Commercial payments fraud has moved well beyond the back office and is now firmly on the agenda in every bank boardroom. As attacks become more sophisticated, using AI-driven scams and social engineering, the risk to banks has never been higher.
In a recent conversation, Bottomline’s fraud experts, Andrew Leon and Dalit Amitai, sat down to talk through what they’re seeing in the market and how banks can respond. Their insights reveal why a generic, one-size-fits-all approach falls short, and why specialization is critical for protecting high-value transactions, ensuring compliance, and preserving customer trust. Below are some of the key points from that discussion.
Andrew:
I speak with countless banks, and they all tell me the same thing. Commercial fraud has become far more sophisticated and can lead to multi-million losses that cripple operations. On top of that, compliance with frameworks such as NACHA and ISO 20022 is non-negotiable, and failure to meet these standards can result in severe penalties and reputational damage. In both instances, trust is on the line. It only takes a single breach to erode brand equity for years, which is why resilience and proactive defense matter so much. I’m often asked, “What’s really happening out there, Andrew, and what can banks do about it?” Let’s dig into that.
Commercial banking fraud poses unique challenges because of the low-volume, high-value nature of the transactions. Unlike retail banking, which typically involves high-volume, smaller-value transactions, commercial fraud impacts entire businesses and their users. When a bank suffers a commercial fraud loss, trust diminishes not only with the financial institution but also across multiple stakeholders.
This risk is heightened by the way fraudsters often target multiple users over a longer stretch of time. For example, attackers may start by compromising a CFO’s email account, then go on to impersonate accounts payable staff to authorize multiple fraudulent wire transfers over several weeks.
Addressing these types of risks requires a specialist-led approach. It must account for the distinct behaviors and patterns of each individual business user, rather than the simpler monitoring applied to smaller, single-user retail transactions. Specialists in the commercial banking space will adopt a multi-layered strategy that analyzes enterprise-level factors such as user logins, payment transactions, behavioral trends, and release points to deliver full protection.
Dalit:
That concern is absolutely valid, and recently published examples illustrate this. There’s the $35 million deepfake audio scam in a Hong Kong-based multinational where attackers used an AI-generated voice to impersonate an executive and trick a finance team into wiring funds. In another case, spoofed CFO emails led one firm to authorize multiple fraudulent wire transfers totaling millions of euros. And even tech giants aren’t immune, with two of the world’s largest technology companies collectively losing $121 million after paying fake vendor invoices. These cases highlight how sophisticated tactics bypass generic controls and exploit workflow gaps. That’s why strong commercial expertise, shared intelligence across banks, and integrated real-time workflows are critical, because not all customers face the same class of threats.
The fraud patterns in commercial payments differ from those in consumer transactions, requiring tailored strategies and intelligence to address unique vulnerabilities. As a hosting provider, Bottomline harnesses fraud signals across its entire network to develop advanced detection models, helping banks stay ahead of evolving threats. This includes insights into emerging business email compromise (BEC), account takeovers (ATO), and other attacks, along with prebuilt risk indicators and benchmark performance rates. These shared insights help banks strengthen their defenses proactively rather than reactively.
Just imagine the impact that strong bank-to-bank intelligence sharing could have had in preventing some of those high-profile commercial fraud attacks. When banks work together through a trusted partner, they can spot threats sooner and respond more effectively than they could on their own.
Andrew:
The largest concern I hear is that providers trying to cover both retail and commercial banking fraud often fall short in developing strategies that truly address the cost and complexity of commercial fraud.
Consumer and corporate fraud cannot be treated the same. The stakes, risks, and transaction values differ dramatically, and so do the approaches required. Non-specialist or dual-focused vendors often miss those nuances. General-purpose solutions tend to lack the deep expertise required for the commercial space, which leads to missed anomalies in transactions and an increase in false positives. Their workflows are generic and fail to enforce essential controls such as new or changed payees.
On top of that, broad-market vendors can be slower to adapt and keep pace with emerging scams in commercial banking, leaving institutions vulnerable to compliance gaps and operational inefficiencies.
Dalit:
You’re quite right, Andrew. Those gaps are exactly why banks benefit from working with a prescriptive, commercial payments-focused partner. Such partners will deliver stronger detection models that identify anomalies in spoofed or even deepfake-driven requests, something that generic or consumer-focused solutions often miss.
The controls that specialized providers put in place are designed to reflect real-world workflows. They give fraud and operations teams step-by-step guidance for spotting and handling business fraud incidents like impersonations or vendor-related scams, which helps them act quickly and limit the damage. It’s critical that fraud detection solutions align with regulations specific to commercial banking, such as the 2026 NACHA rules for non-consumer ACH originators.
This approach works well in the commercial banking space and delivers strong results. Banks see the benefits sooner, stay aligned with commercial banking mandates, and achieve measurable ROI. Those results reflect the value of partnering with a team built around commercial payments.
Andrew:
Banks also express concerns about the growing sophistication of AI-driven fraud and the increasing volume of threats. With these challenges, they frequently ask what steps they can take immediately to protect their assets, business, and reputation.
My advice is simple. Act decisively to safeguard high-value transactions and maintain trust. Start by reviewing your existing fraud controls and identifying gaps in ACH, wire, and RTP workflows. Next, look for partners with deep expertise in commercial payments who can support you with a practical, guided approach. From there, put in layered defenses that combine login monitoring, anomaly detection, dual approval, and the ability to stop a payment before it leaves the bank.
AI-powered detection is essential, but it can’t stand alone. Effective fraud prevention in commercial payments needs the right mix of AI, expert human oversight, known fraud scenarios, and solid statistical and behavioral models. Working together, those elements strengthen detection accuracy and speed, addressing the complexity of commercial payment fraud far better than any single approach.
To stay ahead, banks should also focus on seamless integration between customer-facing platforms and back-office risk prevention systems. After all, the goal is to strengthen fraud defenses without disrupting service or creating unnecessary friction. When digital banking platforms, fraud prevention tools, and payment rails work end-to-end, both the bank and its commercial clients stay protected without slowing operations or increasing risk exposure.
Finally, by taking a layered approach and bringing that insight together, banks can work more efficiently, detect fraud more accurately, and respond faster. That puts them in a much stronger position to stay ahead of emerging threats like AI-driven business email compromise.
Dalit:
That’s excellent advice, Andrew. At Bottomline, we focus on commercial payments because it’s a space where specialization genuinely matters. Fraud is changing quickly, and broad, one-size-fits-all tools aren’t built for that pace. One thing our conversation makes clear is that effective fraud prevention starts with specialization.
Banks that choose prescriptive, commercial-focused solutions gain more than technology; they gain expertise, shared intelligence across banks, and resilience. Combining that with strong detection models and regulatory alignment helps institutions protect high-value transactions, maintain compliance, and preserve customer trust. I think the most important thing I want banks to hear is this: the time to act is now, because specialization remains a bank’s strongest defense against sophisticated fraud.
Andrew:
Yes, and I think the most valuable advice I can share is not to wait for the next attack to reveal weak spots. Start by reviewing your current commercial fraud controls and looking for gaps in your high-value payment workflows. Then find a partner who truly understands the complexities of commercial banking fraud and can offer the right guidance tailored to your needs.
Ready to take the first step? Our team is here to help. Bottomline brings specialist expertise and shared intelligence from across the banks we work with, giving you a clearer view of emerging threats and how to address them. Contact us and we’ll walk you through the first actions to reduce risk.