The payment process is the financial Achilles’ heel of the global supply chain and a risk area too often overlooked by finance and security leaders.
Why should today’s cybercriminals bother with ransomware or selling stolen Personally Identifiable Information (PII) on the dark web when they can use AI-powered social engineering to trick finance teams into wiring money directly into their accounts?
As supply chains grow more complex, attackers are targeting the intersection of human workflows, third-party vendors, and large financial transactions. It’s a blind spot that traditional email security doesn’t flag, and it’s costing companies millions.
According to The World Economic Forum’s Global Cybersecurity Outlook (GCO) 2025, nearly half of global organizations now cite the malicious use of generative AI as their top cybersecurity concern—making it a top boardroom issue across industries.
Social Engineering Scams Follow the Money
Large companies, from the CFO to their finance and accounts payable teams, handle thousands of invoices, interact with countless vendors, and operate in flux due to global supply chain shifts. This creates the perfect storm for attackers to insert fake invoices, impersonate executives demanding urgent payments, or compromise vendor communications to redirect funds.
The technique most cybercriminals use to redirect funds is social engineering. By one widely cited estimate, social engineering is involved in 98% of cyberattacks. Simply put, social engineering scams exploit human weaknesses to manipulate targeted people into disclosing sensitive information or taking actions that compromise their own security and, more often, the security and finances of their employer.
It’s a direct attack on cash flow. These attacks target the purse strings: employees in vendor-facing roles, including finance teams and executives, who have access to funds and can approve or modify payments. And it works. According to the AFP’s 2025 Payments Fraud and Control Survey, 79% of organizations were targeted by payment fraud attacks in 2024.
Social Engineering Techniques and Payment Process Vulnerabilities
Business email compromise (BEC) remains one of the most effective, and costly, forms of social engineering. These attacks often evade traditional email security filters, exploiting the fact that email is still the primary communication channel in financial workflows—from vendor onboarding to invoice approvals.
But the tactics are shifting. According to the AFP, executive impersonation is declining (down to 49%), while vendor impersonation is rising—now cited by 60% of respondents. That’s a sign that attackers are adapting, opting to blend more subtly into day-to-day supply chain operations.
This trend reflects a more targeted threat known as Vendor Email Compromise (VEC), in which attackers impersonate or take over real vendors’ accounts to redirect payments. Unlike classic BEC, these attacks don’t depend on impersonating someone inside your own company; they exploit the trust you already place in your partners, so the request arrives from a relationship your team expects to hear from.
Generative AI makes these impersonations even harder to detect. Attackers now mine breached inboxes, social media, and press releases to craft emails that mimic a specific person’s tone and context, making phishing messages appear shockingly real.
And it’s not just email. AI-generated deepfake voices and video clones are being used to simulate live interactions. In one case, Human Resource Director Magazine reported that a finance executive nearly wired $500,000 after attending a video meeting with a convincing deepfake of the company’s CFO.
Urgency is another powerful lever. Messages claiming a payment is overdue or tied to an urgent deal prey on an employee’s instinct to act fast, especially in high-pressure environments.
Lastly, attackers exploit the scale and repetition of finance operations. With thousands of invoices processed every month, a small change such as a slightly altered bank account number can slip by unnoticed. And when those emails reference real vendors, real purchase orders, and replicate trusted invoice templates, the fraudulent payment can move through the approval workflow undetected.
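The controls the preceding paragraphs imply are mechanical: compare the bank details and sender on an incoming invoice against what was verified at onboarding, and treat any drift as a reason to hold the payment until it is confirmed over a channel the attacker doesn’t control. The following screening function is an added example written for this page, not code from the article or any vendor product. The vendor-master record, the invoice, the domain names and the urgency phrase list are all constructed for illustration; the confusable-character map is deliberately partial and would need a fuller table in production.

```python
"""Screen an incoming invoice against the vendor master before payment.

Added example for this page (constructed data, not a real vendor).
Flags the three VEC signals discussed above: a lookalike or unknown
sender domain, a bank account that differs from the verified record,
and urgency language in the message body.
"""
from dataclasses import dataclass
import unicodedata

# Constructed vendor master: the details finance verified out of band at onboarding.
VENDOR_MASTER = {
    "acme-supplies": {
        "domains": {"acme-supplies.example"},
        "iban": "GB29NWBK60161331926819",
    },
}

# Partial map of Cyrillic letters that render like Latin ones (assumption:
# a production system would use a full Unicode confusables table).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c"})

URGENCY_PHRASES = ("urgent", "immediately", "overdue", "final notice", "today")


@dataclass
class Invoice:
    vendor_id: str
    sender: str
    iban: str
    amount: float
    text: str = ""


def _normalize_domain(domain: str) -> str:
    # Fold confusables, apply NFKC (fullwidth and other compatibility forms),
    # then lowercase so 'acme-suppIies' (capital I) becomes 'acme-suppiies'.
    return unicodedata.normalize("NFKC", domain.translate(CONFUSABLES)).lower().strip()


def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; small distances between domains mean a lookalike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_invoice(inv: Invoice, master=VENDOR_MASTER) -> list[str]:
    """Return the reasons this invoice must be held for out-of-band verification.

    An empty list means no signal fired; it is not proof the invoice is genuine.
    """
    reasons = []
    rec = master.get(inv.vendor_id)
    if rec is None:
        return ["unknown vendor: onboard and verify before paying"]

    # 1. Sender domain: exact match against the domains on file, else lookalike check.
    sender_domain = _normalize_domain(inv.sender.rsplit("@", 1)[-1])
    known = {_normalize_domain(d) for d in rec["domains"]}
    if sender_domain not in known:
        closest = min(known, key=lambda d: _edit_distance(d, sender_domain))
        dist = _edit_distance(closest, sender_domain)
        if dist <= 2 or sender_domain.startswith(closest.split(".")[0]):
            reasons.append(f"lookalike sender domain {sender_domain!r} "
                           f"(closest known: {closest!r})")
        else:
            reasons.append(f"sender domain {sender_domain!r} not on file for vendor")

    # 2. Bank details: any change from the verified record is held, however small.
    if inv.iban.replace(" ", "").upper() != rec["iban"]:
        reasons.append("bank account differs from vendor master: "
                       "confirm by phone using the number on file, not the email")

    # 3. Pressure to act fast is itself a signal worth surfacing to the approver.
    hits = [p for p in URGENCY_PHRASES if p in inv.text.lower()]
    if hits:
        reasons.append(f"urgency language: {hits}")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a genuine invoice, then a VEC attempt with one changed letter.
    genuine = Invoice("acme-supplies", "ar@acme-supplies.example",
                      "GB29 NWBK 6016 1331 9268 19", 12500.00, "Invoice 4471 attached.")
    attack = Invoice("acme-supplies", "ar@acme-suppIies.example",
                     "GB82WEST12345698765432", 12500.00,
                     "Please process immediately, payment overdue. New bank details attached.")
    print("genuine:", screen_invoice(genuine))
    print("attack: ", screen_invoice(attack))
```

The important design point is the last step: when the bank account differs, the function tells the approver to verify by a phone number already on file, never one quoted in the invoice email, since an attacker who controls the vendor's mailbox also controls whatever contact details the email offers.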
Protecting the Payment Process
According to the World Economic Forum, one in three CEOs now cite cyber espionage and intellectual property theft as top concerns, yet many still underestimate the operational and financial damage caused by payment fraud itself.
As generative AI accelerates the scale and sophistication of fraud, protecting the payment process is no longer just a finance or security issue; it’s a business survival issue. Attackers are slipping through the cracks not because defenses are weak, but because defenses are misaligned. Most security strategies still treat email as the only attack vector, when in reality every step of the payment process, from vendor onboarding to bank account changes, is being exploited.
Organizations must act now to reframe how they understand and defend against social engineering threats. That means investing in end-to-end visibility, aligning cross-functional teams, and deploying behavioral AI to catch what traditional tools can’t see.
Fraud is no longer about breaking in; it’s about blending in. And unless businesses start securing the systems that move money, not just the inboxes that talk about it, they’ll remain vulnerable to the costliest cyber risk hiding in plain sight.