AP Fraud in 2026: What AP Directors Need to Know

February 23, 2026

The fraud landscape facing AP teams has fundamentally shifted. According to IOFM's latest survey of 150+ AP leaders, fraud attempts have nearly doubled in six months, jumping from 33% to 58% of teams reporting incidents. More alarming: 13% were attacked within the week before the survey. This isn't a future threat; it's happening now.

Detection Blind Spot: Death by a Thousand Cuts

Fraudsters have changed tactics. They're abandoning the "big heist" approach in favor of frequent, smaller attacks designed to fly under your radar. Today, 69% of fraud attempts are under $10,000—up from just 44% six months ago. Meanwhile, frauds exceeding $100,000 have plummeted from 19% to just 5% of attempts.

This shift exploits a common AP prioritization strategy: focusing resources on large discrepancies while letting smaller anomalies slide. Monthly $10,000 frauds can ultimately drain more cash than a single $100,000 incident, and the volume of attempts increases the odds that something gets through. 

Bottom line: Fraudsters’ strategic adaptation is exploiting approval thresholds and detection systems optimized for large transactions. 

How They're Getting In

Business email compromise (BEC) remains the dominant attack strategy, accounting for 47% of all attempts, up from 39% six months earlier. 

An automation gap equals a fraud control gap. If your team is highly manual (defined as requiring hands-on intervention for more than half your invoices), you're especially vulnerable. Manual teams report BECs as their primary threat, while more automated operations see BEC rates drop to just 33%.

Check fraud accounts for 41% of attempts (up from 31%), followed by bank account change requests at 27%. Internal employee fraud, while serious, represents less than 10% of incidents.

What's Working

The encouraging news: 73% of fraud attempts are being stopped. Your team's best defense? Email address vigilance. Two-thirds of caught frauds were flagged due to email inconsistencies. Other reliable red flags include high-urgency language (46%), unusual bank account requests (46%), and changes in vendor behavior (35%). 

As an AP Director, you need to reassess your fraud prevention strategy for this new reality. Small, frequent attacks require different controls than occasional large schemes. If you're still highly manual, automation isn't just an efficiency play; it's a security imperative.

The Control Gap

IOFM has identified six essential fraud controls, yet the average AP team only implements four. Here's what you should have in place, in order of current adoption:

Segregation of duties (most common) prevents any single person from controlling the payment cycle end-to-end. Vendor bank account verification through independent channels stops BEC schemes from succeeding. Fraud awareness training keeps your team current on evolving tactics—fraudsters are getting more sophisticated, and one-time training isn't enough.

Positive pay with your bank matches payments against approved lists before clearing. Dual approval for vendor setup (used by only 55% of teams) prevents fictitious vendor creation. Multi-factor authorization for high-risk transactions is the easiest control to implement, yet it's the least utilized. 

If you're not using all six essential controls, you're leaving your organization vulnerable.

There's no reason to wonder if fraudsters will target your team. Based on these numbers, they likely already have. The only question is whether your controls are strong enough. 
