New treasury pro survey shows fraud's penetration into US financial services


Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

There’s hope in them thar hills… or, at least, with some of the responses showing dips among several new peaks in one of the US financial service arena’s largest and longest running annual payments fraud surveys.

These insights from treasury colleagues across the country might not be worth their weight in gold. In fact, though the results include mostly bad or ‘not great’ news, they are probably worth much more than a few ounces of precious metal to corporate treasurers, finance teams, accounts payable directors, fintech leaders and managers, and of course, banks and credit unions.

Payments fraud in 2024, as reported in the findings of the 2025 AFP Payments Fraud and Control Survey, was down overall vs. the previous year - by a narrow margin. Meanwhile, “classic BEC” (Business Email Compromise) scams may be declining – even if they’re just morphing into other forms.

However, with that sliver of hope comes more news on just how harmful financial fraud is and can be to those who are targeted and lose billions every year to the criminals. These statistics and comments from financial professionals illustrate just how creative and persistent financial fraudsters have become in the US, and across the globe.

Chris Ward is EVP and head of enterprise payments for Truist, one of the largest US banks and the underwriter of this year’s survey for the Association for Financial Professionals (AFP), the certifying body for treasury and finance professionals in the US and Canada. He sat down with Finextra for a conversation on the highlights, lowlights, and lessons to learn from the 2025 outreach’s results.

Fraud’s a moving target, even as FIs, the industry, and law enforcement try to stay ahead

Given the constantly changing landscape of financial fraud, amidst efforts to prevent it at individual institutions, within the industry, and at all levels of law enforcement, Ward explained, it’s not really a ‘fair fight’ at all. “There are so many factors that the fraudsters are good at adapting to that we're all trying to adapt to, to help prevent fraud. It's an asymmetrical war. We've got to try to prevent every transaction that the fraudsters can get through the (protection/monitoring) process. The fraudsters just have to get one of them through (to be successful.)”

This year’s AFP fraud survey, conducted in January, 2025, received 521 responses from treasury professionals. Of those polled, just over half (56%) work for organisations exceeding $1 billion in annual revenue, while about 29% of respondents came from companies between $100 million and $1 billion in sales. 14% were employed by smaller firms. The mix of respondents was weighted more to privately held companies vs. public firms (43% to 36%), though the sample also included 21% in total from nonprofit and government-controlled organisations. A wide range of company types was included, with the largest shares of responses coming from treasury practitioners in manufacturing (14%), banking/financial services (14%), and health care and social assistance and insurance – each at 7%.

It’s important to also note that the transactions handled by responding firms lean much more toward business and commerce. 69% of organisations polled work primarily with business transactions when making payments, and 50% receive payments mostly from other businesses. There were respondents that reported their payments split between business and consumer payables/receivables transactions (just below and above 30%, respectively), and as for the number of payment accounts maintained (indicating likely complexity and possibly the level of sophistication of their payments organisations), a relatively even number of professionals responding said their teams either managed fewer than five accounts or more than 100. That said, 42% in combined categories reported managing between five and fifty accounts. So, indeed this was a very broad collection of survey respondents in terms of their comparative size, payments applications, and banking structures.

Key survey stats and analysis: Overall fraud (very) slightly down, while individual categories increased

  • 79% of respondents to this year’s survey reported actual or attempted payments fraud impacted their organisations over the past twelve months. That’s down from 80% in 2023, but not much, and the recent trend is still worrisome, as the reported figure was only 65% in 2022.
  • Wire transfers once again are the most frequently targeted payment types for fraudsters using Business Email Compromise tactics.

These secure and practically irrevocable payments are typically much higher in transaction value, so what has been called “elephant hunting” for the high prizes available to enterprising criminals continues to be a prominent activity in this payment channel.

  • Business Email Compromise is still a major threat, cited by 63% of respondents, but some of the ‘classic’ forms of this fraud method are being replaced with others. Sometimes, companies report that a combination of efforts, from emails to phone calls, phishing and vishing, and a variety of nefarious tools, has been part of fraud attempts, or successes, against their organisations.
  • Spoof emails from supposed executives demanding immediate transaction initiation and approval for ‘urgent’ company or client payments, yet attempts using such tactics are still being reported by 79% of respondents.
  • Vendor impersonations – where a falsified email, and sometimes a phone call or letter, requests a change in banking information be applied to a vendor’s account - increased to 60% of all respondents.
  • Invoice fraud – either falsifying or counterfeiting invoices and submitting them for payment in hope they’ll be missed by harried or slipshod accounts payable teams – is rising in popularity, now reported by 24% of organisations.

On the BEC front, there has been progress, said Truist’s Ward, emphasising increased validation of requests to change payee or invoice details. “Account verification services are really helping, if you take advantage of them as a corporate (to) validate the information that you're provided.”

Especially in large organisations, automation of fraud detection, for example with “the constant use of machine learning” and similar tools, is common, though nothing replaces human intervention and common sense. “When your bank calls and says, ‘Hey, we think that something doesn't look right,’ don't just automatically think, no, no, no, it's a legitimate transaction, let it go. Actually take some time and say, ‘Wait a minute. Why are they calling?’” Ward suggests for addressing questionable transaction situations.

“I tell people all the time, ‘take a minute,’ because though the payment might be important, taking a few minutes to make sure it's right,” is the right thing to do.

  • ACH credits and debits are high on the list for fraud attacks on this year’s survey, both increasing as a percentage of respondents’ total fraud experienced, with 38% reporting debit attacks and 20% reporting credit attempts using them, vs. only 33%/19% of respondents in 2023. That’s no big surprise, as ACH is the principal electronic payment rail for businesses and other commercial entities. Also, limits on value for standard ACH transactions have been largely eliminated, and with the advent of same-day ACH transactions with limits up to $1 million, there are now extremely short windows for execution on potentially very high value transfers from one party to another – an attraction to fraudsters.
  • Cheques are not going away anytime soon in American business (as most have expected for about the past 30 years, to no avail), and they actually increased in usage over the past year, per the survey’s respondents. The reported percentage of fraud perpetrated by cheque held steady at 65% for 2025, and “more than 75% of organisations currently have no plans to reduce cheque usage in the next two years,” says AFP.

It’s a surprise to Ward and many others, that cheques continue to persist as the single most popular payment type for businesses, despite their associated fraud risks. “Even with the amount of stolen mail and other things that are going on, there still isn't that big of a push associated with eliminating checks and going to more electronic forms of payment.”

Given that cheques are very susceptible to all sorts of threats, including being raised in amount (especially if handwritten), chemically washed to allow changes in amount or payee, or simply counterfeited with fake paper stock and account numbers, it’s amazing to many payments experts (and not in a good way) that they’re still small business and corporate favorites.  

“Even to this day,” Ward explains, “the number of people (notably commercial entities) who don't use Positive Pay (bank-provided product to help protect against cheque fraud) or ACH Debit Block (helps prevent electronic debits for illegitimate purposes) is still quite high.” Ward likened this situation to insurance, and how customers might not actually take out a protection policy until after an event occurs. Then, as he said, comes the ‘wake-up call’ for affected businesses, except the incurred loss of money, time, or both might far outweigh what the proactive coverage expenses would have been.

  • What about Cards? They’re ubiquitous in American business now, with applications and formats ranging from corporate and commercial credit cards (21% reported fraud attempts/losses in 2024) to virtual cards (5%). Both of these reporting percentages are up only slightly from 2023’s survey.

We asked why business credit cards seem to be lower on the priority list for fraudster attacks, and Ward explained a few possible reasons. “When you think about how cards are used, with the controls that are placed on them,” it makes sense they would be a bit less prone to attack, or loss, he said.

“Some are one-time use; some include restrictions on where you can use the card.” He noted that most corporate programs and business card accounts have a stricter set of rules and procedures governing their approved usage, which, he said, “really does help control fraud. Yet, there's fraud in every payment rail. If you're paying somebody that you should be paying, you give them a card (or number), right? It (fraud) can still happen, but, there's just a different set of controls that are used.”

  • Recovery statistics gleaned from survey respondents showed that, of those that experienced payments fraud, 20% lost all funds involved, with no recovery at all, and only 22% of respondents got at least 75% back after a ‘successful’ fraud attack on their organisation. Only 12% were able to recover between 51-75%, and in total, 49% of respondents got less than 50% back.

Further, it’s likely that an even larger percentage spent hours of employee time trying to manage all the steps involved in seeking and hopefully gaining recovery from a fraud attack or loss. These ‘hidden’ costs of fraud might include expenses for responding, tracking, researching, and then designing and effecting major changes in a company’s operations, account structures, and so on.

Ward agreed that not all of the ‘true’ costs of fraud are accurately captured in the financial services world. “The costs will be different by each individual entity. But if you think about what drives success in recovery, it’s identification of the problem as fast as possible, right? If you don't figure it out right away, the chances of recovery go down quickly […] the sooner you know about the problem, the sooner that people can be mobilised and trying to recover the funds.”

After a fraud incident, he continued, “There is a lot of work associated with (post-attack recovery.) Whether it be figuring out how you got compromised, how you're going to prevent it (in the future), designing improved processes, spending time trying to do the recovery, filing reports,” and beyond. “If you think about most companies, they’re not staffed (highly enough) to take somebody offline to work on it. You could be ‘down’ 25% (just a hypothetical example) if you only had a four-person treasury staff, and one person was working on (post-attack fraud issues) nonstop.”

That, he says, doesn’t even take into account other potential costs, or new bank requirements arising from the attack, such as “whether or not you need to have your bank account shut down and reset-up with a new account number,” which might also be called for, depending on the type of fraud or compromise involved.

The best fraud defense is consistent procedures, created in advance, regularly monitored

What are the best ways, even beyond the usual prevention and awareness recommendations, for companies to help protect themselves from payments fraud? We asked Ward for his top tips for businesses and other organisations wanting to prepare their staff and systems in the most robust ways possible. While emphasising nothing is guaranteed, he listed three key steps that could make a difference:

  1. Review all your accounts to ensure the appropriate fraud controls are in place.
  2. Review your procedures to ensure they have the correct friction points to prevent gaps in security.
  3. Use tools to help detect and monitor payments, like account verification services. 

He likened these and other business payments procedures, policies, and control steps to visiting a physician for a ‘health check,’ concluding, “it’s just like you do an annual physical on your body. Do an annual physical on all of your controls and processes associated with what you do to prevent fraud.”
