AI Payment Fraud: What Canadian Merchants Face in 2026

KPMG Canada, March 2026: 72% of Canadian businesses lost up to 5% of profits to AI-powered fraud attacks in the past year. 81% experienced at least one attempted or successful AI-assisted fraud incident.

The Industrialization of Fraud

Fraud used to require skill. A convincing scam email took time to craft, voice impersonation required a talented actor, and fake documents were expensive to produce. AI has eliminated those barriers.

Today's fraud operations run like businesses — complete with AI toolchains, customer support queues, and refund-of-service guarantees for fraudsters who don't get results. The cost to launch a deepfake invoice attack or a synthetic identity scheme has dropped to near zero.

KPMG Canada's March 2026 fraud survey documents the scale. Of Canadian businesses surveyed:

81% experienced at least one attempted or successful AI-assisted fraud incident in the past 12 months
60% encountered AI-generated email fraud (phishing, BEC, impersonation)
39% were hit with deepfake documents — fake invoices, purchase orders, or business registrations that passed visual review
24% reported voice clone attacks targeting staff with authority over payments
72% lost measurable revenue — up to 5% of annual profits — to these incidents

These aren't isolated enterprise incidents. The same KPMG survey found small and mid-size businesses are disproportionately targeted because they lack dedicated fraud teams and rely on manual review processes that AI fraud is specifically designed to defeat.

Five AI Fraud Patterns Hitting Canadian Merchants

1. Synthetic Identity Fraud

Fraudsters use AI to generate entirely fabricated identities — complete with plausible names, addresses, SINs, and supporting documents. These synthetic identities pass standard KYC checks because they're internally consistent, even though no real person exists behind them.

The damage compounds over time. A synthetic identity might build a legitimate purchase history for months before executing a large fraudulent order and disappearing. By the time the merchant or processor flags it, the goods are gone.

2. AI-Enhanced Card Fraud

Card-not-present fraud has always been a problem for Canadian e-commerce, but AI has accelerated it sharply. BMO's November 2025 holiday shopping report flagged 2.6% of Canadian online transactions as potentially fraudulent — a 51% year-over-year increase. The spike tracks directly with the availability of AI tools that automate carding attacks, credential stuffing, and card testing at scale.

AI-powered card fraud tools can test thousands of card numbers against merchant checkout flows in minutes, identify working cards, and route purchases through legitimate-looking patterns to avoid velocity triggers. Standard rate limits and IP blocks are no longer sufficient on their own.

3. Invoice and Business Email Compromise (BEC) Fraud

AI has made BEC fraud terrifyingly accurate. Where earlier attacks were obvious from grammar errors or incorrect logos, AI-generated BEC emails now match your supplier's exact writing style, replicate their invoice templates pixel-for-pixel, and arrive from spoofed domains that pass casual inspection.

The typical Canadian attack vector: an AI-generated email from a "known supplier" requests a change to banking details before a large payment. The accounts payable contact, trusting the familiar format, updates the wire instructions. The payment goes to a fraudster's account.

See our BEC and invoice fraud guide for detailed response protocols and real Canadian case examples.

4. AI Voice Clone CEO Fraud

Voice cloning technology can now replicate a known voice from as little as three seconds of audio — a YouTube interview clip, a podcast appearance, a voicemail. Fraudsters clone the voice of a company's CEO or CFO and call the controller or accounts payable manager with an urgent wire transfer request.

The social engineering script is standard: the "executive" is travelling, needs a confidential wire sent today, will explain everything later. The urgency and familiar voice together override normal caution. KPMG Canada found 24% of surveyed businesses were targeted with this method in 2025–2026.

5. Automated Chargeback Fraud

AI-assisted chargeback abuse has emerged as a distinct category separate from traditional friendly fraud. Fraud rings now use automation to systematically purchase goods, generate plausible dispute narratives, and file chargebacks across dozens of merchant accounts simultaneously. The scale makes it impossible to fight manually — each dispute looks legitimate in isolation.

Where Canadian Merchants Are Most Exposed

Card-Not-Present vs. In-Person Risk

In-person card fraud remains relatively contained in Canada because chip-and-PIN provides strong authentication. The exposure is almost entirely online. Card-not-present transactions carry five to ten times the fraud rate of in-person chip transactions, and that gap is widening as AI fraud tools specifically target CNP environments.

If you run a hybrid business — physical store plus online — your online channel is where fraud investment should be concentrated.

Subscription Businesses

Subscription merchants face compounding risk. A fraudster who signs up with a stolen card gets recurring charges until the real cardholder notices. Multiple chargebacks from the same fraud event arrive weeks apart, making patterns harder to detect. Subscription businesses also accumulate stored payment credentials, making them attractive targets for account takeover attacks.

Marketplace Platforms

If your business connects buyers and sellers — a booking platform, a local marketplace, a service directory — you inherit fraud risk from both sides. Synthetic seller identities, fake reviews, and buyer-side payment fraud all apply. AI has made it dramatically cheaper to populate a marketplace with convincing fake participants.

Practical Defences by Payment Layer

Checkout and Card-Not-Present

3D Secure 2 (3DS2): Enables frictionless authentication for low-risk transactions while adding bank verification for higher-risk ones. Critically, a successful 3DS2 authentication shifts chargeback liability from you to the card issuer. See our 3DS2 guide for Canadian merchants.
AVS and CVV: Address Verification Service cross-checks billing postal codes; CVV confirms physical card possession. Neither is bulletproof alone, but together they block a significant percentage of automated carding attempts. Details in our AVS/CVV guide.
Velocity limits: Cap the number of transactions from a single card, IP address, or device fingerprint within a rolling time window. Most processors let you configure these in your dashboard.
Device fingerprinting: Tools like Stripe Radar and Helcim's built-in fraud detection build device profiles across millions of transactions and flag anomalies. A device that's placed orders across fifty different merchants in the past hour is a fraud signal.

EFT, Wire, and B2B Payments

Callback protocol: Before processing any change to banking details or any wire over a threshold amount (set your own — $1,000 or $5,000 depending on your business), call the requestor back on a pre-established phone number — not the number in the email. This single control defeats the vast majority of BEC attacks.
Dual approval: Require two authorized staff members to approve any outgoing wire or large EFT. Fraudsters targeting voice clone or email-based CEO fraud rely on a single employee acting under pressure. Dual approval breaks that model.
DMARC on your domain: DMARC prevents fraudsters from spoofing your domain in emails sent to your partners or suppliers. If your domain doesn't have DMARC enforcement, anyone can send emails that appear to be from your company. See free tools below.

For a full breakdown of EFT and wire security considerations, see our EFT, PAD, and wire guide for Canadian businesses.

Account and Dashboard Security

MFA on all processor accounts: Enable multi-factor authentication on every payment processor dashboard — Stripe, Helcim, Moneris, Square, wherever you have merchant accounts. An attacker with your processor credentials can redirect settlements, issue refunds, or extract customer card data.
Least-privilege access: Staff who only need to view reports shouldn't have access to refund controls or banking settings. Every major processor supports role-based permissions.
Audit log review: Periodically check your processor's audit logs for login attempts, setting changes, and banking detail updates you don't recognize.

Free Tools Worth Using

CAFC Scam Detector: The Canadian Anti-Fraud Centre maintains a searchable database of known fraud patterns, active scam alerts, and reporting tools at antifraudcentre-centreantifraude.ca.
DMARC Check (MXToolbox): Run your domain through mxtoolbox.com/dmarc.aspx to see whether your domain has DMARC, SPF, and DKIM configured. Takes 30 seconds.
Stripe Radar: Stripe's machine learning fraud detection is included with all Stripe accounts at no extra cost. It flags suspicious cards, devices, and behavioural patterns before the charge hits. For higher-volume merchants, Radar for Fraud Teams adds custom rules.
Helcim Built-in Fraud Tools: Helcim includes address verification, CVV matching, and velocity controls in its standard merchant dashboard. No add-on required. Particularly strong for Canadian merchants who want straightforward configuration without custom code.

When to Escalate

Not every fraud incident warrants law enforcement involvement — but some do, and reporting matters for crime statistics and potential recovery.

Canadian Anti-Fraud Centre (CAFC): 1-888-495-8501 or online at antifraudcentre-centreantifraude.ca. The CAFC is the primary national reporting body for fraud affecting Canadian consumers and businesses. Reports feed into federal investigations and help identify patterns.
RCMP National Cybercrime Coordination Centre (NC3): For cybercrime-specific incidents — account intrusions, ransomware, large-scale BEC — report through the RCMP Cybercrime Reporting Centre at rcmp-grc.gc.ca. The NC3 coordinates investigations across jurisdictions.
Your processor's fraud team: All major processors have dedicated fraud lines for merchants. Call immediately if you suspect ongoing compromise — they can flag accounts, pause transactions, and preserve evidence.
Your bank: For wire fraud involving business bank accounts, call your bank's fraud line within the first few hours. Wire recalls are possible but time-sensitive — every hour reduces recovery odds.