Your customer wires the full invoice amount on time. Your books show an open balance. Both statements are true — because the funds never arrived. A fraudster intercepted the payment instructions, swapped the bank details, and collected the money instead. By the time anyone notices, the window for recovery has closed.
Payment diversion fraud has quietly become one of the most operationally damaging threats facing B2B finance teams. Credit and AR departments, long focused on evaluating customer financial health, are now functioning as the last line of defense against sophisticated impersonation schemes. The risk has shifted: it is no longer just about whether a customer can pay, but whether payment reaches the right destination.
Business Email Compromise (BEC) and phishing attacks have evolved beyond generic spam. They now target the specific workflows of AR teams — wire instruction updates, banking detail changes, and invoice delivery — because these are the processes that move money.
Fraudulent credit applications — where a bad actor fabricates a business identity to obtain goods — are a recognized problem with established controls. Payment rerouting operates differently. The customer is real. The invoice is real. The intent to pay is genuine. Only the destination account is fraudulent.
This is what makes the attack so effective: it bypasses the credit risk controls entirely. Internal fraud screens look for bad customers. They are not designed to catch a legitimate customer wiring funds to a spoofed account. By the time the discrepancy surfaces — usually when a collector follows up on an open invoice — the wire has settled and the funds are gone.
These attempts are not isolated events. Phishing attacks against finance departments have become a persistent operational reality, requiring daily attention rather than periodic awareness campaigns.
Understanding why attackers focus on credit and AR functions makes the defenses more intuitive.
The urgency bias. AR professionals are trained to resolve payment friction quickly. DSO (days sales outstanding) is a visible metric, and clearing a payment barrier is treated as productive work. When someone contacts the team claiming to have trouble completing a wire, the instinct is to help immediately. Fraudsters study this dynamic and frame their requests to create urgency — a payment deadline, a banking system change, a portal issue. The "helper" mindset, which serves customers well under normal conditions, becomes a vulnerability under social engineering.
Email as the primary channel. Despite the availability of secure portals, the vast majority of B2B invoice communication still moves through email. Email is inherently easy to spoof, and once a fraudster mimics a domain or compromises a single inbox, they can insert themselves into an existing thread. The visual credibility of a legitimate-looking email chain is enough to bypass skepticism during a busy workday.
Manual validation workflows. When a request arrives to update banking information, many organizations still process the change manually and validate it by replying to the same email thread that originated the request. This is a circular check. It confirms that the person who sent the suspicious email is still answering — not that the request is legitimate.
Disconnected internal systems. The team handling cash application often operates separately from the team managing credit master data. A suspicious domain flagged during new customer onboarding may never reach the collector who is about to send invoice copies to a spoofed address. When systems do not communicate, warning signals stay siloed.
Closing these gaps requires a combination of process controls, channel management, and data discipline. The shift in mindset is from "trust but verify" to "verify before acting."
The most effective single control against payment diversion is the out-of-band (OOB) verification protocol. The logic is simple: never confirm a banking change through the same channel that delivered the request.
When a request arrives to update wire instructions or banking details, the receiving team should pause, locate the customer's contact information from the ERP or system of record — not from the email signature — and call a known contact directly to confirm the change verbally before updating any master data. This one step breaks the digital chain that makes BEC attacks successful. The fraudster controls the email thread; they cannot control a phone call to a number already on file.
This process should be documented as a mandatory policy, not a discretionary best practice. Teams should have clear authority to pause any banking update until verbal confirmation is obtained, regardless of how urgent the requester claims the situation is.
Moving sensitive conversations out of individual inboxes and into authenticated environments reduces the attack surface. When customers retrieve invoices and submit payments through a secure portal, they are interacting with a verified system rather than responding to an email that could be intercepted or spoofed. System-generated notifications — when they are necessary — should originate from a platform with proper authentication controls and direct users back to a secure login rather than prompting action from within the email itself.
Modern credit management includes evaluating digital signals that fall outside the traditional credit report. When onboarding a new customer or reviewing an existing relationship, the email domain and web presence deserve scrutiny.
A common fraud tactic involves registering a domain that closely resembles a legitimate company's — for example, company-payments.com instead of company.com. Checking domain registration age through standard WHOIS tools can surface this: an established business seeking significant credit terms is unlikely to have a domain registered within the past few weeks. Similarly, credit applications submitted from generic email providers (Gmail, Yahoo) for large B2B transactions should trigger a manual review before any terms are extended.
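The three checks in the paragraph above (lookalike domain, young registration, free-mail provider) can be run as one screening step when a credit application arrives. The following is an added example, not Bectran's code and not how Company Radar works: it takes the applicant's email address, the domains already on file for the customer, and a WHOIS creation date, and returns the review flags a credit analyst should see. The creation dates, the free-mail list, the 90-day threshold, and the edit-distance rule for "closely resembles" are constructed assumptions; in production the creation date would come from a WHOIS or RDAP lookup and the known domains from the ERP.

```python
"""Screening checks for the email domain on a B2B credit application.

Added example (not Bectran's code). All inputs are constructed so the
block runs offline: known customer domains, a small free-mail list, and a
dict of WHOIS creation dates standing in for a live lookup.
"""
from datetime import date

# Assumptions for the example: a short free-mail list and a 90-day age threshold.
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
MIN_DOMAIN_AGE_DAYS = 90


def email_domain(address: str) -> str:
    """Normalise the domain part of an address: lower-case, no trailing dot."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate: str, known: str) -> bool:
    """True when the candidate's left-most label embeds the known brand label
    (company-payments.com) or is within a small edit distance of it (cornpany.com)."""
    brand, cand = known.split(".")[0], candidate.split(".")[0]
    if brand in cand:
        return True
    limit = 2 if len(brand) >= 6 else 1   # assumption: shorter brands get a tighter limit
    return levenshtein(brand, cand) <= limit


def screen_application(applicant_email: str, known_domains: list[str],
                       domain_created: dict[str, date], today: date) -> list[str]:
    """Return review flags for the application; an empty list means no domain concern."""
    domain = email_domain(applicant_email)
    # An exact match or a subdomain of a domain already on file needs no further checks.
    if any(domain == k or domain.endswith("." + k) for k in known_domains):
        return []
    if domain in FREE_MAIL_PROVIDERS:
        # Provider age is meaningless here, so stop after this flag.
        return ["free-mail provider used for a B2B credit application"]
    flags = [f"lookalike of {k}" for k in known_domains if looks_like(domain, k)]
    created = domain_created.get(domain)
    if created is None:
        # Privacy-protected WHOIS or a failed lookup: still worth an analyst's eyes.
        flags.append("registration date unavailable")
    else:
        age_days = (today - created).days
        if age_days < MIN_DOMAIN_AGE_DAYS:
            flags.append(f"domain registered {age_days} days ago")
    return flags


# Constructed sample data: one customer on file and three applications to screen.
KNOWN = ["company.com"]
CREATED = {"company-payments.com": date(2024, 5, 1), "cornpany.com": date(2019, 1, 1)}
TODAY = date(2024, 5, 20)

if __name__ == "__main__":
    for addr in ("ap@company-payments.com", "ap@cornpany.com",
                 "ap@billing.company.com", "ap@gmail.com"):
        print(addr, "->", screen_application(addr, KNOWN, CREATED, TODAY))
```

Two caveats for anyone adapting this: WHOIS creation dates are often hidden behind privacy services or missing for some registries, which is why an unavailable date is flagged rather than ignored, and the edit-distance rule will not catch every lookalike (homoglyphs in internationalised domain names need a separate normalisation step). The output is a list of reasons for review, not a verdict, so the analyst sees why an application was held.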
Company Radar can accelerate this verification step, scanning for bankruptcies, legal issues, financial red flags, and domain anomalies across multiple real-time sources — providing a more current picture than bureau data alone and flagging the types of signals that precede fraud.
Implementing these controls is not just about preventing a single fraudulent wire. The implications extend across the finance function.
Revenue protection. Traditional credit risk focuses on bad debt. Payment diversion is a different category: revenue that was earned, invoiced, and collected — but never received. Every dollar lost to payment rerouting must be regenerated at full sales cost. Preventing diversion protects revenue that credit controls alone cannot recover.
Customer trust. When a fraudster impersonates your company's billing department, your customer experiences the fraud firsthand — and the association with the incident attaches to your organization regardless of where the control failure originated. A documented security posture signals to customers that you are a trustworthy partner.
Operational capacity. Recovering from a fraud event consumes disproportionate internal resources: legal review, bank investigations, insurance documentation, and extended dispute conversations with affected customers. Prevention preserves the team's capacity for core work rather than damage control.
As AR functions modernize, the credit review process should incorporate a security review alongside the financial one. These are the starting points:
By treating fraud prevention as a core component of the credit strategy — not an IT escalation — AR teams can close the gaps that payment diversion attacks rely on.
Seeing open balances on invoices your customers insist they paid? Banking update requests arriving through email with no way to confirm authenticity? Bectran's fraud prevention platform includes automated email domain verification that flags mismatches between credit application domains and known customer records, ship-to address change alerts that trigger review workflows before updates are committed to master data, bank account matching against historical patterns, document validation with AI to surface altered or fabricated supporting materials, and Company Radar integration for real-time monitoring of legal filings, financial distress signals, and domain anomalies — giving AR teams the controls to catch diversion attempts before funds leave the customer's account. See how fraud detection works.