A new year often brings new and exciting opportunities for businesses. Maybe it’s hiring new employees, launching a product line, or rolling out a fresh marketing campaign. One thing it’s also sure to bring are new tactics used by fraudsters. In some cases, it might be a completely new scheme; in others it may be deploying technology (like AI) to improve an existing approach.
Regardless, fraudsters aren’t going to take their foot off the gas in 2026. TransUnion highlighted that US businesses lost an average of 9.8% of their revenue to fraud in 2025, a 46% jump from 2024. Scammers will be looking to make similar gains this year.
Here are three of the top threat types we’re monitoring this year, and suggest your business does the same.
Account Takeover (AT).
What is it? When a fraudster illegally gets into your account and uses it as if they were you.
Businesses are reporting increasingly sophisticated account takeover attempts, and the impact hits quickly. Fraudsters use AI‑driven social engineering to lure business employees into giving up credentials or MFA codes, and by the time unusual activity is noticed, the criminal has already bypassed authentication and taken control of a business’s bank account.
From the bank’s side, it looks like a trusted customer logging in and moving money — often in high-value, real‑time transactions where the opportunity to intervene is small to non-existent. Each incident sparks frustration, reputational risk, and an operational scramble to lock down accounts, investigate, and claw back funds — which is often not possible.
How to protect your business against AT fraud: Build a culture of skepticism, at least when it comes to receiving phone calls regarding your business’s bank accounts. Bank’s will never call and ask that you provide or verify sensitive information (usernames, passwords, etc.). Only when you call your bank should such information be provided if requested. It’s OK to be suspicious. Hang up and call your bank directly on a known number.
Authorized Push Payment (APP).
What is it? When a fraudster tricks you into willingly sending money from your account to theirs.
A push payment is a type of transaction where the payer actively initiates and “pushes” money to the payee. In other words, you send the money out from your account to someone else.
In the case of APP fraud, criminals use text messages to impersonate vendors, executives, employees, or even government agencies and pressure you into initiating a push payment. When an employee willingly sends (“pushes”) company funds to a scammer, believing the request is legitimate, the funds can be long gone by the time a business realizes what has happened. And from the bank’s perspective, the transaction itself looks clean.
How to protect your business against APP fraud: Don’t click. Just like when an email is suspicious you don’t click on links, when a suspicious text message is received or a message comes from an unknown number, don’t click any links or respond. Trust your instinct and contact the entity directly that the message claims to be representing.
Vendor Payment Redirection.
What is it? When a fraudster tricks you into sending money to a fake bank account by pretending to be a legitimate vendor.
Also known as invoice fraud, fraudsters impersonate a trusted supplier and convince a business to send legitimate payments to a new (fraudulent) bank account. This often begins with a compromised email account — either the vendor’s or the business’s —allowing criminals to monitor conversations, learn payment schedules, and time their requests to further avoid any suspicion.
Like other tactics, scammers are enhancing these attacks with AI. They can replicate a vendor’s writing style, generate realistic invoices, and even impersonate phone calls confirming the change in payment details. Because the request aligns with normal business activity, employees may process the change without realizing anything is wrong. By the time the real vendor asks about a missing payment, the funds have already been moved and are difficult or impossible to recover.
How to protect your business against vendor payment redirection: Never accept changes to payment instructions based on email alone. Require a secondary verification step — such as calling a known, trusted contact at the vendor using a phone number on file (not one provided in the message). Establish clear internal procedures for updating vendor banking details, and train employees to treat any “urgent” or last minute change requests as a red flag.
Fraud Stops With You.
As fraud tactics continue to evolve, staying informed and proactive is one of the most effective ways to protect your business. Building strong internal controls, encouraging healthy skepticism, and educating employees can significantly reduce your risk. The threats may be persistent, but with the right practices in place, your business doesn’t have to be an easy target. For more guidance and resources on safeguarding your business, visit our Business Security page. Also, your Relationship Manager is always available to discuss possible risk or exposure to your business.
Want more fraud education tips like this? Sign up for our fraud education newsletter to get content like this right to your inbox.