
Infamous 1940s stick-up man Willie Sutton never actually said he robbed banks “because that’s where the money is.” The line was invented. Then as now, though, it makes a fair point: evil, yes, but also true. Thieves are good at sniffing out opportunities.

Cybercrooks also have favorite targets that rise and fall in popularity. Some specialize in retail, others in corporates, and so on. These days, a rising chorus of unhappy voices say bad guys are hunting more lucrative game: high-value, low-volume B2B payments.

Hijacking a business account through a successful phishing attack that turns into an account takeover (ATO) can be like hitting the lottery for fraudsters. And while fraud typologies haven’t changed much, the scale and quality of attacks are constantly improving, and ‘professional’ fraud rings are not intimidated by bank-grade security.

As banks and financial institutions grapple with advancing threats, a comprehensive, multi-layered security approach is essential to stopping fraud now.


Commercial Banking Fraud is On the Move

Commercial banking fraud has distinct characteristics that set it apart from retail fraud. Where retail banking fraud typically involves smaller dollar amounts spread across many accounts and transactions, commercial fraud targets fewer transactions with significantly higher values, often in the hundreds of thousands to millions of dollars per incident.

“This shift is particularly concerning because commercial banking transactions typically have different liability structures than retail banking,” says Eric Choltus, Director of Product Management at Bottomline.

“In commercial banking, customers often bear more responsibility for losses, unless they can prove the bank failed to implement reasonable measures”, he adds.

That’s changing, particularly in regions like the UK and the EU, where regulatory frameworks are now holding banks accountable for more commercial fraud losses. The timing is bad, as the sophistication of attacks has increased dramatically, with fraudsters leveraging AI for a new generation of highly convincing fakes on a massive scale.

Professional fraud rings now use AI tools built on large language models (LLMs) to create ultra-realistic phishing swindles. "What used to be scams with obvious grammar errors and spelling mistakes are now convincing communications," Choltus says. "Access to AI technology has made it easy for fraudsters, even if English isn't their primary language, to create convincing text, images, and videos with deepfakes."


The Power of Layered Security

To combat a devious and well-equipped enemy, financial institutions must implement comprehensive security strategies that span the entire transaction journey.

A layered approach provides multiple barriers against fraudulent activities at different stages of the banking process. "A layered approach is absolutely critical," Choltus says. "It has to go through the entire spectrum from beginning to end."

This approach includes:

  1. Layer One: Scam Detection and Education – Implementing scam detection technologies (for example, those that help detect phishing websites), and educating customers on how to recognize and avoid them.

  2. Layer Two: Bank Policies – Requiring dual authorization (a second approver) on high-value transactions and limiting self-administration privileges. Requiring out-of-band verification for high-risk changes.

  3. Layer Three: Authentication Security – When fraudsters attempt to log in with stolen credentials, multi-factor authentication (MFA) serves as a critical barrier, but that alone won’t cut it, as fraudsters can often pass these challenges. This layer also involves analyzing login attributes such as IP addresses and device fingerprints.

  4. Layer Four: Session Monitoring – Monitoring user behavior within digital banking sessions to identify suspicious activities and patterns, such as accessing unfamiliar screens or changing user privileges.

  5. Layer Five: Transaction Monitoring – Every scam ultimately ends up in an attempted monetary transaction. So evaluating all aspects of the payment in real time is critical, but so is correlating it with prior suspicious login or session activity.

  6. Layer Six: Leveraging Payment Rails with Tightly Controlled Vendor Networks – Accounts Payable automation networks tightly control beneficiary information and limit the effectiveness of ATO and business email compromise (BEC) scams.

  7. Layer Seven: Investigation Efficiency Tools – Equipping bank investigators with the latest tools is also key. The ability to replay a user session screen by screen can be invaluable. Integrating third-party intelligence directly into the fraud monitoring system saves investigators from having to use multiple systems.

The key to an effective layered approach is finding the right balance between security and user experience. "You don't want to enable 100 different layers and create a painful experience for your clients," Choltus says.

"You want to maximize protection while minimizing friction."

What makes this method markedly more powerful is the collection and correlation of data across different components of a digital banking session. By evaluating logins, user activity, biometrics, and payment patterns together rather than in isolation, banks and financial institutions can more effectively identify and block many types of scams, Choltus says.
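The following Python is an added example written for this page, not Bottomline's product or its scoring model. It shows the correlation the layered approach above depends on: one constructed banking session (a login from an unrecognised device in an unfamiliar country, a privilege change, a beneficiary added, then a large payment to that beneficiary) is scored twice, once looking at the payment alone and once with the login and session events correlated in. The user profile, event field names, signal weights and decision thresholds are all hypothetical.

```python
"""
Cross-layer correlation for a digital banking session: login attributes,
in-session actions and the eventual payment are scored together rather
than in isolation. Profile, event stream, weights and thresholds are
constructed for this example and are not any vendor's schema.
"""
from typing import Dict, List, Tuple

Signal = Tuple[str, int]  # (human-readable reason, risk weight)

# Constructed baseline for one corporate user (hypothetical values).
USER_PROFILE: Dict = {
    "user": "ap_clerk_01",
    "known_devices": {"dev-7f3a"},
    "known_countries": {"US"},
    "known_beneficiaries": {"ACME Supplies", "Northwind Traders"},
    "typical_max_amount": 25_000.00,
}

# Constructed event stream for one session, in time order.
SESSION_EVENTS: List[Dict] = [
    {"t": 1, "layer": "login", "device": "dev-9c21", "country": "NG", "mfa": "passed"},
    {"t": 2, "layer": "session", "action": "view_account_summary"},
    {"t": 3, "layer": "session", "action": "change_user_privileges"},
    {"t": 4, "layer": "session", "action": "add_beneficiary", "beneficiary": "Global Trade Ltd"},
    {"t": 5, "layer": "payment", "amount": 480_000.00, "beneficiary": "Global Trade Ltd"},
]

# In-session actions that rarely precede a legitimate high-value payment.
SENSITIVE_ACTIONS = {
    "change_user_privileges": 25,
    "add_beneficiary": 15,
    "change_contact_details": 15,
}

STEP_UP_THRESHOLD = 30   # require out-of-band verification
BLOCK_THRESHOLD = 80     # hold the payment and route to an investigator


def login_signals(ev: Dict, profile: Dict) -> List[Signal]:
    """Layer Three: device fingerprint, geography and MFA outcome."""
    out: List[Signal] = []
    if ev["device"] not in profile["known_devices"]:
        out.append(("login: unrecognised device fingerprint", 20))
    if ev["country"] not in profile["known_countries"]:
        out.append(("login: unfamiliar country", 20))
    if ev.get("mfa") != "passed":
        out.append(("login: MFA challenge not satisfied", 40))
    return out


def session_signals(ev: Dict) -> List[Signal]:
    """Layer Four: privilege changes and other sensitive in-session actions."""
    weight = SENSITIVE_ACTIONS.get(ev["action"])
    return [(f"session: sensitive action '{ev['action']}'", weight)] if weight else []


def payment_signals(ev: Dict, profile: Dict, added_this_session: set) -> List[Signal]:
    """Layer Five: the payment itself, plus how it relates to this session."""
    out: List[Signal] = []
    if ev["beneficiary"] not in profile["known_beneficiaries"]:
        out.append(("payment: beneficiary never paid before", 15))
    if ev["beneficiary"] in added_this_session:
        out.append(("payment: beneficiary was added earlier in this session", 20))
    if ev["amount"] > profile["typical_max_amount"]:
        out.append(("payment: amount exceeds user's typical maximum", 20))
    return out


def decide(score: int) -> str:
    """Map a risk score to an action using the (hypothetical) thresholds."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"
    return "allow"


def evaluate_payment_alone(events: List[Dict], profile: Dict) -> Dict:
    """Transaction monitoring with no login or session context."""
    payment = next(e for e in events if e["layer"] == "payment")
    signals = payment_signals(payment, profile, added_this_session=set())
    score = sum(w for _, w in signals)
    return {"score": score, "decision": decide(score), "reasons": [r for r, _ in signals]}


def evaluate_session(events: List[Dict], profile: Dict) -> Dict:
    """Correlate all layers: the session's history informs the payment decision."""
    signals: List[Signal] = []
    added_this_session: set = set()
    for ev in events:
        if ev["layer"] == "login":
            signals += login_signals(ev, profile)
        elif ev["layer"] == "session":
            signals += session_signals(ev)
            if ev["action"] == "add_beneficiary":
                added_this_session.add(ev["beneficiary"])
        elif ev["layer"] == "payment":
            signals += payment_signals(ev, profile, added_this_session)
    score = sum(w for _, w in signals)
    return {"score": score, "decision": decide(score), "reasons": [r for r, _ in signals]}


if __name__ == "__main__":
    for label, result in (("payment alone", evaluate_payment_alone(SESSION_EVENTS, USER_PROFILE)),
                          ("correlated", evaluate_session(SESSION_EVENTS, USER_PROFILE))):
        print(f"{label}: score={result['score']} decision={result['decision']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

Judged alone, the payment (new beneficiary, unusually large amount) only earns a step-up challenge, which, as the text notes, a fraudster who has already defeated MFA may well pass again. Correlated with the unrecognised device, unfamiliar country, privilege change and the beneficiary being created in the same session, the same payment crosses the block threshold and is held for an investigator, who also receives the ordered list of reasons as a session timeline.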

Collaborative Defense: The Role of Payment Service Providers

Payment service providers (PSPs) play a crucial role in helping banks and corporates detect and prevent fraud through collaborative efforts and advanced technologies.

Partnerships are becoming more important by the day as fraudsters get better at their illegal trade. "It takes a village to fight fraud," Choltus says, paraphrasing a well-known quote. "Banks, PSPs, and fraud solution providers need to work together."

PSPs like Bottomline serve as consultative partners, helping banks not only execute transactions but also develop comprehensive fraud strategies. Choltus says an important innovation for a collaborative approach is the concept of ‘fraud consortiums,’ which aggregate data from multiple banks and FIs to identify and stop fraud more effectively.

"Consortiums use data from multiple banks to help distinguish between safe and risky beneficiaries," Choltus says, adding that shared intelligence helps all participating institutions strengthen their defenses against common threats.

For smaller banks with limited resources, partnerships are particularly valuable. Modern API-based platforms enable smaller FIs to deploy the latest fraud-fighting tools without massive infrastructure investments. "The extensibility of these solutions allows banks to integrate third-party tools and future-proof against new threats," Choltus says.

There’s a lot to look forward to in B2B payments, but Choltus predicts that the fraud situation may worsen before it improves, particularly for smaller financial institutions.

While big banks are acting fast to close security gaps, many smaller FIs are still playing catch-up. The cautious, reactive mindset of some banks—often applying new security measures only after experiencing losses—continues to create vulnerabilities that fraudsters exploit.

The most effective strategy for preventing ATO and its fraudulent precursors (phishing, BEC) involves connecting and correlating data across different components of a digital banking session, implementing behavioral biometrics to detect unusual patterns, and maintaining a comprehensive approach that integrates multiple security layers, Choltus says.

By adopting these strategies and embracing collaborative and layered defense mechanisms, banks can better protect themselves and their customers from the growing threat of increasingly sophisticated fraud attacks.