
Business fraud has changed, so have the warning signs

Companies can reduce risk with stronger payment controls, employee training and quick reporting

By BOK Financial

4-minute read

KEY POINTS

  • Fraud is becoming more sophisticated and harder to detect as AI enables faster, more convincing scams.
  • Traditional red flags are no longer reliable, as fraudsters increasingly target everyday processes like payments, email communication and check usage with highly tailored attacks.
  • Companies can reduce risk by layering controls, training employees to verify requests and acting quickly, especially within the first 24 hours of detecting fraud.

Fraudsters are still using familiar tactics, but the tools behind them are becoming faster, more convincing and harder to detect—and for businesses everywhere, that spells trouble.

At some point, most companies will have someone try to steal their data, information or money, said Linda Marcum, director of treasury sales enablement at BOK Financial®. "It's not a matter of 'if,' but 'when' these days."

The risk is not limited to one type of attack, experts cautioned. Fraudsters are targeting payment systems, business email accounts, checks, login credentials and employee routines. Since many payment methods now move quickly, the window to recover stolen funds can be narrow. Moreover, the quality and scale of deception are making fraud more difficult to spot, experts said.

"AI is making scams faster, cheaper, and more convincing than ever. Fraudsters can now create emails, phone calls, texts and even voice or video impersonations that sound legitimate enough to fool busy employees," said Paul Tucker, director of information security and privacy at BOK Financial.

“The challenge in our industry is that the same technology businesses use to move faster is also helping criminals scale fraud faster. That means companies can't rely on old red flags like bad grammar or obviously suspicious messages.”
- Paul Tucker, director of information security and privacy at BOK Financial


Fraud attempts typically are aimed at employees who handle payments, vendor records, account access or financial approvals. A rushed accounts payable employee may receive a request to update vendor banking information. A controller may be asked to quickly approve a wire. A payroll employee may be told to change direct deposit instructions.

“The growing expectation for faster payments places greater emphasis on protecting individuals and organizations from fraud and scams,” said Tammy Foy, director of treasury sales at BOK Financial.

Check fraud remains a problem

Even as payments have moved increasingly online, paper checks remain a common target. A check placed in the mail can be stolen, altered or used as a template for counterfeit checks.

“The U.S. Postal Service continues to raise awareness about the number of items stolen out of the blue mailboxes and postal workers being robbed,” said Scott Edwards, director of fraud risk management at BOK Financial.

For companies that still rely on paper checks, prevention matters. "BOK Financial continually adds protections to help detect fraudulent items, but companies also need to continually review how they are protecting themselves," Marcum said.

Controls such as Positive Pay with payee name verification can help by allowing checks or ACH payments to clear only when the payment details match information the business has already provided or approved.

Business email compromise is a daily threat

Business email compromise remains one of the most damaging fraud risks for companies because it targets ordinary business activity.

A fraudster may monitor email traffic, learn how a company communicates and wait for the right moment to intervene. The criminal may send a request to update vendor payment instructions, change account information or approve a transaction. By the time the real vendor asks why payment has not arrived, the money may already be gone.

AI can make these attacks more effective by helping fraudsters write more convincing messages and tailor them to specific companies, employees or transactions.

"It used to be fraudulent emails had obvious typos and spelling mistakes and involved a prince in a foreign country," Edwards said. "Now, with AI written communications, it's much more sophisticated."

AI also can be used in scam attempts beyond email, including deepfake voice fraud over the phone and through live chats. "With AI, one person can do the work of a thousand fraudsters, so the scalability is exponential," Edwards said.

Other ways fraudsters target businesses:

  1. Account takeover: Criminals may use stolen login credentials to gain access.
  2. Mule accounts: Fraudsters may use accounts controlled by other people or businesses to receive and move stolen funds.
  3. Compromised payment cards: Stolen card numbers, expiration dates and other information may be used for unauthorized purchases or sold to other criminals.
  4. Security breaches: Unauthorized access to company systems can expose customer data, employee information, payment credentials or other confidential records.

The first 24 hours matter

If fraud is detected, time is of the essence.

Businesses should contact their financial institution as soon as possible after discovering a suspicious or unauthorized transaction. The sooner the issue is reported, the better the chance of attempting recovery, though recovery is never guaranteed. With faster payment movement, stolen funds may be transferred again before a company realizes what happened.

At BOK Financial, the fraud team will determine whether there is a way to recover funds stolen through fraud. If fraud is caught within 24 hours, there is a greater potential for recovery, Edwards said.

A company’s response plan should include clear internal steps for notifying its financial institution, escalating the matter to company leadership, involving IT or information security teams and reporting the incident to law enforcement when appropriate.

How businesses can reduce fraud risk

Fraud prevention works best when companies use both technology and internal processes. No single control can stop every attempt, but layers of protection can make it harder for criminals to succeed.

Steps to take:

  • Use multifactor authentication
  • Verify payment changes through a separate channel
  • Use dual approval for high-risk transactions
  • Segregate duties so that no single employee has control over an entire financial or operational process
  • Review access permissions
  • Use Positive Pay and ACH controls
  • Reconcile accounts daily
  • Set transaction limits and alerts
  • Train employees regularly
  • Create a fraud-response plan

Slow down the request

At its core, fraud prevention often comes down to one simple discipline: slow down when money or sensitive information is at stake.

That does not mean creating unnecessary friction for every transaction, experts said. However, it does mean identifying the moments when a mistake would be costly (a new vendor, a changed payment instruction, a large wire, a password reset, a request from an executive, a sudden change in routine) and building verification steps around them.

"The more your staff knows, the more they can help the organization identify potential threats and address them," Tucker said. "At the end of the day, combining the education and training of your workforce and investing in systems that can help identify and thwart potential fraud is your best bet in protecting your business from advanced techniques aimed at compromising data."

Learn more about Online Security at BOK Financial or call 844-517-3308 to report suspicious activity on accounts related to BOK Financial. The Cybersecurity and Infrastructure Security Agency also maintains an up-to-date list of current threats.

