Payments fraud is not slowing down. More importantly, it is no longer behaving the way most organizations expect.

For years, corporate treasury teams have responded by strengthening controls—adding approvals, tightening validation, and reinforcing oversight. Yet despite these efforts, payments fraud continues to persist, adapt, and, in many cases, succeed.

The findings from the Association for Financial Professionals 2026 AFP® Payments Fraud and Control Survey Report point to a deeper and more nuanced reality. Payments fraud is not simply a failure of controls. Increasingly, it reflects a failure of coordination.

It emerges in the gaps between systems, functions, and signals across payment and communication channels, where connections fail to keep pace.

That distinction matters. If fraud is a coordination problem, then relying on stronger controls alone will not be enough.

Fraud begins where signals don’t connect

One of the most revealing insights from the AFP survey is not just where fraud occurs, but how it unfolds.

Email remains the primary entry point, with business email compromise (BEC) incidents affecting roughly 70% to 74% of organizations in 2025. But fraud does not remain confined to email. It moves, often seamlessly, across channels.

A fraudulent request may begin with a compromised or spoofed email that appears to come from a trusted sender or vendor, as highlighted in the AFP survey. It may then be reinforced by a follow-up phone call or text message on a mobile device that adds urgency or legitimacy. Finally, it enters the payment workflow, where the real vulnerability often lies.

At this stage, the request is processed through standard steps: vendor details are reviewed or updated, payment instructions are entered, and approvals are routed through established hierarchies. Much of this process relies on routine validation and familiarity. As the AFP survey indicates, a significant share of organizations still rely on manual validation of beneficiary payment information, particularly in ACH-related workflows, creating openings for altered instructions to pass initial checks.

The transaction looks right. It references known vendors, aligns with expected formats, and moves through the same pathways as legitimate payments. Controls are applied. Approvals are granted. The process is followed.

And yet, the context is missing.

Even multi-step approvals can fail when urgency overrides verification or when call-back procedures are not consistently executed. As AFP notes, fraudulent payments are often processed “in the normal way with all approval steps.”

At each step, the request can appear valid. Each control, applied in isolation, may be satisfied.

But the risk does not reside in any single step. It resides in the sequence.

Traditional control frameworks begin to show their limits. They are not built to detect sequences. They are designed to validate transactions at specific points in the process, not to identify patterns that evolve across channels and interactions. That is precisely where fraud finds its opening.

The real risk: Impersonation fraud at scale

If coordination gaps define the environment, impersonation is the method that exploits them most effectively.

According to the AFP survey, nearly 80% of email fraud involves impersonation of vendors or third parties, while close to 60% involves threat actors posing as senior executives to redirect funds in 2025. These are not opportunistic attacks. They are deliberate attempts to replicate trusted relationships.

What has changed is the level of precision.

Malicious actors are no longer sending generic requests. They reference real transactions, mimic legitimate communication threads, and use domains that differ by only a letter or two. In some cases, even genuine email conversations are intercepted and repurposed.

The result is a form of fraud that blends into normal business activity because it closely mirrors the organization’s own communication patterns.

This is no longer deception in the traditional sense. It is imitation at scale, designed to bypass not systems, but human judgment operating within familiar norms.

Where payments fraud lands: The operational front lines

The AFP survey data also underscores where these attacks ultimately land and where they are most likely to succeed.

Accounts Payable (AP) remains the department most exposed to imposter fraud, with 80% of organizations identifying it as highly vulnerable to BEC attacks, according to the AFP survey. Treasury is also a primary target for email-based fraud, cited by roughly 50% of respondents. In addition, AFP survey data shows that nearly one-third of procurement and sourcing departments, as well as C-suite executives, are exposed to fraudulent emails.

This is not incidental.

Fraud concentrates at the points where external communication intersects with internal execution. These are the areas where information must be interpreted, decisions must be made, and time pressure often overrides caution.

At the same time, treasury remains the department most likely to discover payments fraud, identifying 83% of attempted fraud and 55% of actual fraud cases, as per the AFP survey. This dual role is significant.

Treasury is not just a control function. It operates as the superintendent of payment security, the central node in the organization’s risk detection network, connecting, interpreting, and mitigating threats across payments, banking activity, and broader operational processes to protect the organization.

Fraud detection is improving, but coordination still lags

There is evidence that organizations are becoming more effective at detecting fraud. AFP survey data shows that 34% of organizations identify fraud within one week, and most do so within a month.

But detection, while necessary, is no longer sufficient.

The critical question is what happens next.

When fraud is identified, 78% of organizations seek assistance from their banking partners, while 66% involve internal security or compliance teams. This reflects the inherently multi-party nature of fraud response.

And that is where coordination challenges re-emerge.

Delays in escalation, fragmented ownership, and inconsistent reporting pathways can all reduce the likelihood of recovery. Even when fraud is detected early, the absence of a coordinated response can allow losses to materialize, or prevent them from being recovered.

In this environment, the gap is not just about how quickly fraud is detected. It is about how effectively the response is aligned.

Why controls alone are not enough

In 2025, companies strengthened payment fraud controls significantly. Multi-level authorization, call-back verification, adoption of advanced technologies, continuous monitoring of payment systems, and enhanced validation processes, as noted in the AFP Payments Fraud and Control Survey Report, are now widely embedded across treasury and payments operations.

These measures are necessary. They are effective. But they are not sufficient.

The AFP survey shows that actual or attempted payments fraud activity continues to affect more than three-quarters of organizations. Not because controls are absent, but because fraud no longer operates within the boundaries those controls were designed to protect.

Controls are inherently static. They are applied at defined points in time and often within specific channels.

Fraud, by contrast, is dynamic. It evolves in real time, moves across channels, and adapts to organizational behaviour.

This mismatch creates a persistent vulnerability where even well-designed controls can be bypassed, not because they fail, but because they are applied in isolation.

From control frameworks to coordination frameworks

The implication for treasury is not incremental. It is structural.

Fraud prevention must evolve from a control-centric approach to a coordination-centric framework.

This means connecting signals across channels, rather than evaluating them in isolation. It requires embedding verification within the broader context of transactions, rather than relying solely on procedural updates. It also demands that treasury, AP, accounting, risk, IT, and compliance operate as an integrated network, not as separate silos.

Speed is equally critical. Detection and response must occur as part of a coordinated sequence, particularly in the early stages of a fraud attempt, where outcomes are still reversible.

In practice, this represents a shift from validating individual transactions to understanding patterns of behaviour.

To conclude, payments fraud is no longer a series of isolated control failures. It is a systemic risk that moves across functions, channels, and decision points, often faster than organizations can detect or respond.

The findings from the 2026 AFP® Payments Fraud and Control Survey make one point clear.  Fraud persists not because organizations lack controls, but because the connections between those controls remain incomplete.

For treasury, this represents a fundamental shift in mandate. The role is no longer limited to safeguarding transactions or enforcing controls at specific points in the payment lifecycle. It is to operate as the connective layer, linking signals across payment and communication channels, aligning functions across the enterprise, and ensuring that risk is understood as part of a broader pattern.

This requires moving beyond control strength toward control cohesion. It requires integrating detection, verification, and response into a coordinated sequence rather than a set of parallel processes. It also requires speed, because in payments fraud, the window between detection and impact is often measured in hours, not days.

In payments fraud, the risk is not what you see. It is what you fail to connect.

Because in an environment where fraud operates as a network, defence must operate as one too.