treasury management strategies

Treasury Management Strategies that Help Businesses Stay Safe and Continue to Grow

Fraudsters aren’t just getting smarter in how they target businesses; they are also costing business treasuries more. A 2025 TransUnion report found that U.S. companies effectively lost nearly 10% of their annual revenue to fraud.

Criminals used to attempt to steal money through check fraud, flagrant phishing emails, and brute force cyberattacks. Now, they are sliding quietly into systems, biding their time, and striking when transactions are most vulnerable.

Andrew Lebron CTP, Vice President and Treasury Management Officer at West Michigan Community Bank, works directly with business clients across West Michigan to help them stay protected. He says businesses can reduce their risk of fraud by making deliberate choices about how money flows through their organization, who controls it, and how transactions get approved.

Here’s what business leaders need to know.

How Fraud Targeting Businesses Has Changed

According to Lebron, fraudulent transactions against businesses used to be unsophisticated.

“Ten years ago, there was some wire transfer and ACH fraud, but most of it was check-driven,” he says.

Most criminals stole money by stealing checks from the mail and attempting to cash them, or by hacking into systems and leaving quickly.

“That still happens, but so many more businesses are using Positive Pay that it’s not hitting at the same rate for those who use positive pay.”

Positive Pay prevents fraud by matching the checks a business issues against information the business sends to the bank each day about its payments. If the information on a check or ACH payment doesn’t match the information sent directly from the business, the transaction is flagged.

Fraudsters Are Biding Their Time

While Positive Pay has prevented some fraud, bad actors have learned from past mistakes. “What we see now is far more calculated,” says Lebron. “The bad guys are a lot smarter.”

Criminals will use phishing emails and other social engineering attacks to access protected systems. These types of attacks used to be easy to spot, but now they are much more convincing.

“They used to say, ‘Dear Sirs or Madams,' had terrible grammar, and had other obvious red flags. Now, they're very targeted, even personalized.”

 Once they are inside your business, they’ll settle in and wait.

“Fraudsters will get into your system, go quiet, and just watch how money flows through the business. They’re trying to learn who makes the decisions, when key people are going to go on vacation, and what your routines are.”

AI Is Accelerating the Problem

Artificial intelligence has made fraudulent communications faster to produce and harder to detect. A bad actor can use AI tools to draft convincing, personalized messages at scale — drawing from publicly available information about your team to make each one feel legitimate.

"AI never sleeps,” says Lebron. “A bad actor sitting anywhere in the world can tell an AI tool to write a message that sounds like it came from inside your office. They’ll draw it from what your CFO posted on LinkedIn or how your team typically communicates—the impersonation can be very convincing."

Treasury Management and Security Strategies to Keep Your Business Safe

While criminals have become smarter and more creative, there are steps businesses can take to reduce their risk.

According to Lebron, businesses that avoid major losses from fraud are typically those that approach treasury management strategically. Here's what that looks like.

Document How Money Moves

A clear, written procedure for how payments are to be initiated, reviewed, and approved is the foundation of any good treasury management program. Lebron suggests companies document everything.

Who can send money? Through which accounts can they send it? Who must sign off on transactions, and at what dollar amount?

“Without answers to those questions, there can be no consistent process for protecting the integrity of transactions,” says Lebron. “When something goes wrong, there's no baseline to investigate against.”

Keep Access Tight and Role-Specific

Broad access is one of the most common vulnerabilities that Lebron encounters. When too many employees can “touch” too many accounts, a single compromised credential puts everything at risk.

“The businesses that stay protected know exactly who can access what, and they keep that list tight,” he says. “The ones that get hurt often gave everyone access to everything, or they have a process on paper, but they stopped enforcing it.

While it may seem reasonable to give leaders full access, you should also institute executive-level fraud controls.

“Even the president of a company shouldn't be able to take a transaction from start to finish; what if they get hacked?"

The fix is straightforward: Each person on your team should have access only to the accounts and tools they need to do their job.

For example, an accounts payable employee needs access to certain capabilities but doesn’t need wire transfer permissions. Someone who uploads payment files to the system shouldn't be the same person approving them.

“Keeping access narrow and role-specific limits the amount of damage, a single breach can do,” says Lebron.

Separate Who Initiates from Who Approves

Segregating duties is one of the most effective anti-fraud controls a business can have. This involves setting protocols so that one person initiates a payment and a different person approves it.

Lebron says he has watched the same type of fraud attempt play out among two different clients. However, each client had a very different outcome from the others based on this one distinction.

"One business had a two-person approval process on all transactions. An employee got a convincing fraudulent email and almost sent out a large payment, but the second approver caught it,” he says.

“The vendor had always insisted on being paid by check. They called the vendor directly, who confirmed they hadn't requested to be paid via ACH.

The other client was not so lucky.

“The other business had no second approver,” says Lebron. “They encountered the same type of fraud attempt, but the money was released, and it was gone.”

Know When to Move Fast and When to Slow Down

Businesses want their payments to be fast and efficient. Sometimes, this can make them reluctant to implement any additional security controls.

While extra verification can slow transactions down, not all transactions require extra scrutiny. The key is knowing which transactions need to be analyzed and which ones can be automated.

"I think about the book Thinking Fast and Slow—the idea that our brains are built to go fast in familiar situations and slow in new or uncertain ones. Payments work the same way,” says Lebron.

“A vendor you've paid fifty times at the same account? Move those payments fast. A new vendor sending banking details, or a longtime vendor who says they've suddenly changed banks? Stop and verify.”

Save your verification steps for anything new, unusual, or involving a change in banking information. Other transactions can be automated.

Three Steps Worth Taking

If your business hasn't reviewed its fraud controls recently, Lebron’s recommendation is to start with three things.

“If I could tell a business owner three things to do in the next six to twelve months: set up Positive Pay, limit who has access to what based on their role, and slow down. An urgent email isn't that urgent when $100,000 is on the line.”

1. Set up Positive Pay

When you write a check, register its information with your bank, including the check number, payee name, and dollar amount. If a check comes in that doesn't match what you submitted, the bank will flag it before it clears.

Businesses that skip Positive Pay often discover the problem several weeks or even months later, when recovery is no longer possible.

2. Limit Access Based on Actual Roles

Review who in your organization can access which accounts. Establish dollar limits that reflect each person's actual responsibilities. If an employee only needs to process smaller transactions, cap their limit, and require a manual review for anything above it.

Also, “make sure the person who uploads payment files isn't the same person who approves them,” Lebron suggests. That single separation protects against both external fraud and internal errors.

3. Give Unfamiliar Transactions Their Due Diligence

When a new vendor sends payment details, or when a longtime vendor appears to have changed their banking information, verify it. Call the vendor by phone using a number you already have on file, not one provided in the email or letter.

Don't let urgency be the reason you skip that step. Transactions involving trusted payees and unchanged accounts can move quickly. Everything else deserves a second look.

Ready to Take a Closer Look at Your Treasury Management?

Smart treasury management helps your business grow and pursue new opportunities without constantly worrying about what could go wrong. At West Michigan Community Bank, our team works with businesses of all sizes to review controls, identify weaknesses, and build processes that fit your operations.

Ready to talk? Let's start a conversation.