All Insights

40% of Employees Are Using AI to Fake Expense Receipts. Your Copilot License Is Paying For It.

CivSafe Team·June 28, 2026·6 min read

A survey dropped last week that should be sitting in the inbox of every operations lead, finance manager, and executive director running a small organization.

Emburse, an expense management platform, hired an independent research firm to survey 2,000 professionally employed adults — 1,000 in the US, 1,000 in the UK — in May 2026. They asked whether employees had used AI to generate fake expense receipts.

The US number: 40 percent. Four in ten employees admitted to it.

The UK number was lower — 29 percent — but in both countries the pattern was the same: AI has made expense fraud trivially easy, fast, and surprisingly normalized. And here's the detail that made us stop: of the US employees who used AI to fake receipts, 40% did it using company-funded AI tools.

You gave your team Copilot. Or ChatGPT Enterprise. Or a Claude subscription. And 40% of the people who committed AI-assisted expense fraud used the AI access their employer paid for to do it.

How We Got Here This Fast

The speed of this is what's genuinely alarming. AppZen, an enterprise AI platform that processes expense claims, tracked what percentage of their flagged fraudulent receipts were AI-generated over time. In March 2025: zero percent. By mid-May 2026: 70.8 percent. That's a 14-month window. That's how fast a completely new fraud vector materialized.

The mechanics are obvious once you see them. A realistic-looking receipt used to require either a scanner and some Photoshop skills, or the willingness to risk getting caught with an obviously doctored document. Now you describe a vendor, an amount, and a date to a language model, and you get something that looks like it came off a point-of-sale terminal. Not perfect — but good enough to pass a tired finance coordinator approving a stack of forty submissions on a Friday afternoon.

The Emburse survey broke down the behavior types: 19% fabricated a purchase that never happened, 15% inflated the value of a legitimate expense, and 6% recreated a receipt for something real that they'd lost. That last category is the one where employees probably rationalize the most — "I really did spend the money, I just can't find the original." But all three types are fraud. And finance teams in small organizations usually don't have the bandwidth to catch any of them.

Why Small Orgs Are Especially Exposed

The AppZen data tracked enterprise-scale companies — 745 employees across 174 firms claiming a combined $148,000 in fabricated reimbursements in a single detection window. That's an average detection, not a ceiling. For large organizations, a detection platform like AppZen or Ramp's AI-powered AP tool (which flagged over a million dollars in fraudulent invoices within 90 days of deployment) is becoming standard infrastructure.

For a 15-person NGO or a 40-person public-sector team, it's not. Your expense approval process is probably one person reviewing receipts in a spreadsheet, with a secondary sign-off from a director who trusts that the first review happened properly. There's no statistical sampling. There's no AI receipt-authenticity detection layer. If someone submits a plausible-looking receipt for $85 worth of conference supplies that didn't exist, it gets paid.

This isn't a knock on small org finance teams — it's a reflection of the resource reality. But the fraud vector has scaled dramatically while the detection capacity has stayed the same.

The survey also surfaced something that matters for how you think about the root cause: 51% of US respondents and 45% of UK respondents reported incurring overdraft fees, late-payment charges, or credit card interest while waiting for expense reimbursement. That's real financial stress. The people most likely to rationalize a fraudulent receipt are the ones who are already absorbing the cost of slow reimbursement cycles. If your organization's expense process runs four to six weeks, you've created a condition where some staff are essentially float-financing the org's costs out of their own accounts — and some of them are solving that problem in ways you wouldn't sanction.

This isn't an excuse for fraud. But it is a structural issue that you can actually fix.

Three Things to Do Before Month-End

Shorten your reimbursement cycle. If you're running monthly expense cycles, move to biweekly. If you're running biweekly, consider immediate-approval for small claims under $50. The financial stress driving rationalized fraud is real — and it's a problem you can actually remove. This doesn't require new software. It requires a policy decision.

Update your expense policy to name AI-generated documents explicitly. Many staff genuinely don't know whether recreating a lost receipt with AI constitutes fraud. The answer is: it does. Your expense policy needs to say that clearly. A one-paragraph update that addresses AI-generated receipts — whether used to fabricate, inflate, or reconstruct — removes the ambiguity that some employees are currently exploiting. It also establishes unambiguous grounds for discipline if you later discover a problem.

Add one meaningful audit step for amounts over your threshold. You don't need enterprise expense management software to add friction. Pick a dollar amount — $75, $100, whatever fits your org — and require any single expense over that threshold to include a photo of the receipt at point of purchase (timestamp visible), plus a second approver sign-off. The photo with a live timestamp is the specific friction that defeats AI-generated fakes: the model can create a plausible receipt, but it can't retroactively put your employee at the restaurant on the date they claim. This won't catch everything, but it will catch most of it.

Communicate, don't just audit. The survey data suggests most of this isn't organized, sophisticated fraud — it's normalized opportunistic behavior that's spreading because it's easy and the risk of detection seems low. A team conversation that acknowledges AI-generated receipt fraud exists, explains that the organization is aware of it, and states clearly that it will be investigated and treated as termination-level misconduct changes the perceived risk calculation for most people. You don't need to announce that you caught someone. You need to announce that you're paying attention.

The Bigger Picture

The Copilot license and the ChatGPT subscription weren't supposed to create new attack surfaces inside your organization. But that's what's happened. The same generative capability that drafts board reports and summarizes grant applications also fabricates convincing expense documentation.

There's no AI tool that checks whether it's being used ethically before it helps you fill in a form. The accountability layer has to be organizational — policy, process, and culture. And right now, most small orgs are behind on all three when it comes to this specific risk.

The good news: you don't need a forensic accounting firm to start closing this gap. You need a policy update, a reimbursement cycle review, and one extra approval step. That's a week of work for most finance leads, and it addresses a fraud vector that just became significantly more accessible to your entire workforce.

We're seeing this come up in sprints with organizations that recently deployed AI tools and haven't thought through the internal use-case implications. If your AI rollout has been primarily focused on external efficiency gains, this is worth adding to the internal risk conversation.

CivSafe — Strategic Innovation. Community Impact.