Treasury Services
Defending yourself against the Fraud Epidemic
Association for Financial Professionals Fraud and Control Survey
Statistics
2025 AFP Payments Fraud and Control Survey Report-Comprehensive Report
Protecting from Fraud
79% of organizations were victims of attempted or actual fraud in 2024, down slightly from 80% in 2023. The one-percentage-point drop is not very encouraging (the figure was 65% in 2022; fraudsters have not been deterred by anti-fraud protections).
63% Checks (65% in 2023)
30% Wires (24% in 2023)
38% ACH Debits (33% in 2023)
21% Credit cards (20% in 2023)
20% ACH Credits (19% in 2023)
63% of organizations have been subject to attempted or actual Business Email Compromise (BEC). One significant change seen in this year's survey is the decline in "classic" BEC scams: increased vigilance has reduced this from a high of 80% in 2018.
34% of organizations reported financial losses as a result of Business Email Compromise.
79% of BEC fraud is from spoofed emails, 45% from vendor impersonation and 24% from invoice fraud.
59% of payments fraud is discovered by treasury staff
35% of organizations discovered fraud within a week of the incident, 21% within one or two weeks, 16% took an additional two weeks, and 25% took a month or longer.
The information provided in this presentation is for general informational purposes only and is not intended to be legal advice.
While we strive to ensure the accuracy and completeness of the information, we make no guarantees regarding its applicability
to your specific situation. For personalized legal advice, please consult a qualified attorney.
Sources of Attempted Fraud
2025 AFP Payments Fraud and Control Survey Report-Comprehensive Report
Sources of Attempted/Actual Payments Fraud Attempts (Percentage of Organizations Experiencing Payments Fraud)
Controlling Check Fraud
2025 AFP Payments Fraud and Control Survey Report-Comprehensive Report
Effectiveness of Fraud Control Procedures and Services used to Protect Against Check Fraud
Controlling ACH Fraud
2025 AFP Payments Fraud and Control Survey Report-Comprehensive Report
Effectiveness of Controls in Mitigating ACH Debit Fraud (Percent of Organizations)
The Threat Landscape:
Business Email Compromise
Business Email Compromise
According to the FBI, BEC is one of the most financially damaging crimes. These email scams exploit the heavy reliance organizations place on email when conducting business, in both their professional and personal lives.
In a typical BEC scam, criminals use social engineering techniques to compromise email messages so that those messages appear to come from a known source making a legitimate request. For example:
A vendor your company regularly deals with sends an invoice requesting payment. Similarly, the email may appear to come from the CFO with an urgent message about paying an overdue bill.
A company CEO asks their assistant to purchase a dozen gift cards to send out as employee rewards.
Emails are sent to the finance department requesting an update of bank account details for payments, or to change wiring instructions entirely.
Fraudsters utilize a variety of methods to commit payments fraud via BEC:
Spoofing an email account or website
Sending spear phishing emails (spear phishing: targeted at specific individuals or organizations using personalized details)
Using malware to infiltrate a company's network and gain access to legitimate email threads about bills and invoices
Business Email Compromise:
Mitigation Best Practices
Educate your staff about the fraud risks inherent in their daily processes.
Training, training and more training!
Create a culture that empowers employees to ask questions and be curious.
Confirm a request for funds transfer by executing a callback to a verified and authorized contact at the payee organization, using a phone number from a system of record.
Stronger internal controls prohibiting payment initiation based on emails or other less secure messaging systems.
Employ dual approval for funds movement.
Require authorized signoff by senior management for transactions over a certain threshold.
Limit the amount of public information available about your company's internal operations.
Conduct all banking on a dedicated machine used for no other task.
FOLLOW YOUR OWN PROCEDURES!!!!!!
Business Email Compromise:
Security and Compliance Measures
Review emails forwarded outside of your organization.
Color-code emails with colored banners or other methods of distinction indicating they are external.
Intrusion detection systems that flag emails from domains similar to the company's (example: where "rn" is used in place of an "m").
Prohibit, or at least quickly detect, emails where the "Reply-To" address is different from the "From" address shown.
Utilize bank/vendor solutions that capture beneficiary information managed by the beneficiary for refunds/returns.
Train associates on all vendor management policies.
Empower employees to ask questions when in doubt.
Know your vendor.
Plan how your vendor will connect with you.
Require verbal confirmations.
FOLLOW YOUR OWN PROCEDURES!!!!!!
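As an added illustration of three of the header controls listed above (marking external senders, flagging lookalike domains such as "rn" in place of "m", and detecting a Reply-To that differs from the visible From address), here is a small Python script. It is not part of the AFP report or the presentation; the company domain examplecorp.com, the confusable table and the three sample messages are constructed for the example.

```python
"""Added example: three BEC header checks run over constructed sample messages.
Company domain, confusable table and samples are assumptions for illustration."""
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain(s); mail from any other domain is treated as external.
INTERNAL_DOMAINS = {"examplecorp.com"}

# Character sequences that look alike in many fonts ("rn" reads as "m",
# "vv" as "w", "0" as "o", "1" as "l"). Illustrative, not exhaustive.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(domain):
    """Collapse visually confusable sequences so lookalikes compare equal."""
    d = domain.lower()
    for pair, single in CONFUSABLES:
        d = d.replace(pair, single)
    return d


def edit_distance(a, b):
    """Levenshtein distance; catches one dropped, added or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted):
    """True if `domain` is not `trusted` but could easily be mistaken for it."""
    domain, trusted = domain.lower(), trusted.lower()
    if domain == trusted:
        return False
    return skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 1


def address_of(header_value):
    """Bare lower-cased address from a header such as 'CFO <cfo@example.com>'."""
    return parseaddr(header_value or "")[1].lower()


def check_headers(raw_message):
    """Return the list of findings for one message given as raw RFC 822 text."""
    msg = message_from_string(raw_message)
    sender = address_of(msg.get("From"))
    sender_domain = sender.rpartition("@")[2]
    # With no Reply-To header, replies go back to the From address.
    reply_to = address_of(msg.get("Reply-To")) or sender
    findings = []
    if sender_domain not in INTERNAL_DOMAINS:
        findings.append("EXTERNAL_SENDER")      # candidate for the external banner
    if any(is_lookalike(sender_domain, d) for d in sorted(INTERNAL_DOMAINS)):
        findings.append("LOOKALIKE_DOMAIN")     # e.g. exarnplecorp.com vs examplecorp.com
    if reply_to != sender:
        findings.append("REPLY_TO_MISMATCH")    # replies would leave the visible sender
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = {
    "internal": (
        "From: Pat Lee <pat.lee@examplecorp.com>\n"
        "To: ap@examplecorp.com\nSubject: Lunch\n\nSee you at noon.\n"),
    "lookalike": (
        "From: CFO <cfo@exarnplecorp.com>\n"
        "To: ap@examplecorp.com\nSubject: Urgent overdue invoice\n\nPlease pay today.\n"),
    "reply_to": (
        "From: Billing <billing@vendor-example.net>\n"
        "Reply-To: billing@mail-example.org\n"
        "To: ap@examplecorp.com\nSubject: Updated bank details\n\nNew account attached.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(f"{name:10s} -> {check_headers(raw) or ['clean']}")
```

The lookalike test deliberately combines two cheap heuristics: the confusable skeleton catches substitutions that a simple string comparison misses, and an edit distance of one catches a single dropped or added character (for example a lookalike that differs only in the top-level domain). Both are meant to flag mail for review, not to block it on their own.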
The Threat Landscape:
Ransomware
Ransomware Statistics and Facts
Ransomware attacks have surged significantly in early 2025, both in frequency and impact, compared to previous years. Here's a detailed year-over-year comparison and key trends (source: cyble.com):
Year-Over-Year Growth in Ransomware Attacks
Global Increase: In January 2025, there were 590 recorded ransomware attacks, up from 574 in December 2024. This marks a 107% increase compared to January 2024 (285 attacks) and a staggering 388% rise from January 2022 (121 attacks). (source: surfshark.com)
U.S. Surge: In the first five weeks of 2025, the U.S. experienced 378 ransomware attacks, a 149% increase from 152 attacks during the same period in 2024. (source: cyble.com)
February Peak: February 2025 saw an all-time monthly high of 886 ransomware attacks globally, a 119% increase from February 2024 (403 attacks). (source: reddit.com)
Ransom Payments Decline Despite Attack Surge
Payment Reduction: Total ransomware payments decreased by approximately 35% in 2024, dropping from $1.25 billion in 2023 to $813.55 million. (source: chainalysis.com)
Victim Response: Less than half of the ransomware incidents resulted in victims making payments, indicating a growing trend of organizations refusing to pay ransoms. (source: chainalysis.com)
Modern ransomware attacks often combine multiple tactics to maximize impact:
Double and Triple Extortion: Attackers encrypt data, exfiltrate sensitive information, and threaten public release or launch Distributed Denial of Service (DDoS) attacks to pressure victims. (source: en.wikipedia.org)
Encryption-less Ransomware: Some groups, like Clop, focus solely on data theft without encrypting files, relying on the threat of data exposure for extortion. (source: zscaler.com)
Ransomware-as-a-Service (RaaS): Platforms like LockBit and Medusa provide ransomware tools to affiliates, lowering the barrier for launching attacks. (source: cyble.com)
AI-Driven Social Engineering: Cybercriminals are increasingly using AI-generated content, including voice phishing (vishing), to deceive victims and gain unauthorized access. (source: zscaler.com)
FBI Tips and Preventative Measures
1. Regularly Back Up Data
Maintain offline, encrypted backups of all critical data. Test backups regularly to ensure they work. Do not store backups on the same
network as the data they back up.
2. Patch and Update Systems Promptly
Apply security patches and software updates as soon as they are released. Prioritize critical vulnerabilities, especially in:
Operating systems
Web browsers
VPNs
File transfer software (e.g., MOVEit, Citrix, etc.)
3. Use Multi-Factor Authentication (MFA)
Enforce MFA for all remote access and privileged accounts. This significantly reduces the effectiveness of credential-stealing attacks.
4. Segment Your Network
Limit access between networks so ransomware can’t spread easily. Use firewalls and network segmentation to contain threats.
5. Limit User Privileges
Apply the principle of least privilege: users should only have access to the systems they need. Admin accounts should be separate from regular user accounts.
6. Disable Unused Services and Ports
Close unnecessary RDP (Remote Desktop Protocol) and SMB ports. Disable macros in email attachments and Microsoft Office files
when possible.
7. Educate and Train Employees
Run regular phishing awareness training. Teach staff to recognize and report suspicious emails and links.
8. Use Antivirus and Endpoint Protection
Install reputable antivirus software on all devices. Enable automatic updates and real-time protection features.
9. Monitor and Log Network Activity
Use intrusion detection systems (IDS) and log analysis to detect early signs of intrusion.
10. Create an Incident Response Plan
Prepare for a ransomware event with a documented plan. Include how to isolate affected systems, notify stakeholders, and contact
law enforcement.
Source:
FBI Internet Crime Complaint Center (IC3): www.ic3.gov
FBI Cyber Division and CISA Joint Alerts (2024-2025)
The Threat Landscape:
Beware of Online Risks
The Threat Landscape:
Social Engineering
Most Prevalent Types of Social Engineering Attacks
1. Phishing - What it is: Fraudulent emails that appear to come from trusted sources (e.g., your bank, HR, IT).
Goal: Trick users into clicking malicious links or giving up login credentials.
2. Vishing (Voice Phishing) - What it is: Phone calls pretending to be from tech support, banks, or government agencies.
Goal: Get victims to share passwords, credit card numbers, or make wire transfers.
3. Smishing (SMS Phishing) - What it is: Fraudulent text messages claiming there's an issue with your account or package.
Goal: Get you to click a malicious link or reply with sensitive info.
4. Pretexting - What it is: The attacker creates a fake identity or scenario to gain your trust (e.g., pretending to be an IT admin needing login access).
Goal: Collect personal information or gain physical/digital access.
5. Baiting - What it is: Offering something enticing (like a free gift or a USB stick labeled "confidential") to trick you into installing malware or revealing data.
Goal: Infect systems or gain entry.
6. Tailgating (Physical Social Engineering) - What it is: An attacker physically follows someone into a secure area by pretending to have lost their badge or holding the door open.
Goal: Gain unauthorized access to restricted locations.
7. Quid Pro Quo - What it is: An attacker offers a service or benefit (like fake IT help) in exchange for access or information.
Goal: Get victims to disable security settings or reveal sensitive info.
Social engineering attacks are a type of cybercrime wherein the attacker fools the target through impersonation. They might pretend to be your boss, your supplier, someone from your IT team, or your delivery company. Regardless of who they're impersonating, their motivation is always the same: extracting money or data.
Instead of hacking technology, social engineers exploit human behavior, such as trust, urgency, fear, or curiosity.
Tips and Preventative Measures
1. Phishing (Email Scams) - Be Skeptical of Unexpected Emails: Avoid clicking on links or downloading attachments from unknown senders. Check for Red Flags: Look for generic greetings, spelling errors, and mismatched email addresses. Verify Requests: If an email requests sensitive information, confirm its legitimacy through a separate, trusted channel. (Source: Imperva Social Engineering Prevention)
2. Vishing (Voice Phishing) - Question Unsolicited Calls: Be cautious of callers requesting personal information or immediate action. Hang Up and Verify: If in doubt,
hang up and contact the organization directly using official contact information.
3. Smishing (SMS Phishing) - Avoid Clicking on Links: Do not click on links in unsolicited text messages. Verify Messages: Contact the purported sender through official
channels to confirm the message's authenticity.
4. Pretexting - Verify the Story: Scammers may pose as authority figures or colleagues. Always confirm their identity independently. Limit Information Disclosure:
Only share information necessary for the situation and with verified individuals. (Source: Network Right Social Engineering)
5. Baiting - Avoid Unsolicited Offers: Be cautious of free downloads or gifts, especially if they require personal information. Don't Use Unknown USB Devices: Plugging
in unknown USB drives can introduce malware to your system. (Source: Imperva Social Engineering Prevention)
6. Tailgating - Secure Access Points: Ensure that doors to restricted areas close securely behind you. Challenge Unfamiliar Individuals: Politely ask unknown persons
for identification if they attempt to enter secure areas without proper credentials. (Source: Dynamic Edge Understanding Social Engineering)
7. Quid Pro Quo - Be Wary of Unsolicited Help: Scammers may offer assistance in exchange for access to your systems or information. Verify Support Personnel:
Confirm the identity of individuals claiming to offer technical support before granting access or sharing information. (Source: TechBullion Social Engineering Tricks)
Recommendations
12 Risk Mitigants Every Business Should Perform
1. Initiate Background Checks on ALL employees and contractors
2. Have a Fraud Plan and test it routinely; run simulations and drills
3. Conduct an Assessment to know how money leaves your business
4. Leverage Bank Account Design Structure to increase risk controls
5. Mandate Process Controls including dual control and segregation of duties
6. Manage Employee Access based on necessary job functions
7. Isolate a Computer for banking and payment initiation
8. Inspect Bank Accounts Daily and reconcile "frequently"
9. Use Fraud Prevention Services like Positive Pay, Payee Positive Pay, ACH Blocks & Filters, Firewalls, Spam Filters, Anti-Virus scans etc.
10. Pick up the Phone to authenticate ALL requests
11. Notify the Bank and Law Enforcement if you are under attack (see IC3.gov)
12. Cultivate a Risk Management Culture to further ensure controls