AI-Driven Payment Fraud Threats: When the Attack Learns Faster Than the Defense

A New Threat Category — or an Old One Transformed?

There is a temptation, when discussing artificial intelligence and fraud, to treat AI-driven threats as a distinct category of attack — something separate from, and in addition to, the BEC schemes, vendor impersonation tactics, account change fraud, and internal risk that the preceding articles in this series addressed. That framing is partly right and importantly wrong. AI has produced at least one genuinely new attack capability that did not meaningfully exist before: the real-time synthesis of a convincing human likeness for use in live deception. That is new in kind, not just in degree.

But the larger and more practically urgent truth is that artificial intelligence is not primarily creating new fraud categories. It is supercharging every existing one — making BEC attacks more linguistically polished and contextually specific, vendor impersonation more operationally credible, account change fraud harder to interrupt at the human judgment layer, and internal fraud schemes more difficult to detect in pattern data. AI is, in the fraud context, predominantly an amplifier: a force multiplier applied to attacks that organizations were already struggling to defend against.

The Deloitte Center for Financial Services projects that fraud losses in the U.S. facilitated by generative AI will climb from $12.3 billion in 2023 to $40 billion by 2027, a compound annual growth rate of 32%. Finance leaders who are already focused on BEC prevention, vendor authentication, and payment controls are working on the right problems. The AI dimension does not change those problems — it makes them more urgent and raises the stakes of incomplete implementation.

This article addresses what AI specifically adds to the fraud threat landscape for accounts payable and disbursement functions: how generative AI transforms existing attack vectors, what the genuine AI-specific capabilities are, how the fraudster's infrastructure has industrialized, and what prevention looks like in an environment where the traditional human-judgment safeguards are under sustained technological assault.

What Generative AI Does to the Attack Vectors You Already Know

Each of the fraud categories addressed earlier in this series is meaningfully transformed by generative AI tools. Understanding the transformation — not just acknowledging that AI makes fraud "more sophisticated" — is what enables a practical prevention response.

BEC and Social Engineering: The End of Grammar as a Defense

The most immediate and widely documented effect of generative AI on payment fraud is the elimination of the linguistic signals that once helped recipients identify fraudulent communications. The poorly worded email, the grammatical error, the awkward phrasing that felt slightly off — these were imperfect but real detection cues. They were imperfect because sophisticated human attackers had always been capable of fluent prose, and they were real because a large volume of BEC attacks came from non-native English speakers operating at scale.

Generative AI has eliminated that residual signal. In 2025, up to 83% of phishing emails were AI-generated — produced by large language models that write in native-quality English, adapt to the communication style of the organization being targeted, reference real transaction details and personnel, and produce output that is indistinguishable in tone and structure from legitimate internal correspondence. An AI-generated BEC email is not slightly better than a human-written one. In many respects it is better: more consistent, more contextually calibrated, and produced at a volume and speed no human writing team could match.

VIPRE Security Group reports that 40% of BEC emails are now AI-generated. Approximately 53% of accounting professionals experienced deepfake AI attacks in 2024. For AP and treasury functions, this means that the linguistic plausibility of a payment request or banking change instruction is no longer a reliable indicator of legitimacy. A message that reads perfectly — that references the right vendor name, the right invoice amount, the right payment timing — may be entirely fabricated.

The prevention implication is reinforcement, not revision, of the controls already established: out-of-band verification requirements, mandatory independent callbacks, and the organizational norm that no payment instruction is acted on solely on the basis of how credible it looks in email.

Vendor Impersonation: AI-Assembled Intelligence at Scale

The vendor impersonation attacks addressed earlier in this series require reconnaissance — research into the target organization's vendor relationships, payment schedules, personnel, and communication patterns. That research has historically been the constraint on attack volume and specificity: a sophisticated impersonation requires investment that limits how many targets can be pursued simultaneously.

AI removes that constraint. Large language models can process publicly available information — procurement records, company websites, LinkedIn profiles, SEC filings, press releases, social media — and produce operationally detailed attack packages at a speed and scale that no human research operation could replicate. An AI system capable of simultaneously researching and targeting hundreds of organizations can produce vendor impersonation communications that reference the specific contractor working on a specific project, at the specific stage of a specific payment cycle, addressed to the specific AP staff member who handles that vendor relationship.

GenAI-enabled scams rose by 456% between May 2024 and April 2025. The volume increase is not incidental. It is the direct result of AI eliminating the human labor cost that previously constrained attack frequency. For AP functions, this means that the probability of encountering a targeted, contextually specific vendor impersonation attempt is rising steadily — and that the contextual specificity of the attack can no longer be interpreted as evidence of an insider threat or a targeted campaign. It may be the output of an automated system that processed publicly available data.

Document Forgery: Industrial-Grade Counterfeiting

Earlier articles noted that bank letters, vendor invoices, and W-9 forms provided as supporting documentation for banking change requests are not independent verification — they are evidence that something was submitted, not that the submission is genuine. AI makes this point more urgent.

Generative AI image tools can produce professional-quality forged documentation — bank letters on authentic-looking institutional letterhead, invoices with accurate formatting and logo replication, W-9 forms completed with plausible identifying information — at essentially no marginal cost per document. The quality of AI-generated forgeries now routinely exceeds what was achievable through manual document alteration even by sophisticated operators, and the production time has dropped from hours to seconds.

A prominent Nigerian cybercriminal recently posted a video showing a fully automated AI chatbot communicating directly with a victim as part of a social engineering attack — demonstrating that not only documentation but the entire interaction chain can be automated. For AP functions, this development underscores why submitted documentation was always an insufficient verification mechanism, and why the migration to independent, account-ownership-level verification — through platforms like VendorInfo — is increasingly a necessity rather than a best practice.

The Genuinely New Capability: Synthetic Human Presence

The preceding section addresses AI as an amplifier of existing attacks. The genuinely new capability that AI has introduced is the synthetic replication of a specific human being's likeness — voice, face, and in the most advanced cases, real-time interactive video — convincing enough to deceive a target who believes they are communicating with a person they know.

This is not a marginal improvement in impersonation quality. It is a categorical shift in the attack surface, because it defeats the human judgment check that has always been the last defense against social engineering: the intuitive sense that something is wrong, informed by direct sensory experience of the person one believes one is speaking with. When that experience can be fabricated in real time, the intuitive check is no longer reliable.

Voice Cloning

AI voice cloning can replicate an individual's voice from a sample as short as three to five seconds of publicly available audio. The cloned voice can be used in real-time phone calls to impersonate executives, vendors, or colleagues, delivering payment instructions or banking change requests with the apparent authority of the person being impersonated. A deepfake attack occurred every five minutes in 2024.

The 2019 case in which a UK energy company CEO's voice was cloned and used to instruct a subsidiary's CFO to transfer €220,000 to a Hungarian supplier was, at the time, treated as a remarkable outlier. It is now the baseline. Voice cloning attacks on finance functions are documented at scale, and Pindrop's 2025 Voice Intelligence and Security Report logged a 1,300% jump in deepfake fraud attempts during 2024, going from an average of one per month to seven per day.

Deepfake Video: The Arup Case

The most documented and consequential single AI-driven payment fraud incident to date is the January 2024 attack on Arup, the London-based engineering firm. The case warrants examination in some detail because it establishes what AI-enhanced fraud looks like at its current ceiling — and because the control failure it exposed is not exotic. It is the same control failure that runs through every article in this series.

A finance employee at Arup's Hong Kong office received an email appearing to come from the company's CFO, requesting the deployment of multiple confidential transactions. The employee initially suspected a phishing attempt, but his skepticism was overcome when he joined a video call on which the CFO and several colleagues appeared. He did not realize that everyone on the call was a deepfake.

The perpetrators had harvested publicly available video and audio of Arup executives from webinars, press interviews, and online conference recordings. That material trained the deepfake models. Nobody on the call had been real: not the CFO, not the colleagues — every face he saw and every voice he heard were AI deepfakes built from publicly available footage.

Following the instructions given during the deepfake video conference, the employee made 15 transfers totaling $25 million to five different Hong Kong bank accounts controlled by the scammers. The fraud was only discovered later when the employee followed up with Arup's actual headquarters. The stolen funds have not been recovered.

Arup's Chief Information Officer, Rob Greig, described the attack to the World Economic Forum not as a technical breach but as "technology-enhanced social engineering." No systems were compromised. No credentials were stolen. No network was penetrated. After the incident, Greig tried to deepfake himself in real time using free, open-source tools. It took him about 45 minutes. His version wasn't particularly convincing, but the floor for "good enough to fool somebody" keeps dropping while the ceiling keeps rising.

The control that would have prevented the Arup loss is the same control that prevents every other payment fraud in this series: a mandatory, out-of-band verification requirement for any payment instruction, applied without exception to any instruction that arrives through any channel — including video. The deepfake did not defeat a technical control. It defeated the human assumption that a video call with recognizable colleagues is sufficient authorization for a $25 million transfer. That assumption was never sound. AI has made it dangerous.

The Fraud-as-a-Service Infrastructure

AI-driven fraud is not exclusively the domain of sophisticated nation-state actors or well-resourced criminal organizations. One of the most significant developments in the current threat landscape is the commoditization of AI fraud capabilities through a service economy that makes them accessible to any actor with the motivation and a modest financial commitment.

Point Predictive monitored conversations related to AI and deepfakes in fraud channels on Telegram in 2023 and 2024. The volume of messages grew from 47,000 in 2023 to over 350,000 in 2024 — a more than seven-fold increase. These channels are marketplaces: they offer voice cloning services, deepfake video generation, AI-generated phishing kits, and automated social engineering tools. The barrier to entry for a sophisticated, AI-enhanced payment fraud attack has fallen to a point where it is now a consumer product, not an enterprise capability.

Current fraud trends show a 180% increase in "sophisticated fraud" compared to 2024, using enhanced deception techniques, social engineering, and AI-generated identities to circumvent fraud prevention systems. The sale of these capabilities by fraud-as-a-service providers has meant that even unsophisticated criminals now have access to highly effective fraud techniques.

For finance leaders assessing their exposure, this development changes the threat model in one critical respect: the organization does not need to be a high-value, high-profile target to face AI-enhanced attack. The industrialization of fraud capabilities means that attacks are deployed at volume across all organization sizes and sectors. The AP function of a mid-size nonprofit is not exempt from AI-generated vendor impersonation because it is not a Fortune 500 company. It is subject to the same attack infrastructure, applied at scale.

AI in the Detection Stack: Fighting the Threat with the Tool

The preceding discussion addresses AI as a fraud vector. It is also, when properly deployed, a fraud detection capability — one that is increasingly necessary given the volume and velocity of AI-enabled attacks.

Traditional rule-based fraud detection operates on fixed parameters: flag transactions above a threshold, flag new payees, flag payments outside business hours. These rules are necessary but no longer sufficient. A sophisticated AI-generated attack is specifically designed to stay within the parameters that trigger rule-based alerts — timing the transaction to fall within normal business hours, calibrating the amount to fall just below the approval threshold, and using vendor relationships that have existing transaction history.

Machine learning-based anomaly detection approaches the problem differently. Rather than applying fixed rules, it models the normal pattern of each vendor relationship, each payment workflow, and each approval chain — and flags deviations from those established patterns even when the deviation does not cross a fixed threshold. A vendor whose average invoice amount has been $47,000 for eighteen months suddenly submitting an invoice for $220,000 is anomalous against the relationship history, even if $220,000 is within the organization's standard payment authority. A banking detail change submitted two days before a large scheduled payment is temporally anomalous. An invoice submitted from an email domain registered three weeks ago is historically anomalous.
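The contrast between fixed rules and relationship baselines, as an added example that is not from the article or from any vendor platform. It scores one invoice against the three signals described above. The thresholds, field names and sample data are assumptions constructed for illustration, and a median-based (modified z-score) outlier test stands in for a trained model.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

APPROVAL_LIMIT = 250_000       # assumed fixed rule threshold
Z_LIMIT = 3.5                  # common cutoff for the modified z-score
BANK_CHANGE_WINDOW_DAYS = 14   # assumed look-back before a scheduled payment
MIN_DOMAIN_AGE_DAYS = 90       # assumed minimum age of the sender's domain
MIN_HISTORY = 6                # assumed minimum invoices needed for a baseline


@dataclass
class Invoice:
    amount: float
    received: date
    scheduled_payment: date
    sender_domain_created: date  # assumed to be looked up upstream (e.g. RDAP)


@dataclass
class VendorProfile:
    paid_amounts: List[float]
    last_bank_change: Optional[date] = None
    known_payee: bool = True


def rule_based_flags(inv: Invoice, vendor: VendorProfile) -> List[str]:
    """Fixed-parameter rules: amount threshold, new payee, weekend receipt."""
    flags = []
    if inv.amount > APPROVAL_LIMIT:
        flags.append("over_approval_limit")
    if not vendor.known_payee:
        flags.append("new_payee")
    if inv.received.weekday() >= 5:
        flags.append("outside_business_days")
    return flags


def modified_z(value: float, history: List[float]) -> float:
    """Outlier score built on median and MAD, so one past spike cannot mask the next."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def relationship_flags(inv: Invoice, vendor: VendorProfile) -> List[str]:
    """Deviations from this vendor's own history, independent of fixed limits."""
    flags = []
    if len(vendor.paid_amounts) < MIN_HISTORY:
        flags.append("no_baseline")  # too little history: route to manual review
    elif abs(modified_z(inv.amount, vendor.paid_amounts)) > Z_LIMIT:
        flags.append("amount_vs_history")
    if vendor.last_bank_change is not None:
        gap = (inv.scheduled_payment - vendor.last_bank_change).days
        if 0 <= gap <= BANK_CHANGE_WINDOW_DAYS:
            flags.append("bank_change_before_payment")
    if (inv.received - inv.sender_domain_created).days < MIN_DOMAIN_AGE_DAYS:
        flags.append("young_sender_domain")
    return flags


# Constructed sample data: eighteen monthly invoices clustered around $47,000.
AMOUNTS = [45500, 47200, 46800, 48100, 47000, 46300, 47900, 47400, 46600,
           48000, 47100, 46900, 47300, 45900, 47600, 48200, 46700, 47000]
VENDOR = VendorProfile(AMOUNTS, last_bank_change=date(2025, 3, 10))
STABLE_VENDOR = VendorProfile(AMOUNTS)
SUSPECT = Invoice(220_000, date(2025, 3, 11), date(2025, 3, 12), date(2025, 2, 18))
ROUTINE = Invoice(47_500, date(2025, 3, 11), date(2025, 3, 25), date(2015, 6, 1))

if __name__ == "__main__":
    print("rules:       ", rule_based_flags(SUSPECT, VENDOR))
    print("relationship:", relationship_flags(SUSPECT, VENDOR))
    print("routine:     ", relationship_flags(ROUTINE, STABLE_VENDOR))
```

The $220,000 invoice passes every fixed rule because it sits under the assumed approval limit, yet it trips all three relationship checks.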

AI-based anomaly detection can operate at the transaction volume of a large AP function in real time — surfacing exceptions for human review that a manual review process operating at the same volume could not catch. The AFP's 2025 survey found that treasury is cited as the department most likely to discover attempted fraud (83%) and actual fraud (55%), playing a critical role not just in detecting but in responding to fraud. AI-assisted monitoring integrated into the AP and treasury workflow gives that detection function the reach and speed that the current attack environment requires.

Platforms like VendorInfo apply this principle at the vendor data level: automated monitoring of vendor master records for changes that fit the pattern of fraudulent manipulation — banking details modified before scheduled payments, new vendors with contact information matching existing records, TIN data inconsistent with business registration — and flagging them for review before payment is initiated rather than after. This is AI detection in service of the procedural controls the earlier articles established, not in replacement of them.

The Specific Prevention Framework for AI-Driven Threats

The prevention framework for AI-driven fraud is not a departure from the controls established in earlier articles. It is those controls, applied with the explicit recognition that no communication channel — including live video — can be treated as inherently trustworthy, and extended with several AI-specific additions.

Treat All Channels as Potentially Compromised. The foundational shift required by the AI threat environment is the recognition that verification cannot be based on channel authenticity. An email can be spoofed. A phone call can be voice-cloned. A video call can be deepfaked. A document can be AI-generated. This does not mean that these channels cannot be used — it means that they cannot be the basis of authorization for significant financial transactions. Authorization requires independent verification through a separately confirmed channel, using contact information the organization independently controls.

The out-of-band verification protocol established in the Phony Bank Account Change article applies with equal force here: any payment instruction that arrives through any channel — including video, including a voice call from a number that appears to be a known executive — must be confirmed through a verified, independently maintained contact before action is taken. The Arup loss would have been prevented by a single phone call to a number in the company's own records.

Establish a Code-Word or Challenge Protocol for High-Value Transactions. For wire transfers and large ACH payments above a board-established threshold, a pre-shared code word or challenge phrase known only to authorized parties and not transmitted through any digital channel provides a verification layer that AI cannot replicate without prior knowledge. This control is simple, requires no technology, and defeats deepfake video and voice attacks that have no access to the code. The OWASP Guide to Preparing and Responding to Deepfake Events specifically advocates for this procedural defense for high-value transfer requests.

Implement Mandatory Payment Delays for Non-Routine Requests. Any payment request that is urgent, non-routine, or involves an amount or payee outside the normal pattern for the relationship should be subject to a mandatory review delay — typically 24 to 48 hours — before execution. AI-enhanced fraud attacks specifically exploit urgency and time pressure as social engineering tools. A structural delay removes urgency as a variable and creates a window for the independent verification that time pressure is designed to prevent. The average loss per deepfake incident in 2024 was nearly $500,000, climbing to $680,000 for large enterprises. A 24-hour delay is a proportionate cost.

Train for the AI Reality, Not the Prior Model. Training programs that ask staff to identify phishing by looking for poor grammar, suspicious attachments, or unfamiliar sender names are teaching people to detect the attack that existed five years ago. The attack that exists today uses grammatically flawless prose, comes from domains that appear legitimate, and may arrive with supporting documentation that looks indistinguishable from genuine materials. Training must be updated to focus on what AI cannot replicate: the verification process itself. The trained behavior is not "identify the suspicious email" — it is "verify independently, regardless of how legitimate the request appears." The AFP's survey found that integrating AI-powered technologies with traditional controls will ensure the profession stays ahead of evolving fraud tactics as a continuous improvement — and that the controls must include both detection technology and trained human behavior.

Critically, training must address video calls explicitly. The Arup case is now a teaching document. Staff who understand that a video call — even one featuring recognizable colleagues — cannot be the sole authorization for a significant payment are equipped with the specific knowledge that would have prevented a $25 million loss.

Restrict Video and Audio as Payment Authorization Channels. As a structural control — not just a training recommendation — organizations should establish explicit policy that live video conferences and phone calls are not sufficient authorization for payment initiation or banking information changes above defined thresholds. These channels can be used to discuss and review; authorization requires confirmation through the verified, documented protocol that governs all significant disbursements.

Monitor for AI-Generated Content Indicators. AI-detection tools can be integrated into email security and document review workflows to flag communications and documents that bear the statistical signatures of AI generation. These tools are not perfect — the arms race between generation quality and detection accuracy is ongoing — but they provide a useful additional signal layer for communications flagged by other anomaly detection systems. No single tool should be treated as definitive; AI content detection is one input into a multi-layer review process, not a decision-maker.

Protect the Digital Footprint That Trains Deepfakes. AI deepfakes of executives and finance staff are built from publicly available audio and video — conference recordings, webinar footage, LinkedIn videos, press interviews, earnings calls. Organizations should be deliberate about what they publish. Not all of this content can or should be restricted; some is required by regulation or business necessity. But a policy of minimizing the publicly available audio and video of the specific individuals most likely to be impersonated — CFOs, controllers, treasury staff, anyone whose voice or likeness might be used in a deepfake payment instruction — is a reasonable and low-cost risk reduction measure.
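The out-of-band verification, code-word and mandatory-delay controls above, expressed as a payment release gate. This is an added example, not the article's or any platform's code; the dollar threshold, record layout, identifiers and phone numbers are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

HOLD_PERIOD = timedelta(hours=24)   # lower bound of the 24 to 48 hour delay
CODE_WORD_THRESHOLD = 100_000       # assumed stand-in for the board-set threshold
# Constructed record of contact numbers the organization maintains itself.
CONTACTS_ON_FILE = {"R-1001": "+1-555-0100"}


@dataclass(frozen=True)
class Callback:
    number_dialed: str
    confirmed: bool
    code_word_ok: bool = False   # attested by the verifier; the word is never stored


@dataclass(frozen=True)
class PaymentRequest:
    requester_id: str
    amount: float
    channel: str                 # "email", "phone", "video": logged, never trusted
    received_at: datetime
    non_routine: bool
    callback: Optional[Callback] = None


def release_decision(req: PaymentRequest, now: datetime) -> Tuple[str, List[str]]:
    """Return ("RELEASE" or "HOLD", reasons). req.channel is deliberately ignored:
    no channel, including live video, counts toward authorization."""
    reasons = []
    on_file = CONTACTS_ON_FILE.get(req.requester_id)
    cb = req.callback
    if on_file is None:
        reasons.append("no_independent_contact_on_file")
    elif cb is None or not cb.confirmed:
        reasons.append("out_of_band_confirmation_missing")
    elif cb.number_dialed != on_file:
        # A callback to a number supplied with the request verifies nothing.
        reasons.append("callback_used_unverified_number")
    if req.amount >= CODE_WORD_THRESHOLD and not (cb and cb.code_word_ok):
        reasons.append("code_word_not_verified")
    if req.non_routine and now - req.received_at < HOLD_PERIOD:
        reasons.append("hold_period_active")
    return ("HOLD" if reasons else "RELEASE", reasons)


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Run four constructed scenarios for one urgent, non-routine request."""
    received = datetime(2025, 3, 11, 15, 0)
    base = PaymentRequest("R-1001", 250_000, "video", received, non_routine=True)
    wrong = replace(base, callback=Callback("+1-555-0199", True, True))
    good = replace(base, callback=Callback("+1-555-0100", True, True))
    return {
        "video_only": release_decision(base, received + timedelta(hours=1)),
        "callback_to_supplied_number":
            release_decision(wrong, received + timedelta(hours=30)),
        "verified_during_hold": release_decision(good, received + timedelta(hours=2)),
        "verified_after_hold": release_decision(good, received + timedelta(hours=30)),
    }


if __name__ == "__main__":
    for name, (decision, why) in demo().items():
        print(f"{name:30} {decision:8} {why}")
```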

The Asymmetry of the AI Fraud Threat

There is an uncomfortable asymmetry in the AI fraud landscape that finance leaders should name plainly. The attacker who deploys generative AI against a payment function benefits from all the advantages of the tool without any of its compliance costs: they iterate without governance review, deploy without change management, and operate without the organizational friction that responsible AI adoption requires. The organization defending against AI-enhanced fraud faces those costs in addition to the costs of defense itself.

Over 75% of U.S. firms experienced payments fraud in 2025, while AI adoption for fraud mitigation lags — a gap that reflects both the newness of AI detection tools and the organizational friction that slows their adoption relative to the speed at which attackers deploy AI offensively. The lag is not inevitable, but closing it requires the same leadership commitment that the rest of this series identifies as the foundational element of any effective fraud prevention program.

The response to that asymmetry is not despair. It is the combination of things that this series has argued for throughout: structural controls that do not depend on detecting the attack before it arrives, professional knowledge that equips the people managing disbursements with the specific competencies the threat environment demands, and platforms that bring verification and monitoring capabilities to the vendor information management process in a way that individual organizations cannot replicate manually at scale.

Resources

VIMCOE's Accredited Vendor Information Professional certification provides the professional foundation for AP staff operating in this environment — equipping them with the knowledge of what a sound vendor information management process looks like, why each element of it matters, and how the controls that prevent AI-enhanced fraud are the same controls that have always defined professional-grade vendor management. VendorInfo provides the operational infrastructure: a platform that removes the manually handled steps in vendor onboarding and banking information management that AI-enhanced attacks most effectively exploit, replacing them with verified, auditable, independently confirmed data that is resistant to the social engineering and documentation forgery that AI has made more powerful.

The Constant in a Changing Threat Environment

The threat will continue to evolve. The tools available to fraud actors will improve. The deepfake quality that seemed alarming in the Arup case in early 2024 is already being surpassed by systems available in 2025. The AI-generated phishing email that seemed sophisticated in 2023 is now baseline. The pace of development favors the attacker in the short term, because offense is easier to deploy than defense is to adapt.

But the constant in the fraud prevention equation has not changed: payment fraud succeeds by manipulating a human decision-maker into taking an action they would not take if they had complete and accurate information. Every AI tool in the attacker's arsenal is in service of that manipulation — making the false appear true, the fraudulent appear legitimate, the urgency appear genuine. The controls that work are the controls that interrupt that manipulation before it produces an irreversible outcome: the verification requirement that creates a second opinion, the structural segregation that makes a single point of compromise insufficient, the documented process that makes deviations visible.

Those controls are procedural. They are structural. They are professional. They are, ultimately, human. And they are the subject of every article in this series.
