New Study: Payment Fraud Hits 79% of Companies
Cybercriminals have zeroed in on finance, where every click can move real money. In fact, 79% of companies experienced an attempted or actual payment fraud attack in 2024, most involving manipulation of ordinary approval and payment workflows.
That’s the gist of the 2025 AFP Payments Fraud and Control Survey Report. The study also found that 63% of organizations ranked business email compromise (BEC) as the most common form of attack and that wire transfers are now the payment method most frequently targeted.
Fake invoices, vendor impersonation, and wire diversion have become the fastest-growing ways to steal company funds.
Cybercriminals Have Found a Shortcut to the Cash
The AFP findings reflect a much larger trend showing up in federal data. The FBI’s 2024 Internet Crime Report recorded more than $16 billion in cyber-enabled fraud losses, a 33% jump from the previous year. Much of that total came from BEC and vendor-spoofing scams that directly target finance operations.
Attackers have learned that exploiting payment workflows is faster and more profitable than breaking into IT systems. Wire transfers and vendor banking changes are now prime targets. Each scam depends on speed, authority, and trust inside the approval chain, the same qualities that make finance work efficiently.
The Weakest Link in the Payment Fraud Chain
Finance teams work under constant pressure and rely on speed and trust to keep payments moving. That same environment gives attackers the advantage. Modern scams use AI to craft realistic emails and vendor documents that mimic internal style and formatting, leaving even careful reviewers exposed.
Hybrid work expands the risk. Fewer face-to-face validations make it easier for fraudulent requests to slip through. In several documented cases, finance teams approved wire transfers after impersonation or compromised accounts bypassed verification protocols. The issue is no longer awareness; it’s capacity. Finance teams understand the risk but struggle to maintain the same control discipline against cyber threats that they bring to audits and reconciliations.
Real Money, Real Exposure
The financial damage now matches the scale of the risk. The FBI recorded $2.77 billion in losses from BEC across more than 21,000 incidents in 2024. Many companies never recover those funds because cyber insurance often excludes payments made voluntarily under deception. Even when coverage applies, the recovery process can stretch for months and draw investor attention to weak controls. Each incident can also disrupt liquidity planning, freezing working capital while banks and insurers investigate the loss.
Auditors now flag inadequate payables safeguards as potential material weaknesses, and boards are pressing CFOs for clearer evidence of cyber readiness. A single fraudulent transfer can erode confidence, raise compliance costs, and, for firms with thin margins or high transaction volume, erase an entire quarter’s profit.
What Finance Can Do to Shut the Door
The strongest defense begins with process, not software. Finance teams should require an independent callback or a separate-channel check for any change to vendor or banking details, and multi-step authentication should be standard for all wire approvals. Regular, joint risk reviews between finance and IT help identify new tactics before they reach the inbox.
AI tools can flag unusual payee data or suspicious payment timing, but technology only works when it supports human control. Every payment process should include at least two confirmations before funds move. Training also needs to reflect real-world conditions – rushed requests, spoofed email addresses, and subtle language cues that suggest manipulation.
“You have to create a culture of vigilance, where employees feel empowered to question suspicious transactions without fear of repercussions,” Cody Manning, Chief Sales Officer at Yooz, previously told ResourceFinancePro.
Preparing Finance for the Next Phase of Cyber Risk
Cyber risk is now a financial concern, with losses appearing alongside credit exposure and operational errors on the balance sheet. Many finance leaders are beginning to model cyber events alongside other enterprise risks, treating payment fraud recovery and exposure as part of standard forecasting. That shift is quietly redefining how organizations view control and accountability.
As Q4 planning closes out the year, attention is already turning to 2026. The focus is moving from incident response to prevention, from IT oversight to finance governance. The line between financial accuracy and financial security has disappeared. Every transaction now carries both value and risk, and the finance teams that treat cyber resilience as core infrastructure will enter 2026 in the strongest position.