With some estimates saying that more than half of all cyberattacks are now coming from organized crime, not lone fraudsters, the stakes of B2B payment security are higher than ever. That’s a challenge for all, and certainly for the complex Commercial Real Estate (CRE) sector.

At the 10th Annual U.S. Bank Commercial Real Estate Treasury Conference: Creating the Future Now executives gathered in Minneapolis seeking solutions to critical obstacles for the CRE industry today, most notably the safety and security of their payments processes.

Fighting criminal attacks was a focus for attendees. On the panel “Fighting Fraud,” U.S. Bank VP, Financial Risk and Compliance Officer Kasia Harvell got to the point with a message for the industry.

“We are doing ourselves a disservice by not understanding how sophisticated and complex these organizations are,” she said, echoing numerous studies. One is Verizon’s 2023 Data Breach Investigations Report, which said 55% of cyberattacks have organized crime ties.

“It's no longer just one person. It is a well-organized machine, very similar in structure to a corporate entity with groups of individuals very diligently working quotas, recruitment, research and development,” she said.

“When we talk about fraud, please understand that the opponent is formidable.”

The Feds agree. In its 2024 Report on the Cybersecurity Posture of the United States, the Office of the National Cyber Director (ONCD) said that in an evolving tech landscape, “...malicious state and non-state actors are exploiting its seams with growing capability and strategic purpose, continuing to aggressively conduct malicious cyber activity that threatens U.S. national security, public safety, and economic prosperity.”

 

Check Fraud, Social Engineering Scams, and Data Theft

With most banks, FIs, and corporates having upped their fraud detection game substantially in the past four years, panelists noted a return to basics among fraudsters. According to FinCEN, paper check fraud is up a dizzying 385% this year.

“We have seen things as simple as a Notification of Address Change for the USPS where fraudsters change the business address and have payments redirected to them instead of the actual business,” said Katie Elliott, Bottomline Senior Risk and Fraud Officer.

She added that “Almost every single fraud that occurs involves some form of social engineering.”

“They already know a lot about you,” Harvell said, adding that social media teaches fraudsters all about you, your business, and your business partners. “My advice to everybody is use a little bit of professional distrust or skepticism,” she said.

U.S. Bank Deposit & Payment Solutions Relationship Manager Josh Christopher also noted how fast compromised data, such as check images, can end up for sale on the dark web. “We often see repeat attacks as information is used, then sold to other fraudsters. This further highlights how critical traditional fraud prevention services like Payee Positive Pay continue to be – exposure is not a matter of if, but when.”  

 

Proactive B2B Payments are the Future

The Harvard Business Review said in July that “U.S. banks face a reckoning: Over the next two years, more than $1 trillion in commercial real estate (CRE) loans will come due.”

That urgency explains why CRE lenders, developers and stakeholders need to cut costs. What better way to start than tightly protecting funds movement and monetizable data?

“We see a lot of trends. We see what is happening in the marketplace just by virtue of moving funds,” Harvell said. “I think understanding that fraud is not an event, it's an ongoing risk, and having that attitude, having that mindset, is extremely important.”

Harvell also gave nod to AP automation as a preferable substitute to handling payments in-house, a capability made possible at U.S. Bank by their AP Optimizer solution, which is powered by Bottomline and their Paymode network. Harvell asked Bottomline’s Katie Elliott what a business can do if they don’t belong to a secure B2B payments network like Paymode.

“Being more proactive than reactive is key,” Elliott said. Warning that even large companies with sophisticated defenses can be caught off guard by a cyber sneak attack, she added that B2B payments that take place on corporate networks will remain vulnerable for some time to come. Business payments on a secure outside network, however, are unaffected if your site goes down. It exemplifies “proactive.” Christopher added, “Managing the onboarding of new suppliers and the maintenance and storage of beneficiary information in-house present often-understated risks in the AP process. Internal controls and ongoing training are critical to protect beneficiary data and prevent fraudulent payments from going out the door.” 

Panelists agreed that educating internal teams about phishing, business email compromise (BEC), deepfakes, counterfeits, and signs of a cyberattack are non-negotiable exercises to complete. Partners like Bottomline – whose Paymode closed-loop B2B payments network has processed over $2 Trillion without fraud – can also help to automate the AP process and prevent fraud.