Author: John Grose, Senior Vice President, Commercial Banking
Business owners often assume their commercial accounts have the same fraud protections as personal accounts. They don't. Here's what every business should know about today's most common fraud schemes and how to reduce risk.
It starts with an email, or a phone call, from someone who sounds exactly like a person you trust.
In the first scenario, the message appears to come from your CFO or a long-time vendor changing their banking information. The tone is familiar. The urgency feels real. An employee sends the wire. By the time anyone questions it, the funds have already left your account, moved through a domestic mule account and been converted to cryptocurrency. The sequence takes less time than your afternoon staff meeting.
In the second scenario, the phone rings. The caller identifies themselves as a representative from your bank's fraud department. They tell you suspicious activity has been detected on your account, and they need to verify your identity to protect you. They’ve already stolen your account number. They sound professional, knowledgeable and concerned. They walk you through "confirming" your online banking credentials. Moments later, a text arrives from your bank's real multi-factor authentication system, triggered because someone just used your credentials to log in. The caller tells you to read them that code so they can "complete the security process." You do. The fraudster is now inside your account.
Commercial Fraud Is No Longer a Rare Event
These are not edge cases. They are the two dominant attack vectors targeting commercial bank accounts today, and they are succeeding at an alarming rate because the people executing them are skilled, patient and specifically trained to sound exactly like someone you would trust.
The FBI's Internet Crime Complaint Center recorded $16.6 billion in losses from cybercrime in 2024, a 33% increase over the prior year. Business Email Compromise alone generated $2.77 billion in losses across 21,442 reported incidents — second only to investment fraud among all cybercrime categories. Since the FBI began tracking it in 2015, Business Email Compromise has produced more than $17 billion in cumulative losses, a growth rate exceeding 1,000%.
Account takeover — where criminals obtain your credentials through deception and log directly into your banking platform — has become the fastest-growing fraud category in commercial banking. It succeeds not through technical exploits but through human ones: a convincing caller, a spoofed phone number that matches your bank's published line, a sense of urgency that overrides normal skepticism. Once inside your account, a fraudster with your credentials can initiate wires, add payees, modify ACH templates and drain balances — all while appearing, to every system, to be you.
Why Small and Mid-Sized Businesses Are Prime Targets
These threats are not aimed primarily at large corporations. The family-owned manufacturer, the regional construction firm, the professional services company with two or three people handling all financial operations — these are the preferred targets, specifically because they move real money and typically lack the layered controls of larger organizations.
Why Recovering Stolen Funds Is So Difficult
Once fraudulent funds leave your account, the clock becomes your adversary.
Criminals do not let transferred funds sit. They move immediately — from your account to a domestic mule account, then to one or more secondary accounts, then converted to cryptocurrency or routed to international correspondent banks in jurisdictions including Hong Kong, the United Kingdom, China, Mexico and the UAE. The FBI documents this sequence in its own reporting and has built an entire operational unit around interrupting it. In 2024, the FBI's Recovery Asset Team froze $561 million in fraudulently obtained funds using its Financial Fraud Kill Chain process, achieving a 66% success rate. That also means a 34% failure rate on cases reported quickly enough to trigger federal intervention at all.
FinCEN, the Treasury Department's Financial Crimes Enforcement Network, states directly that its Rapid Response Program achieves greater success in recovering funds when victims report within 72 hours of the transaction. After that window, the probability of recovery falls sharply. After funds clear a cryptocurrency exchange or reach a non-cooperative foreign jurisdiction, recovery becomes a multi-year legal process with outcomes that are rarely favorable.
The Legal Difference Between Personal and Business Accounts
Here is what makes this especially consequential for business owners: the legal framework governing your commercial account does not give you time to discover the problem gradually.
If fraud hits your personal bank account, federal law protects you. The Electronic Funds Transfer Act caps your liability at $50 on unauthorized transactions, and you have 60 days from your statement date to identify and report the problem. The burden falls on the financial institution.
Your business account is governed by an entirely different legal framework.
Commercial wire transfers fall under UCC Article 4A, a body of commercial law built on the assumption that businesses have — or should have — the internal controls to protect themselves. If your bank has commercially reasonable security procedures in place and acted in good faith, the loss from an unauthorized transfer may fall on your business, not your bank.
For ACH transactions, commercial accounts have until the end of the next business day after a transaction posts to dispute an unauthorized debit. Not 60 days. If your team reconciles accounts weekly and fraud posted on Wednesday, you may already be outside the recovery window before anyone in your building knows a crime occurred.
Most business owners carry the assumption that their commercial account works like their personal account. It is expensive to discover that assumption is wrong.
Six Steps Businesses Can Take Today to Reduce Fraud Risk and Improve Business Banking Security
There are a few critical ways to reduce your risk of becoming a victim of these schemes. Every control below can be implemented immediately — with little burden, time or complexity.
- Review Accounts Daily.
The ACH fraud reporting window begins at settlement, not when you open your statement. Log in daily. Set transaction alerts for all outbound activity above a threshold you define. Fraud caught the morning after it happens is recoverable. Fraud caught five days later almost certainly is not.
- Separate Payment Creation and Approval.
No single employee should be able to both initiate and approve a wire or ACH batch. Dual controls — two people, two credentials, two approvals — create a mandatory checkpoint before funds move. This is the highest-leverage change most smaller businesses can make, and it costs nothing.
- Use Positive Pay and ACH Positive Pay.
Positive Pay matches every check presented for payment against your issued check register before funds leave. ACH Positive Pay lets you designate which companies are authorized to debit your account and blocks everything else. These tools exist precisely because commercial customers bear primary monitoring responsibility under the law.
- Verify Payment Requests Through a Known Contact.
Any payment request involving a new payee, changed banking instructions or urgency requires a verbal confirmation — to a number already in your files, never one provided in the triggering email or call. This closes the door on Business Email Compromise entirely, and it applies equally to phone-based social engineering. Your bank will never call you and ask you to read back a multi-factor authentication code. If someone does, hang up.
- Review Your Cyber Insurance Coverage.
Most commercial policies cover system breaches but exclude losses from fraudulent payment instructions — the precise mechanism behind both BEC and account takeover losses. Confirm your coverage before you need it.
- Review Banking Platform Access and User Permissions.
Audit banking platform access this week and, at minimum, annually. Remove former employees immediately. Require multi-factor authentication on every login. Limit payment initiation authority to the fewest people necessary.
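To make the matching that Positive Pay and ACH Positive Pay perform concrete, here is an added illustration in Python. It is example code written for this article, not FNBO's or any bank's implementation; the check numbers, amounts, payees and ACH company IDs are constructed, and the "duplicate presentment" check is an assumption beyond what the article describes.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IssuedCheck:
    number: int
    amount_cents: int   # stored in cents to avoid floating-point comparison
    payee: str


@dataclass
class PositivePayRegister:
    """Issued-check register plus the ACH originators allowed to debit the account."""
    issued: dict = field(default_factory=dict)      # check number -> IssuedCheck
    paid: set = field(default_factory=set)          # check numbers already honored
    ach_allowed: set = field(default_factory=set)   # authorized ACH company IDs

    def issue(self, check: IssuedCheck) -> None:
        self.issued[check.number] = check

    def review_check(self, number: int, amount_cents: int, payee: str) -> str:
        """Positive Pay: return 'pay' or the exception reason for a presented check."""
        issued = self.issued.get(number)
        if issued is None:
            return "exception: check number not in issued register"
        if number in self.paid:   # assumed extra rule: one honor per check number
            return "exception: duplicate presentment"
        if issued.amount_cents != amount_cents:
            return "exception: amount mismatch"
        if issued.payee.casefold() != payee.casefold():
            return "exception: payee mismatch"
        self.paid.add(number)
        return "pay"

    def review_ach_debit(self, company_id: str, amount_cents: int) -> str:
        """ACH Positive Pay: only designated originators may debit; everything else is blocked."""
        if company_id not in self.ach_allowed:
            return "exception: unauthorized ACH originator"
        return "pay"


def run_sample() -> list:
    """Constructed scenario: two issued checks, one authorized ACH originator."""
    reg = PositivePayRegister(ach_allowed={"1234567890"})   # constructed payroll vendor ID
    reg.issue(IssuedCheck(1041, 250_000, "Acme Steel Supply"))
    reg.issue(IssuedCheck(1042, 87_500, "Midwest Tool Co"))
    return [
        reg.review_check(1041, 250_000, "ACME STEEL SUPPLY"),   # matches register: pay
        reg.review_check(1041, 250_000, "Acme Steel Supply"),   # same check again
        reg.review_check(1042, 875_000, "Midwest Tool Co"),     # altered amount
        reg.review_check(1099, 500_000, "Cash"),                # never issued
        reg.review_ach_debit("1234567890", 120_000),            # designated originator
        reg.review_ach_debit("9999999999", 120_000),            # unknown originator
    ]
```

Every "exception" result is an item the business must review before the bank pays it, which is the daily decision these services put in front of the account holder.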
It’s important to understand that while MFA provides a layer of protection, it is not foolproof. Criminals increasingly use social engineering tactics to convince victims to share authentication codes or approve login attempts.
A commercial banker and/or commercial payment advisor can help businesses evaluate payment controls, implement fraud-prevention tools such as Positive Pay, establish dual-approval workflows and identify vulnerabilities before criminals do.
The Bottom Line
Prevention is the only reliable strategy in commercial fraud. There is no response protocol that consistently returns funds after they have moved. The FBI's recovery efforts are real and worth pursuing — any business that discovers fraud should call their banker and report to IC3.gov without delay — but even the FBI's own data shows that the 72-hour window closes fast and recovery is never guaranteed.
You will be targeted. The only question is whether your controls are in place when it happens.
Talk to your commercial banker. Audit your payment approval process. Confirm that Positive Pay and ACH controls are active on your accounts. Train your team on what a real bank call does and does not sound like. Build these habits now, before a convincing voice on the other end of the phone tests whether they exist.
The clock starts the moment the money leaves. The goal is to make sure it never gets that far.
Ready to take the next step? Connect with an FNBO commercial banker to review your fraud controls and explore practical ways to help protect your business from payment fraud.
Frequently Asked Questions About Business Fraud
What is Business Email Compromise?
Business Email Compromise occurs when criminals impersonate a trusted executive, employee or vendor to convince someone to send money or change payment information. It is one of the most costly forms of cybercrime affecting businesses today.
What is account takeover fraud?
Account takeover fraud happens when a criminal obtains legitimate online banking credentials and gains access to a business's banking platform. Once inside, they may be able to initiate payments, add payees or change account settings.
Do business accounts have the same fraud protections as personal accounts?
No. Commercial accounts are governed by different rules than consumer accounts. Businesses are generally expected to maintain internal controls and monitor account activity closely.
How quickly should a business report suspected fraud?
Immediately. The chances of recovering stolen funds decrease significantly as time passes. Businesses should contact their bank as soon as suspicious activity is discovered.
What is Positive Pay?
Positive Pay is a fraud prevention service that compares checks presented for payment against a list of checks issued by the business. If a check does not match, it can be flagged for review before payment is made.
What is ACH Positive Pay?
ACH Positive Pay allows businesses to define which companies are authorized to debit their account and identify unauthorized ACH transactions before they are processed.
Is there a single control that eliminates fraud risk?
No single control eliminates risk, but daily account monitoring, dual approval processes, payment verification procedures, multi-factor authentication and fraud prevention tools such as Positive Pay can significantly reduce exposure.
About the Author
John Grose leads FNBO's operations in the Omaha, Lincoln, Beatrice and Fremont markets. In addition to his regional leadership role, John serves on the Business Segment leadership team with responsibilities for driving the strategic direction of the bank's digital experience and contributing to ongoing enterprise strategic initiatives focused on process transformation.
Sources: FBI Internet Crime Complaint Center 2024 Annual Report (ic3.gov) | FBI IC3 Public Service Announcement: Business Email Compromise — The $55 Billion Scam | Financial Crimes Enforcement Network Rapid Response Program (fincen.gov) | NACHA Operating Rules and Guidelines | Uniform Commercial Code Article 4A | Electronic Funds Transfer Act / Regulation E