Payments fraud tightens its grip as AI adoption stalls
by Ben Poole
Payments fraud remained deeply embedded in US corporate life in 2025, with fraud attempts or attacks hitting more than three-quarters (76%) of organisations, while take-up of AI-based defences stayed unexpectedly low. That combination, laid out in the 2026 Association for Financial Professionals (AFP) Payments Fraud and Control Survey Report, points to a corporate payments environment where established threats are still landing, newer threats are intensifying, and treasury is carrying more of the burden of detection and response.
While that headline figure of 76% is stark enough on its own, more revealing details sit underneath. Cheques remained the payment method most frequently exposed to fraud, cited by 58% of respondents, even though the instrument’s weaknesses are well understood. Business email compromise (BEC), meanwhile, affected 74% of organisations, a marked increase on 2023 and 2024 and one that moves the threat back towards the upper end of the past decade’s range.
That matters because BEC is not a legacy issue that should be fading with better awareness. Data from previous AFP research shows that BEC affected 64% of organisations in 2015, rose to 74% in 2016, 77% in 2017 and 80% in 2018, then stayed elevated at 75% in 2019 and 76% in 2020 before easing to 68% in 2021, ticking back up to 71% in 2022, and then dropping to 63% in both 2023 and 2024. The jump back to 74% in 2025 breaks that relative calm and suggests fraudsters are again finding room to exploit weaknesses in payment approval chains, email controls and internal verification processes.
Familiar vulnerabilities persist
One of the clearest messages in the survey is that fraud risk is being sustained by familiar payment habits and familiar control gaps. Cheques are the most obvious example of this.
As noted, AFP found that 58% of organisations reported cheques as a payment method subject to fraud. Even so, 72% of organisations that use cheques said they plan to keep doing so for the foreseeable future. Among that group, 68% said vendor requirements were a reason. Those numbers tell a story that treasury teams know well: even when a payment method is operationally weaker, it often survives because supply chains, counterparties and legacy processes still demand it.
That leaves organisations in a difficult position. The market has spent years talking about moving away from cheques, but the survey suggests that withdrawal in the US is commercially constrained. As long as cheques remain embedded in payables processes, they continue to act as an open flank in the control environment.
BEC poses a similar problem from another angle. It preys less on payment rails themselves than on the people and workflows around them. When BEC reaches 74% of organisations, the implication is that attackers are still regularly bypassing or pressuring human approval processes, often by exploiting urgency, impersonation or compromised correspondence. That makes the issue broader than a single control failure. It becomes a process design problem.
“Fraud prevention today is an operating model, not a single control,” said Chris Ward, Truist Head of Enterprise Payments. “The best outcomes come from strengthening the fundamentals - verification, disciplined approvals and timely detection - and using technology to reinforce trust as payments move faster.”
Ward’s point here usefully shifts the focus away from silver-bullet solutions. Fraud pressure is rising in a payments environment that is already faster, more digital and more dispersed. Controls therefore have to work as a connected system, not as isolated checkpoints.
AI interest is high, adoption is not
The report’s second major tension is around AI. Only 17% of organisations said they are using AI to combat payments fraud. That is a strikingly low figure given the level of fraud exposure and given how much discussion there has been around AI’s potential role in detection, pattern recognition and anomaly monitoring.
AFP says the slow adoption reflects concerns about cost, the perceived immaturity of the technology, and continued reliance on existing controls or external partners. Those reservations are understandable, but they also leave organisations in an awkward position. Fraud tactics are evolving quickly, including through deepfake risks and more sophisticated forms of impersonation, yet most corporates are still leaning on conventional methods.
The survey does provide some evidence that AI is delivering practical benefits where it is already in use. Among organisations using AI for fraud mitigation, 49% reported enhanced efficiency in fraud reporting, 45% cited improved detection of deepfake technology and 43% reported stronger real-time identification capabilities. In other words, the technology is producing measurable operational gains in exactly the areas where faster, more adaptive controls are becoming critical.
A likely central issue for treasury over the next year is that gap between need and adoption. If only a minority of organisations are using AI, while a large majority are still facing attempted or actual fraud, then the market is still in transition rather than at a settled endpoint.
“AFP’s survey demonstrates how the treasury function has solidified its role as a primary line of defence against fraud,” commented Tom Hunt, director of treasury practice at AFP. “Integrating AI-powered technologies with traditional controls will ensure the profession stays ahead of evolving fraud tactics as a continuous improvement.”
Treasury moves further to the front line
Hunt’s point is borne out in the survey data. Respondents said treasury was the department most likely to discover attempted fraud, at 83%, and actual fraud, at 55%.
And treasury’s role goes beyond discovery. It monitors bank activity, manages controls and coordinates recovery efforts, often alongside accounts payable, banking partners and vendors. That captures a broader shift in how the function is now positioned inside many organisations. Treasury is no longer simply safeguarding liquidity and executing payments. It is increasingly expected to police payment integrity in real time.
This evolution has practical consequences. A treasury team that is also acting as a primary fraud gatekeeper needs stronger visibility, tighter bank connectivity, better approval discipline and faster escalation paths. It also needs the authority to challenge requests, halt payments and insist on verification without being treated as an obstacle to business activity.
The AFP survey was conducted in January 2026 among 465 treasury practitioners representing US organisations of different sizes and sectors. Even within that relatively small sample, the message is clear. Fraud is not receding or becoming easier to absorb. The enduring use of cheques, the sharp return of BEC and the slow uptake of AI all point to a corporate payments environment where legacy vulnerabilities and newer threats are overlapping rather than replacing one another.
What emerges is a picture of a control landscape under sustained pressure. Fraud remains common, recovery is uncertain, and the teams closest to cash are being asked to do more with faster payments and more sophisticated threats. That makes treasury’s role more central than ever, but it also raises the bar for the systems, workflows and technologies needed to support it.
