Author: Pratik Singh Raguwanshi, Manager, Digital Experience, LiveHelpIndia
B2B payment fraud has crossed a structural threshold. The FBI’s 2025 Internet Crime Report recorded $3 billion in business email compromise losses for the year alone, with cumulative BEC damages now exceeding $55 billion since 2013. The 2025 AFP Payments Fraud and Control Report found 79% of organisations experienced fraud or attempted fraud last year. The figure that keeps CFOs awake is not the headline. It is the gap between what their B2B payment fraud controls were designed to catch and what attackers are deploying in 2026.
B2B payment fraud has moved on, and most defences have not. The controls in place at mid-market and enterprise finance teams were built around a threat model from five years ago, before generative AI made deepfake voice calls a commodity, before invoice redirection went industrial, and before authorised push payment scams could clear a wire transfer in seconds. Every business processing supplier payments at any meaningful scale is exposed to the same blind spot, and the cost of staying there compounds quietly.
How modern B2B payment fraud bypasses legacy controls
The classic BEC playbook used to be crude: spoof the CEO’s email, ask finance to wire money urgently, hope nobody calls to verify. The modern version of this B2B payment fraud pattern layers in lookalike domains, compromised real mailboxes, and AI-generated voice calls that match the executive’s actual speech patterns. The FBI’s 2025 report flagged 22,364 AI-related complaints accounting for $893 million in losses, the first time AI-enabled crime got its own section in 25 years of IC3 reporting. The defensive question is no longer whether the email looks legitimate. It is whether the entire chain of communication can be trusted.
Invoice redirection sits inside this evolution. Attackers compromise a real supplier’s mailbox, watch invoice cycles for weeks, and intervene at the moment a genuine invoice gets sent. They alter banking details, forward the modified invoice from the legitimate domain, and the accounts payable team processes it through normal channels. Nothing looks wrong because nothing technically is wrong, until the supplier calls three weeks later asking where the money went. FintechBits’ coverage of AI-driven fraud prevention systems lays out the pattern detection layer that catches these substitutions before they clear.
Vendor onboarding is the weakest link
Most B2B payment fraud losses trace back to a single moment of weak verification: either the initial vendor onboarding or a subsequent change to payment details. Attackers know this. They time their attacks to coincide with quarter-end pressure, year-end close, or vendor consolidation projects when finance teams are already overloaded. The verification standards that apply to opening a corporate bank account should apply to onboarding any vendor receiving more than a defined threshold per year, but they almost never do.
Practical onboarding controls run a defined sequence, and they are the foundation of any B2B payment fraud prevention programme. Company registration documents verified against the originating registry rather than emailed PDFs. Bank account ownership confirmed through a small test deposit or via account-verification rails. Beneficial ownership checks on suppliers above a threshold. Tax identification cross-checked against government sources. None of this is exotic. It is the same diligence applied to KYC for financial institutions, repurposed for accounts payable. The operational discipline is what differs.
Why B2B payment fraud thrives on change-of-banking-details requests
The single most exploited vulnerability in B2B payment fraud is the change-of-banking-details request. A finance team receives an email from a known supplier contact, attaching a letterhead document with new bank details, asking for future payments to route there. The email looks normal. The signature looks normal. The bank details get updated. Three months of payments flow to the attacker before anyone notices.
The control that defeats this is independent verification through a channel the attacker does not control. A phone call to the supplier’s known contact at the number on file from before the change request, not the number provided in the new request. A face-to-face confirmation when possible. A signed change form authenticated against documents collected during onboarding. The principle is simple: never confirm a request through the same channel that delivered it. The execution is where most teams fail, because the verification step adds friction and feels redundant for trusted suppliers, until it does not.
AI is now a defensive tool, not just an attack vector
The same machine learning that powers attacker toolkits sits inside modern fraud detection platforms, which is shifting the B2B payment fraud defence picture quickly. Pattern recognition across transaction history flags the request that looks normal in isolation but anomalous in context: a vendor that always invoices in dollars suddenly requesting euros, a payment amount slightly above its historical pattern, a supplier whose invoicing cadence shifts without a corresponding contract change. These signals would never reach a human reviewer’s desk through manual processes. AI surfaces them in real time.
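The three contextual signals named above (currency change, amount above the historical pattern, cadence shift) can be expressed as rule checks over a vendor's invoice history. This is an added example, not code from any fraud platform mentioned in the article; the function name, the tuple layout and the threshold values are assumptions chosen for illustration.

```python
from datetime import date
from statistics import mean, median, pstdev

def invoice_signals(history, new, z_limit=3.0, cadence_factor=2.0):
    """Compare one invoice with a vendor's history.

    history: list of (invoice_date, currency, amount); new: one such tuple.
    z_limit and cadence_factor are illustrative thresholds, not tuned values.
    """
    inv_date, currency, amount = new
    signals = []

    # Vendor has never invoiced in this currency before.
    if currency not in {c for _, c, _ in history}:
        signals.append("currency_change")

    # Amount above the vendor's own pattern, compared within one currency only.
    amounts = [a for _, c, a in history if c == currency]
    if len(amounts) >= 3:
        mu, sigma = mean(amounts), pstdev(amounts)
        # Floor the spread at 1% of the mean so flat histories are not hypersensitive.
        if amount > mu + z_limit * max(sigma, 0.01 * mu):
            signals.append("amount_above_pattern")

    # Invoicing cadence: gap since the last invoice versus the typical gap.
    dates = sorted(d for d, _, _ in history)
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    if len(gaps) >= 2:
        typical, gap = median(gaps), (inv_date - dates[-1]).days
        if typical > 0 and (gap * cadence_factor < typical or gap > typical * cadence_factor):
            signals.append("cadence_shift")
    return signals

# Constructed sample: a vendor invoicing monthly in USD at roughly 10,000.
HISTORY = [
    (date(2025, 1, 5), "USD", 10_000),
    (date(2025, 2, 5), "USD", 10_200),
    (date(2025, 3, 5), "USD", 9_900),
    (date(2025, 4, 5), "USD", 10_100),
]

if __name__ == "__main__":
    for inv in [(date(2025, 5, 5), "USD", 10_150),
                (date(2025, 5, 5), "USD", 10_900),
                (date(2025, 4, 12), "EUR", 10_100)]:
        print(inv, invoice_signals(HISTORY, inv))
```

Each signal is a reason to route the invoice to a reviewer, not a verdict; a production model would learn these thresholds per vendor from consolidated payment data.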
Implementation is the difficulty. AI models need clean transaction history, vendor master data, and communication metadata to operate effectively. Companies that bolt fraud detection onto fragmented ERP systems get noisy false positives. Those that integrate the model with consolidated payment data see meaningful catch rates. FintechBits’ analysis of how fintech companies balance AI automation with human expertise covers the calibration problem in regulated finance contexts. The Decta breakdown of the biggest payments innovations of 2026 notes that AI-driven security has moved from optional layer to default expectation across enterprise payment infrastructure.
Approval workflow is where culture meets control
Dual-approval workflows for payments above a threshold are well understood, but they are also where most B2B payment fraud incidents quietly slip through. The problem is that most of these workflows are configured loosely, with thresholds set high enough that significant fraud risk passes beneath them. A $40,000 fraudulent invoice in a workflow with a $50,000 dual-approval threshold clears with a single signature. The right threshold for any given organisation depends on its loss tolerance and transaction profile, but the default settings shipped by ERP vendors rarely align with either.
Beyond thresholds, the segregation between payment initiation and payment approval has to be real. When the same person who creates a vendor record also approves the first payment to that vendor, the dual-control principle exists only on paper. FintechBits’ piece on open banking and B2B payments covers how account verification rails are now being baked into approval workflows directly, removing some of the burden from finance teams while strengthening the underlying control.
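Both weaknesses in this section, the single signature just under the dual-approval threshold and the vendor creator approving that vendor's first payment, can be found by auditing a payment export. This is an added example, not code from any ERP product; the record fields, the names in the sample data and the 75% review band are assumptions, while the $50,000 threshold and $40,000 payment mirror the article's figures.

```python
def audit_payments(payments, vendor_creator, threshold=50_000, band=0.75):
    """Audit payments (in chronological order) for weak dual control.

    payments: dicts with id, vendor, amount, initiator, approvers.
    vendor_creator: maps vendor id to the user who created the vendor record.
    band: assumed fraction of the threshold below which single sign-off is accepted.
    Returns {payment_id: [findings]} for payments with at least one finding.
    """
    findings, seen_vendors = {}, set()
    for p in payments:
        issues = []
        approvers = set(p["approvers"])
        # Initiation and approval must be done by different people.
        if p["initiator"] in approvers:
            issues.append("initiator_also_approved")
        independent = approvers - {p["initiator"]}
        if p["amount"] >= threshold and len(independent) < 2:
            issues.append("dual_approval_missing")
        elif band * threshold <= p["amount"] < threshold and len(independent) < 2:
            # Cleared on one signature while sitting just under the threshold.
            issues.append("single_signature_near_threshold")
        # First payment to a vendor approved by whoever created that vendor.
        if p["vendor"] not in seen_vendors:
            seen_vendors.add(p["vendor"])
            if vendor_creator.get(p["vendor"]) in approvers:
                issues.append("vendor_creator_approved_first_payment")
        if issues:
            findings[p["id"]] = issues
    return findings

# Constructed sample data; users and vendors are fictional.
VENDOR_CREATOR = {"V1": "li", "V2": "sam"}
PAYMENTS = [
    {"id": "P1", "vendor": "V1", "amount": 40_000, "initiator": "ana", "approvers": ["raj"]},
    {"id": "P2", "vendor": "V2", "amount": 12_000, "initiator": "ana", "approvers": ["sam"]},
    {"id": "P3", "vendor": "V1", "amount": 60_000, "initiator": "ana", "approvers": ["ana", "raj"]},
    {"id": "P4", "vendor": "V2", "amount": 5_000, "initiator": "ana", "approvers": ["raj"]},
]

if __name__ == "__main__":
    for pid, issues in audit_payments(PAYMENTS, VENDOR_CREATOR).items():
        print(pid, issues)
```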
B2B payment fraud is not going to slow down. The economics favour attackers, the tools available to them are improving faster than most defences, and the structural weaknesses in vendor onboarding and approval workflows have been documented for years without being closed. The companies treating B2B payment fraud prevention as a continuous operational programme rather than a one-time policy update are the ones absorbing fewer losses. The cost of getting the controls right is meaningfully smaller than the cost of one successful attack at scale.
