Keith Parsons barely pauses when asked for examples of organizations being victimized by financial fraud. Consider these three stunning incidents that occurred within about a week's time this summer:
- A participant in an HVAC company's 401(k) plan lost $790,000 when a hacker adeptly cleared all safety and verification measures.
- A large institution wired $385,000 to a bogus account after it received a payment instruction change order from a German equipment vendor.
- A law firm reported that a six-figure settlement check was altered after it was stolen out of a U.S. Postal Service mailbox.
"We're absolutely seeing fraud across every channel and every business line, through ATMs, mobile banking, account takeovers, identity theft, mail theft, check fraud, alterations and forgeries," said Parsons, director of financial crimes, BOK Financial®. "Financial fraud has always been there and always targets businesses, but lately, we've been seeing different rings, groups and organizations committing more fraud at higher volumes."
According to the Association for Financial Professionals (AFP) annual payments fraud survey, 71% of organizations in the U.S. were exposed to some sort of illegal payment activity in 2021. The overall figure represented a seven-year low, but Parsons said his office has seen a sharp rise in activity since last October, with 500-600 incidents per month—at least double the 250 he'd seen on a monthly basis over the previous 20 years.
Shannon Habermehl, a BOK Financial treasury services market manager, said it's possible that the number of businesses and people scammed could be higher as many victims hesitate to share their experience.
"Many will say it hasn't happened to them, but as we talk, they'll say 'well, there was this one time,'" she said. "There are so many choices and channels for making payments in the current environment that cybercriminals have many more ways to compromise accounts and accesses."
Given the abundance of scams, skims and deceptions, Parsons and Habermehl encourage businesses to bolster their financial protection with five key measures.
1. Before you "reply," pick up the phone
How secure is your company email? Habermehl puts it simply: "Assume a cybercriminal is reading all of your emails every day, seeing who you communicate with, how you communicate and what you're sharing in those emails."
Amid such a heightened sense of wariness, view any payment-related email skeptically. Follow up on any change of accounts notice or request for payment with an old-school phone call to your contact via the phone number within your records, not the contact number on the potentially compromised email.
If making that extra call seems inefficient, "so does losing $1,000 or $1 million," Habermehl said. Parsons added that once you authorize a payment, the money's gone, whether it's a bogus recipient or not.
2. Employ your bank's resources
For virtually 100% protection, Parsons urges organizations to use bank tools such as Check Positive Pay with Payee Match and ACH Positive Pay, services that are offered by BOK Financial, Bank of Albuquerque, Bank of Oklahoma and Bank of Texas. These only allow payments to be completed if the amount and recipient have been identified in advance or confirmed by the bank.
"This puts the customer in control because they either tell us what they've sent out in a day or clear the list of pending payments we've compiled," he said. "If anything is altered, changed or doesn't match up, it doesn't get paid."
3. Save some trees—and headaches
Businesses continue to overwhelmingly rely on physical checks, despite the open door they offer to criminals. The AFP survey revealed two thirds of all payment fraud attempts in 2020 and 2021 were check-related.
"Every time you put a check in the mail, you're potentially providing your banking account information to a criminal, including the account name, account number, bank routing number and a perfect specimen of the authorized signature," Habermehl said. "We encourage companies to shift checks out of the mail system and away from those who handle checks, from the printing and envelope stuffing to the envelope opening and depositing."
Instead, process as many payables as possible through ACH or corporate card payments, she said.
4. Reshuffle your card sense
As long as you don't lose the physical card and are queried for approval on every potential purchase, Parsons encourages using a credit card as much as possible, since it offers the most protection against unauthorized purchases.
Meanwhile, Habermehl recommends businesses ditch any debit cards, since they offer direct access to funds in the business bank account.
5. Get the conversation going
Noting that the AFP survey reported that nearly three-quarters of fraudsters target either the accounts payable or corporate treasury departments, Habermehl stressed that solid internal controls rely on robust internal communications.
"Staff members of one team might feel uncomfortable reaching out to another department to verify payment information out of fear that they might look unskilled at their job, they could be intimidated to ask questions of someone considered 'busy,' or perhaps they don't want to be perceived as telling someone how to do their job," she said.
To combat that discomfort, she recommends departments meet and collaborate on internal control processes and procedures that will help protect the company. In smaller companies, where an owner or single manager handles the finances, she added that looping someone else into the cash flow oversight is valuable.
Vigilance pays
Parsons and Habermehl both said the proactive approach is beneficial as they frequently hear from clients who have stymied fraudsters.
If your business is victimized, report it to your bank as soon as possible since allowable return deadlines are tight for fraud. And file a police report. As with all white collar crime, the theft may fall lower on the priority list than violent crime, but Habermehl said the details from your loss could be key to solving a criminal case with local, state or federal officials.
Learn more about BOK Financial's online security or call 844-517-3308 to report suspicious activity on BOK Financial-related accounts. The Cybersecurity and Infrastructure Security Agency also keeps an up-to-date list of current threats.
. © 2025 BOKF, NA.