a one-page incident-response checklist that names who to call inside the first hour if a suspected BEC payment has been released, including the bank's fraud team, your insurance broker, and the AFP cyber-crime portal at cyber.gov.au. Print it. Pin it to the wall above the bookkeeper's desk. The first hour after a BEC payment releases is the only window in which recovery is possible, and the brands that recover are the ones who knew exactly what to do in advance.

From Tenure-Based Trust to Control-Based Confidence

The shift The Internal Fraud Defence System produces is not technical. It is psychological, and it lands inside the founder's head before it lands in the system. The brand goes from trusting one person because they have been there a long time, to trusting the controls because the controls cannot be talked out of doing their job. The bookkeeper who used to feel personally accused by the introduction of a second approver discovers, six months in, that her job is easier and her risk exposure is lower. The founder who used to spend their Sunday-night review checking the bank balance for surprises stops needing to.

The new metric this framework hands you is fraud-control coverage, expressed as the percentage of your monthly payments cycle that runs through enforced segregation, dual approval, and independent reconciliation. A brand at the start of the rollout typically scores between 10 and 20 percent. A brand at the end of Phase 2 typically scores above 85 percent. The remaining 15 percent is corporate card spend, petty cash, and edge cases the framework deliberately leaves outside the structure because the friction cost exceeds the risk. Track it monthly. Report it to your board if you have one. Show it to your insurer when the cyber policy renews. The premium reduction usually pays for the fractional CFO inside the first year.

The brands that adopt this framework do not eliminate fraud risk. They compress the detection window from the ACFE-median 12 months down to inside the close cycle, which is to say they catch problems while the cash is still recoverable. The ACFE press release reporting on the same study notes that organisations with active anti-fraud controls lose roughly half as much per incident as those without, and detection happens faster. Half the loss, faster recovery, and a structure that survives the bookkeeper resigning, the founder going on leave, or a phishing email landing in the wrong inbox at the wrong moment.

The question worth asking on Monday morning is not whether your bookkeeper is honest. The question is whether your payables system would stop her if she were not.
