Business email compromise attempts soared last year, with nearly three-quarters of organizations reporting incidents, a new survey found.

According to the Association for Financial Professionals (AFP) 2026 Payments Fraud and Control Survey Report, 74% of organizations experienced BEC last year, up from 63% in 2024. And it said there’s a simple reason why. 

“Fraud via email continues to be prevalent because email remains the main communication tool at organizations, making it a prime target for cybercriminals,” AFP wrote in the report released April 14. 

Spoofed emails—which appear to come from a trusted source—topped the list of BEC types, with 85% of organizations receiving them in 2025. But that’s not the only way fraudsters attempt BEC. “More than half of respondents indicate that their companies received emails from domains that looked almost identical to legitimate ones, with only minor differences in a letter or two,” AFP reported. 

In other findings, AFP said check fraud remains the No. 1 type of payment fraud, reported by 58% of organizations. While that figure is down slightly from a year earlier, the report noted a troubling finding: “Despite being the payment method most vulnerable to payments fraud, check usage at businesses is widespread: 87% of organizations report using checks in 2025.”

While the respondents cited various reasons for continuing to write checks, Michael Herd, Nacha Executive Vice President, ACH Network Administration, said no business should still be doing that.

“Check fraud has been prevalent for many years, and that alone should put an end to their use,” said Herd. “There are good reasons why ACH business-to-business volume grew nearly 10% last year, with safety and convenience topping the list. Checks should disappear once and for all—no checks, no check fraud.”