Payments fraud: Past lessons, present threats, future defenses.

Payments fraud is defined as an intentional act to deprive someone or something of money or rights. As long as humanity has used currency-based payments systems, payments fraud has been a constant threat. According to Cambridge University Press link opens in a new window, one of the earliest examples of payments fraud dates back to ancient Roman marketplaces. Fraudsters created fraudulent “fourrée” coins to imitate pure silver “denarii” coins. Fourrée coins had a base metal core with a thin silver coating meant to disguise it as a denarii coin. To prevent fourrée coins fraud, money changers developed the first “fraud mitigation” practices. They lightly filed the rim to expose the base metal core, weighing the coin against a known standard or noting a duller ring when struck.

Centuries later, as trade expanded across regions and new payment methods emerged, fraud evolved alongside them. Carrying coins was both cumbersome and exposed merchants to potential theft. According to the Association of Certified Fraud Examiners (ACFE) link opens in a new window, Arab merchants devised the “sakk,” a financial tool akin to today’s checks. It consisted of a paper instrument that facilitated the deposit of money in a bank in one country and its withdrawal in another. By the 16th century, this innovation had spread across Europe. However, criminals identified and exploited the system’s flaw that handwritten checks were easy to forge and counterfeit. Fraud became so problematic that many regions prohibited this “modern” mode of payment. In 1762, British banker Lawrence Childs introduced the first printed checks, significantly reducing the risk of forgery and paving the way for modern check payments.

Since the start of the 21st century, the payments industry has shifted from paper-based systems to electronic execution and settlement. According to the Federal Reserve of Atlanta link opens in a new window, ACH transfers grew from $20 trillion in 2000 to more than $90 trillion by 2021. The Federal Reserve of Kansas City link opens in a new window attributes the growth to advances in technology and automation which provide convenience and reliability. However, this expansion has also created new opportunities for fraud. Fraudsters have developed new schemes such as creating fake vendors to infiltrate supply chain networks, using stolen information to access accounts, and impersonating coworkers to request payments.

Risks of modern banking are compounded by the removal of traditional human interaction from many payments processes. Detection relies on network-based monitoring and analytics. To adapt to new methods of fraud, maintaining the integrity of payments systems cannot simply be reduced to a checklist and must be integrated into business governance and operational frameworks with documentation, access controls, and audit trails. Advanced payments fraud mitigation tools now include tokenization-secured transaction architecture and AI-driven fraud detection models.

Figure 1
View PDF of Figure 1 PDF opens in a new window^{[PDF] footnote PDF video transcript}

In commercial payments fraud, access to sensitive data is often the critical first step for fraudsters. By obtaining information such as bank account details, vendor records, invoice formats, employee email credentials, or internal approval workflows, criminals can convincingly impersonate legitimate parties and manipulate payments processes. This allows fraudsters to craft realistic invoices, spoof executive communications, or alter payments instructions without raising suspicion. The more accurate and detailed the stolen information, the easier it becomes for fraudsters to bypass security measures and execute high-value, unauthorized transactions.

Fraud foundation.

Payments fraud does not always use advanced technology, but rather sometimes uses low tech and exploits human behavior. By tricking employees into making mistakes or ignoring warning signs, fraudsters can bypass even the most sophisticated security systems. For businesses, these schemes can result in account breaches, unauthorized transfers, stolen customer data, and costly downtime. In many cases, successful fraud depends less on technical skills and more on exploiting everyday vulnerabilities.

1. Physical information theft: Dumpster diving is one of the simplest, yet most effective fraud tactics. By physically searching through trash for sensitive information, fraudsters can find passwords, pay slips, bills, and payments details they can use for identity theft or social engineering. Despite its low-tech nature, it works because many people and businesses fail to securely dispose of confidential documents.

2. Social engineering: Psychological manipulation targets people, not technology. Common social engineering tactics include business email compromise (BEC), phishing and vishing (voice phishing). These schemes often create a sense of urgency to override skepticism and exploit victims’ weaknesses, desperation or inability to verify information.footnote ¹

3. Scareware: This represents the technological version of social engineering, using fake security alerts to trick users into giving up sensitive information or installing malicious software. By blending technical deception with psychological pressure, fraudsters push victims into acting out of fear, often bypassing their usual caution.footnote ² As an example, “WinFixer/XP Antivirus” link opens in a new window scareware campaigns used fake pop ups and bogus system scans to claim a victim’s PC was infected. Users were urged to “fix” the issue by purchasing a fake antivirus and entering personal data. While consumers made up a majority of the victims, businesses that were affected took larger losses on average.

4. Vendor/supply chain fraud: This occurs when an intermediary, hired to identify and manage suppliers for international manufacturing, engages in deceptive practices that harm the buyer. Agents can misrepresent supplier capabilities, alter payments details, inflate costs or take kickbacks.

Fraud monetization.

Information gained by exploiting human weaknesses fuels criminal activity against businesses. Fraudsters use stolen data to hijack existing accounts or coerce employees to execute ACH or wire transfers to fraudulent accounts.

1. Account takeovers (ATO): ATOs occur when fraudsters gain unauthorized access to a legitimate account, typically by using stolen credentials. Attackers validate credentials through targeted login attempts. Research shows some ATO attacks use bots for large-scale credential-stuffing, while other fraudsters have evolved into using “low and slow” credential cracking to avoid triggering detection and often attack on weekends when monitoring is reduced.footnote ³

Once criminals gain access to accounts, they attain control of accounts by changing recovery information, registering new devices, or adding fraudsters as authorized users. Fraudsters monetize the account by transferring money to their accounts.

• Real-life example: In November 2022, DraftKings suffered a credential stuffing attack link opens in a new window, where criminals used passwords leaked from other sites to log in to users’ sportsbook accounts. Once inside, they changed passwords, switched two-factor authentication to new phone numbers and initiated withdrawals. DraftKings said 68,000 users’ data had been exposed and roughly $300,000 was stolen. The company emphasized there was no evidence its systems were breached; the risk stemmed from password reuse across services.

2. Impersonation: By posing as trusted executives, employees or vendors — sometimes using spoofed emails, hacked accounts or forged documents — fraudsters can trick businesses into approving unauthorized transactions. These schemes frequently create a false sense of urgency or authority to bypass normal verification processes, leading victims to send funds to fraudulent accounts or disclose sensitive payment information.

• Real-life example: A 2020 Twitter vishing hack demonstrated advanced social engineering techniques when attackers contacted Twitter employees by phone, impersonating IT support staff. According to The Verge link opens in a new window, fraudsters created a sense of urgency around a “critical security update” and convinced employees to provide access credentials. This breach affected high-profile accounts, including those of Barack Obama, Elon Musk and Bill Gates, resulting in a cryptocurrency scam that netted over $100,000.

3. Vendor/supply chain fraud: Sourcing agents inflate costs, take kickbacks from manufacturers, or even switch agreed-upon factories to cheaper, lower-quality alternatives without the buyer’s consent. Such misconduct can result in defective goods, missed deadlines, and significant financial losses. The risk is particularly high in cross-border transactions where buyers rely heavily on the agent’s local knowledge and have limited ability to directly verify the supplier’s legitimacy.

• Real-life example: A case detailed by Harris Sliwoski link opens in a new window involved a U.S. company that engaged a sourcing agent in China to oversee the manufacturing of a highly specialized product. The agent presented a well-established and reputable factory, offering competitive pricing and strict quality control measures. The buyer, working from overseas, relied entirely on this agent’s local knowledge. The agent secretly switched manufacturing to a cheaper and lower-quality facility and kept the cost difference as profit. When the goods arrived, they were riddled with defects, failed to meet technical specifications, and were ultimately unusable for their intended purpose. The buyer not only lost a substantial portion of their investment but also faced reputational damage and supply chain disruptions.

Fraud mitigation strategies.

Institutions and merchants must implement a multi-layered approach in mitigating fraudulent transactions. No single method can address every type of fraud, but combining complementary tools significantly strengthens security. Solutions such as multi-factor authentication, dual authorization, and account whitelisting all target different vulnerabilities in the payments process. Together, these measures help detect suspicious activity early, reduce the success rate of stolen card data, and card verification shifts the balance of security in favor of legitimate transactions.

Multi-factor and biometric authentication: 3D secure is an authentication protocol for online payments that adds a step in the process where the customer is verified by their bank before approval. Visa link opens in a new window explains this process may happen silently in the background or may involve a brief prompt for the cardholder (face/touch ID, signing in to banking app, etc.). Since the bank checked and decided to approve or disapprove of the transaction, the liability for chargebacks falls onto them rather than the customer. This bank-side check allows for an additional layer of security and prompts to sign in or utilize face/touch ID helps introduce human verification measures into the authorization process.

Dual approval: Also known as dual authorization, describes a process in banking and financial transactions where two authorized individuals must review and approve a payment before it is executed. This control helps reduce fraud, errors and unauthorized transfers by helping ensure that no single person has full authority over the transaction. As explained by ProcessMaker link opens in a new window, dual approval is widely used in corporate banking to safeguard against internal fraud, strengthen compliance, and maintain operational integrity, especially for high-value or sensitive transactions.

Vendor whitelisting: This is a security approach in which only validated and pre-approved vendors or payees, including specific verified bank accounts, are permitted to receive payments or access certain systems. This process builds on vendor validation and payee verification practices, helping ensure that every recipient has been vetted for legitimacy before being added to the whitelist. Allowing transactions only to trusted, verified recipients can significantly reduce the risk of funds being sent to fraudulent accounts. As explained by UMA Technology link opens in a new window, whitelisting operates on the principle of default denial, meaning all accounts are blocked unless explicitly approved. This layered approach makes it a powerful defense against targeted attacks and social engineering scams in commercial B2B transactions.

Card verification: According to Visa link opens in a new window, the two key fraud mitigation tools for online or phone card payments are Address Verification Service (AVS) and Cardholder Verification Value 2 (CVV2). AVS checks whether the street number and ZIP Code entered by the customer matches the information on file with the cardholder’s bank. This helps merchants detect fraud when stolen card details are used without the correct billing address. CVV2 is the three- or four-digit security code printed on the back of cards, requested during remote transactions to confirm the buyer physically possesses the card. Together, AVS and CVV2 provide critical verification checks that help block unauthorized transactions and better protect businesses from payments fraud.

Emerging trends: Artificial intelligence (AI) and tokenization.

The payments fraud arms race is now entering the next phase. Two key trends are leading candidates to define the next phase: AI and tokenization. The creation of GenAI tools has simplified the process of creating deepfakes that can bypass human verification tests and pose significant risk to financial institutions and merchants. However, advances in AI technology will also prove to be crucial to the next generation of fraud mitigation, as synergy between AI driven models and dynamic tokenization will lead to constantly improving fraud recognition systems and data monitoring measures.

Bypassing human identification: The rise of deepfakes.

As GenAI tools have become more prevalent in recent years, fraudsters have found ways to use them in perpetrating increasingly sophisticated payments fraud. The U.S. Financial Crimes Enforcement Network (FinCEN) US. Financial Crimes Enforcement Network link opens in a new window has warned about the rising use of deepfakes in identity fraud. Deepfakes allow fraudsters to fabricate realistic personas that can pass biometric authentications to gain access to financial systems and merchant platforms. According to the Forbes Technology Council link opens in a new window, AI tools helped fuel a 700% increase in deepfake-related fraud attempts in the fintech industry in 2023.

As an example, in 2025, global design and engineering firm Arup became the victim of a sophisticated AI-enabled payment fraud scheme in Hong Kong. According to the World Economic Forum link opens in a new window, scammers used deepfake technology to convincingly impersonate the company’s Chief Financial Officer during a video conference. Believing the meeting was genuine, a staff member followed instructions to make multiple bank transfers, resulting in losses amounting to $25 million USD.

AI and tokenization: Developing the next fraud mitigation strategy.

Although AI has introduced a new threat in the world of payments fraud, it has also emerged as the analytical backbone of next-generation fraud mitigation systems. Machine learning models and neural networks consistently outperform static, rules-based systems.footnote ⁴ These models can process millions of transactions almost instantaneously by identifying anomalies invisible to manual approaches. Importantly, these models are adaptive and continuously refine their parameters to match evolving fraud patterns, making them more resilient to emerging attack tactics.

Industry leaders are applying AI not only for detection, but also for frictionless customer experience (CX). According to PYMNTS link opens in a new window, AI tools such as Featurespace utilize real-time behavioral biometrics and adaptive scoring to intercept suspicious transactions before authorization, without disrupting legitimate purchases. These tools also allow for contextual decision-making, risk-based authentication, and personalized fraud alerts, reducing false positives and enhancing customer trust.

Dynamic tokenization replaces sensitive account information with a token, or a random string of characters, for a specific transaction. Transaction-specific tokens expire immediately after use. This not only reduces the attack surface, it also integrates smoothly with AI-powered fraud analytics, allowing models to process tokenized data enriched with behavioral metadata without compromising privacy.footnote ⁵ By safeguarding payment information, tokenization helps businesses build customer trust, streamline operations, and reduce the cost of managing data breaches.

The synergy between AI and tokenization is a crucial aspect of the next generation of fraud mitigation. Tokenized transaction streams can be shared safely across institutions for collaborative AI model training, enabling industry-wide fraud pattern recognition without breaching data protection laws. Conversely, AI can monitor token usage patterns to detect anomalies and automatically revoke tokens that appear compromised. This dual-layer strategy strengthens defenses, ensuring that even if fraudsters bypass detection systems, the stolen data remains unusable.

What might the future hold?

From the earliest currency-based exchanges to today’s electronic payments systems, fraud has been a constant companion to innovation. Many of the most effective fraud schemes today are relatively low-tech, leaning on social engineering and other human vulnerabilities to gain access to systems and information. As technology evolves, AI tools can develop deepfakes that can bypass human verification measures. As fraudsters evolve the ways they access sensitive data, mitigation tactics will continue to evolve in step. Effective use of AI-driven fraud recognition models along with the use of dynamic tokenization are creating dual-layer protection that can effectively respond to emerging threats. Ultimately, the ongoing battle between payments fraud and fraud mitigation shows no signs of slowing.