
Payment fraud reaching new horizons, says Eftsure

19 February 2026

Industrialised and cross-border cyber crime, AI, and poor payment verification pose the biggest cyber security threats, according to Eftsure.

In its Cybersecurity Guide for CFOs 2026, the software platform reveals that traditional controls are no longer up to standard when it comes to cyber crime, and finance teams are paying the price.

Cross-border B2B payments were forecast to exceed US $259 trillion by 2027, with cyber crime losses projected to be US $10.5 trillion by the end of the year. Finance teams were having to choose between delaying crucial payments, performing risky manual checks, and approving with limited validation, the report said.

And with contemporary cyber crime industrialised and borderless by default, it was becoming increasingly difficult to manage.

 
 

“Cybercriminals and organised crime syndicates are constantly adapting to fraud defences,” Eftsure CTO David Higgins told Accounting Times.

“Australia has not been completely successful in stemming business-to-business scam losses – those numbers continue to increase.

“Many efforts have been focused on minimising scam risks for consumers – while these efforts are commendable, it means that many organisations are still at risk.”

There was, as Eftsure termed it, an 'international verification desert' – an absence of state-provided, global infrastructure to verify cross-border payments. In addition, global finance leaders were having to navigate an inconsistent patchwork of regulations and often-changing requirements, including sanctions and privacy laws.

In Australia, one of the biggest issues remains privacy regimes that restrict how much supplier data can be stored, which complicates payment verification and exposes finance teams to continued fraud efforts.

One flow-on effect is the need to rely on manual verification in international payment processes, which was leaving gaps that cyber criminals found their way into, Eftsure said. Altered bank details or contacts could slip almost seamlessly into workflows that, at best, delay the process, and at worst, leave the organisation vulnerable to theft.

Higgins cautioned against assuming that all scam attempts would be crude.

“Cybercrime syndicates may be white-collar professionals, armed with the latest in technology, data, and in-depth knowledge about organisational processes and procedures,” he added.

The same applied to the form that fraud could take. According to Higgins, threats no longer only appeared as emails or text messages with obvious attempts at fraud. The process could involve, he said, “infiltrating a vendor’s email systems and communicating with a target organisation for months.”

“By the time the malicious actor is asking an account’s employee to make a fraudulent payment or switch payment details to a mule account, the employee may have been communicating with this phony 'vendor' for ages in an email chain that shows no warning signs.”

The risk with third-party transactions is also significant, the report said. Vendor compromise could lead to payment fraud in the form of invoice manipulation and payment redirection that can bypass manual checks.

According to Higgins, finance leaders misunderstood their role in defending against cyber crime.

“Most cybercrime is financially motivated, which means AP and finance employees end up being the most common targets.”

“The best security team in the world cannot stop a vendor organisation from being compromised or a convincing email from landing in an AP employee’s inbox.”

The increased sophistication of fraud attempts was also partially due to artificial intelligence. Not only could AI-enabled scam tactics feature large language models that help research targets, polish communications, and sharpen tactics – especially social engineering and phishing – but developing tech in voice replication and deepfake videos was heightening the risk.

Black-market LLMs such as WormGPT and FraudGPT are becoming more rampant and better positioned to assist scammers.

So, how can CFOs deal with technology that makes scamming easier than ever and outdates “traditional forms of verification”?

According to Higgins, it starts with training that goes beyond “box-ticking modules or exercises” and provides “routine, role-specific training” so that employees fully grasp common tactics and warning signs.

He added: “Processes like segregation of duties, in which multiple people are required to access sensitive systems or actions, diffuse risk across different staff.”

Higgins also highlighted the importance of regular pressure-testing and thinking like a scammer to confirm vulnerabilities, technology that standardises and strengthens procedures and auto-flags abnormalities, and security partnerships.

He urged companies to “work with your vendors and partners to understand shared risks and the need for working together to protect legitimate business’ money.”

The issue remained, however, that no jurisdiction's payment compliance worked the same way, and this was complicating the already complex field of overlapping regulations. A payment compliant in one region may violate sanctions in another jurisdiction.

As such, global data-sharing efforts were increasingly relied on to target still-existing gaps in verification. Co-ordinated action in the ANZ region, such as the ongoing rollout of Confirmation of Payee (CoP), was showing the growing potential and importance of international risk mitigation.

About the author


Amelia is a Professional Services Journalist with Momentum Media, covering Lawyers Weekly, HR Leader, Accountants Daily and Accounting Times. She has a background in technical copy and arts and culture journalism, and enjoys screenwriting in her spare time.