Blog

AI social engineering and payment fraud: why your AP team is the new attack surface

Published May 28, 2026 · About 10 min read

It wasn't a hack. There was no malware. No compromised password. No alert from IT. The accounts payable specialist at a mid-sized professional services firm followed every process she'd been trained on. She received an email from a vendor she'd paid dozens of times before. The email said the vendor's banking details had changed, included a PDF on company letterhead, and asked her to update the records before the next payment run.

She updated the records. The next payment — $214,000 — went to a fraudster's account. By the time anyone noticed, the money was gone.

This is not a story about weak passwords or unpatched software. It's a story about trust. And in 2026, artificial intelligence has made exploiting that trust faster, cheaper, and more convincing than it has ever been before.

The real attack surface in 2026 isn't your systems. It's your team's judgment.

For years, cybersecurity has focused on technical defenses: firewalls, multi-factor authentication, email filters, endpoint protection. These tools matter. But they address the wrong problem when it comes to payment fraud.

Most payment fraud doesn't break into your systems. It walks in through the front door — in the form of a convincing email, a believable PDF, or a phone call that sounds exactly like the person you expect to hear from. The target isn't your network. It's the moment a human being on your finance team decides to approve a payment.

That moment — the “approve” click — is the most valuable thing a fraudster can reach. And AI has made reaching it dramatically easier.

What AI does to social engineering

Social engineering has always been the art of exploiting trust. A skilled fraudster could research your company, learn your vendors' names, study your payment patterns, and craft a believable request. The problem was scale: doing this well took hours. You could only target a handful of companies at a time.

Generative AI has collapsed that constraint entirely. In 2026, a fraudster can use publicly available tools to:

  • Research your vendor relationships from your website, LinkedIn, press releases, and company filings — automatically
  • Draft a convincing impersonation email in the exact tone and style of your real vendor, including their name, signature line, and typical phrasing
  • Generate supporting documents — invoices, letters, updated W-9s, bank change request forms — that are visually indistinguishable from legitimate ones
  • Personalize each attack with the target employee's name, their manager's name, recent invoice details, and even references to real contracts

Microsoft's Security Blog reported 10.7 million business email compromise attacks in Q1 2026 alone — a 26% surge in March. IBM's Cost of a Data Breach Report found that 16% of all data breaches in 2025 involved AI-generated attack content. This isn't a future threat. It is the current operating environment for every finance team processing payments today.

Why this is specifically a payment fraud problem

Not all social engineering leads to financial loss. But the AP approval workflow is uniquely exposed for three reasons.

1. AP teams are trained to be responsive

A vendor chasing a late payment or requesting a bank update expects a quick response. That responsiveness — which is a professional virtue — becomes a vulnerability when the urgency is manufactured.

2. Payment decisions are hard to reverse

Unlike a data breach that might be contained, a fraudulent wire transfer or ACH payment is gone the moment it clears. Reversal rates for business payment fraud are low. The FBI estimates recovery in BEC cases at under 30% when funds reach a foreign account.

3. The requests look exactly like legitimate ones

A traditional fake invoice had visual tells: off-brand logos, unusual formatting, misspelled vendor names. An AI-generated document trained on your real vendor's previous communications has none of those tells. The behavioral signals — correct vendor name, matching invoice numbers, plausible amounts — all pass the human eye test.

The 2026 Abnormal AI Attack Landscape Report identified that vendor email compromise (VEC) now accounts for 61% of all BEC attacks. VEC is distinct from standard BEC: rather than spoofing a vendor's email address, the attacker compromises the vendor's actual email account. Your AP team receives a request from the vendor's real email, from a real account they've corresponded with for years. There is no “check the sender address” defense that catches this.

A scenario your AP team has probably already faced

A vendor your firm has worked with for two years sends an email in late March. The timing is slightly off from their usual pattern, but only by a few days. The email is professionally written — better, actually, than most of their previous communications — and explains that they recently switched banks as part of a company restructuring. They've attached an updated ACH form on their letterhead.

The AP specialist who handles this vendor has been with the company for six years. She knows the vendor. She checks that the email address matches the one in the system. She reviews the form. Everything looks right. She submits the bank update. It gets approved by her manager, who does a quick review and signs off. The following week, a $180,000 payment goes out.

Three weeks later, the real vendor calls about the overdue invoice.

The email came from a real, compromised vendor account. The document was AI-generated using publicly available information about the vendor's company. The attack was planned over six weeks of passive email monitoring after the vendor's account was quietly taken over. Nobody did anything wrong — and the money is gone.

Variants of this attack pattern were documented in multiple cases in 2025 and are accelerating in 2026. For a detailed case study with a real accounting firm scenario, read how BEC is targeting accounting firms and what stops it.

What doesn't stop this

It is worth being direct about the defenses that do not catch this class of attack.

ControlWhy it fails against AI social engineering
Email filtersDon't catch VEC — the email comes from a legitimate, uncompromised address
Employee trainingHuman pattern-recognition fails at the scale and quality of AI-generated attacks
Two-person approvalBoth approvers are looking at the same convincing documentation
Invoice-to-PO matchingAmounts and line items are all correct — only the destination account is wrong

What these attacks share is that they bypass every control designed to verify what is being paid — and go directly after where the money is going. The bank account number is the one thing most AP processes treat as low-risk once a vendor is established.

What actually stops it

The controls that reliably interrupt AI-powered social engineering attacks on payment workflows share a common principle: verify at the point of payment, not just at the point of vendor onboarding.

A fraudster who has compromised a vendor relationship or manufactured a convincing impersonation has already passed the onboarding check. They are in your system. The only remaining gate is pre-payment verification — a check that happens at the moment the payment is queued, not weeks or months earlier when the vendor was first set up.

Effective pre-payment verification looks at behavioral signals, not document signals. Specifically:

  • Has this vendor's bank account changed recently? (Bank account changes within 30 days of a payment are the single highest-risk signal in the entire AP workflow.)
  • Does the payment amount, timing, or destination deviate from this vendor's established pattern?
  • Is there any anomaly in the payment request — a new email sender, a different contact name, a change in communication style — that doesn't match historical data?

These are signals that a trained human reviewer might catch on a good day. Pre-payment verification software catches them on every payment, every day, regardless of volume. This is precisely the gap that Vantirs closes: rather than relying on your team to recognize an AI-crafted request at the moment of approval, Vantirs cross-checks every payment against vendor behavioral history and flags deviations before the payment clears.

The organizational blind spot

There is a structural problem that makes this harder than it should be: most organizations assume someone else is watching.

Your IT or security team assumes your finance team has controls in place for payment approval. Your finance team assumes IT is monitoring for fraudulent email activity. In practice, neither team has full visibility into the payment workflow at the moment of fraud — the instant a convincing email triggers an AP approval.

Trustmi's recent research put it plainly: fraud exploits the gap between finance and security, where neither team has clear ownership. This is especially acute at accounting firms and SMB finance teams, where there may be no dedicated IT security function at all. The AP team is the security team, whether or not anyone has acknowledged that.

Recognizing this gap is the first step. Closing it requires a control that lives inside the payment workflow itself — not upstream in email security, not downstream in forensic accounting after the loss, but at the precise moment a payment is queued for approval.

What CFOs and finance leaders should do this week

The threat doesn't require a dramatic response. It requires a targeted one.

  1. Audit your bank change process.How does your team verify a vendor bank account update? If the answer is “we check the email looks right and the form looks right,” that process will not hold against AI-generated documentation.
  2. Map your highest-risk payment moments. New vendors in the first 90 days, bank account changes, and high-value one-time payments to established vendors are the three scenarios where fraud is most concentrated. What happens at each of those moments in your current workflow?
  3. Ask who is watching.Specifically: who reviews payment anomalies in real time, before funds clear? If the answer is “we'd catch it on the next reconciliation,” the answer is too slow. By reconciliation, the payment has cleared.
  4. Consider pre-payment verification. The cost of a fraud prevention tool that checks every payment against behavioral baselines is a fraction of the cost of a single fraudulent wire. For a checklist of the controls your team should have in place, see the vendor verification checklist for accounting firms.

Frequently asked questions

What is AI social engineering in the context of payment fraud?

AI social engineering uses generative AI tools to craft highly convincing fraudulent emails, documents, and impersonations targeting finance teams. In the payment fraud context, attackers use AI to generate fake invoices, bank-change request forms, and vendor communications that are visually and behaviorally indistinguishable from legitimate ones — bypassing standard document review controls entirely.

How can accounts payable teams detect AI-generated fraud attempts?

The most reliable detection layer is behavioral, not visual. Since AI can replicate document appearance perfectly, AP teams should compare every payment instruction against vendor payment history: Is the bank account new or recently changed? Is the amount outside the vendor's normal range? Did the request arrive outside the vendor's typical billing cycle? These signals come from your accounting system, not from the document — and AI cannot fabricate your payment history.

Why is vendor email compromise (VEC) harder to detect than standard BEC?

In vendor email compromise, the attacker gains access to a real vendor's email account rather than spoofing it. The fraudulent request arrives from a legitimate email address your team has corresponded with for years. Controls like "check the sender address" provide no protection. The only reliable signal is a change in payment routing — a new bank account or ACH destination — that doesn't match your verified vendor history.

See how Vantirs flags high-risk payments before they clear

AI has made social engineering attacks faster and more convincing. Pre-payment verification is the control that doesn't depend on human judgment at the moment the request arrives. Book a live demo to see how Vantirs catches the signals your team can't.