Cyber season: A CFO’s 10-step payment and data-security check before holiday phishing peaks
The end of the fiscal year should be about closing the books, not chasing fraud losses. For many finance teams, however, December also brings a spike in payment fraud attempts. Criminals know that year-end means higher transaction volumes, vacation coverage gaps, and tight deadlines amid the holidays, a combination that invites mistakes and rushed approvals.
Luckily, protecting your organization doesn’t require expensive new technology. Simple, nontechnical process controls, applied consistently, can dramatically reduce your risk. Gateway Commercial Finance, an invoice factoring company, gathered data from leading sources, including the FBI, Truist, the Consumer Compliance Outlook report, and more, to highlight practical defenses finance teams can deploy right now to reduce exposure without slowing down payments.
Understanding the year-end threat landscape
Year-end is the prime time for fraud, with staff stretched thin and transaction volumes up. To put the danger in perspective, it’s worth referring to the FBI’s 2024 Internet Crime Report, which analyzed aggregate cyberthreats and trends during the year. One case of business email compromise last year caused over $3 billion in reported losses, demonstrating why the FBI and the Cybersecurity and Infrastructure Security Agency consistently warn about the surge in holiday season payment fraud attempts.
The 2025 AFP Payments Fraud and Control Survey Report, underwritten by Truist and analyzing 521 survey responses from treasury practitioners and prospects, pointed to startling data: 65% of organizations reported attempted or actual payment fraud. Business email compromise remained the leading tactic. As fraudsters become more patient, the most common year-end fraud vectors seen include:
- Vendor impersonation: Fake invoices that mimic real suppliers.
- Bank reroute scams: Requests to change deposit details right before a payment run.
- ACH diversion: Hackers intercepting or altering routing numbers.
- CEO fraud: Impersonating executives to rush approvals while staff are out.
While finance teams can’t be expected to control attacker behavior, they can build strong, people-centered defenses. Keep reading for seven controls to consider implementing within your organization to protect against cyberattacks.
Control #1: Implement dual approval for banking detail changes
Changing vendor details is one of the riskiest transactions a finance team performs, and one that attackers frequently try to manipulate. Dual approval, which requires two separate individuals to review and confirm any change before it’s made, is one of the simplest and most effective defenses. A dual-approval model has two parts:
- The first reviewer validates the request against known vendor data or documentation.
- The second reviewer independently confirms the legitimacy of the request, ideally through a separate communication channel.
This process adds little friction to day-to-day work but dramatically reduces the odds that a single compromised inbox or inattentive clerk leads to fraud. Consider enforcing a rule that no payment account change can be made or approved by the same person who received the request. Even in lean teams, a quick peer review or manager sign-off can stop an impersonation scam before it hits too close to home.
Control #2: Establish call-back verification protocols
Email is a fraudster’s best friend: once an attacker compromises a mailbox, fake requests can look indistinguishable from legitimate ones. That is why call-back verification remains the gold standard for fraud prevention across industries. In a call-back verification, someone in accounts payable or procurement calls a known contact at the vendor using a verified phone number from the vendor master, never the number in the email. To make this practice stick, consider the following tips:
- Use a standard script for call-backs so staff know exactly what to ask.
- Maintain an up-to-date vendor contact directory with verified phone numbers.
- Require call-backs for all requests to change banking or remittance details, regardless of dollar amount or familiarity.
As the cybersecurity and IT advisor company KnowBe4 points out on its blog, modern fraud tactics often mimic legitimate invoice formats, signatures, and even past communication threads. By taking just 30 seconds to place a verification call to someone at the company, you can break the illusion instantly.
Control #3: Deploy positive pay services
For organizations still issuing checks, positive pay remains one of the strongest tools against forged and counterfeit checks. With positive pay, your organization provides the bank with a list of approved checks and their details, including amount, date, payee, and check number. The bank then honors only items that match this list; any discrepancy triggers a review before payment.
Many banks similarly offer Payee Positive Pay, which adds an additional name-match verification tool. For ACH payments, there is also an equivalent known as ACH Positive Pay or a debit block, which filters unauthorized electronic transactions. The second issue of the Consumer Compliance Outlook report issued by the Federal Reserve notes that Positive Pay adoption is one of the clearest differentiators between companies that prevent fraud and those that fall victim to it.
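The matching logic that positive pay and Payee Positive Pay perform at the bank can be modelled in a few lines, which also makes a useful internal pre-check before the issue file is sent. The following is an added example written for this article, not code from Gateway Commercial Finance or any bank; the check numbers, payees and amounts are constructed, and the exception wording is an assumption.

```python
"""Added example (not from the article): a positive-pay style matcher.

The organization's issue file (checks it actually wrote) is compared with the
items the bank presents; anything that does not match exactly becomes an
exception for review. All check data below is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Check:
    number: str
    amount_cents: int   # integer cents avoid floating-point comparison problems
    payee: str
    issued: date


def normalize_payee(name: str) -> str:
    """Case- and whitespace-insensitive payee comparison (Payee Positive Pay)."""
    return " ".join(name.upper().split())


def positive_pay(issue_file: list[Check], presented: list[Check]) -> list[tuple[str, str]]:
    """Return (check number, decision) for each presented item, in presentment order.

    Decisions are 'PAY' or 'EXCEPTION: <reason>'. A check number is paid at most once,
    so a second presentment of an already-paid item is also an exception."""
    issued = {c.number: c for c in issue_file}
    paid: set[str] = set()
    decisions = []
    for item in presented:
        ref = issued.get(item.number)
        if ref is None:
            verdict = "EXCEPTION: check number not on issue file"
        elif item.number in paid:
            verdict = "EXCEPTION: duplicate presentment"
        elif item.amount_cents != ref.amount_cents:
            verdict = (f"EXCEPTION: amount mismatch "
                       f"(issued {ref.amount_cents}, presented {item.amount_cents})")
        elif normalize_payee(item.payee) != normalize_payee(ref.payee):
            verdict = "EXCEPTION: payee mismatch"
        elif item.issued != ref.issued:
            verdict = "EXCEPTION: issue date mismatch"
        else:
            verdict = "PAY"
            paid.add(item.number)
        decisions.append((item.number, verdict))
    return decisions


# Constructed sample data: what was issued versus what the bank saw.
ISSUE_FILE = [
    Check("1001", 125_000, "Acme Supply Co", date(2025, 12, 1)),
    Check("1002", 50_000, "Northwind Traders", date(2025, 12, 2)),
    Check("1003", 98_000, "Blue Harbor Logistics", date(2025, 12, 3)),
]
PRESENTED = [
    Check("1001", 125_000, "ACME SUPPLY CO", date(2025, 12, 1)),            # legitimate
    Check("1002", 500_000, "Northwind Traders", date(2025, 12, 2)),         # amount altered
    Check("1003", 98_000, "Blue Harbor Logistic LLC", date(2025, 12, 3)),   # payee altered
    Check("1004", 7_500, "Cash", date(2025, 12, 4)),                        # never issued
    Check("1001", 125_000, "Acme Supply Co", date(2025, 12, 1)),            # presented twice
]

if __name__ == "__main__":
    for number, verdict in positive_pay(ISSUE_FILE, PRESENTED):
        print(number, verdict)
```

The same structure applies to ACH Positive Pay, where the issue file lists authorized originators and amount limits instead of check numbers; the design point is that the bank's default is "exception" unless the company told it in advance what to expect.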
Control #4: Enforce role-based access controls (RBAC)
Perhaps one of the fastest ways to reduce fraud risk is to limit who can do what within your financial systems. Role-based access control (RBAC) enforces that only specific roles, as opposed to individual users, have the authority to initiate, approve, or release payments. Below are some best practices with RBAC to consider:
- Segregating duties between those who create vendors, approve invoices, and release payments.
- Limiting sensitive functions (like editing bank data) to a small number of authorized staff.
- Requiring dual control for wire transfers and ACH batches, not just vendor updates.
Without clear roles in place, permissions sprawl easily, especially during periods of high staff turnover. Formalizing RBAC helps prevent both malicious insider activity and accidental policy violations during the year-end rush.
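Control #1 (dual approval for banking-detail changes) and Control #4 (segregation of duties under RBAC) are both rules that a payment workflow or a post-hoc audit script can check mechanically. The example below is added for this article and is not code from Gateway Commercial Finance or any ERP vendor; the role names, user names, and the events it evaluates are constructed placeholders, and the policy wording is an assumption.

```python
"""Added example (not from the article): a policy checker that enforces dual approval
on vendor banking-detail changes (Control #1) and segregation of duties across
vendor creation, invoice approval and payment release (Control #4).

Role names, user names and the events below are constructed placeholders."""
from dataclasses import dataclass
from typing import Optional

# Constructed role assignments: which role each (placeholder) user holds.
ROLES = {
    "alice": {"vendor_maintainer"},
    "bob": {"ap_approver"},
    "carol": {"treasury_releaser"},
    "dave": {"vendor_maintainer", "ap_approver"},
}


@dataclass
class BankChangeRequest:
    vendor_id: str
    received_by: str                            # person whose inbox received the request
    first_reviewer: Optional[str] = None        # validates against vendor master data
    second_reviewer: Optional[str] = None       # confirms through a separate channel
    confirmation_channel: Optional[str] = None  # e.g. "callback"; "email" is not separate


def check_bank_change(req: BankChangeRequest) -> list[str]:
    """Return the dual-approval policy violations; an empty list means compliant."""
    problems = []
    reviewers = [req.first_reviewer, req.second_reviewer]
    if not all(reviewers):
        problems.append("two reviewers are required before the change is applied")
    if req.first_reviewer and req.first_reviewer == req.second_reviewer:
        problems.append("first and second reviewer must be different people")
    if req.received_by in reviewers:
        problems.append("the person who received the request may not approve it")
    for user in reviewers:
        if user and "vendor_maintainer" not in ROLES.get(user, set()):
            problems.append(f"{user} does not hold the vendor_maintainer role")
    if req.confirmation_channel in (None, "email"):
        problems.append("second reviewer must confirm through a channel other than email")
    return problems


@dataclass
class PaymentTrail:
    vendor_created_by: str
    invoice_approved_by: str
    payment_released_by: str


def check_segregation(trail: PaymentTrail) -> list[str]:
    """Return segregation-of-duties violations for one payment's audit trail."""
    problems = []
    steps = [
        ("create vendor", trail.vendor_created_by, "vendor_maintainer"),
        ("approve invoice", trail.invoice_approved_by, "ap_approver"),
        ("release payment", trail.payment_released_by, "treasury_releaser"),
    ]
    # No single person may perform more than one of the three steps,
    # and each step must be performed by someone holding the matching role.
    done_by: dict[str, str] = {}
    for step, user, required_role in steps:
        if user in done_by:
            problems.append(f"{user} performed both '{done_by[user]}' and '{step}'")
        done_by[user] = step
        if required_role not in ROLES.get(user, set()):
            problems.append(f"{user} performed '{step}' without the {required_role} role")
    return problems


if __name__ == "__main__":
    # A compliant change and a change where one inbox owner did everything by email.
    print(check_bank_change(BankChangeRequest("V100", "erin", "alice", "dave", "callback")))
    print(check_bank_change(BankChangeRequest("V100", "alice", "alice", "alice", "email")))
    print(check_segregation(PaymentTrail("dave", "dave", "carol")))
```

Running `check_segregation` over a month of payment trails turns the RBAC policy into a detective control: any trail that returns a non-empty list is one where permissions sprawled or a single person chained two steps, which is exactly the pattern a compromised or malicious account produces.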
Control #5: Require multifactor authentication (MFA)
Even the best access policies can fail if attackers compromise user credentials. Multifactor authentication (MFA) is a straightforward and nondisruptive safeguard that adds a second layer of verification beyond passwords. In the FBI IC3 Report, it’s noted that credential theft is a top vector for business email compromise. By implementing MFA across email, ERP, and payment systems, you can stop attackers from using any stolen passwords to approve transactions.
MFA doesn’t need to be complex either. Use app-based authenticators instead of SMS when possible, require MFA for remote logins, and periodically test MFA enforcement to ensure coverage hasn’t eroded over time. These small steps protect against both phishing and internal credential reuse, which tend to spike during year-end deadlines when staff are rushing.
Control #6: Maintain vendor master file hygiene
The vendor master file is the backbone of payment integrity. Over time, however, it accumulates stale, duplicate, or fraudulent records that create openings for fraud. Clean the file before year-end: purge inactive vendors with no payments in the last 18-24 months, consolidate duplicate vendor records, lock or archive records with missing tax or bank information, and revalidate key vendors through official correspondence.
Fraudsters often exploit neglected vendor files to slip in fake accounts that appear under legitimate names. Keeping your master vendor file clean and up to date will help ensure that every payment request starts from a trusted baseline.
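The cleanup rules above (inactivity window, duplicate consolidation, incomplete records) can be run as a report against an export of the vendor master rather than reviewed by hand. The script below is an added example for this article, not code from Gateway Commercial Finance; the vendor records are constructed, the 24-month cutoff is one choice within the 18-24 month range the article gives, and the duplicate heuristics (normalized name, shared bank account) are assumptions.

```python
"""Added example (not from the article): a year-end vendor master review that
flags vendors with no payment in 24 months, groups probable duplicates, and
marks records missing tax or bank data for locking. Records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVITY_MONTHS = 24  # the article gives 18-24 months; set per your policy


@dataclass
class Vendor:
    vendor_id: str
    name: str
    tax_id: Optional[str]
    bank_account: Optional[str]
    last_payment: Optional[date]   # None means the vendor has never been paid


def normalize_name(name: str) -> str:
    """Fold case, punctuation and common suffixes so 'Acme Supply, Inc.' ~ 'ACME SUPPLY INC'."""
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in name.upper())
    return " ".join(t for t in cleaned.split() if t not in {"INC", "LLC", "LTD", "CO", "CORP"})


def months_between(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def review_vendor_master(vendors: list[Vendor], as_of: date) -> dict[str, list]:
    """Return vendor ids to archive ('inactive'), to lock ('incomplete'),
    and groups of ids that look like the same vendor ('duplicates')."""
    findings: dict[str, list] = {"inactive": [], "incomplete": [], "duplicates": []}
    by_name: dict[str, list[str]] = defaultdict(list)
    by_account: dict[str, list[str]] = defaultdict(list)
    for v in vendors:
        # Never-paid records are reviewed too: they may be fakes planted for later use.
        if v.last_payment is None or months_between(v.last_payment, as_of) >= INACTIVITY_MONTHS:
            findings["inactive"].append(v.vendor_id)
        if not v.tax_id or not v.bank_account:
            findings["incomplete"].append(v.vendor_id)
        by_name[normalize_name(v.name)].append(v.vendor_id)
        if v.bank_account:
            by_account[v.bank_account].append(v.vendor_id)
    # Two names sharing one bank account is a classic sign of a planted record.
    groups = {tuple(sorted(g)) for g in (*by_name.values(), *by_account.values()) if len(g) > 1}
    findings["duplicates"] = sorted(groups)
    return findings


# Constructed sample master file.
SAMPLE_VENDORS = [
    Vendor("V1", "Acme Supply Inc", "12-3456789", "ACCT-A", date(2025, 11, 20)),
    Vendor("V2", "ACME SUPPLY, INC.", "12-3456789", "ACCT-B", date(2023, 1, 10)),
    Vendor("V3", "Northwind Traders", None, "ACCT-C", date(2025, 10, 5)),
    Vendor("V4", "Blue Harbor Logistics", "98-7654321", "ACCT-A", date(2025, 12, 2)),
]

if __name__ == "__main__":
    print(review_vendor_master(SAMPLE_VENDORS, date(2025, 12, 31)))
```

The output is a worklist, not an automatic deletion: each group still needs the official-correspondence revalidation the article describes before a record is merged or archived.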
Control #7: Conduct year-end user access reviews
As staff shift roles, take vacations, or leave the company, outdated access permissions inevitably pile up. Conduct a formal year-end user access review to ensure that only current employees with a legitimate business need retain system access. A good review should cover the following:
- Finance systems: Vet ERP, AP automation, treasury portals, and vendor databases.
- Banking platforms: Remove all terminated employees immediately.
- Shared mailboxes and distribution lists: Attackers exploit these to gather payment data, so refresh them and keep them current.
Use HR data to cross-check for recent departures or role changes and, if possible, have IT generate system access reports. You should also require business owners to confirm or revoke each user’s access. Conducting this review isn’t just about compliance. It also reduces insider threats and ensures accountability during one of the busiest payment seasons of the year.
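The HR cross-check the article recommends is a join between two exports: the HR roster and the access reports IT generates. The example below is added for this article and is not code from Gateway Commercial Finance or any HR or ERP system; every row, system name, role name and department is constructed, and the finding categories are assumptions.

```python
"""Added example (not from the article): cross-check an HR roster against system
access reports to produce the findings a business owner must confirm or revoke.
All rows, system names and roles are constructed placeholders."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class HrRecord:
    user: str
    department: str
    status: str                             # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class AccessRow:
    system: str   # e.g. "ERP", "bank_portal", "ap_mailbox"
    user: str
    role: str     # e.g. "release_payments", "edit_vendor_bank", "read"


PRIVILEGED_ROLES = {"release_payments", "edit_vendor_bank", "approve_invoice"}
FINANCE_DEPARTMENTS = {"Finance", "Treasury", "Accounts Payable"}


def _finding(row: AccessRow, text: str, priority: str) -> dict:
    return {"system": row.system, "user": row.user, "role": row.role,
            "finding": text, "priority": priority}


def access_review(hr: list[HrRecord], access: list[AccessRow], as_of: date) -> list[dict]:
    """Return one finding per access row that should not exist as-is."""
    roster = {h.user: h for h in hr}
    findings = []
    for row in access:
        person = roster.get(row.user)
        if person is None:
            findings.append(_finding(row, "account not in HR roster (orphan or shared account)", "review"))
        elif person.status == "terminated":
            days = (as_of - person.termination_date).days if person.termination_date else None
            # Banking platforms get the highest priority: remove immediately.
            priority = "immediate" if row.system == "bank_portal" else "high"
            findings.append(_finding(row, f"terminated user still has access ({days} days after departure)", priority))
        elif row.role in PRIVILEGED_ROLES and person.department not in FINANCE_DEPARTMENTS:
            findings.append(_finding(row, f"privileged role held outside finance ({person.department})", "review"))
    return findings


# Constructed sample exports.
HR_ROSTER = [
    HrRecord("alice", "Finance", "active"),
    HrRecord("bob", "Treasury", "terminated", date(2025, 11, 15)),
    HrRecord("carol", "Marketing", "active"),
]
ACCESS_REPORT = [
    AccessRow("ERP", "alice", "release_payments"),      # legitimate
    AccessRow("bank_portal", "bob", "release_payments"),  # left a month ago, still active
    AccessRow("ERP", "carol", "edit_vendor_bank"),      # role changed, permission did not
    AccessRow("ap_mailbox", "ap-shared", "read"),       # shared account nobody owns
]

if __name__ == "__main__":
    for f in access_review(HR_ROSTER, ACCESS_REPORT, date(2025, 12, 15)):
        print(f)
```

Each finding carries the system, user and role so the owner can sign off on a specific line; the empty-list result is what a clean review looks like, which is why it is worth running the same script again after revocations are applied.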
Additional controls to consider
These seven controls cover the essentials, but four additional measures can further harden your defenses.
- Payment run scheduling: Avoid processing high-value wires on Friday afternoons or during holiday coverage, as fraudsters time attacks when staff are least available.
- Out-of-office delegation policies: Require manager approval for any temporary reassignment of payment authority when someone goes out of office.
- Reconciliation frequency: Shorten reconciliation cycles in December to catch anomalies faster so they can be addressed.
- Email security awareness: Remind staff that requests for “urgent payment changes” should always trigger a manual check, no matter how legitimate they may appear at first glance.
Last year, both the FBI and CISA warned of heightened security risks near the start of December due to the holidays, and the 2025 season will likely be the same. Consider implementing a brief refresher training for your employees or think about sending out a “fraud alert memo” to your accounts payable team just to raise awareness about the issue.
Resources and additional guidance
Your finance team doesn’t need to tackle payment fraud alone. Multiple U.S. agencies and industry groups offer free resources and even incident recovery assistance.
- FBI IC3 complaint filing and recovery: The FBI IC3 Recovery Asset Team can help freeze fraudulent transactions if reported immediately.
- CISA cybersecurity resources: CISA offers guidance on business email compromise, phishing, and ransomware defense that is tailored for businesses of all sizes.
- National Institute of Standards and Technology Cybersecurity Framework guidance: This is a structured model for managing cyber-risk, which can be helpful for long-term planning near year-end.
- PCI Security Standards Council payment security: Payment security guidance is offered here, particularly for card-based transactions.
- Nacha ACH rules and fraud prevention: This resource offers ACH fraud prevention rules and best practices for originators.
- Association for Financial Professionals Payments Fraud resources: AFP shares surveys and implementation guidance for treasury and AP professionals.
- Federal Banking Agencies RFI on payments fraud (September 2025): Here, get insight into regulatory expectations for corporate payments security.
Consider bookmarking these links now so that your team knows exactly where to turn if something goes wrong in your organization.
Stay fast, but alert, with your payments
Payment fraud defense doesn’t have to slow down your business. By implementing the most effective controls (dual approvals, call-backs, RBAC, and vendor hygiene), you can keep payment discipline strong. All of these methods rely on clear communication, simple verification, and a company culture where no one feels pressured to rush a transaction that doesn’t feel right. As you close your books for 2025, take a few extra hours to review and reinforce your controls. A small investment in prevention now can save your organization hundreds of thousands in losses later.
This story was produced by Gateway Commercial Finance and reviewed and distributed by Stacker.