A wave of headlines has seized on a single data point from the 2025 AFP® Payments Fraud and Control Survey: 63% of organizations experienced attempted or actual check fraud in 2024. Payment technology providers, faster-payments advocates, and broader anti-paper narratives have amplified this figure into a singular conclusion that checks are the most dangerous payment rail in B2B, and eliminating paper eliminates risk. The narrative is persuasive, but incomplete
This article is not a defense of checks. It is a challenge to imprecise analysis. For finance leaders, risk is not measured by the frequency of attempts. It is measured by the permanence of loss, and on that dimension, the dominant narrative leaves out the most important variables.
Risk Requires a Complete Equation
True risk is defined by a specific calculus:
Expected Loss = Probability × Severity × (1 − Recovery Rate)
Most public discussions and vendor-driven commentary emphasize probability. The other two variables are treated as footnotes. They are not. Incident frequency is a poor proxy for capital risk. A high-frequency, low-severity, high-recoverability loss is fundamentally different from a low-frequency, high-severity, unrecoverable one. Conflating the two produces bad decisions.
Severity and the Value Gap
Frequency does not equal material loss. According to the Federal Reserve’s 2021 Depository and Financial Institutions Payments Survey, business checks averaged $3,601. Conversely, Nacha’s 2021 data shows 5.3 billion B2B ACH payments valued at $50 trillion, an average payment of $9,434.
In many commercial environments, electronic transactions are simply larger than checks, so even if check fraud attempts occur more frequently, the dollar exposure on electronic rails can be equivalent or greater, depending on severity and recoverability. If the goal is protecting capital rather than just counting incidents, severity must be part of the analysis.
The Shift to Social Engineering
The largest B2B losses today are no longer driven by stolen envelopes or chemically altered paper. They are driven by social engineering: vendor impersonation, account change manipulation, and business email compromise.
These schemes trick employees into authorizing legitimate payments to fraudulent destinations. Crucially, they overwhelmingly target push-payment rails like ACH and wire transfers. A vendor calls accounts payable requesting a banking information update or enrollment in electronic payment. The voice sounds authentic. The email domain looks legitimate. The caller is familiar with the vendor’s product or project. The payment details are changed in the system.
Weeks or months later, the actual vendor calls about a past-due invoice. By then, multiple payments may have been sent to the fraudulent account, and the funds are long gone. The window for recovery has closed.
When a check is altered or stolen, or a credit card for that matter, the fraud is unauthorized at the instrument level, triggering established dispute processes. When accounts payable is socially engineered into updating vendor banking details, subsequent payments are technically valid. Because electronic funds move near instantly and the fraud is typically undetected for weeks or months, recovery is often impossible. Fraud follows value and irreversibility, and that is where economic risk is migrating.
Asymmetrical Recovery
Checks and credit cards operate within a mature framework of Positive Pay, the Universal Commercial Code, and network dispute mechanisms. While recovery is not guaranteed, the settlement cycle and dispute infrastructure introduces friction and processes that favor the victim.
Push payments are different. Once sent, funds are fragmented and dispersed. Recovery primarily depends on speed, not statute. It is worth noting that the same 2025 AFP survey that documents high check fraud attempt rates also reflects this broader reality: only 22% of organizations recovered 75% or more of their losses in 2024, down sharply from 41% in 2023. The survey’s own data spans all payment rails. The problem is systemic, not confined to paper. Focusing on check fraud incidence while ignoring recovery asymmetry misses the structural shift in fraud economics.
What Actually Reduces Loss
Digital controls like immutable audit trails and automated detection are essential, but speed is a neutral technology. If social engineering bypasses governance or detection and prevention capabilities, losses scale faster on electronic rails. Modern fraud is about manipulating people, not documents.
To minimize unrecovered loss, risk identification and screening tools must be leveraged to detect and thwart social engineering. IP analysis, behavioral profiling, and anomaly detection must exist upstream of funds movement. And bank-level safeguards must be actively configured: ACH debit blocks, transaction limits, and Positive Pay for checks. Unconfigured controls offer no protection. Fraud avoidance and early detection are everything.
A More Honest Standard
Citing that 63% of organizations experienced attempted or actual check fraud describes frequency, not economic impact. The distinction matters. Attempted fraud that is intercepted carries no loss. Fraudulent checks that aren’t honored due to Positive Pay controls carry no loss. Unrecovered electronic fraud, the kind that scales through social engineering on push-payment rails, often carry the full loss.
Checks are slow, friction prone, and easy to criticize. Electronic payments are faster, scalable, and challenging to reverse, which is precisely why fraud follows them. I am not advocating for one rail over another. Rather, I am advocating for intellectual honesty in the evaluation of risk across them.
The serious conversation is not about eliminating a rail. It is about reducing unrecovered loss in a world where the dominant threat is less about forged paper and more about manipulated trust.
That requires analytical precision and a willingness to measure what actually matters: unrecovered loss.
The answer is not to slow the digitization of payments. It is to accelerate it in the right way, with the technology, controls, and processes needed to reduce risk as digitization accelerates. Otherwise, fraud will scale faster than trust, and the pace of adoption will inevitably suffer.