Anti-Fraud Practices Your Bank Should Teach Every Small Business Customer
By Kathryn Albright, EVP at Columbia Bank
As someone who’s spent more than three decades in the banking and payments space, one thing is clear: Fraud prevention is a daily priority for banks and their clients.
My team spends a great deal of time managing fraud prevention and related activities with our business clients. It’s one of the first topics that customers want to address when we’re introduced and remains a constant theme throughout our engagements.
On Columbia Bank’s Client Advisory Boards, fraud is the number one thing that they say “keeps them up at night.”
That’s largely because of the accelerating pace and increasing level of fraud attempts. Tech advancement is helping businesses with countless tasks, but it also presents new problems that force them to redesign everyday payment workflows.
AI deepfakes, for instance, drive increasing risk, and businesses are falling victim to process gaps. In order to prevent these pitfalls, businesses have to rely on behavioral controls, not just technology.
I’ve identified some operational lessons that executives should keep in mind.
Need to Know:
- Fraud prevention is becoming a daily operational discipline. Banks can easily spend one-third of client interactions on fraud prevention and recovery.
- Organizations are losing 5% of revenue to fraud each year, with each case lasting roughly 12 months before detection, according to the Association of Certified Fraud Examiners.
- Business email compromise remains the most common entry point for payment fraud, often using urgent wire requests timed late on Fridays or before holidays.
- Check fraud is resurging, as intercepted and so-called “washed” checks can easily cause tremendous losses for businesses. In fact, in 2024, 79% of organizations reported actual or attempted payments fraud, according to a report from the Association of Financial Professionals.
- Deepfake voice scams are on the rise, with banks reporting multiple incidents per month involving AI-generated voices impersonating clients — and with alarming believability.
- Simple controls such as dual payment approvals within banks’ digital banking applications, Payee Positive Pay, Positive Pay, and ACH Positive Pay are straightforward ways to reduce risk.
Fighting Business Email Fraud
One of the most common frauds is compromise of business emails.
• Business email compromise — BEC for short — and funds transfer fraud accounted for 58% of all cyber incidents last year, according to a report from cyber insurer Coalition.
• The FBI’s latest Internet Crime Complaint Center report stated that a “staggering” $8.5 billion had been lost to BEC between 2022 and 2024.
Attackers replicate email addresses and email signatures and may send a request via email late on a Friday afternoon, requesting a large dollar amount be paid immediately. Or, leading up to a three-day weekend, clients will receive a high urgency email instructing them that they have to get a wire out ASAP.
Key point: Slow down! There are many precautions organizations can take around BEC. We advise clients to stop before they do anything, carefully review the email, the email sender, and the tone, and then pick up the phone and call the client at their business number to validate that they originated the request.
In one recent case, we helped a client save more than $600,000 on a fraudulent wire transfer simply by pausing and digging deeper into the email request.
Why Check Fraud is Surging Again
Check fraud is another persistent fraud threat that too many businesses fall victim to.
Case study: We recently had a customer write a hefty quarterly tax payment to the IRS in the fall and put it in the mail. Even though it wasn’t common for our customer to mail payments, there was an operational issue that forced them to do so.
The check was cashed. Yet a few months later, the IRS notified the firm that they had not made their payment and now owed thousands of dollars in penalties.
Clearly, the check was intercepted in the mail and the payee name was washed.
We worked with this client to get the check and present it to the bank of first deposit in an attempt to recover the funds. Something we always recommend in these scenarios is to set up Payee Positive Pay with their bank. With checks or ACH items, any form of payment needs coverage.
Unfortunately, this isn’t just a historical issue. Nasdaq’s Verafin reported an increase of 11% in incidents of check fraud in 2025 — despite check volume decreasing by 7%.
Why it matters: It’s safe to say most businesses may assume that check fraud is an old trick on its way out, but intercepted and altered checks remain among the most common fraud vectors.
Many businesses think, “Hey, that won’t happen to us.” Sure enough, some businesses fall victim to some sort of loss.
Columbia Bank tries to get ahead of that with our customers, sharing in-depth account diagnostics with them, identifying where they have gaps, and working with them to implement solutions to prevent fraud before it happens.
Vendor Payment Changes: An Underestimated Fraud Culprit
We’ve seen a significant uptick in customers being targeted with vendor payment updates where they’re asked to change routing numbers and account numbers.
How it goes: A purported supplier will reach out to our customer, saying, “We’ve changed banks. Please send all future transactions to this new routing and account number to avoid late payment penalties.”
Inevitably, businesses fall victim to this because it looks so real. Sure enough, the real supplier will notify them they’ve missed payments and ask if there’s a liquidity issue. ACH is a heavily used channel from a fraud perspective.
Key insight: A routine administrative task could be costly. Fraudsters increasingly target vendor payment updates rather than the payment itself.
Next Steps:
• Before updating payment instructions, always require vendor callback verification.
• Create approval workflows for any changes to vendor banking details.
• Monitor for payment destination changes and flag them, particularly if they seem unusual.
• Implement periodic audits of vendor banking records.
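The first three steps above can be enforced in an accounts-payable system rather than left to habit. The sketch below is an added example, not Columbia Bank's tooling: the class, function names, 30-day review window, and account strings are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

REVIEW_WINDOW = timedelta(days=30)  # assumed: extra scrutiny after a change

@dataclass
class BankChange:
    vendor: str
    new_account: str                 # "routing:account", constructed values
    requested_by: str
    effective_on: date
    callback_verified: bool = False  # call placed to the number already on file
    approvers: set = field(default_factory=set)

    def approved(self) -> bool:
        # Needs a callback plus two approvers other than the requester.
        independent = self.approvers - {self.requested_by}
        return self.callback_verified and len(independent) >= 2

def apply_change(master: dict, history: list, change: BankChange) -> bool:
    """Update the vendor master only when the change passed every control."""
    if not change.approved():
        return False
    master[change.vendor] = change.new_account
    history.append(change)
    return True

def screen_payment(master, history, vendor, dest, pay_date):
    """Return (decision, reason) for one outgoing ACH or wire payment."""
    if master.get(vendor) != dest:
        return "HOLD", "destination does not match vendor master"
    for c in history:
        recent = timedelta(0) <= pay_date - c.effective_on <= REVIEW_WINDOW
        if c.vendor == vendor and c.new_account == dest and recent:
            return "REVIEW", "payment soon after a bank-detail change"
    return "RELEASE", "matches verified vendor master"

if __name__ == "__main__":
    # Constructed sample data: an emailed "we changed banks" request with no
    # callback, followed by a payment run that uses the requested account.
    master, history = {"Acme Supply": "000000001:10001"}, []
    emailed = BankChange("Acme Supply", "000000002:20002", "ap_clerk",
                         date(2025, 3, 3), approvers={"ap_clerk"})
    print(apply_change(master, history, emailed))
    print(screen_payment(master, history, "Acme Supply",
                         "000000002:20002", date(2025, 3, 4)))
```

The `history` list doubles as the record a periodic audit of vendor banking details would review.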
Deepfakes Are Changing the Fraud Game
Another area where the fraud threats are increasing is AI deepfakes.
The way it was: Formerly, if you received a call and you recognized someone’s voice, it was as simple as that.
The way it is: Today, you can’t assume that hearing someone’s voice confirms their identity. You must always rely on multi-factor identity verification, especially when it comes to high-dollar transactions.
Deepfake technology and the increasing level of innovation with AI make traditional safeguards far less reliable than in years past. Impersonation fraud is responsible for 1 in 20 identity verification failures, according to verification software company Veriff.
Key insight: Educate clients about deepfake risks, train your customer contact center teams to detect what a voiceover sounds like, and ensure multiple forms of authentication are used.
No payment approvals should occur via a telephone call alone.
As fraud continues to evolve, banks will play a key advisory role. Fraud prevention is not just a set of cybersecurity safeguards, but an operational discipline where detection and prevention require a combination of behavior change and technology implementation.
The risk of fraud will never fully disappear, but its impact can be managed. Organizations that prioritize education, operational controls, and early detection will be the best poised for success.
The new fraud playbook requires institutions to take even greater steps to prevent incidents, provide consistent education for businesses on fraud scams and mitigation tactics, and help clients navigate the increasingly complex payments landscape.
