What are the payments fraud trends to watch for in 2026? Email-based fraud continues to rise, check fraud remains stubbornly persistent and newer tactics, such as deepfake impersonation, are beginning to emerge.

The most telling insights into these trends come from what organizations are actually experiencing. Below are real-life scenarios shared by respondents to the 2026 AFP Payments Fraud and Control Survey, underwritten by Truist. They are lessons learned the hard way about how fraudsters exploit familiar processes and small breakdowns in verification.

Email fraud remains the most common and effective method of attack

Business email compromise (BEC) continues to be the most prevalent form of payments fraud, affecting roughly three-quarters of organizations, according to AFP’s survey. Its effectiveness comes from how closely it mirrors legitimate business activity.

In one survey respondent’s case, a fraudster infiltrated a vendor’s email account and began sending legitimate-looking messages to request updated banking details. The documentation appeared valid, and the request followed their processes, so the payment was initiated. But it was ultimately rejected by the receiving bank, allowing the organization to recover the funds.

In other instances, the outcome was less favorable. One organization issued three payments totaling $150,000 after receiving what appeared to be a routine request from a trusted vendor. The fraud was discovered later — and only $915 was recovered.

Even when controls exist, they’re not always followed. Several incidents involved teams bypassing callback verification procedures or relying on email-based confirmation, sometimes using the same thread that initiated the request.

Check fraud persists despite the shift toward electronic payments

Despite the shift toward electronic payments, check fraud remains a significant and evolving risk. Survey data and external reporting point to a rise in mail theft and check washing (in which fraudsters intercept checks, alter them or use the information to initiate additional transactions).

In one case, checks were stolen in transit, altered and successfully cashed because there were no payee validation controls in place. The organization was able to recover some of the funds, but only after the loss occurred.

In another instance, multiple checks were intercepted, duplicated and used to initiate ACH transactions. The fraud was only discovered after the account was overdrawn, underscoring how quickly these schemes can escalate.

At the same time, controls like Positive Pay continue to prove effective. Several organizations using the tool reported that fraudulent checks — some exceeding $100,000 — were identified and blocked before funds were released.

Impersonation is expanding beyond email

Fraudsters are increasingly using phone calls, text messages and even video to impersonate trusted individuals. These tactics rely heavily on urgency and familiarity.

In one incident, a fraudster posed as a banking partner, using the bank’s legitimate phone number. The request seemed credible enough to escalate. An independent verification with the bank, however, confirmed it was a fraud attempt.

In another case, a deepfake video call impersonating a CFO requested an urgent payment via WhatsApp. The fraudster may have succeeded if not for the company’s “stop, think and ask” policy that required additional validation.

Fraud is often detected through multiple signals

Detection rarely happens through just one mechanism. AFP’s survey findings show that Positive Pay, vendor notifications and bank alerts are among the most common triggers, often supported by internal reviews such as daily cash reporting.

In one scenario, a fraud attempt involving altered banking details was initially validated with a phone call, but only later identified as fraudulent when inconsistencies emerged and the actual client was contacted.

In another case, an employee questioned a suspicious invoice referencing outdated company details, including their location and a former employee. This skepticism led to further investigation, and ultimately, the discovery of a broader fraud attempt.

Fraud prevention is increasingly a cross-functional effort

Treasury may be at the center of fraud detection and response, but it is not alone. AFP’s survey data shows that effective fraud management involves coordination across accounts payable, finance, IT, legal, compliance and banking and vendor partners.

This is reflected in how organizations respond to incidents, working with banks to reverse transactions, involving law enforcement when necessary and strengthening internal controls after each event. In many cases, the most lasting impact of a fraud attempt is not the loss itself, but the changes that follow, including tighter validation procedures, improved communication across teams and employee education.

Whether it’s a vendor requesting updated banking details, a check moving through the mail or an urgent request from a senior executive, fraudsters are targeting the sweet spots where speed, trust and habit intersect. As their tactics evolve, organizations must adapt by layering controls, reinforcing verification and ensuring that both systems and people are equipped to stop, think and ask.