Accounts payable (AP) departments are under siege

The frequency, sophistication, and financial impact of payment fraud are accelerating at an unprecedented pace.  According to the 2025 AFP Payments Fraud and Control Survey, 71% of organisations were targeted by payment fraud last year, and more than one-third of those attacks involved phony bank account change requests.

While cybersecurity teams focus on firewalls and phishing filters, AP departments are targeted through a much simpler vulnerability: trust.

This article explores how today’s fraudsters operate, why traditional controls fall short, and what best practices and technologies can help AP leaders safeguard their organisations from devastating losses.

Why the risk of fraud is rising

The risk of payment fraud isn’t just higher, it’s accelerating.

The FBI’s Internet Crime Complaint Center reported more than $3bn in business email compromise (BEC) losses in 2024, a nearly 20% increase from the prior year.

Several factors are driving this surge:

  • Dependence on email. Nearly 90% of invoice and payment communications still flow through unsecured email channels, creating endless opportunities for spoofing.
  • More sophisticated criminals. Today’s fraudsters use AI-generated text, cloned logos, and even deepfake audio to create convincing fake requests.
  • Data breaches. Stolen data fuels targeted attacks, giving scammers everything they need to impersonate real suppliers.
  • Weak or inconsistent controls. Many organisations still rely on manual verification or decentralised onboarding.
  • Limited staff training. According to PwC’s 2025 Global Economic Crime Survey, fewer than one in three finance employees receive regular anti-fraud education.

The result: AP teams face a daily balancing act between efficiency and vigilance, and criminals are exploiting that tension.

The biggest fraud threats in AP today

Across industries, five schemes dominate today’s AP fraud landscape.  Each exploits the weak points in manual AP processes and human oversight.

  1. Insider fraud exploiting manual processes. Employees with access to vendor data can manipulate bank details or create fake suppliers when there’s no audit trail.  The Association of Certified Fraud Examiners (ACFE) estimates median losses from billing fraud at $140,000 per incident.
  2. Duplicate and altered invoices. Fraudsters resubmit legitimate invoices with small tweaks, such as a new number, a slightly different date, or a changed bank account, counting on overworked staff to miss the differences.
  3. Phishing and BEC.  Attackers impersonate suppliers or executives using lookalike domains.  The FBI attributes more than $14bn in cumulative losses to BEC scams in the past five years, and AP remains one of the most common targets.
  4. AI-generated fraud techniques. Deep-fake voice calls and synthetic invoices created with AI make fraud attempts harder to detect.  These scams exploit AP’s natural tendency to trust familiar voices and document formats.
  5. Phony bank account change requests. The fastest-growing threat.  Fraudsters pose as legitimate suppliers and ask AP to “update” their banking details.  Without independent verification, payments are rerouted to criminal accounts.  AFP reports a 43% increase in these attacks over just two years, with individual losses often reaching six or seven figures.

Each of these schemes thrives on the same weakness: manual processes and fragmented vendor data.
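
As an illustration of scheme 2 above (resubmitted invoices with a new number, a slightly different date, or a changed bank account), the following added example, which is not part of the original article, compares invoices pairwise and reports which fields were altered. The record layout, the 0.85 similarity cut-off and the sample ledger are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from itertools import combinations
NUMBER_RATIO = 0.85  # assumed cut-off for a "nearly the same" invoice number

@dataclass(frozen=True)
class Invoice:  # hypothetical AP ledger record
    vendor_id: str
    number: str
    amount_cents: int
    issued: date
    bank_account: str

def normalise(number: str) -> str:
    """Fold case and punctuation so 'INV-10452' and 'inv 10452' compare equal."""
    return "".join(ch for ch in number.upper() if ch.isalnum())

def resubmission_flags(a: Invoice, b: Invoice) -> list[str]:
    """Describe how b differs from a if the pair looks like one bill sent twice."""
    if a.vendor_id != b.vendor_id or a.amount_cents != b.amount_cents:
        return []
    na, nb = normalise(a.number), normalise(b.number)
    if na == nb:
        flags = ["same invoice number"]
    elif SequenceMatcher(None, na, nb).ratio() >= NUMBER_RATIO:
        flags = [f"near-identical invoice number ({a.number} / {b.number})"]
    else:
        return []
    if a.issued != b.issued:
        flags.append("date changed")
    if a.bank_account != b.bank_account:
        flags.append("bank account changed")
    return flags

def scan(invoices: list[Invoice]) -> dict[tuple[str, str], list[str]]:
    """Compare every pair of invoices and keep the pairs that raise flags."""
    pairs = ((a, b, resubmission_flags(a, b)) for a, b in combinations(invoices, 2))
    return {(a.number, b.number): flags for a, b, flags in pairs if flags}

LEDGER = [  # constructed sample ledger, not data from the article
    Invoice("V-1001", "INV-10452", 1_250_000, date(2025, 3, 3), "ACCT-ON-FILE"),
    Invoice("V-1001", "INV-10452A", 1_250_000, date(2025, 3, 5), "ACCT-NEW"),
    Invoice("V-1001", "INV-20977", 1_250_000, date(2025, 4, 3), "ACCT-ON-FILE"),
    Invoice("V-2002", "inv 10452", 1_250_000, date(2025, 3, 3), "ACCT-OTHER"),
]

if __name__ == "__main__":
    print(scan(LEDGER))
```

A flagged pair is a prompt for review before payment, not proof of fraud; the pairwise comparison is quadratic, so a production check would first group invoices by vendor and amount.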

How phony bank account change schemes work

These scams are frighteningly simple and effective.

Fraudsters start by submitting a fake change request.  Sometimes they hijack a supplier’s legitimate email account; other times, they use a nearly identical domain name and a professional-looking message.

Next, they wait for AP to route payments to the wrong account.  Because the email looks authentic and may include correct invoice references, the change often goes unquestioned.

The result?  Payments intended for real suppliers are deposited into fraudulent accounts, often overseas and impossible to recover.  The FBI IC3 puts the average loss per incident at $125,000, and recovery rates remain below 20%.

The most alarming part: no hacking is required.  These crimes depend on social engineering, exploiting human trust rather than breaking through technical defences.

Why this is an AP problem, not just an IT problem

Payment fraud is not a cybersecurity issue alone.  It’s a process-integrity issue.

Over 85% of successful payment fraud cases begin with social engineering, not hacking (Deloitte 2025 Global Fraud Survey).

Criminals know AP teams are under pressure to process invoices quickly and keep suppliers happy.  They use urgency – “we need this change to avoid late payment” – to bypass normal verification procedures.

That’s why AP is both a target and a line of defence.

Technology teams can protect the network, but AP controls protect the money.

Where traditional supplier onboarding falls short

Traditional onboarding and vendor master data processes are filled with gaps that fraudsters exploit:

  • Manual processes introduce errors and delays. 
  • No validation means fraudsters can slip through undetected.
  • Decentralised data hides red flags.
  • The absence of real-time checks against OFAC, sanctions, or TIN databases creates compliance risk.
  • Bank details collected via email make interception easy.
  • No audit trail leaves no way to trace who approved what or when.

A single misstep – an unchecked update or unverified email – can lead to catastrophic loss.

The global challenge of verification

For companies paying suppliers around the world, bank account verification is even more complex.

Different countries use different systems – IBANs, SWIFT codes, local routing numbers – making it hard to standardise checks.  Worse, only about 40% of global banking systems provide real-time verification, according to research from LexisNexis Risk Solutions.

That means AP teams often resort to manual callbacks or email confirmations, both of which can be spoofed.  The more time zones and currencies you deal with, the more exposure you have to fraud.

Manual checks: Why they don’t work anymore

For decades, AP teams relied on phone calls and email confirmations to validate supplier changes.  But as transaction volumes grow, this approach simply doesn’t scale.

No audit trail = no accountability

Verbal confirmations leave no record, making it impossible to prove compliance.

High volume overwhelms staff

Each manual check takes 15–30 minutes.  Multiply that by hundreds of requests, and something will inevitably slip through.

Human errors are unavoidable

Under pressure, even experienced staff can miss a one-digit change or click “reply” instead of “forward.”

According to PYMNTS’ 2024 AP Efficiency Study, 58% of AP professionals admit to skipping verification steps at least occasionally due to time constraints.

The consequences of falling victim to fraud

The financial loss from falling victim to payment fraud is only the beginning.

The ripple effects include:

  • Reputational damage. Suppliers lose confidence in your controls and may demand stricter payment terms.
  • Operational disruption. Investigations, recovery efforts, and rework drain resources.
  • Regulatory exposure. Missing audit trails can lead to compliance fines.
  • Employee morale. Stress and guilt after a fraud incident can lead to burnout and turnover.

The ACFE estimates median payment-fraud losses at $150,000 per incident, but many real-world cases climb much higher.

Best practices for stopping phony bank account change requests

1. Standardise Your Bank Change Process

  • Replace ad-hoc updates with a formal, documented workflow.
  • Use a secure online portal for all supplier bank account change requests, never email.
  • Require official documentation, like a voided check or bank letter, and establish clear approval roles.

2. Verify Bank Account Ownership Independently

  • Never rely solely on supplier-provided information.
  • Use third-party data or automated tools to confirm the account belongs to the supplier’s legal entity.

3. Flag and Escalate High-Risk Changes

Not all requests are equal.  Prioritise review for:

  • High-value or high-frequency suppliers
  • International accounts
  • Requests made outside standard procedures

4. Automate the Verification Process

Automation provides the speed and consistency human processes can’t.  A typical automated workflow includes:

  • Supplier registration via secure portal
  • Structured data submission
  • Real-time validation against trusted databases
  • Automated routing for approval
  • Seamless integration with your ERP
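
One way the escalation criteria of practice 3 can be applied to a structured change request before it is routed for approval, shown as an added example that is not part of the original article. The record fields, the spend threshold, the similarity cut-off for nearly identical sender domains, and the reading of "international" as an account country that differs from the vendor record are all assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

HIGH_VALUE_SPEND = 250_000  # assumed annual-spend threshold, set by policy
LOOKALIKE_RATIO = 0.85      # assumed similarity cut-off for sender domains

@dataclass(frozen=True)
class Vendor:               # hypothetical vendor-master record
    vendor_id: str
    email_domain: str
    country: str
    annual_spend: int

@dataclass(frozen=True)
class ChangeRequest:        # hypothetical structured bank-change request
    vendor_id: str
    sender_domain: str
    channel: str            # "portal" or "email"
    account_country: str

def is_lookalike(sender: str, known: str) -> bool:
    """True when the sender domain is close to, but not the same as, the one on file."""
    sender, known = sender.lower(), known.lower()
    return sender != known and SequenceMatcher(None, sender, known).ratio() >= LOOKALIKE_RATIO

def triage(req: ChangeRequest, vendor: Vendor) -> tuple[str, list[str]]:
    """Return ("escalate" or "standard", reasons) for one bank-change request."""
    reasons = []
    if req.channel != "portal":
        reasons.append("outside standard procedure: not submitted via portal")
    if req.sender_domain.lower() != vendor.email_domain.lower():
        kind = "lookalike" if is_lookalike(req.sender_domain, vendor.email_domain) else "unknown"
        reasons.append(f"{kind} sender domain: {req.sender_domain}")
    if req.account_country != vendor.country:
        reasons.append("international account: country differs from vendor record")
    if vendor.annual_spend >= HIGH_VALUE_SPEND:
        reasons.append("high-value supplier")
    return ("escalate" if reasons else "standard", reasons)

# Constructed sample data (not from the article).
ACME = Vendor("V-1001", "acme-supplies.example", "US", 480_000)
SMALL = Vendor("V-2002", "smallco.example", "US", 12_000)
SPOOFED = ChangeRequest("V-1001", "acrne-supplies.example", "email", "HK")
ROUTINE = ChangeRequest("V-2002", "smallco.example", "portal", "US")

if __name__ == "__main__":
    for req, vendor in ((SPOOFED, ACME), (ROUTINE, SMALL)):
        print(req.vendor_id, *triage(req, vendor))
```

A "standard" result only decides the review queue; independent ownership verification under practice 2 still applies to every change.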

Automation: The first line of defence

Automation transforms supplier verification from a reactive control to a preventive one.

By verifying every payment automatically, organisations eliminate human error and reduce fraud attempts by more than 60%, according to AFP.

Every action is time-stamped, every approval logged, and every verification documented.  This creates a permanent audit trail that auditors love, and fraudsters hate.

It’s not just about efficiency; it’s about confidence.

What to look for in a verification solution

When evaluating automated bank account verification tools, look for:

  • Seamless ERP integration
  • Support for international bank accounts
  • Real-time ownership validation
  • Built-in alerts and escalation for mismatches
  • Comprehensive audit documentation

These capabilities are essential components of a secure, scalable supplier network.

The bottom line

Phony bank account change requests are one of the most preventable, yet costly, types of payment fraud.  Manual controls can’t keep up with the pace, scale, and sophistication of today’s threats. By standardising processes, independently verifying ownership, flagging high-risk changes, and automating verification, AP leaders can protect their organisations, their suppliers, and their reputations. 

Phil Binkow, CEO, Financial Operations Networks