• Modern payment scams are increasingly AI-driven and sophisticated, with business email compromise (BEC) attacks alone costing U.S. businesses $2.78 billion in 2024.
  • Red flags like urgent payment requests, lookalike email domains, and last-minute bank detail changes signal potential fraud attempts.
  • Protect your business by training employees, verifying payment changes through trusted channels, and using banking tools like Positive Pay and transaction alerts.

Small businesses are increasingly facing payment scams that can significantly impact their cash flow and threaten daily operations. Payment fraud attempts target 79% of organizations annually, with business email compromise (BEC) resulting in $2.78 billion in losses in 2024 alone.[1,2] For small businesses, the average cost per incident is around $129,000 per successful attack.

What makes these attacks particularly dangerous is their sophisticated nature. They often appear legitimate until it's too late, and recovering the stolen funds can be challenging. Below, we help you understand how these scams work and best practices that could help protect your business

How These Scams Work

Criminals often use artificial intelligence to create convincing communications, with nearly 83% of phishing emails showing some use of AI in 2025.[3] Scammers research your business through LinkedIn and public filings to craft authentic-looking messages. 

Modern payment fraud exploits the trust relationships your business relies on daily. The most common types of scams include:

  • Fraudulent vendor invoices: Scammers pose as legitimate suppliers and request payment to altered bank accounts.
  • Fake invoice duplication: The same invoice appears multiple times for automatic processing.
  • Wire transfer fraud schemes: Criminals intercept legitimate payment instructions and redirect funds to fraudulent accounts, often targeting large vendor payments or real estate transactions
  • BEC: Allows criminals to monitor real business communications and insert themselves into vendor relationships.

How Exactly Does BEC Fraud Work?

In BEC fraud, scammers send an email message pretending to come from a source you know, such as a vendor or your company’s CEO.[4] To do this, they may use:

  • Spoof email addresses that are slightly different than legitimate ones
  • Spearphishing emails that ask for confidential information. The information is then used to carry out a BEC scam
  • Malware to gain access to information on your computer

BEC attacks grew by over 50% between 2023 and 2024, with organizations facing a 70% chance of receiving at least one vendor email compromise attack each week.[5]

An Example of a Scam

As an example, your accounts payable team might receive an email from what appears to be your longtime office supply vendor. The email requests payment for a recent order, with updated banking details attached. The invoice looks identical to previous ones, complete with your company's purchase order number.

Red Flags To Watch For

Recognizing warning signs is essential for maintaining financial security. According to the FTC, scammers create artificial urgency and fear to prevent you from verifying their claims before acting, such as “immediate payment required.”[6] Some other things to look for are: 

Payment Changes

  • Sudden vendor payment information updates via email
  • Requests for payment methods other than standard procedures
  • New bank account details that weren't confirmed through a phone call or other secure method

Communication Tactics

  • Requests for secrecy around payment changes
  • "Lookalike" email domains with subtle character changes
  • Communications outside normal business hours

Visit the FTC's Scams and Your Small Business: A Guide for Business for a more comprehensive list of best practices.

Tips to Help Protect Your Business

The FTC says your best defense is an informed staff.[6] Training employees to recognize red flags and establish verification protocols is crucial for strong financial controls. Other things you can do are:

Implement Dual Controls

Establish approval processes for outgoing payments above predetermined thresholds. This prevents single points of failure that fraudsters exploit.

Verify Through Secondary Channels

Always call vendors using previously established phone numbers to confirm changes in banking details. Never call phone numbers in suspicious communications.

Use Banking Technology

Some banking technologies that can help stop scams in their tracks are:

  • Positive Pay servicesProvide automated verification of checks and ACH transactions.
  • Real-time payment alerts: Notify you immediately of wire transfers or large transactions.
  • Spending controls and transaction limits: Require additional authorization for unusual payments.

Maintain Vendor Records

Schedule periodic reviews of vendor arrangements, confirming contact information and payment procedures. This proactive approach prevents fraud while uncovering opportunities to improve payment terms.

Secure Your Business's Financial Future

Modern payment fraud requires a multi-layered defense strategy combining employee training, strong verification procedures, and advanced banking technology. By recognizing red flags, implementing dual controls, and maintaining updated vendor records, you can significantly reduce your vulnerability to these costly attacks. 

Working with a financial institution that prioritizes fraud prevention can help protect your bottom line. PNC offers comprehensive fraud protection tools, including Positive Pay, ACH blocks and filters, and customizable permission settings that control transaction authorization. These tools create multiple verification points, significantly reducing fraudulent payment exposure while keeping your business running smoothly. 

Talk with a PNC small business advisor today about implementing comprehensive fraud protection services aligned with your business's needs and growth plans.