1. Stop treating documents and screenshots as evidence
A screenshot of a wire confirmation? Not enough.
A PDF invoice? Not enough.
A photo of an ID? Not enough.
A Zoom call with the “CEO”? Also not enough.
AI can now fake the artifacts. So businesses need to verify through systems of record, not the document itself.
For example:
| Fraudster provides | Business should verify through |
|---|---|
| Bank screenshot | Bank portal, not the screenshot |
| Vendor invoice | Existing vendor record and contract |
| New payment instructions | Callback to known phone number already on file |
| Employee reimbursement receipt | Merchant validation, card feed, approval workflow |
| ID photo | Liveness check, database verification, multi-factor identity proofing |
The rule is simple: never verify the evidence with the evidence.
2. Require out-of-band verification for money movement
If someone asks to change bank details, approve a wire, issue a refund, rush payroll, or send sensitive data, verify through a separate trusted channel.
That means:
- Call a phone number already saved in your system, not the number in the email.
- Use a secure client portal, not email attachments.
- Require a second approver for payment changes.
- Use a pre-agreed verification phrase for emergency requests.
This is where businesses need to get over the fear of “bothering people.” You know what bothers people more? Sending $87,000 to a fraudster because the fake invoice looked professional.
3. Build a “high-risk request” policy
Every business should define what counts as high-risk. For most companies, that includes:
- Changing vendor banking information.
- Sending wires or ACH payments.
- Issuing refunds.
- Sharing W-9s, payroll data, tax IDs, trust account details, or client information.
- Approving new vendors.
- Changing employee direct deposit.
- Rushing payments outside the normal process.
Once a request is high-risk, it should trigger extra controls automatically. Not because the employee “feels suspicious,” but because the process says so.
That matters because fraudsters use urgency, authority, and confusion. Good controls remove the drama.
4. Use payment controls that do not care how convincing the fake is
Businesses should add banking controls like:
- Positive Pay for checks.
- ACH debit blocks or filters.
- Dual approval on wires and ACH.
- Daily transaction limits.
- Vendor payment approval workflows.
- Bank account validation tools.
- Alerts for new payees, changed payees, and unusual payment amounts.
For law firms, this is even more important because trust accounts are high-value targets. A fake wire instruction tied to a client matter can become an ethics problem, a banking problem, and a client relationship problem all at once.
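The last control on that list is the one a finance team can run itself before a batch goes out. The following is an added example, not code from the article: it checks each pending payment against the vendor file (the system of record) and the payee's own payment history, and raises the three alerts the list names. The vendor records, payment history and pending batch are constructed sample data, and the field names and thresholds are assumptions; a real bank or AP platform exposes the same facts under its own names.

```python
"""
Added example (not part of the original article): alert logic for new payees,
changed payee bank details and unusual amounts, run over a constructed batch
of pending payments before approval.
"""
from statistics import mean, pstdev

# Constructed vendor master file: what the system of record knows today.
VENDOR_FILE = {
    "Acme Supplies": {"account": "1234567890", "routing": "021000021"},
    "Northwind Legal Services": {"account": "9988776655", "routing": "121000248"},
}

# Constructed payment history per payee (amounts previously approved and paid).
HISTORY = {
    "Acme Supplies": [1200.00, 1350.00, 1180.00, 1400.00, 1250.00],
    "Northwind Legal Services": [8000.00, 8250.00, 7900.00],
}

# Constructed outgoing batch awaiting approval. P-2 carries a changed account,
# P-3 is a payee the vendor file has never seen, P-4 is far above its history.
PENDING = [
    {"id": "P-1", "payee": "Acme Supplies", "account": "1234567890", "routing": "021000021", "amount": 1300.00},
    {"id": "P-2", "payee": "Acme Supplies", "account": "5555555555", "routing": "021000021", "amount": 1300.00},
    {"id": "P-3", "payee": "Globex Consulting", "account": "4242424242", "routing": "026009593", "amount": 9500.00},
    {"id": "P-4", "payee": "Northwind Legal Services", "account": "9988776655", "routing": "121000248", "amount": 87000.00},
]


def amount_is_unusual(amount, history, zscore=3.0, ratio=2.5):
    """Flag an amount far outside the payee's own history.

    No history: nothing to compare against (NEW_PAYEE already covers that case).
    Fewer than three prior payments: a simple ratio test against the largest one.
    Otherwise: a z-score against the payee's mean, plus the ratio test as a floor.
    Thresholds are assumptions for illustration, not a standard.
    """
    if not history:
        return False
    if len(history) < 3:
        return amount > ratio * max(history)
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return amount > ratio * mu
    return abs(amount - mu) / sigma > zscore or amount > ratio * max(history)


def review_payment(p, vendor_file=VENDOR_FILE, history=HISTORY):
    """Return the alert codes raised for one pending payment (empty list = clean)."""
    alerts = []
    on_file = vendor_file.get(p["payee"])
    if on_file is None:
        alerts.append("NEW_PAYEE")
    elif (p["account"], p["routing"]) != (on_file["account"], on_file["routing"]):
        # The payee exists but the payment points somewhere the vendor file does not.
        alerts.append("CHANGED_PAYEE_BANK_DETAILS")
    if amount_is_unusual(p["amount"], history.get(p["payee"], [])):
        alerts.append("UNUSUAL_AMOUNT")
    return alerts


def review_batch(batch=PENDING):
    """Map payment id -> alerts for the whole batch."""
    return {p["id"]: review_payment(p) for p in batch}


def payments_to_hold(batch=PENDING):
    """Ids that must be held for out-of-band verification before release."""
    return [p["id"] for p in batch if review_payment(p)]


if __name__ == "__main__":
    for pid, alerts in review_batch().items():
        print(pid, "HOLD" if alerts else "ok", alerts)
```

The point of the `payments_to_hold` list is that it is produced by comparing against records the requester never touched. A convincing invoice or screenshot changes nothing about what the vendor file and the payment history say.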
5. Move approvals out of email
Email is where fraud thrives. It is messy, fast, and easy to spoof.
Better options:
- Bill pay platform with approval trails.
- Client portal for sensitive uploads.
- Document management system with permissions.
- Expense platform tied to card feeds.
- Payroll system with employee self-service and MFA.
If the approval lives only in someone’s inbox, you do not have a control. You have a hope.
6. Train employees on “process red flags,” not just visual red flags
Old fraud training said, “Look for typos, weird formatting, and bad grammar.”
That is outdated. AI fixed the grammar problem.
Train people to notice process red flags instead:
- “Why are they asking us to skip the normal approval?”
- “Why is this urgent?”
- “Why did the bank account change?”
- “Why is the request coming through a new channel?”
- “Why is the person refusing a callback?”
- “Why is this payment going to a different name, country, or account?”
The fraud may look polished. The process will usually feel off.
7. Create a no-shame pause button
Employees need permission to stop the train.
A good policy says: No one gets in trouble for slowing down a suspicious payment.
That one sentence can save a company. Fraudsters count on employees being afraid to question the boss, the client, the partner, or the “urgent” vendor. Make verification a sign of professionalism, not paranoia.
8. Keep a vendor master file and protect it like cash
For many businesses, the vendor list is basically a payment map. If a fraudster changes the payment details, the money walks out the door.
Vendor changes should require:
- Written request.
- Independent callback.
- Second approval.
- Documentation saved in the accounting system.
- Confirmation before first payment to the new account.
No exceptions for urgency. Especially not for urgency.
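Sections 3 and 8 together describe one mechanism: a request type decides which controls apply, and approval is impossible until every one of them is met. The following is an added example, not the article's own code, that implements both: it classifies a request against the high-risk list from section 3 and gates a vendor bank change on the five requirements listed above, with the callback checked against the phone number on file rather than any number supplied in the request. Request fields, control names and the sample vendor record are constructed assumptions.

```python
"""
Added example (not part of the original article): high-risk request
classification plus an approval gate that cannot be satisfied by the
requester's own artifacts.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# High-risk request types from section 3. Urgency never removes a type from this set.
HIGH_RISK_KINDS = {
    "vendor_bank_change", "wire", "ach", "refund", "sensitive_data_release",
    "new_vendor", "direct_deposit_change",
}

# Controls every high-risk request must clear (section 8's list, generalised).
BASE_CONTROLS = [
    "written_request",
    "callback_to_number_on_file",
    "second_approver",
    "documented_in_system_of_record",
]
# Extra control for changes that redirect future money.
EXTRA_CONTROLS = {
    "vendor_bank_change": ["confirm_before_first_payment"],
    "direct_deposit_change": ["confirm_before_first_payment"],
}


@dataclass
class Request:
    kind: str
    requester: str
    urgent: bool = False
    outside_normal_process: bool = False
    # Number the requester supplied. Kept for the record, never dialled.
    callback_phone_in_request: Optional[str] = None


@dataclass
class VendorRecord:
    name: str
    phone_on_file: str       # the only number a callback may use
    account: str


@dataclass
class Evidence:
    """What the system recorded during verification (not what the requester claims)."""
    written_request: bool = False
    callback_number_used: Optional[str] = None
    callback_confirmed: bool = False
    approver: Optional[str] = None
    documented: bool = False
    first_payment_confirmed: bool = False
    verification_phrase_ok: bool = False


def is_high_risk(req: Request) -> bool:
    return req.kind in HIGH_RISK_KINDS or req.outside_normal_process


def required_controls(req: Request) -> List[str]:
    """Controls the process demands; decided by the request type, not by a feeling."""
    if not is_high_risk(req):
        return []
    controls = BASE_CONTROLS + EXTRA_CONTROLS.get(req.kind, [])
    if req.urgent:
        controls = controls + ["verification_phrase"]  # urgency adds a control
    return controls


def gate(req: Request, vendor: VendorRecord, ev: Evidence) -> Tuple[bool, List[str]]:
    """Return (approved, unmet controls). Any unmet control blocks approval."""
    unmet = []
    for c in required_controls(req):
        if c == "written_request" and not ev.written_request:
            unmet.append(c)
        elif c == "callback_to_number_on_file" and not (
            ev.callback_confirmed and ev.callback_number_used == vendor.phone_on_file
        ):
            unmet.append(c)  # a call to the number in the request does not count
        elif c == "second_approver" and (ev.approver is None or ev.approver == req.requester):
            unmet.append(c)  # the requester cannot be their own second approver
        elif c == "documented_in_system_of_record" and not ev.documented:
            unmet.append(c)
        elif c == "confirm_before_first_payment" and not ev.first_payment_confirmed:
            unmet.append(c)
        elif c == "verification_phrase" and not ev.verification_phrase_ok:
            unmet.append(c)
    return (not unmet, unmet)
```

Two design choices carry the article's argument. The callback check compares the number actually dialled with `phone_on_file` from the vendor record, so a requester who supplies their own number and then "confirms" on it still fails the control. And `required_controls` only ever grows when a request is marked urgent, which is the code form of "no exceptions for urgency."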
9. Add cyber and fraud insurance, but do not rely on it
Insurance is a backstop, not a fraud prevention plan. Many policies have conditions around verification procedures, employee training, and timely reporting. If the business cannot show it followed reasonable controls, coverage can get messy fast.
So yes, review coverage. But also document the process.
10. For law firms specifically, protect trust accounting workflows
Law firms should be extra careful with:
- Incoming wire instructions from clients.
- Settlement disbursements.
- Refunds from trust.
- Case expense reimbursements.
- Vendor payments tied to client matters.
- Changes to client bank information.
- Instructions from “opposing counsel” or “title companies.”
A law firm should have a written rule: no trust disbursement based only on email, image, screenshot, or verbal instruction from an unverified source.
The practical next step
Pick your top five fraud-risk workflows and tighten those first:
- Vendor bank changes
- Wire/ACH approvals
- Employee direct deposit changes
- Client refunds or trust disbursements
- Expense reimbursements
Then write the rule in plain English:
“For any request involving money movement or bank information changes, we verify using a known trusted channel before approval. Screenshots, IDs, invoices, and video calls are supporting information only. They are not proof.”
That is the shift. Do not try to out-detect every fake. Build a process where the fake cannot authorize anything by itself.