AI Phishing and Deepfake Fraud: What to Watch For

Your bookkeeper gets a call. It's your voice — or close enough. The "voice memo" says you need an urgent wire transfer to a new vendor. The bookkeeper sends $47,000.

That's not a hypothetical. In 2019, a CEO in the UK was scammed out of $243,000 using voice cloning. In 2024, a finance worker in Hong Kong sent $25 million after a deepfake video call with what he believed were his CFO and other colleagues. These attacks are getting easier to execute and harder to detect.

AI-powered fraud is not future risk — it's happening to businesses like yours right now.

What this solves (in real business terms)

• Employee awareness: Your team recognizes AI-generated phishing before clicking or sending
• Verification procedures: You've established processes that make impersonation attacks harder to execute
• Incident response: You know what to do when a fraud attempt occurs
• Customer protection: Your customers aren't at risk from fraudsters impersonating your business

What can go wrong

• Business email compromise (BEC): AI-generated emails that perfectly mimic your vendor's writing style, with realistic sender addresses — much harder to spot than obvious phishing
• Voice cloning for wire fraud: A 30-second audio sample from a LinkedIn video or Zoom call is enough to clone someone's voice. Fraudsters use this to call employees with "urgent" wire transfer requests.
• Deepfake video calls: AI-generated video is real-time now. A fraudster can look and sound like your CEO during a video call.
• Customer service impersonation: AI chatbots or voice clones impersonate your customer service to extract account information from customers
• Fake invoices: AI generates invoices that look exactly like real ones from your vendors — same formatting, same language — sent from lookalike domains
• QR code phishing: AI generates convincing QR codes that link to phishing sites — harder for employees to check than URLs

What it costs (honest ranges)

• Awareness training: Free (your own training materials) to $500/month (services like KnowBe4 or Cofense)
• Email filtering with AI detection: $3-$10/user/month (Microsoft Defender, Google Workspace security, Mimecast)
• Deepfake detection tools: $500-$2,000/month for business-tier tools (emerging market, options vary)
• Fraud simulation services: $1,000-$5,000/year for simulated phishing campaigns against your team

The expensive part isn't tools — it's process. Wire transfer verification, callback procedures, and approval workflows cost time but prevent losses.

Vendor questions (copy/paste)

1. What AI-generated content detection capabilities do you have? Can you identify deepfake audio or video?
2. How do you handle business email compromise (BEC) attacks that don't contain malicious links or attachments?
3. What authentication do you support for your platform to prevent impersonation attacks?
4. Do you offer employee training materials specifically about AI-powered fraud?
5. What's your response time if we report a fraud attempt or compromised account?

Minimum viable implementation

1. Implement verification for financial requests. Any wire transfer or payment change request — regardless of who calls or emails — must be verified through a second channel. "I'll call you back on the number we have on file" is the baseline.
2. Establish a verbal passphrase. Create a code word for your business that employees can use to verify it's really you calling. Change it quarterly.
3. Train your team on AI fraud. Show them real examples. A 10-minute discussion of the Hong Kong deepfake case is more effective than a 30-page security policy.
4. Add flags to unusual requests. If someone asks for urgency ("don't have time to verify, just send it"), that's your signal to slow down.
5. Set approval thresholds. Any wire transfer over a specific amount requires two people to approve — regardless of who requested it.

When to hire help

• You've been targeted or compromised — get incident response help immediately. Time matters. The faster you act, the more you can recover.
• You handle significant wire transfers or payments — a security consultant can help design verification procedures specific to your payment workflows.
• Your team lacks the technical knowledge to evaluate AI fraud risks — a one-time training session with a local IT security firm is worth the investment.

---

The most effective defense against AI fraud isn't technology — it's procedures. Fraudsters count on urgency and authority to bypass skepticism. Your job is to make sure your team knows: slow down, verify, and it's always okay to say no.