As fraudsters continue to innovate and develop new techniques targeting businesses, organizations must remain vigilant to deter threats.

According to the Association of Financial Professionals’ (AFP) 2018 Payments and Fraud Control Survey, 78% of companies were victims of payments fraud in the previous year. AFP’s President and CEO Jim Katz, commenting on the study, said “It is alarming that the rate of payments fraud has reached a record high despite repeated warnings.”

Clearly, greater overall awareness on the part of business owners of new forms of fraud and advancements in anti-fraud technology has not deterred attackers. “Bad actors” have been keeping pace and continue to develop new tactics. In this environment, businesses need to remain vigilant, understand and anticipate scams, and better prepare themselves to deter threats.

Vigilance is especially critical for smaller organizations that may not have the level of resources to dedicate to fraud control that larger companies can deploy. Fraudsters are well aware of this, evidenced by their gradual shift from targeting larger organizations to victimizing smaller ones.

What are the sources of fraud?

The AFP survey identified four principal forms of fraud:

  • Check fraud
  • ACH debit fraud
  • Wire fraud
  • Business email compromise

Seventy percent of organizations experienced check fraud in 2018, per the survey, a slight decrease from 2017, but still far and away the most common form of payments fraud. Despite the rise of new payments technologies and predictions of the demise of paper checks, they remain the most popular payment method for business-to-business transactions. This makes checks an attractive target for fraudsters. As the survey notes, however, “The decline in check fraud activity has been offset by the increase in payments fraud via wire transfers and ACH debits and credits.”

Reflecting this shift from paper to electronic fraud, the level of ACH credit fraud has quadrupled over the past decade, rising from 4% to 20% of organizations affected. Similarly, fraud via ACH debit has also continued to rise, reaching 33% in 2018. A further 45% of organizations experienced wire fraud incidents in 2018.

Perhaps the biggest new threat to emerge in recent years, however, is business email compromise (BEC) and its cousins, vendor impersonation and executive impersonation. These relatively new forms of fraud can be the product of hours of painstaking research by bad actors. Instead of sending phishing emails to random addresses, cybercriminals select the business they wish to target, use readily available digital sources to identify out the names of core executives or vendors, then target a victim within the business who manages finances. They then create a fraudulent email to trick the victim into initiating one or more wire transfers.

Vendor impersonation fraud can be particularly damaging because of the time gap between invoice and notification. Often this fraud is only uncovered after the money has moved through several financial institutions, making recovery nearly impossible. Businesses that can alert their financial institution to BEC fraud and get them involved in the early stages can increase the likelihood of recovering funds. When a vendor changes banking information, calling to verify the new information can also help avoid problems down the line.

BEC scams can come from within or outside the organization. They may be as simple as an email purported to be from an executive requesting funds, or an “employee” requesting a change in direct deposit information that can result is several thousands of dollars in losses. As is the case with verifying changes in vendor information, making an extra phone call to confirm requests or changes is a best practice.

The percentage of companies falling prey to BEC scams has risen alarmingly in recent years, from 64% in 2014 to 80% in 2018, according to the AFP. Many organizations are aware of this type of fraud and have implemented additional controls and training to protect themselves from becoming victims, but BEC fraudsters continue to innovate.

The Potential Impact of Fraud

Beyond the financial losses incurred as a result of payments fraud, businesses should consider its nonfinancial impacts, which have the potential to be substantial. They can include damage to the organization’s reputation, the exposing of confidential information and significant costs resulting from clean-up efforts.

So what can you do to minimize the effects of fraud, avoid significant outlays of money and time, and enjoy greater peace of mind?

  • Stay up to date on the latest attack schemes. Fraudsters are notoriously resourceful and skilled at exploiting any weakness. Understanding where and how new attacks may emerge can help you better anticipate and adapt
  • Invest upfront in training and controls. When employees and IT teams are armed with knowledge in advance, attacks are less likely to succeed.
  • Encourage your employees to be skeptical of requests than seem unusual and report any time they think they may have received a phishing or impersonation attempt

Communicate with your financial institution the moment you suspect fraud may have occurred. The earlier they can respond, the less likely you are to suffer financial or reputational damage.

Download Article (PDF)>


This article is for informational purposes only and is not intended as an offer or solicitation for the sale of any financial product or service. It is not designed or intended to provide financial, tax, legal, investment, accounting, or other professional advice since such advice always requires consideration of individual circumstances. Please consult with the professionals of your choice to discuss your situation.


Share this page

If you are interested in sending this page to a friend or relative, please enter the following:

* Indicates required fields
+ Add another

No personal information (including e-mail addresses) about you or your friend will be collected from this e-mail notification feature offered by M&T Bank.

Please Note:

By clicking "ok" below, you will leave and enter a Third-Party Website.

Please note that:

  • The Third-Party Website is governed by a different set of terms and conditions and privacy policy than and you should review those terms, conditions and privacy policy prior to reviewing the content of the Third-Party Website
  • M&T is providing a link to the Third-Party Website as a convenience and does not necessarily control the content of, or endorse, the Third-Party Website, it's owner/operator or any information, products or services that are made available on or through it
  • M&T makes no representations or warranties regarding the information, products or services provided through the Third-Party Website

Such Third-Party Website's owner/operator may be regulated by governmental entities and laws that are different than those that regulate M&T.