News | 22 April 2026
Spotting the “New Generation” of Fraud
Annette Vivoni, Managing Director, Global Cash Management Sales in BBVA
In the rapidly evolving financial landscape of 2026, the intersection of Artificial Intelligence (AI) and Fraud Prevention has become the frontline of corporate treasury and data security. While AI empowers treasury teams with unprecedented predictive capabilities, it also provides fraudsters with sophisticated tools to bypass traditional defenses.
For Treasury Operations understanding this dynamic is essential for safeguarding global liquidity.
AI is a "double-edged sword" in treasury operations. On one hand, it acts as a powerful guardian; on the other, it fuels a new generation of highly convincing scams. Treasury Operations need to adapt and update their skill sets to prevent and spot potential fraud in their daily procedures.
AI can be a shield for predictive protection. By analyzing large amounts of data from your Treasury systems, AI can be used to detect anomalies. AI algorithms can analyze years of transaction data to establish a behavioral baseline of transactions for your company. It can instantly flag a payment that deviates from typical patterns, such as an unusual amount, a new destination, or an odd time of day. In addition, by leveraging ISO 20022 CAMT formats, AI can capture and analyze the rich data within your bank statements to identify inconsistencies that a human eye might miss.
AI has also been deployed as a success weapon for fraudsters. With the rise of deepfakes engineered by hoaxers who are now using Generative AI to launch social engineering attacks that are nearly impossible to detect through standard skepticism,- tactics such as vishing or voice phishing have evolved. Attackers can now use AI to clone an executive's voice or even create deepfake video calls to authorize "urgent" or "confidential" transfers. Fraudsters are also using hyper-personalized phishing by using AI to scrape public data and professional profiles to write emails that perfectly mimic the tone and context of your actual vendors or internal colleagues.
To stay ahead of these threats in 2026, treasury departments must constantly review and strengthen their internal protocols by adapting them to the newest fraud schemes. For example,it is essential to establish policies such as No urgent request received via digital channels (even video), so that no such request is acted upon without a secondary confirmation through a pre-agreed, out-of-band channel. This creates a “human firewall” protocol to flag and detect possible AI phishing attempts.
Also, access to e-banking platforms and systems must move beyond simple passwords and rely on a combination of advanced tools and rigorous protocols to access, validate and enable payment processes. Enforcing a strict dual control policy, whereby the person creating a payment and the person approving it are always different, in combination with an independent validation process, also help in detecting and neutralizing any potential BEC attempts.
Another line of defense is adopting new Verification of Payee (VoP) tools. VoP is a new security measure whose primary purpose is to verify the match between the account holder's name and the IBAN number before a transfer is finalized, helping to prevent fraud and accidental misdirected payments. VoP was introduced as part of the SEPA Instant Payments Regulation, which came into effect in October 2025. While it is part of the Instant Payments regulation, financial institutions in the Eurozone are mandated to provide this service for all payment types, not just instant ones. For the payer, using VoP is mandatory for individual transactions, though companies may have the option to opt out for file-based batch payments.
It is important to distinguish VoP from other similar services, such as the solution provided in Spain by Iberpay, which has been operational for several years. While VoP focuses on matching names to IBANs, Iberpay's solution validates the Tax ID (CIF) against the IBAN, offering a higher level of security in verification results. The UK also has a similar established service known as Confirmation of Payee (CoP) which mimics the EU’s VoP service supporting systems like Faster Payments, BACS Direct Credits and CHAPS.
For Purchase-to-Pay (P2P) teams, the primary hurdles for adopting Verification of Payee (VoP) services include ERP readiness, workflow validation, and added internal process complexity. However, by integrating these account validations into daily procedures, companies can add a critical security layer to the vendor payment process, effectively neutralizing Business Email Compromise (BEC) attempts.
In the United States, checks continue to be a favorite target by fraudsters due to their physical nature and vulnerabilities. Checks are 16 times more likely to be stolen through the mail and altered via check washing than electronic transfers. Thus, shifting away from physical instruments and transitioning to electronic payments via ACH or wire transfers facilitates a digital trail that is far harder for AI-powered forgery tools to manipulate. Companies can also implement check and debit blocks in their corporate accounts to restrict and automatically reject any unauthorized outflow of funds, thus forcing all payments through secure electronic transfers.
In 2026, fraud awareness is no longer about looking for spelling errors in an email; it is about verifying the identity and intent behind every transaction. By combining the AI-driven reporting of your Treasury and ERP systems with disciplined internal controls, your organization can enjoy the benefits of global liquidity while minimizing the risks of the modern digital frontier.
Ultimately, the most resilient treasury departments will be those that view security not as a static defense, but as a dynamic, ongoing conversation between human oversight and automated intelligence. As verification systems like VoP become the global standard, the goal for any corporate leader is clear: to build a 'zero-trust' payment environment where speed never comes at the expense of certainty. In this new era, the strongest firewall is no longer just code—it is the strategic integration of technology, policy, and a culture of relentless training and verification.
For Treasury Operations understanding this dynamic is essential for safeguarding global liquidity.
AI is a "double-edged sword" in treasury operations. On one hand, it acts as a powerful guardian; on the other, it fuels a new generation of highly convincing scams. Treasury Operations need to adapt and update their skill sets to prevent and spot potential fraud in their daily procedures.
AI can be a shield for predictive protection. By analyzing large amounts of data from your Treasury systems, AI can be used to detect anomalies. AI algorithms can analyze years of transaction data to establish a behavioral baseline of transactions for your company. It can instantly flag a payment that deviates from typical patterns, such as an unusual amount, a new destination, or an odd time of day. In addition, by leveraging ISO 20022 CAMT formats, AI can capture and analyze the rich data within your bank statements to identify inconsistencies that a human eye might miss.
AI has also been deployed as a success weapon for fraudsters. With the rise of deepfakes engineered by hoaxers who are now using Generative AI to launch social engineering attacks that are nearly impossible to detect through standard skepticism,- tactics such as vishing or voice phishing have evolved. Attackers can now use AI to clone an executive's voice or even create deepfake video calls to authorize "urgent" or "confidential" transfers. Fraudsters are also using hyper-personalized phishing by using AI to scrape public data and professional profiles to write emails that perfectly mimic the tone and context of your actual vendors or internal colleagues.
To stay ahead of these threats in 2026, treasury departments must constantly review and strengthen their internal protocols by adapting them to the newest fraud schemes. For example,it is essential to establish policies such as No urgent request received via digital channels (even video), so that no such request is acted upon without a secondary confirmation through a pre-agreed, out-of-band channel. This creates a “human firewall” protocol to flag and detect possible AI phishing attempts.
Also, access to e-banking platforms and systems must move beyond simple passwords and rely on a combination of advanced tools and rigorous protocols to access, validate and enable payment processes. Enforcing a strict dual control policy, whereby the person creating a payment and the person approving it are always different, in combination with an independent validation process, also help in detecting and neutralizing any potential BEC attempts.
Another line of defense is adopting new Verification of Payee (VoP) tools. VoP is a new security measure whose primary purpose is to verify the match between the account holder's name and the IBAN number before a transfer is finalized, helping to prevent fraud and accidental misdirected payments. VoP was introduced as part of the SEPA Instant Payments Regulation, which came into effect in October 2025. While it is part of the Instant Payments regulation, financial institutions in the Eurozone are mandated to provide this service for all payment types, not just instant ones. For the payer, using VoP is mandatory for individual transactions, though companies may have the option to opt out for file-based batch payments.
It is important to distinguish VoP from other similar services, such as the solution provided in Spain by Iberpay, which has been operational for several years. While VoP focuses on matching names to IBANs, Iberpay's solution validates the Tax ID (CIF) against the IBAN, offering a higher level of security in verification results. The UK also has a similar established service known as Confirmation of Payee (CoP) which mimics the EU’s VoP service supporting systems like Faster Payments, BACS Direct Credits and CHAPS.
For Purchase-to-Pay (P2P) teams, the primary hurdles for adopting Verification of Payee (VoP) services include ERP readiness, workflow validation, and added internal process complexity. However, by integrating these account validations into daily procedures, companies can add a critical security layer to the vendor payment process, effectively neutralizing Business Email Compromise (BEC) attempts.
In the United States, checks continue to be a favorite target by fraudsters due to their physical nature and vulnerabilities. Checks are 16 times more likely to be stolen through the mail and altered via check washing than electronic transfers. Thus, shifting away from physical instruments and transitioning to electronic payments via ACH or wire transfers facilitates a digital trail that is far harder for AI-powered forgery tools to manipulate. Companies can also implement check and debit blocks in their corporate accounts to restrict and automatically reject any unauthorized outflow of funds, thus forcing all payments through secure electronic transfers.
In 2026, fraud awareness is no longer about looking for spelling errors in an email; it is about verifying the identity and intent behind every transaction. By combining the AI-driven reporting of your Treasury and ERP systems with disciplined internal controls, your organization can enjoy the benefits of global liquidity while minimizing the risks of the modern digital frontier.
Ultimately, the most resilient treasury departments will be those that view security not as a static defense, but as a dynamic, ongoing conversation between human oversight and automated intelligence. As verification systems like VoP become the global standard, the goal for any corporate leader is clear: to build a 'zero-trust' payment environment where speed never comes at the expense of certainty. In this new era, the strongest firewall is no longer just code—it is the strategic integration of technology, policy, and a culture of relentless training and verification.