US bookkeepers with a global reputation Client Login ›

News

How AI Is Supercharging Business Payment Fraud — and 7 Controls That Stop It

Payment fraud is not new, but artificial intelligence has made it dramatically more convincing — and far more common. According to the FBI's Internet Crime Complaint Center, business email compromise (BEC) alone caused roughly $3 billion in reported losses in 2025, part of more than $20 billion lost to these schemes since 2015, with an average loss north of $120,000 per incident. A growing share now has a confirmed AI component. The good news: the defenses are well understood, inexpensive, and entirely within reach of a small business. Here is how the modern scams work and the controls that stop them.

How AI Changed the Game

For years, fraudulent payment requests were easy to spot — broken grammar, odd phrasing, a sender address that didn't quite match. Generative AI erased those tells. A large language model can now draft a flawless email in your CEO's exact tone, reference real projects it scraped from public sources, and reply instantly when questioned. Voice-cloning tools can put a familiar-sounding voice on the phone to "confirm" a wire. Free websites generate realistic fake receipts and invoices in seconds, and AI can spin up an entire fake vendor — website, W-9, articles of incorporation, even a staffed-sounding phone line. The barrier to committing convincing fraud has essentially collapsed.

The Three Scams Every Business Owner Should Know

1. Executive impersonation (BEC). You receive an urgent message that appears to come from the owner, CEO, or CFO asking you to send a payment or change wiring details. It may include a realistic-looking email thread for credibility. The urgency and authority are the manipulation.

2. Vendor and invoice fraud. A criminal impersonates a real supplier and emails a legitimate-looking invoice — or, more dangerously, a "banking update" asking you to send future payments to a new account. One approved change can redirect months of payments to a fraudster.

3. Doctored receipts and expense fraud. Internally, AI has made it trivial to fabricate or alter receipts, inflating expense reports or creating a paper trail for payments that never should have happened. What used to require Photoshop skill now takes a few clicks.

The 7 Controls That Actually Stop It

1. Dual authorization on payments. Require two people to approve any wire or ACH above a set threshold. A single compromised inbox should never be able to move money alone.

2. Call back to verify — on a known number. Any request to send a wire or change bank details gets confirmed by phone using a number you already have on file, never the number or link in the message. This one habit defeats most BEC attempts.

3. Lock down banking-change requests. Treat every vendor request to change bank account or routing information as high-risk. Verify it out-of-band, in writing, with a named contact, before anything is updated.

4. Keep a clean vendor master file. A tidy, validated vendor list is your first defense. Vet new vendors before adding them, watch for red flags like a P.O.-box address or a bank account shared with another "vendor," and review the list regularly.

5. Ask your bank about Positive Pay and ACH filters. These bank services flag checks and ACH debits that don't match a pre-approved list — a powerful, low-cost safety net most small businesses never turn on.

6. Separate duties. The person who enters vendors shouldn't be the same person who approves payments and reconciles the bank account. Separation makes both internal and external fraud far harder to pull off unnoticed.

7. Reconcile every month, without exception. The fastest way to catch a fraudulent payment is a timely bank reconciliation performed by someone independent. Fraud that hides for months in neglected books becomes catastrophic; fraud caught in days is often recoverable.

What to Do If You've Been Hit

Speed matters enormously. Contact your bank immediately to attempt a recall — wires and ACH transfers can sometimes be reversed within a narrow window. Report the incident to the FBI's IC3 (ic3.gov); its Recovery Asset Team has helped freeze fraudulent transfers when notified quickly. Then preserve the evidence and review how the request bypassed your controls, so the same door can't be used twice.

How VarStan Helps

Strong books are your best fraud defense, and that is exactly what we build. As part of our CPA-led bookkeeping, we help clients put practical controls in place — dual approvals, verification habits, clean vendor files — and we reconcile every account monthly so a fraudulent payment surfaces in days, not at tax time. You don't need an enterprise security budget to be resilient; you need disciplined processes and a second set of expert eyes on your money. If you're not sure where your payment process is exposed, that is a conversation worth having before a fraudster starts it for you.