We’re all familiar with the saying, “It’ll probably get worse before it gets better.” That notion became an expression because it’s often correct, in an 80/20, Pareto Principle kind of way.
It’s certainly true with payments risk, and with related data security. Things are tough today.
With the business payments attack surface achieving record scale and scope just as generative AI goes into wide use by fraudsters – with diabolical efficacy – it’s a time of analysis, testing, and innovation. As the second half of 2025 gets in gear, here’s a primer taken from select Bottomline coverage on fraud trends in a time of strict data governance.
“Fraud Fusion”
Bottomline Chief Information Security Officer (CISO) Chirag Patel recently spoke about "fraud fusion" as an innovative approach to cybersecurity that breaks down traditional silos between cyber and fraud teams, encouraging openness and collaboration.
In a recent internal interview, Patel said “Fraud fusion is about [in-house departments or different companies] bringing different elements together to create something stronger and more effective than they could achieve on their own. This means cyber and fraud teams collaborating in a shared environment, sharing intelligence, tools, and strategies rather than operating in silos.”
“In the case of actual fraud fusion centers, think of these as Mission Control Centers for digital threats,” he said. “Just as NASA brings together specialists from different disciplines to solve complex problems in space missions, fraud fusion centers unite experts from cyber, fraud, and risk domains to tackle sophisticated digital threats. This approach is gaining traction because attackers don't think in terms of organizational silos. Fraudsters look for any vulnerability to exploit. Our defense mechanisms need to match this integrated approach.”
The Fraudster Within
Commenting on the “fraud convergence” between cybersecurity, fraud, and behavioral risk, Ruud Grotens, Head of Fraud and Financial Crime Solution Consulting at Bottomline, emphasized the role of Insider Risk Management (IRM) solutions in a recent article.
“Modern Insider Risk Management (IRM) solutions, according to the SPARK Matrix by QKS Group, are moving beyond rules-based alerts,” Grotens said. “They now integrate psychological indicators, sentiment analysis, and historical behavioral data to produce more accurate risk assessments. Identity-centric risk modeling allows systems to assign dynamic risk scores and adapt to evolving user behaviors.”
“This shift treats insider threat management (ITM) as an integrated, holistic program, rather than yet another siloed function. It’s not enough to monitor for policy violations—organizations must interpret behavioral deviations within broader operational environments, focusing on intent and context,” according to Grotens.
Fraud Fighters Forward
From ultra-modern AI deepfakes to old cheater chestnuts like Business Email Compromise (BEC), it’s dangerous out there, and high-value business payments are a prime target.
Laying out a long list of steps for protecting B2B payments from spiking fraud attacks, Katie Elliott, Senior Risk and Fraud Officer for Paymode at Bottomline, advises companies to “…move communication and handling of sensitive payment and bank account information into a secure portal. Ideally, any approval of payments and changes to a vendor or internal account number would have to be secured by multi-factor authentication, which keeps bad actors out and forces your team to slow down.”
“A secure portal and B2B payments network like Bottomline’s Paymode, where every member business is validated, is a sensible choice,” Elliott said.
She added, “A bad actor will find it extremely hard to gain access and, where bank account changes are protected by multiple layers of security and monitoring, it becomes extremely difficult to rush a change through. The employee gets the time to think about the change and a secure partner can put roadblocks in the way of any fraud attempts that prey on that cheap, easy, and fast triangle.”
The Tokenization Transformation
When most people hear "tokenization" they think of credit and debit card security—specifically, PCI DSS compliance. But as Mark Bish, Principal Product Manager at Bottomline, explained in a recent podcast and blog post, there's a more advanced and business-focused form of tokenization that's gaining traction.
Tokenization shrinks the attack surface and secures this process by using tokens that are meaningless outside the payment system. When it's time to make a payment, the token gets matched with the verified account data behind the scenes, Bish said.
This can be done via an API integrated into front-end systems or through a user interface for lower-volume systems like payroll. The result? A clean, secure payment file that contains only tokens, payment amounts, and dates—no sensitive data.
As Bish notes, while we can’t stop cyberattacks outright, we can limit the damage considerably. By removing sensitive data from your systems, tokenization ensures that even if attackers gain access, there's little of value for them to steal.
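To make the mechanism concrete, here is an added illustration (not Bottomline's or Bish's code) of vault-based tokenization of bank account data: the front end only ever handles random tokens, the payment file carries tokens, amounts, and dates, and the vault swaps tokens back for verified account data only inside the payment system. The in-memory vault, the `tok_` token format, and the routing and account numbers are all constructed for the example.

```python
import secrets


class TokenVault:
    """Holds the only mapping between tokens and real bank account data.

    Tokens are random, not derived from the account, so they cannot be
    reversed without the vault; outside the payment system they carry nothing.
    """

    def __init__(self):
        self._account_by_token = {}
        self._token_by_account = {}

    def tokenize(self, routing, account):
        key = (routing, account)
        if key in self._token_by_account:      # stable token per account
            return self._token_by_account[key]
        token = "tok_" + secrets.token_hex(8)
        while token in self._account_by_token:  # collision guard
            token = "tok_" + secrets.token_hex(8)
        self._account_by_token[token] = key
        self._token_by_account[key] = token
        return token

    def detokenize(self, token):
        if token not in self._account_by_token:
            raise ValueError(f"unknown token: {token}")
        return self._account_by_token[token]


def build_payment_file(vault, payments):
    """Payment file holding only token, amount (cents) and date, one per line."""
    return "\n".join(
        f"{vault.tokenize(routing, account)},{amount_cents},{pay_date}"
        for routing, account, amount_cents, pay_date in payments
    )


def release_payments(vault, payment_file):
    """Inside the payment system: swap each token back for verified account data."""
    released = []
    for line in payment_file.splitlines():
        token, amount_cents, pay_date = line.split(",")
        routing, account = vault.detokenize(token)
        released.append((routing, account, int(amount_cents), pay_date))
    return released


def leaks_account_data(payment_file, payments):
    """True if any real account number appears in the file the front end handles."""
    return any(account in payment_file for _r, account, _a, _d in payments)


# Constructed sample vendor payments (fictitious routing/account numbers).
SAMPLE_PAYMENTS = [
    ("021000021", "000123456789", 125000, "2025-07-15"),
    ("026009593", "987654321000", 48050, "2025-07-16"),
]
```

A token stolen from the payment file is useless without the vault, which is why the vault sits inside the payment system rather than in the front-end or payroll systems that produce the file.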
And Now… Our Favorite Stat of the Month
“67% of security executives say generative AI has expanded the cyberattack risk surface, with deepfake-driven impersonation fraud now the most reported fraud type globally.”
–The PwC 2025 Global Digital Trust Insights Report