29.6.2026 | Last updated: 29.6.2026

Payment fraud: how much are you willing to lose?

More than three quarters of organisations say they were affected by attempted or actual payment fraud in 2025. And that does not include the cases that went undetected.

Not every attack was successful. Well-trained employees identified many attempts in time. The figure remains concerning, especially as artificial intelligence is making not only corporate tools more efficient, but also the tools used by fraudsters.

The recent debate around Claude Mythos shows how quickly AI models are developing. Systems that only a few years ago struggled to produce coherent text can now help identify complex vulnerabilities in software environments.

In the fight against cyber fraud, this can be useful. Providers can detect and close weaknesses before they are exploited. But the same capabilities can also help attackers scan public systems more systematically and exploit known or newly discovered vulnerabilities faster.

What once required highly specialised expertise can now be attempted with a much lower barrier to entry. With agent-based AI systems, a single attacker can test many variants in parallel. If one attempt fails, the next can follow with little additional effort. Until someone has a bad day. Until an unprotected payment file ends up in the wrong place. Until a process fails because it had too many gaps from the start.

With AI, payment fraud is becoming more scalable, faster, and harder to predict. The question is no longer only whether a company will be targeted. The more important question is how well the payment process holds up when it happens.

Companies are particularly exposed during periods of reduced staffing. In holiday periods, already lean treasury and finance teams often have to operate with fewer people. Substitute approvers are assigned at short notice, responsibilities shift, and approvals may need to be reviewed under time pressure. The four-eyes principle may remain formally in place, but the professional assessment of a payment is not always equally strong. The audit trail can also lose value if roles, substitutes, and actual responsibilities are not clearly reflected.

Fraudsters exploit exactly these situations. When several attack methods are used at the same time, such as fake emails, manipulated payment data, social engineering, or compromised credentials, traditional safeguards are often no longer enough. Payment security must therefore be layered.

A professional payment solution can provide an additional layer of protection that remains in place even when teams are operating with reduced capacity. This can include mandatory multi-factor authentication, duplicate payment warnings, clear process rules, defined payment templates, and checks that restrict certain beneficiaries, countries, currencies, or amounts. Automated sanctions screening in the payment process can also help identify risks earlier.

Independent management of signing rights and substitute approvals is equally important. It allows companies to manage temporary cover flexibly without weakening control, traceability, or auditability.

The payment process itself is only one part of the equation. Companies should also rely on providers whose solutions meet high security standards. In the age of powerful AI tools, this means fast patching processes, continuous review of code quality and third-party components, regular penetration testing, system hardening, strict access controls, continuous monitoring, and robust malware protection.

Payment fraud can never be ruled out completely. But companies can influence how easy they are to attack, how quickly suspicious activity is detected, and how clearly they can reconstruct what happened if something goes wrong.

The real cost question is therefore not solely: What does a secure payment solution cost?

It is also: What does it cost if the payment process is not secure enough?