Here’s a statistic that makes SME owners, managers, and employees sit up straight. According to the FBI’s 2025 Internet Crime Report, business email compromise (BEC) cost US businesses over $3 billion last year. That makes it one of the costliest cybercrimes on record.
AI has made these attacks even harder to spot. The question for accounts payable (AP) teams is no longer whether they can identify suspicious requests—it’s whether payment processes are robust enough to make fraud difficult, no matter how convincing the message looks.
Why AP Teams Are in the Crosshairs
Accounts payable sits at the intersection of trust and timing. AP teams manage invoices, supplier details, and payments under constant pressure to keep operations running smoothly. For attackers, that’s a perfect target.
Most successful BEC attacks don’t involve breaking into systems. The FBI’s IC3 consistently finds that BEC relies on impersonation: attackers pose as executives, suppliers, or internal colleagues to redirect payments or update bank details before anyone notices.
AI has made this impersonation scalable. Tasks that once required skill and time—researching, writing, tailoring messages—are now automated. By mid-2024, around 40% of BEC phishing emails were AI-generated, and that figure is only expected to rise.
What AI-Enhanced Fraud Looks Like
Emails that blend into normal workflow
Gone are the days of clumsy phishing emails. AI-generated BEC emails are grammatically correct, reference active projects, invoice numbers, and upcoming payments—all in the exact tone of the person being impersonated. For AP teams processing dozens of routine communications, these emails slip past the usual instincts.
Invoice and payment redirection
Attackers may intercept legitimate invoices and quietly change the destination account. They might re-issue an invoice with subtle modifications or claim that supplier banking details have changed. Everything around the message looks authentic, because often it’s drawn from real correspondence.
Voice cloning and executive impersonation
Email isn’t the only channel at risk. AI voice-cloning can replicate an executive’s voice from a short sample, leaving convincing voicemails or even making calls. For AP teams relying on verbal approvals, this erodes one of the last verification safeguards outside email security.
Why Traditional Checks No Longer Work
Security awareness training is still important—but AI has changed the game. Modern BEC emails can mimic familiar suppliers, reference active projects, and even include accurate invoice amounts. Placing the burden of detection solely on AP staff is unfair and ineffective.
The organizations that reduce risk don’t rely on sharper instincts—they build verification processes that work no matter how legitimate a request looks.
Building Process Around the Risk
Out-of-band verification as standard
Any request to change supplier bank details or approve urgent payments outside the normal cycle should require independent confirmation—never a reply to the same email thread. Call a supplier on a known number or confirm directly with a colleague. This breaks the impersonation chain, regardless of how convincing the original request appeared.
Layered access and authentication controls
Restrict access to financial systems and enforce MFA. Even if a vendor’s email is compromised, MFA adds friction that can stop fraudulent changes before money moves.
A culture that supports slowing down
Teams reduce risk when employees feel empowered to question requests, even from senior leadership. Pausing a payment to verify it isn’t obstruction—it’s smart process. Leadership modeling this behavior is critical.
The FBI’s 2025 report highlighted AI-enabled scams for the first time, logging $893 million in losses across 22,000 complaints. With consistent verification and a culture that encourages questioning, AI-enhanced fraud loses much of its edge. Technology evolves fast—but solid process controls don’t have to be complicated. They just have to be consistent.
Shift the Burden From People to Process
Worried about AI-enhanced BEC targeting your finance teams or clients? Our Managed IT and Managed Services in Brisbane and Mackay can help review your current controls, strengthen verification processes, and identify the gaps that matter most—before an incident does it for you.
Contact us today to protect your AP workflow and keep attackers from turning your invoices into their next payday.gaps are.
—
