What Treasury Professionals Need to Know About Business Email Compromise in 2025
- By AFP Staff
- Published: 8/26/2025

According to the 2025 AFP Payments Fraud and Control Survey, underwritten by Truist, business email compromise (BEC) was the most common method used in attempted or actual payments fraud in 2024. Despite growing awareness, these scams remain remarkably effective. The reason, explained Roderick Brown, Senior Vice President of Wholesale Payments Fraud Control Solutions for Truist, lies in their simplicity and psychological manipulation.
“Technology alone can’t always prevent these types of attacks,” said Brown. “That’s why it’s critical for organizations to minimize opportunity through layered security, strong payment verification processes and comprehensive training programs.”
Unlike other forms of cybercrime that exploit technical flaws, BEC targets people. “Bad actors aren’t going after systems — they’re going after individuals,” he said. “They gain access to data by exploiting human vulnerability, especially when the right controls are missing. That’s why it’s essential to educate not only internal teams but also clients and partners.”
And while security tools continue to improve, so do fraud tactics. Given the rapid evolution of technology, organizations find themselves continuously trying to catch up. Brown cautioned that until effective mitigation tools and practices become more widespread, instances of fraud are likely to continue rising.
How ISO 20022 factors in
With most business communication still happening over email — and wire transfers remaining a top target for BEC — some in the industry are asking whether the growing adoption of the ISO 20022 standard could help curb this type of fraud.
“Adoption of the ISO 20022 is a major step forward,” said Brown. ISO 20022 will lead to improvements in the speed, efficiency and transparency of payment processes. It will also actively reduce costs by streamlining some processes, as well as enhancing reporting and analytics capabilities.
“But the root cause of BEC lies within social engineering and human manipulation,” he said. “And as long as we're leveraging those channels, there will be vulnerabilities.”
Wires remain vulnerable
After a brief shift in 2023, wire transfers once again became the primary payment method targeted by BEC attacks — though ACH credits continued to see high levels of fraud as well. This raises an important question: Will wires remain the top target, or are fraudsters simply pursuing whichever method presents the easiest opportunity?
“Wires are still vulnerable because usually the dollar amount of the transactions is a lot higher than any of the other types of payment modalities — and they're usually first and final,” said Brown.
While a drop-off in BEC activity targeting wire transfers isn’t expected in the near term, ISO 20022’s enriched data and reporting requirements offer more consistency and structure, making it easier to detect anomalies and flag suspicious activity.
Why larger organizations are being targeted
Beyond the seemingly obvious financial reasons why the majority (66%) of BEC attempts occur within organizations with annual revenues of at least $1 billion and more than 100 payment accounts, Brown said there are more intricate reasons why fraudsters are targeting the “big fish.”
“Fraudsters are leveraging their inherent operational complexities,” said Brown. Larger organizations must contend with a combination of multiple departments, subsidiaries and business units, plus more than 100 payments accounts and extensive networks of vendors and partners, thereby creating complex workflows and distributed accountability.
The heightened transactional noise and complex payment structures within larger organizations make it easier for fraudsters to home in on specific gaps in the operational model. “There’s no one person who is privy to everything that's going on,” he said.
Bad actors exploit these complexities through tactics such as impersonation, deepfakes, business identity theft and vendor compromise schemes. And the bureaucratic layers, technology constraints and slower decision-making processes further add to the vulnerability of larger organizations, as these things can delay the rollout of fraud prevention tools or policy changes.
“It creates a window of opportunity for fraud,” said Brown. “While larger organizations may have more resources, they don’t always have the agility or funding flexibility to respond as quickly as the threat evolves.”
“So many companies have all these structures and levels of approval in place to protect themselves, but if fraudsters are taking advantage of that, then there probably needs to be some change in the training as well,” said Andrew Deichler, Director of Enterprise Payments Practice, AFP. “So much of this is important, but if that's also creating its own weakness … are companies aware of that?”
Brown is seeing that companies are becoming more aware. “They're becoming more vigilant and making sure that they have the right educational platforms in place, and that their clients are educated also,” he said.
Collaboration is a critical part of your defense.
At the same time that fraud tactics are evolving, employee awareness is growing. In the AFP survey, 60% of respondents reported an increase in vendor impersonation, and 63% identified third-party impersonation as the most common.
“Cyber criminals are becoming more sophisticated, and they're shifting toward more nuanced tactics,” said Brown. Vendor impersonation is one example, underscoring the need for stronger controls around vendor verification. “As much as we want to trust our vendors, they may have vulnerabilities we don’t see.”
That’s why organizations must focus not only on verifying vendors but also on understanding the security practices of those third parties. Minimizing access points, closing security gaps and keeping up with modern tools and training are all part of a collaborative approach to reducing risk.
AI is a double-edged sword
AI can make scams more believable — and it's a critical tool in the fight against fraud. “Fight like with like,” said Brown. “If bad actors are using AI, we need to make sure we're leveraging those tools to combat fraud.”
Despite the growing complexity of fraud tactics, Brown predicts the industry will eventually reach a new equilibrium, driven in part by the same AI technologies that fraudsters exploit today. “AI tools will be leveraged to help diminish some of the fraud associated with AI itself,” he said. “But they’ll need to evolve alongside the shift toward faster payments.”
To keep pace, organizations will require more real-time detection capabilities, behavioral analytics and benchmarking data to spot anomalies as they occur. That includes understanding what AI-generated fraud looks like and how to recognize it early.
“As a product developer, I’m actively exploring what types of tools are available and the kind of scalable automation we need to build,” Brown said. “It’s about finding the right solutions to both detect fraud and mitigate it in a rapidly changing environment.”
Losses from fraud are more than financial
The greatest and most immediate loss from BEC scams is financial, with wires topping the list. “These are often high-dollar transactions, and recovery isn’t always possible,” said Brown.
But the ripple effects reach beyond the financial. Vendor impersonation scams can result in legitimate payments being delayed or missed, causing breakdowns in service delivery or production.
“A BEC incident can severely damage trust with vendors, clients and stakeholders, especially if the breach becomes public or is shared with the industry networks,” said Brown. Depending on the nature of the breach, companies could also face legal and regulatory repercussions, including fines and heightened scrutiny if sensitive data is compromised.
The internal toll shouldn’t be overlooked either. A BEC incident can expose weaknesses in technology infrastructure and strain internal teams already working to maintain system integrity.