Corporations for years have had to cope with fraudulent payment requests, sometimes after embarrassing, costly incidents. The advent of artificial intelligence (AI) has both intensified this risk and offered assistance in early warning and prevention.
One of the most publicised cases of a deepfake was revealed in 2024 when an employee at a Hong Kong company was tricked by an AI-enhanced video conference that appeared to show the CFO instructing the colleague to send a series of payments to certain bank accounts. The recipients were thieves, who took in approximately US$25m before the scam was detected.
As corporate treasurers and their banking partners embrace new technologies to deploy faster payments and other digital solutions with AI components, experts warn that the good guys’ AI needs to stay at least a half-step ahead of the fraudsters’ AI.
Royston Da Costa, an independent treasury advisor, said step one in fraud-prevention is the “traditional treasurer mindset with regard to checking things”. Make sure all employees stay alert and use good judgment when opening emails or answering unusual phone calls. Digital solutions can add a layer of protection.
“Regarding AI, it’s really, frankly, going back to being grounded in good old treasury principles,” Da Costa told Treasury Today. The technology “can make us more efficient. But don’t lose sight of the very basic fundamental processes that we’ve always held dear in treasury.”
The oldest trick in the book is convincing a careless employee that the boss wants them to send a payment immediately. The current risk is that technology is helping criminals make fake payment requests seem believable.
“A lot of our customers are seeing that,” Jon Paquette, Chief of Strategy at Treasury Intelligence Solutions (TIS), said of the sophistication of the attacks. “AI is really making them a lot more realistic. They have a deeper level of knowledge of the company.”
It is better to delay a payment for a few hours or days than to regret a payment later.
“The obvious risk is that it’s going to be a fraudulent invoice,” Da Costa noted. “And the nature of instant payments or fast payments is that they’re going to go through a lot more quickly and be much more difficult to recall once they’ve been released.”
He encourages disciplined usage of segregated control processes.
“Someone calls you and says we need you to make an urgent payment. What is your process to validate that that’s a genuine request? There needs to be a clear process about what you do. … It shouldn’t be one person that does everything,” Da Costa emphasised. “Those days should be gone, especially after the CEO scams back in the day.”
A quick-turnaround payment request “shouldn’t be able to be completed without having the controls and checks like the ‘four-eyes principle’ or ‘six-eyes principle’ that most companies I think have adopted now.”
Paquette cites industry surveys indicating that about two-thirds of large companies have received AI-related fraud or deepfake requests. Yet, not even 20% of the companies are using AI for prevention.
“There’s definitely a lot of work to be done there,” Paquette said. He urges treasury teams to invest in account-validation, point-of-verification, anomaly-detection and other transaction risk-management software.
With the security solutions, however, “you don’t want to introduce operational gridlock” that causes too many legitimate payments to get flagged and delayed, angering vendors.
Da Costa suggests that treasury teams imagine worst-case scenarios and consider what additional technology may help.
“Look at your process. Identify the weak links,” he said. “You’ve got a multitude of fintechs out there that offer some very good cybersecure solutions for making payments. … These scams are getting more and more sophisticated, which is why we need the technology, and why, frankly, we need AI to help us.”
