Business payments face a highly variable threat environment today. Organizations no longer have the luxury of tackling payments fraud and risk in isolation, keeping old silos intact. Collaboration across teams and even companies is seen as a top trend for 2026, among other key developments.
Criminals are growing more sophisticated, with external actors exploiting insiders here, and cracks between business silos offering fresh attack surfaces there. Recent trends show that the total average annual cost of insider incidents per financial institution (FI) is climbing steadily, and that’s a direct result of delayed detection and fragmented risk management.
Per the FBI’s Internet Crime Complaint Center (IC3) 2024 report, released in 2025, Business Email Compromise (BEC) fraud alone cost companies $2.8 billion in 2024. BEC moved up from 7th place on the IC3 list in 2023 to the number two spot just one year later.
A stark reality for 2026 is the blurring of lines between internal and external threats. In parts of the world, internal staff have found themselves forced to cooperate with external crime rings under coercion and threats. Elsewhere, unintentional employee actions like inattention or compromised credentials are creating serious exposure to payments fraud.
“Recent reports [1] show that less than 1% of users/employees are responsible for about 88% of data loss,” according to Bottomline’s Tomer Shenhar, who has spent his career turning hard-won industry lessons into practical, forward-looking strategies for combating fraud and risk in B2B payments.
The impact of today’s “hybrid threat landscape” is compounded by legacy technology and organizational blind spots, Shenhar says. “Employees juggling decades-old green-screen systems alongside modern cloud or SaaS-based tools can find it nearly impossible to create a unified risk picture,” he adds. Siloed teams and outdated detection tools slow down response times, extending the window of vulnerability, and ultimately inflating the financial and reputational costs of fraud incidents.
For these reasons, the need to shift from a reactive model to a proactive, holistic approach is urgent as emerging fraud threats fueled by AI innovation race into the picture. Risk management in 2026 is about more than deploying new tools; it's a matter of integrating every available resource, empowering every team, and maintaining a relentless focus on both intentional and unintentional threats.
Hybrid Fraud: Insider-Outsider Collusion
Shenhar makes it clear that the emerging fraud landscape isn’t defined solely by shadowy outsiders or malevolent insiders acting on their own. Increasingly, the most damaging incidents stem from collusion between internal and external actors. This is the world of insider risk management (IRM), and it’s a vital line of defense against bad actors.
“A rogue employee can team up with an outsider, a fraud ring or whoever,” Shenhar says. He noted that in South America, for one example, employees and their families have recently been pressured by fraudsters to commit payments fraud under threat of harm.
Scenarios like that put an enormous strain on conventional defenses, which tend to assume sharply defined boundaries between friend and foe. But the scenario just described puts an honest employee in an almost impossible position.
Beyond deliberate bad actors, Shenhar points to the larger pool of innocent employees who create vulnerabilities without meaning to. Whether it’s weak passwords, misdirected emails, or an unwitting click on a phishing email, one mistake can cause a calamity.
Powerful new attacks are finding their targets because organizational responses remain too siloed. “Recent reports show the average loss of insider incidents per financial institution or bank has been increasing over the past five years. Speed of detection is what drives the increased cost. The slower you are, the greater the losses,” Shenhar said.
Legacy Limitations and the Data Visibility Challenge
The gap between old systems and new threats is growing. Many FIs still rely on certain aging technologies while simultaneously adopting modern, web-based solutions. Shenhar says immense risk is hidden in the disconnect between systems.
“Say you have your mainframe or green screen system that’s been there since the 1990s or early 2000s, and you have an ERP system in a modern web application,” he said. “You want to monitor and collect data on both to say, ‘Hey, this employee is going here and there,’ to get an accurate picture of what’s going on,” be it intentional or accidental.
Bridging these different views is essential. Shenhar prescribes advanced analytics, which reveal subtle shifts over time that can indicate when an insider is moving toward fraud. He’s also a strong advocate of compiling and following anti-fraud playbooks with detailed plans rehearsed by teams from fraud, security, risk, and other parts of the company.
“Move beyond silos. Move beyond reactive approaches to proactive approaches,” he says. “Use behavioral monitoring and non-invasive approaches so that you have enough data across your multiple different systems to bring it all together and see the full picture.”
Artificial Intelligence, Identity, and Access
As AI-driven automation increases, new questions arise about how to authenticate and monitor non-human actors. Authentication protocols that work for people, including multi-factor authentication (MFA) and biometrics, don’t work with algorithms. “The industry is still developing standards for AI agent authentication. This is a brand new challenge,” he says, “and the big question now is how do you validate an AI agent in a login or a payment in that scenario?” Shenhar urges fresh monitoring methodologies in these cases.
“In the future, we will monitor entities,” he says. “An entity could be an employee, it could be an AI agent, it could be something across internal systems. As long as we can uniquely identify that entity, we can apply things like behavioral analytics, monitoring, reporting, auditing, and all forms of access to systems by that entity, and correlate everything into a well-defined visual replay capability.”
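As an added illustration (not Bottomline’s or Shenhar’s code), the following Python sketch shows the kind of unified entity view described above: constructed audit lines from a green-screen payments system and JSON events from a web-based ERP are mapped onto one canonical entity id through a hypothetical HR directory, merged into a single timeline, and checked for a vendor bank-detail change followed by a payment approval to that vendor, a sequence neither system can see on its own. All record layouts, account names, vendors and amounts are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR directory: each system's account name -> one canonical entity id.
ENTITY_DIRECTORY = {
    ("mainframe", "JDOE01"): "emp-1042", ("erp", "jdoe@corp.example"): "emp-1042",
    ("mainframe", "ASMITH7"): "emp-2231", ("erp", "asmith@corp.example"): "emp-2231",
}
# Constructed legacy audit records (hypothetical layout): date time user action vendor amount
MAINFRAME_LOG = """20260112 091503 JDOE01 PAY_APPROVE V-771 9800.00
20260112 143011 ASMITH7 PAY_APPROVE V-120 1250.00
20260112 161522 JDOE01 PAY_APPROVE V-771 9750.00"""
# Constructed ERP web-application events (hypothetical JSON-lines layout)
ERP_LOG = """{"ts": "2026-01-12T08:47:10", "user": "jdoe@corp.example", "action": "vendor_bank_change", "vendor": "V-771"}
{"ts": "2026-01-12T10:02:44", "user": "asmith@corp.example", "action": "invoice_view", "vendor": "V-120"}"""

def parse_mainframe(text):
    """Normalise green-screen audit lines onto the shared event schema."""
    for line in text.splitlines():
        d, t, user, action, vendor, amount = line.split()
        yield {"ts": datetime.strptime(d + t, "%Y%m%d%H%M%S"), "system": "mainframe",
               "entity": ENTITY_DIRECTORY[("mainframe", user)], "action": action,
               "vendor": vendor, "amount": float(amount)}

def parse_erp(text):
    """Normalise ERP JSON events onto the same schema, keyed by the same entity id."""
    for line in text.splitlines():
        e = json.loads(line)
        yield {"ts": datetime.fromisoformat(e["ts"]), "system": "erp",
               "entity": ENTITY_DIRECTORY[("erp", e["user"])], "action": e["action"],
               "vendor": e["vendor"], "amount": None}

def unified_timeline(*sources):
    """Merge events from every system into one time-ordered view across entities."""
    return sorted((ev for src in sources for ev in src), key=lambda ev: ev["ts"])

def flag_change_then_approve(events, window=timedelta(hours=8)):
    """Alert when one entity changes a vendor's bank details in the ERP and then approves
    a payment to that vendor on the mainframe within `window`; no single silo sees both."""
    changes, alerts = defaultdict(list), []
    for ev in events:
        key = (ev["entity"], ev["vendor"])
        if ev["system"] == "erp" and ev["action"] == "vendor_bank_change":
            changes[key].append(ev["ts"])
        elif ev["system"] == "mainframe" and ev["action"] == "PAY_APPROVE":
            if any(timedelta(0) <= ev["ts"] - c <= window for c in changes[key]):
                alerts.append((ev["entity"], ev["vendor"], ev["ts"].isoformat(), ev["amount"]))
    return alerts
```

With the constructed data, both of emp-1042’s same-day approvals to V-771 are flagged, while emp-2231’s approval to V-120, which had no preceding bank change, is not.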
Intentional and Unintentional: Addressing Both Sides of Fraud
The security community tends to divide threats into accidental and intentional. While most firms invest in education and data loss prevention (DLP) to stop the accidents, Shenhar focuses on criminal intent. “Unintentional includes things like data leaks and mistakes,” he says. “But for intentional fraud, for someone who’s financially motivated to do harm, perhaps an internal employee or outside contractor, behavioral profiling, visual audit capabilities, and monitoring system access non-invasively” are decisive factors for 2026.
Importantly, neither type of threat can be deprioritized. “It’s not that one of them is more important than the other. They’re both important. And again, not [removing data siloes] is harming organizations right now. But I predict that this is going to become more holistic across fraud types [in 2026],” Shenhar says.
Regulatory and Strategic Pressures
Legislation is tightening around fraud prevention. In the U.K. and EU, for example, regulators are imposing harsher penalties on companies that fall down on fraud, with regulations including the Failure to Prevent Fraud Offence. As for the U.S., Shenhar warns companies to get out ahead of compliance, or risk getting both defrauded and penalized.
“Look for your compliance and internal security policy gaps,” he says. Technology and expertise are needed, but organizational buy-in is everything. “Expert models and deep understanding of the threat landscape are not going to go away anytime soon,” he adds, noting that chasing “shiny new” fraud solutions can cause organizations to miss a clue because they skimped on the fundamentals.
Ultimately, real progress will come not just from better platforms and tools, but from genuine collaboration, clear policies, and regular “drills” on cyber safety.
“Change management is always key. Organizational alignment involves actually having a policy, then making sure your policy adheres to all the different risks and threats the organization is exposed to,” Shenhar says, adding that policies must be practiced.
For firms still crafting a 2026 fraud strategy, Shenhar’s message isn’t complicated: take an integrated approach, update both technology and processes, and ensure every team is engaged. When in doubt, tap a dialed-in payment service provider like Bottomline. This will put your organization in the best position to outmaneuver tomorrow’s threats.
[1] Gartner’s Protection From the Risk Within: Managing Insider Risk, 2004