As cyber fraud becomes increasingly sophisticated, businesses face heightened risks, particularly in financial processes involving Accounts Payable (AP). Employees in these positions are prime targets due to their access to sensitive funds and the authority to approve or alter payments. This vulnerability is compounded by outdated security measures and financial controls that often operate in isolation, lacking the contextual data essential for effective threat detection. According to the FBI, these shortcomings have led to an average loss of $1.5 million per organization impacted by such fraud.
Recently, threat actors have adopted advanced tactics to infiltrate businesses through various channels, including vendor accounts. They exploit layers beyond the usual day-to-day interactions, which can elude standard security measures. This evolution in approach includes innovative evasion techniques and the rise of social engineering as a significant threat to financial transactions.
Social engineering tactics, particularly those involving deepfakes, dominate the landscape of cyber threats. Research indicates that a staggering 90 percent of cyberattacks in 2024 utilized social engineering strategies. The rise of artificial intelligence has further exacerbated the problem, allowing malicious actors to launch more damaging attacks at an unprecedented scale. Deloitte’s report on digital fraud warns that the rapid proliferation of AI tools could escalate fraud losses in the United States to $40 billion by 2027, a substantial increase from $12.3 billion in 2023.
The lifecycle of fraud reveals the vulnerabilities that attackers exploit at each stage of the payment process. One prevalent tactic involves deepfake impersonation, where fraudsters create convincing communications that appear to come from high-ranking executives. Such schemes aim to manipulate employees into approving substantial fund transfers, often bypassing standard review processes. The FBI’s Internet Crime Complaint Center reported nearly $3 billion in losses due to Business Email Compromise (BEC) scams in 2023. Attackers often heighten the urgency of these requests by claiming overdue payments or imminent deadlines, which pressures targets to act quickly and bypass established protocols.
Furthermore, AI-generated phishing attacks have become widespread. Cybercriminals utilize AI to analyze personal data from social media and other sources, allowing them to craft highly personalized phishing emails that resemble their targets’ communication styles. This meticulous targeting makes detection difficult. In many instances, these campaigns can reach thousands of potential victims simultaneously.
In the payment initiation phase, criminals further exploit weaknesses by submitting fake invoices. They may impersonate legitimate vendors or modify actual invoices to redirect funds for personal gain. With finance teams often overstretched by the sheer volume of transactions, these fraudulent attempts can easily slip through unnoticed, resulting in significant financial losses.
During the processing stage, fraudsters may engage in account takeovers by using stolen credentials obtained from previous data breaches. This unauthorized access allows them to change payment instructions or create fraudulent transactions. Automated payment systems, like ACH transfers, can be manipulated to redirect funds, with subtle changes going unnoticed until significant harm has occurred.
To combat these threats, businesses need to adopt a comprehensive strategy that recognizes the multifaceted nature of social engineering, emphasizing that it extends beyond email threats. A robust defense should incorporate advanced contextual insights, proactive monitoring of roles with financial access, and the adoption of adaptable AI detection tools capable of identifying emerging threats. By acknowledging the evolving landscape of social engineering attacks, organizations can better protect themselves against sophisticated manipulation tactics aimed at exploiting human error and trust.
__
Shai Gabay Bio
A visionary entrepreneur, Shai Gabay has long been passionate about cybersecurity and fintech, developing expertise throughout his career. He is currently the co-founder and CEO of Trustmi, a leading end-to-end payment security platform founded in Israel in 2021. Previously, he held roles including General Manager at Opera, VP of Product and Services at Cynet, CIO at Cyberbit, and CISO at Discount Bank.
Shai earned a Bachelor’s Degree in Software Engineering from Shenkar College and a Master’s in Business Administration from Tel Aviv University. He was selected for the prestigious executive excellence program at the Hoffman Kofman Foundation, an initiative aimed at outstanding alumni of the IDF’s Elite Units. This program allowed him to study alongside prominent leaders and professors from renowned global tech firms and elite universities.
