In today’s digital-first environment, fraudsters are more sophisticated than ever. Before they ever attempt to steal funds, they spend time gathering data—quietly, methodically, and often undetected. Understanding how and where they collect this information is the first step in protecting your organization from fraudulent payments.

Fraud doesn’t begin with a fake invoice or a spoofed email. It begins with data gathering—the process of collecting enough information to convincingly impersonate someone within your organization or one of your trusted vendors.

Let’s explore how this process unfolds—and how you can stop it before it starts.

Step 1: Open-Source Intelligence (OSINT) - The Public Data Mine

Fraudsters don’t need to hack your systems to learn about your organization. They simply look at what’s already out there…

  • Organization websites often list leadership bios, department contacts, and vendor relationships.
  • Social media platforms like LinkedIn reveal job titles, reporting structures, and even employee travel plans that could indicate when certain employees may be under time pressure to complete work.
  • Press releases and news articles can expose new partnerships, acquisitions, or system upgrades—perfect timing for a fraud attempt.
  • Job postings can unintentionally reveal internal systems (e.g., “experience with Oracle NetSuite”), giving attackers insight into your tech stack.

Why it matters: This phase is about building a believable story. The more accurate the details, the more likely an employee will trust a fraudulent request. It’s not just about information; it’s about credibility.

Step 2: Social Engineering - Manipulating Human Behavior

Once enough data is collected, fraudsters move to social engineering—the psychological manipulation of people into performing actions or divulging confidential information. Common tactics include...

  • Phishing - Emails that appear to come from executives or vendors, often with urgent requests.
  • Pretexting - Creating a fake scenario—like a vendor needing to “verify” account details.
  • Vishing - Phone calls pretending to be from IT, a bank, or even law enforcement.

Why it works: People are the weakest link in cybersecurity. Fraudsters exploit trust, fear, and urgency—especially in high-pressure environments like finance or operations.

Real-world example: A fraudster calls pretending to be from your IT department, referencing a recent system upgrade (learned from a press release), and asks an employee to “confirm” their login credentials.

Step 3: Organization or Business Email Compromise (BEC) - The Silent Infiltration

BEC is one of the most financially damaging types of fraud. It often involves:

  • Email spoofing - Making an email look like it’s from a trusted source.
  • Account takeover - Gaining access to a real email account through stolen credentials.
  • Thread hijacking - Inserting themselves into an ongoing email conversation.

Why it’s dangerous: BEC attacks are highly targeted and low-tech, making them hard to detect. They often bypass spam filters and appear completely legitimate.

Real-world example: A CFO receives an email from the “CEO” (actually a spoofed address) requesting an urgent wire transfer to close a deal. The tone, timing, and context all check out—because the attacker did their homework.

Step 4: The Payment Trap - When Data Turns into Dollars

This is the final step—when the fraudster uses all the gathered data to initiate a fraudulent payment. Common scenarios include...

  • Fake vendor invoices sent with updated (fraudulent) banking details.
  • Executive impersonation requesting urgent wire transfers.
  • Vendor email compromise where a real vendor’s email is hacked and used to redirect payments.

Why it’s effective: By this point, the fraudster has built credibility and context. The request feels routine, even expected. That’s what makes it so dangerous.

Real-world example: A long-time vendor emails your AP team with new banking instructions. The email is real—but the account has been compromised. Payments are rerouted to a fraudster’s account.

How to Protect Your Organization

Fraud prevention isn’t just about technology—it’s about people, processes, and vigilance. Here’s how to build a layered defense:

  • Audit your digital footprint.
  • Be cautious with press releases.
  • Train employees on LinkedIn hygiene.

Tip: Fraudsters use small details to build big lies. The less they know, the harder it is to impersonate you.

  • Conduct regular training and simulations.
  • Create a culture of healthy skepticism.
  • Encourage easy reporting of suspicious activity.

Tip: Make it easy for employees to report suspicious activity supported by procedures to investigate.

  • Always verify payment changes via a second channel.
  • Require dual approval for high-value transactions.
  • Document and enforce payment procedures.

Tip: Fraudsters thrive on urgency. Slow down and verify.

  • Use multi-factor authentication (MFA).
  • Limit access to sensitive systems.
  • Monitor for unusual login activity.

Tip: MFA is one of the simplest and most effective defenses against account takeover.

  • Vet vendors thoroughly.
  • Use secure communication channels.
  • Review vendor payment instructions regularly.

Tip: Vendor fraud is often the result of a compromised third party—not your own systems.

  • Use fraud detection tools and alerts.
  • Set up transaction thresholds and flags.
  • Have a clear incident response plan.

Tip: Speed matters. The faster you detect fraud, the better your chances of recovery.
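The payment-verification controls above (second-channel confirmation of changed bank details, dual approval above a threshold) and the transaction flags in the monitoring section can be expressed as one release check. This is an added illustration, not code from the article or from M&T; the vendor records, threshold, and account numbers are constructed sample values.

```python
"""Payment-release control: hold any payment whose bank details differ from
the vendor master unless AP confirmed the change by calling the number on
file (not a number taken from the email), and require two distinct approvers
at or above a threshold. Sample values are constructed for this example."""
from dataclasses import dataclass

@dataclass
class VendorRecord:
    name: str
    account: str            # bank account on file from onboarding
    routing: str
    contact_on_file: str    # phone number captured at contract time

@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    account: str            # bank details as supplied with this invoice
    routing: str
    callback_verified: bool = False   # AP called contact_on_file and confirmed
    approvers: tuple = ()             # user ids who approved the release

DUAL_APPROVAL_THRESHOLD = 10_000.00   # constructed policy value

def evaluate(req: PaymentRequest, vendors: dict) -> tuple:
    """Return ('release' | 'hold', [reasons]) for a single payment request."""
    reasons = []
    rec = vendors.get(req.vendor)
    if rec is None:
        return "hold", ["unknown vendor: vet and onboard before paying"]
    details_changed = (req.account, req.routing) != (rec.account, rec.routing)
    if details_changed and not req.callback_verified:
        reasons.append("bank details differ from vendor master; "
                       "confirm via second channel before release")
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        reasons.append("amount at or above threshold; dual approval required")
    return ("hold" if reasons else "release"), reasons

# Constructed vendor master with placeholder account and routing values.
VENDORS = {"Acme Supply": VendorRecord("Acme Supply", "ACCT-0001",
                                       "ROUTING-A", "+1-555-0100")}

if __name__ == "__main__":
    # A "new banking instructions" email with no callback is held.
    print(evaluate(PaymentRequest("Acme Supply", 4_200.0, "ACCT-9999",
                                  "ROUTING-A"), VENDORS))
```

A real AP system would also record who performed the callback and when, so the hold and its resolution are auditable.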

  • Leverage your relationship manager.
  • Use banking tools like Positive Pay and ACH filters.
  • Schedule regular account reviews to make sure you have the right tools protecting your accounts.
  • Stay informed through alerts and webinars.

Tip: Your bank is a partner in fraud prevention—lean on their expertise.

Quick-Reference Checklist: Fraud Prevention Essentials

  • Digital Exposure - Limit public info on websites, social media, and job postings
  • Employee Training - Conduct phishing simulations and social engineering workshops
  • Payment Verification - Always confirm changes via a second channel
  • Email Security - Enable MFA and monitor for anomalies
  • Vendor Management - Vet vendors and confirm payment instructions regularly
  • Real-Time Monitoring - Use alerts, thresholds, and fraud detection tools
  • Bank Partnership - Engage your M&T team for fraud reviews, insights, tools, and support

Fraudsters are patient and strategic

They don’t need to break down your digital walls—they just need to convince someone to open the door.

By understanding how they gather data and where your vulnerabilities lie, you can build a stronger defense and keep your organization secure.


Let's have a conversation

If your organization is looking to strengthen its approach to payment fraud risk, our team can help you evaluate options and identify practical steps that support your internal controls.

We can provide perspective on:

  • Approaches to employee awareness and education around social engineering and payment‑change requests
  • Common verification practices used to support secure payment processes
  • General considerations for reviewing vendor contact and payment‑instruction procedures
  • Treasury and banking tools that can complement, but not replace, your organization’s fraud‑prevention efforts

We can discuss:

  • How organizations assess their fraud‑risk posture
  • Training and awareness strategies aligned to high‑risk fraud scenarios
  • Approaches to strengthening payment‑verification procedures
  • Tools that may help support monitoring and protection of business accounts

We're here to serve as a resource

An M&T representative can share insights and help you explore options that support your organization’s established risk‑management program.

Connect with your Relationship Manager today or visit Fraud Protection & Risk Management | M&T Bank to learn more.

This content is for informational purposes only. It is not designed or intended to provide financial, tax, legal, investment, accounting, or other professional advice since such advice always requires consideration of individual circumstances. Please consult with the professionals of your choice to discuss your situation.
All M&T Treasury Management services are subject to M&T’s standard Treasury Management Services Agreement and Treasury Management Services Product Terms and Conditions for that service. Please contact an M&T Bank representative for details.