Author: Kriszta Grenyo, Chief Operating Officer, Suff Digital
B2B payments fraud is no longer a tail-risk problem. According to the 2026 AFP Payments Fraud and Control Survey, 76% of US organizations experienced attempted or actual payments fraud in 2025, with business email compromise hitting 74% of respondents. So the question is no longer whether your business will be targeted. It is whether your accounts payable workflow has the verification steps to catch the attack before money moves. A business owner I know recently received an email from what looked like a long-standing supplier, claiming a banking change and listing new payment details. Two weeks and two large payments later, a routine call to the real supplier surfaced the deception. That story is increasingly normal.
Why B2B Payments Fraud Is Getting Harder to Catch
B2B payments fraud has shifted from crude phishing to high-quality impersonation that exploits real workflows. Generative AI now writes more convincing fraudulent emails, often referencing real ongoing transactions, real invoice numbers, and real supplier relationships. So the bar for detection has risen sharply.
Furthermore, the 2026 AFP press release on payments fraud notes that just 17% of organizations leverage AI to combat payments fraud, even as attackers use it heavily on the other side. That asymmetry matters. A defender using only manual controls is now fighting an attacker armed with AI tooling, social engineering scripts at scale, and a steady supply of leaked credentials from prior breaches.
How Business Email Compromise Bypasses Standard Checks
Business email compromise starts with information gathering. Attackers monitor company communications, often through a compromised account or through publicly available information about company structure and supplier relationships. Once they understand the payment workflows, they impersonate a trusted party: a supplier, a senior executive, or a financial institution.
The most effective BEC attacks do not arrive through obviously suspicious emails. They arrive at busy periods, reference real ongoing transactions, and create a sense of urgency that bypasses the instinct to verify. So B2B payments fraud now succeeds because it fits the existing workflow rather than disrupting it. The gap it exploits is the absence of a reliable out-of-band verification step. When a supplier update or an unusual payment request runs entirely through email, there is no independent confirmation that the instruction came from a legitimate source.
Invoice Redirection and Vendor Impersonation at Scale
Invoice redirection is a variation on the same theme. Fraudsters intercept or replicate legitimate invoices and alter the payment details before the invoice reaches the recipient. In some cases, attackers gain access to a real supplier’s email account and send fraudulent invoices directly from the supplier’s legitimate infrastructure, which makes detection extremely difficult.
Vendor impersonation now operates at scale. Attackers build convincing replicas of supplier websites, email domains, and communication styles, then target multiple businesses simultaneously. The latest AFP data shows vendor imposter fraud rose to 45% of organizations in 2024, up 11 percentage points from the prior year. As a result, B2B payments fraud through vendor impersonation has become one of the fastest-growing categories of attack. Organizations without email authentication protocols such as DMARC and DKIM are particularly exposed, because attackers can send emails that appear to originate from legitimate company domains. This is the kind of B2B payments fraud that scales with attacker effort, hitting dozens of targets from one compromised infrastructure.
Where SMBs Most Often Leave Themselves Exposed
A few patterns consistently appear in post-incident reviews. Payment instructions received via email get treated as authoritative without independent verification. A single email requesting a bank account change, even if it looks legitimate, should never trigger a payment without a confirming phone call to a known contact number, not the number provided in the change request.
Furthermore, accounts payable processes often lack segregation of duties. When the same person who receives payment instructions also initiates and approves the payment, there is no checkpoint to catch anomalies. So B2B payments fraud succeeds in part because the workflow itself contains no break point. According to US Bank’s analysis of payments fraud trends, enterprises with $1 billion in revenue were more susceptible to BEC scams in 2024, but smaller organizations carry the bigger relative loss because they lack recovery infrastructure. That asymmetry is what makes B2B payments fraud particularly damaging at the SMB level.
Why Verification Calls Stop Most Fraud Attempts
Implement a policy that any change to supplier payment details triggers a verification call to a pre-approved contact number, not the number provided in the change request. This single step prevents the majority of invoice redirection and BEC fraud targeting accounts payable functions.
The verification number must be the one you already have on file from previous trusted communications. Attackers routinely include their own phone numbers in change request emails, which means a confirmation call to that number simply confirms the fraud. In practice, B2B payments fraud is mostly defeated by disciplined call-backs rather than expensive software. Our coverage of why open banking is quietly fixing B2B payments shows how more secure rails are emerging, but verification discipline still sits firmly at the human layer.
How Segregation of Duties Closes the Single-Point Gap
Create a segregation of duties policy for payments above a defined threshold. The person initiating the payment should not be the same person approving it. The threshold will vary by business size, but even a relatively high limit creates meaningful protection against large single-transaction fraud.
This control matters most precisely where B2B payments fraud is most damaging: the high-value, time-sensitive payments where pressure tactics work best. Many banks also offer fraud controls around first-time payees, payment velocity limits, and call-back verification for large transactions. These are often underutilized because the default settings prioritize convenience over security. Equally, B2B virtual cards bring meaningful fraud reduction for AP teams that adopt them as a complementary payment method, since virtual cards saw just 5% fraud incidence in 2024 versus 63% for checks. Our coverage of late payment crises and the CFO guide to surviving them reflects the broader pressure on AP teams to move fast, which fraudsters exploit.
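To make the call-back and segregation-of-duties controls concrete, here is an added example (not from this article and not any real AP product) that encodes them as a gate every payment must pass: a bank detail change is accepted only when the confirmation call went to the number already on file, and any payment at or above an assumed 10,000 threshold needs a second, different approver. VendorRecord, PaymentRequest, evaluate_payment and the threshold value are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example. VendorRecord, PaymentRequest and evaluate_payment are
# hypothetical names, not taken from any real accounts payable system.

@dataclass
class VendorRecord:
    name: str
    bank_account: str      # account details currently on file
    callback_number: str   # phone number on file from earlier trusted contact

@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str                        # account the instruction asks us to pay
    initiator: str                           # person who keyed the payment
    approver: Optional[str] = None           # second person who released it, if any
    verified_via: Optional[str] = None       # number actually dialled to confirm, if any
    number_in_request: Optional[str] = None  # number quoted inside the change request

DUAL_APPROVAL_THRESHOLD = 10_000.0  # assumed threshold; tune per business

def evaluate_payment(req: PaymentRequest, vendors: Dict[str, VendorRecord]) -> List[str]:
    """Return control failures; an empty list means the payment may proceed."""
    failures: List[str] = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return ["first-time payee: complete onboarding verification before paying"]
    if req.bank_account != vendor.bank_account:
        # Bank detail change: only a call to the number already on file counts.
        if req.verified_via is None:
            failures.append("bank detail change not confirmed out of band")
        elif req.verified_via != vendor.callback_number:
            if req.verified_via == req.number_in_request:
                failures.append("call-back used the number supplied in the request")
            else:
                failures.append("call-back went to a number not on file")
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        # Segregation of duties: initiator and approver must differ above the limit.
        if req.approver is None:
            failures.append("payment above threshold has no second approver")
        elif req.approver == req.initiator:
            failures.append("initiator and approver must be different people")
    return failures
```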
What to Do This Quarter to Harden Your Process
Implement email authentication protocols. DMARC, DKIM, and SPF records make it significantly harder for attackers to impersonate your email domain or your suppliers’ domains. Many smaller businesses have not implemented these because they are technical configurations that require IT involvement. The investment is worthwhile.
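As an added example that is not part of the article, the checker below reads the raw SPF and DMARC TXT record text that a DNS lookup returns for a domain and its _dmarc subdomain and reports the settings that still let a third party send mail as that domain (no record, DMARC p=none, partial pct, SPF ending in +all). The function names are assumptions and the record strings used to exercise it are constructed.

```python
from typing import Dict, List, Optional

# Constructed example: input is the TXT record text a DNS lookup returns for
# example.com (SPF) and _dmarc.example.com (DMARC). Function names are hypothetical.

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> List[str]:
    """Return weaknesses that leave the domain open to direct impersonation."""
    findings: List[str] = []
    enforcing = False  # True once DMARC asks receivers to quarantine or reject
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        findings.append("no DMARC record: receivers have no policy to enforce")
    else:
        tags = parse_dmarc(dmarc_txt)
        policy = tags.get("p", "none").lower()
        enforcing = policy in ("quarantine", "reject")
        if not enforcing:
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        if tags.get("pct", "100") != "100":
            findings.append("DMARC pct below 100: policy applied to only part of the mail")
        if "rua" not in tags:
            findings.append("no rua address: aggregate reports of spoofing are not collected")
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        findings.append("no SPF record: any server may send as this domain")
    else:
        terms = [t.lower() for t in spf_txt.split()[1:]]
        # The 'all' mechanism decides what happens to senders not listed earlier.
        all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), "")
        if all_term in ("all", "+all"):
            findings.append("SPF ends in +all: every sender passes")
        elif all_term in ("~all", "?all") and not enforcing:
            findings.append("SPF only soft-fails spoofed mail and DMARC does not enforce")
    return findings
```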
Furthermore, review your accounts payable procedures with B2B payments fraud risk specifically in mind. The question is not whether your process is efficient but whether it creates opportunities for fraudulent instructions to get through without a human verification step. According to Payments Dive coverage of the AFP report, the FTC fielded $2.08 billion in bank transfer fraud across 47,336 incidents last year, far higher than check fraud losses. Our piece on expense management architecture shifts covers how AP teams are restructuring around these realities.
Ultimately, building friction into payment processes is the most reliable defense available. That friction is an operational cost, but it is far smaller than the cost of a successful fraud event. The businesses hardest to defraud are not the ones with the most sophisticated technology. They are the ones that have built simple, consistent human verification steps into their payment processes. B2B payments fraud rewards the organizations that treat verification as a default rather than an exception.
