During the pandemic, businesses moved to digital payments almost overnight.
ACH transfers, remote approvals, and online payment workflows became the default.
As a result, payment operations became faster and more efficient.
However, security controls often lagged behind.
Many finance teams simply didn’t have the time to:
-
Lock down remote networks
-
Redesign payment approval workflows
-
Secure sensitive supplier banking data
Now that the rush has slowed, it’s clear the next step is obvious: tighten security before fraud tightens its grip.
Why ACH and Digital Payment Fraud Increased So Quickly
ACH fraud was already rising before 2020.
But once payments went fully digital, the problem accelerated.
According to fraud examiners, cyber fraud increased sharply during this period.
That includes:
-
ACH fraud
-
Business email compromise (BEC)
-
Vendor email compromise (VEC)
In simple terms, criminals followed the money — and the weakest controls.
Vendor Email Compromise: The Most Common Payment Threat
One of the most effective fraud tactics today is vendor email compromise.
Here’s how it usually works:
-
A fraudster gains access to a supplier’s email system
-
They monitor invoice timing and payment patterns
-
Just before a large payment, they request a “bank account update”
-
Funds are redirected to a fraudulent account
-
The account is closed after the money arrives
Because these emails look legitimate, they often bypass basic checks.
Unfortunately, this type of fraud is far more common than most teams expect.
Where Payment Security Often Breaks Down
Even vigilant finance teams can be exposed if processes are weak.
1. Sensitive Data Shared by Email
Bank account details are still frequently sent by email.
This is convenient — but unsafe.
Email remains one of the easiest channels for attackers to intercept.
2. Inconsistent Validation Processes
Some teams validate supplier data carefully.
Others rush when payments feel urgent.
That inconsistency creates opportunity for fraud.
3. Poor Storage of Payment Information
Supplier banking data is often stored in:
-
Spreadsheets
-
Shared drives
-
Unsecured folders
Once exposed, the damage is hard to undo.
How to Reduce Risk in Modern Payment Operations
The goal isn’t to slow payments down — it’s to make them safer.
Here are practical steps businesses can take.
Use Secure Data Collection Methods
-
Avoid email for banking information
-
Use secure portals or encrypted channels
-
Train teams to reject “urgent exception” requests
Validate Before You Pay
Before updating any payment details:
-
Confirm changes through a second channel
-
Cross-check existing supplier records
-
Apply consistent approval workflows
Limit Access and Monitor Activity
Payment systems should:
-
Restrict access by role
-
Log all changes
-
Be reviewed regularly
Security improves when fewer people touch sensitive data.
Why Many Businesses Are Moving Away from ACH for Certain Payments
ACH works — but it exposes raw bank account data.
That’s why many businesses now prefer:
-
Card-based payments
-
Tokenized payment methods
-
Virtual cards with spending controls
Unlike ACH, virtual cards:
-
Don’t expose real bank details
-
Can be limited, paused, or canceled instantly
-
Reduce the blast radius if compromised
How Virtual Cards Improve Payment Security
Virtual cards offer a different security model.
Instead of sharing bank account information:
-
Each payment uses a unique card
-
Limits are set in advance
-
Cards can be frozen immediately
This makes them especially effective for:
-
SaaS subscriptions
-
Vendor payments
-
Cross-border transactions
Final Thoughts
The rapid shift to digital payments brought speed and convenience.
But it also revealed new security gaps.
ACH fraud, vendor email compromise, and payment data exposure are not edge cases anymore — they’re everyday risks.
Now is the time to:
-
Revisit payment workflows
-
Reduce reliance on exposed bank data
-
Adopt safer, more controllable payment methods
Virtual cards and platforms like Buvei don’t just modernize payments — they reduce risk by design.
In today’s environment, that’s no longer optional.
