2026 Payments Outlook: Staying Ahead of AI-Driven Threats

The Payments Podcast by Bottomline

Episode Transcript

Owen McDonald: Welcome to The Payments Podcast. I'm your host, Bottomline managing editor Owen McDonald. Our task today is to size up cybercrime for 2026. Multiple studies confirm what we already know. B2B payments fraud is rising.

On average, nearly 65% of companies say business email compromise is the number one method of attack. And as golden oldies like paper checks slowly fade out, AI deepfakes are starting to make their mark. But the forces of good are fighting back and winning more often. Joining us to offer 2026 fraud and risk outlooks, we've got Bottomline's Eric Choltus and Marc Salinas, both experts when it comes to fighting financial fraud. Marc Salinas, Eric Choltus, welcome to The Payments Podcast.

Eric Choltus: Thank you. Happy to be here.

Marc Salinas: Appreciate it, Owen.

Owen McDonald: We're delighted you are here. Let's get right into it. This one is for you, Eric. With real-time rails accelerating globally, where do you see banks moving too slowly to counter AI-enabled fraud? What fraud defenses will matter most in '26, and are banks actively adopting these defenses?

Eric Choltus: Wow, okay. Starting off with big questions! Let me think about this. I work with banks every day, every week, in talking about fraud strategically and defensively and tactically.

I would say where banks lag is probably in a few areas. Number one, their speed at noticing and mitigating attacks. That's the first. I've seen some banks take months, and in that time millions of dollars can end up as fraud losses. And so the speed at which they notice and react and put in mitigation plans is one big area where banks lag.

The second is around siloed point solutions. Banks have multiple solutions that they've accumulated over the years at multiple different points in the process, but they don't speak to one another. They're disconnected, and fraudsters can take advantage of that.

I would say another area is relying on detection too late in the payment life cycle. If you do it too late in the process, yes, you can still detect, but it's more expensive and more difficult to claw back those transactions.

And then probably the last area I'd say where banks really lag is around the set and forget mindset. Regardless of the tool that they're using (whether it's rules-based, AI-based, or both) the model-drift is a real thing, and keeping the models tuned on a regular basis is absolutely key. So that's where I see banks lagging in their approach. 

And to the second part of your question around defenses that will matter most, it's around coordinated analytics. To my point around the disconnected point solutions, it's really making sure that there's coordinated analytics across the point solutions.

It's making sure that you have a fraud solution that's future-proof that can be augmented with third-party tools that exist in the market today, but also those that'll be coming out tomorrow. 

Another area of defense is around accounts payable automation (AP). The solutions that have closed vendor networks that banks and corporates can depend on. 

And then probably last, but not least, is consortiums of information that allow banks and corporates to share information.

Owen McDonald: Okay. That is a lot of information and very valuable. Now, with corporates assuming more liability for outbound payments fraud, Marc, how do you expect banks to alter their support in 2026 so that fraud controls can be embedded into workflows without sacrificing efficiency?

Marc Salinas: Well, first off, I'll second your point about corporates assuming more liability for fraud. Those checks - they're not fading as fast as we'd like in the US. And we're seeing a big uptick in banks of all sizes providing, and strongly encouraging, even the smallest clients to adopt more traditional solutions like reverse positive pay, where their lower volume check writers are given the opportunity to review all the checks they write for fraudulent activity. These traditional solutions have been around for a while though they're pretty reactive. And while they can help form an effective first line of defense, fraudsters find new and creative ways around them. 

They're exploiting the fact that traditional monitoring is really just too far downstream. Plus, when combating techniques such as account takeover (ATO), banks really need to protect more than just the outbound payment workflows to truly protect their customers. So, to fully defend against outbound payment fraud, banks really need to increase interdiction efforts at the top of the funnel. They need to monitor and correlate activity end-to-end, beginning with login and looking at in-session behaviors before payment origination even begins.

So, do login factors, such as the source and the time of the login, and things like the response to an MFA challenge. Do those indicate that the user is trustworthy? Does activity in the user session prior to originating the payment - things like changing a payee's account number - do those suggest fraud? That information really provides critical context that may identify what's otherwise a harmless-looking payment as being fraudulent. And leading banks are really using things like that to consider factors far beyond mere fluctuation and things like historical payment patterns.

There's a timeliness component to effective fraud prevention as well. Banks need to be able to act on potential fraud immediately, putting payments on hold in real time before the funds leave the bank and holding those funds pending the outcome of their investigation. As banks are layering in more levels of focused and specialized fraud controls, we're also seeing investigative teams place more value on speed and efficiency when trying to complete their investigations. So tools like visual link analysis, the ability to go in and record and to replay a potential fraudster's actual activity across various source systems can really help out here, as can the ability to access and manage a consolidated view of all the fraud cases across all the various fraud solutions that banks may be layering in. Finally, as Eric alluded to: data is king.

And these consortiums are really beginning to combine and use very large volumes of it, representing a significant fraction of the overall payment volumes in some markets. So these consortiums are using this to gain earlier and more actionable insight into emerging threats and to really refine their risk indicators very quickly in response. So, I think this is an area that should create a lot of new value going forward.

Owen McDonald: Back to you, Eric. In commercial banking and payments, account takeover is a dreaded form of fraud. What behavioral and context dual signals do you believe will be the most reliable indicators of account takeover attempts in '26? And in what ways are banks possibly underestimating these signals as they pass through, and should they be, and what should they be paying more attention to?

Eric Choltus: Account takeover is a fascinating space. I use that term because it's really interesting to watch the creativity on the fraud side that's happening in account takeover, the creative ways that they are deceiving legitimate users into providing their information or believing that they're talking to a legitimate call center support person. But on the flip side, there's a lot of reliable methods to detect and stop account takeover as well. And this is a relatively new area of growth, at least in commercial banking. It's an area that was very prevalent in retail banking, and now we're really seeing it grow on the commercial side.

To answer your question about reliable indicators: I would say there's a lot of reliable signals of digital impersonation, like fake websites, credential stuffing, remote access. You can look at device fingerprints and device intelligence for new or unfamiliar devices. You can look for location anomalies by looking at the geolocation of IP addresses. You know, fancy terms essentially, but what you're looking for is did Owen log in from New York ten minutes ago and now is logging in from Tokyo? We call that impossible travel, for example.

Looking at behavioral biometrics. That's another fancy term, but a really, really powerful capability looking at a user's interaction to how they're moving their mouse, how they're typing on the keyboard, and does that match the normal patterns that we would expect for that user. So those are really reliable indicators. 

The key is detecting and ingesting those indicators, and having a tool that can use those to stop a fraudster in their tracks. So, I guess to conclude, the underestimated signals to where you ended up your question - banks really can depend and look at help desk social engineering a little bit more. What I mean by that is call center resets remain a weak link despite heavy investment in digital controls there. Fraudsters calling into a call center to reset their information and those call desk employees just going ahead and following the instructions is a weak link - and there are tools today that can prevent that.

Owen McDonald: Alright. Marc, as banks embed more fraud detection into authorization workflows, what areas of regulatory scrutiny do you expect will intensify in 2026, especially around AI decisioning and third-party governance? 

Marc Salinas: Well, before we even get to AI, US banks are, of course, focused on the upcoming NACHA 2026 fraud monitoring rule, which is designed to strengthen fraud detection for ACH. So this new rule requires ODFIs (Originating Depository Financial Institutions) to deploy processes and procedures to identify potentially fraudulent ACH originations. But, you know, it's also designed to help ensure that RDFIs (Receiving Depository Financial Institutions) receiving the ACH volumes review their inbound payment streams to look for anomalies, including things like new and multiple source accounts. Deadlines are coming at us pretty quickly in March and June '26, and we're, of course, partnering with our US customers on timely compliance there.

As for AI, incorporating it into fraud detection certainly brings its own set of regulatory considerations around things like transparency, around governance, around bias, around data privacy. We think our bank's customers are going to be a really important stakeholder here as they will increasingly be sensitive to and demand to know/have banks explain how AI is impacting the decisions they're making, including around fraud detection. 

Regulators like the FCA in the UK and the CFPB in the US, they're going to continue to play a really key role in holding these banks accountable for maintaining proper governance and, really, for demonstrating that their use of AI and fraud decisioning isn't contributing to unlawful bias or to discrimination. As a key partner to these banks we're also seeing growth in the number of FIs (Financial Institutions) who are formalizing their risk management approach, including us as a third party in their reviews and compliance efforts. We're seeing larger banks, not surprisingly, take the lead, and really adopting a wide range of approaches so far, from the pretty conservative to those who seem to be adopting AI more aggressively.

Owen McDonald: Organized fraud rings operate now as well-coordinated multinational corporations. Eric, what practical steps can banks take to preserve their internal ecosystem against that threat without just adding more point solutions? Is this where a partner might be asked to help out? Tell me about that.

Eric Choltus: That's a great question. There's a lot of things that banks and their customers or corporates can do to combat fraud. 

So, first, just a point on the tools: one key thing is selecting a fraud monitoring solution that can grow with you - not only in volume, but in the extensibility to connect with solutions as they emerge. New solutions are coming up all the time. And so selecting a platform that can leverage APIs to connect with new solutions as they come up is absolutely critical.

But beyond that, there are so many small, but powerful, things that banks and corporates can do. So I'll just point to a few. So for example, within a typical treasury management solution, there's typically capability for what we call dual approval or four eyes. That's a really powerful method to combat fraud because if it's, for example, a fraudster that is now impersonating the user and puts in a fraudulent wire for approval, then if there's a completely separate person that's reviewing that transaction before it goes out (as part of the dual approval), that's a really simple but powerful way to monitor for fraudulent transactions. It's not foolproof, but it's powerful.

The other thing that can be useful is different MFA methods. We know that fraudsters can bypass MFAs (multi-factor authentications), but by incorporating them at different points in the process. You can incorporate it at login, but you can also incorporate it later on in the process. If the person is executing suspicious actions inside the payment system, or if they are approving a transaction, you can ask for another MFA or stepped-up authentication. It's a powerful way to slow down a fraudster, and also to challenge them, especially if you're giving them different MFA methods throughout the process.

And then probably another couple of areas I would point to. We've talked about consortiums already, a couple times, but that's another powerful way for banks to leverage data and collaboration across banks to share information. And then last, but not least, I would point to continuous education. Most banks are pretty good about this, but it's important to do it on a regular basis, training their own staff and training customers on emerging fraud tactics, impersonation tactics, and social engineering. And having them do simple things like, for example, color-coding external emails or making it very clear that emails coming in from external parties are labeled as such, as a powerful way to detect business email compromise for example.

Owen McDonald: Last question, and I'd like to hear from both of you on this. Tell me about the importance of, and ironically you've both touched on this already in this interview, shifting fraud detection upstream for both banks and corporates. Why is that suddenly appearing on everybody's agendas? And, is this another place where partners can play an important role? Marc, let's hear from you first.

Marc Salinas: Well, yeah. I tipped my hand earlier. I definitely agree that shifting fraud controls upstream is essential to countering the more focused and more sophisticated threats we're seeing targeting business payments. Obviously, the earlier the better. It reduces both cost and complexity for the banks trying to combat this fraud. The ability to catch it early, for example, when a session is in the act of being compromised or when a device is flagged as anomalous, as Eric said, this reduces the number of transactions that ultimately reach clearing and settlement systems unnecessarily. And, you know, this isn't just a theoretical risk we're talking about here. I mean PwC's survey, their 2025 commercial banking survey for fraud, it reported a five-fold increase in fraud attacks on corporates over the last couple of years. So this is very real and coming at us very quickly.

Eric Choltus: And I'll add to that. I mean, the way we're seeing this impact, banks and corporates, we're already seeing it happen. We're seeing it on the regulatory side, for example, like the UK's failure to prevent fraud regulation or, in North America, the NACHA 2026 operating rules are already pushing banks and corporates to screen for fraud regularly and at multiple different points in the process. And so like Marc mentioned, upstream controls are important, but it means for corporates that they have to invest in fraud analytics and identity verification earlier in the life cycle, even sometimes within their ERPs.

You know, one of the trends that we're seeing larger corporates move forward with is what's called embedded banking, where the treasury management system is built right into their ERP. But what that means is now the corporates have to invest in, not only the embedded banking capability right in the ERP, but also the fraud checks right there, within the ERP, and at multiple points in their processes within procurement and payroll and all their treasury workflows. It's a large impact to companies and to banks to detect fraud and to do it as early as possible in the process.

Owen McDonald: Digital fraudsters are using AI and pressing their advantage in ways we've never seen before. Fortunately, the business payment sector is quick in the uptake, which gives us all hope for a more fraud-free year in 2026. My thanks to our exceptional guests, Bottomline's Marc Salinas and Eric Choltus. To our audience, the smartest people in B2B payments, thanks for listening. Hit subscribe.

Catch us again on your favorite podcast platforms, including Apple, Spotify, Blubrry, iHeartRadio, and YouTube. Bye for now.

The Payments Podcast, from Bottomline.