Facebook Pixel
(303) 578-6256

For years, the advice on phishing was simple. Look for bad grammar, check the sender's email address, and never click a suspicious link. That advice still matters, but it no longer covers the threat. In 2026, the emails hitting business inboxes are grammatically perfect, personalized, and written in a tone that matches the person they're impersonating. Some of the scams aren't emails at all. They're phone calls in a voice your employee recognizes, or video calls with a face they've seen on dozens of prior meetings.

Generative AI didn't just make phishing a little better. It removed the tells that used to give scammers away, and it opened up entirely new attack formats that most small businesses have never trained for.

The numbers behind the shift

AI-generated phishing emails are producing open rates between 54 and 78 percent, compared to roughly 12 percent for traditional phishing attempts. That gap alone explains why attackers have shifted so heavily toward AI tools. A message that used to get ignored by most recipients is now getting opened by the majority of them.

Voice and video impersonation has grown just as fast. The FBI's Internet Crime Complaint Center received more than 22,000 reports involving AI-generated voice or video scams in 2025, with reported losses approaching $893 million. Separately, AI-assisted business email compromise generated an estimated $2.77 billion in losses across more than 21,000 incidents, with audio and video elements increasingly layered into campaigns that used to be text only. Some fraud researchers have tracked a surge of roughly 3,000 percent in deepfake fraud instances as generation tools became cheaper and easier to access.

Those are not enterprise-only numbers. A growing share of these incidents involve companies with a few dozen employees and a finance team of one or two people, exactly the profile of most of our clients.

How these attacks actually work

Voice cloning has the lowest barrier to entry. Widely available tools can produce a convincing clone of someone's voice from as little as 3 to 10 seconds of audio, which is easy to pull from a voicemail greeting, a webinar recording, a podcast appearance, or a video posted to social media. Once an attacker has that sample, they can generate new sentences in that voice on demand, including sentences the real person never said.

Video deepfakes take more effort to produce but are now feasible in real time, meaning an attacker can face-swap live during an actual video call rather than sending a pre-recorded clip. This is what made the most damaging documented cases possible: entire video conferences where every participant, including the executive giving instructions, was synthetic.

The most effective attacks combine channels. An email that appears to come from the CFO announces an incoming call about a time-sensitive matter. Minutes later, the call arrives, and the voice matches perfectly. Because the email primed the target to expect the call, there's little reason for the employee to question it. The attacker has removed the moment of doubt before it ever has a chance to form.

Preparation for these attacks typically starts weeks in advance, built almost entirely from information a company has published about itself. LinkedIn profiles reveal who has approval authority over payments. Press releases and SEC filings reveal what deals or transactions are in motion. Company websites list who the vendors are. None of this requires hacking. It's all public, and attackers use it to build a pretext that sounds financially plausible for that specific business at that specific moment.

Real incidents worth knowing about

A finance employee at a multinational engineering firm joined a video call that appeared to include the CFO and several colleagues. Every face on the call was AI-generated. Believing the request was legitimate, the employee processed 15 separate transfers totaling $25.6 million before the fraud was discovered.

A business owner in Switzerland was contacted over a series of phone calls across two weeks by what sounded like a trusted business partner. The voice was a clone. By the time the deception was discovered, several transfers totaling millions of Swiss francs had already gone out.

In a smaller case closer to the scale most of our clients operate at, a CFO received a call that sounded exactly like a company leader requesting an urgent transfer. Believing it was a legitimate directive, the CFO authorized a $243,000 payment, only learning afterward that the voice had been cloned.

These cases share a pattern. The technology bypassed scrutiny not because the target was careless, but because the deception was convincing enough that skepticism never had a reason to kick in.

Why "we're too small to be a target" no longer holds up

It's tempting to assume this is a large-enterprise problem, since the headline cases involve millions of dollars. But attackers don't need a company to be large. They need a company to have money that moves, a person authorized to move it, and enough publicly available information to build a believable pretext. Most small businesses check all three boxes, and most have no formal verification process in place for high-value payment requests, which makes them an easier target than a company with layered approval controls.

A recent survey found that 72 percent of business leaders now rank AI-enabled fraud and deepfakes as their top operational concern heading into this year, a sharp jump from prior years when the concern barely registered on most risk assessments.

Warning signs employees should be trained to recognize

Because these scams no longer rely on the traditional red flags of bad grammar or suspicious links, employee training needs to shift toward behavioral and procedural warning signs instead:

  • Urgency that discourages normal verification, especially language suggesting the transaction must happen before end of day or before someone is reachable
  • A request to keep the matter confidential or avoid discussing it with other team members
  • A shift to an unusual communication channel partway through a request, such as a call arriving right after an email that primed the request
  • Any request, regardless of who appears to be asking, to bypass a standard approval step or skip a second signature
  • A voice or video call requesting financial action that the requester has never asked for in that format before

None of these signs depend on spotting a fake. They depend on recognizing that the request itself doesn't follow the company's normal process, which is a far more reliable indicator than trying to judge whether a voice sounds slightly off.

Defenses that actually hold up against this threat

Security researchers and fraud investigators are consistent on one point: deepfake detection technology will never be perfectly reliable, so the defense has to be procedural rather than purely technical. The practices below are what we recommend building into a business's standard operating procedure, not just a slide in an annual training session.

Out-of-band verification for any payment request. If a call, email, or video conference requests a transfer or a change to payment details, verify it through a separate, previously known channel before acting. Call the person back on a phone number already on file, not one provided in the request itself.

A hard rule requiring dual approval on transfers above a set threshold. No single call, email, or video conference, no matter how convincing, should be able to trigger a payment on its own. Structure the process so that a second authorized person always has to independently confirm the request through a separate channel.

Limit how much operational detail is public. Attackers build their pretext from information the company has already published. Reviewing what's publicly visible about approval authority, vendor relationships, and pending transactions, and trimming what doesn't need to be public, reduces the raw material available for a convincing scam.

Run realistic drills, not just annual training modules. A once-a-year phishing awareness session built around spotting a suspicious email won't prepare anyone for a live phone call. Periodic simulated scenarios involving unexpected calls requesting urgent action give employees practiced muscle memory for pausing and verifying, rather than a policy they read once and forgot. If you're not sure where to start, check out our guide on 8 security essentials for business.

Layer in modern email and endpoint security. AI-generated phishing emails are built to defeat the old checklist of red flags, which means detection needs to move toward behavioral and anomaly-based tools rather than keyword filtering alone.

We've helped several clients build these verification steps directly into their accounts payable process this year, and the change that makes the biggest difference isn't a piece of software. It's making the callback step a required part of the workflow rather than something an employee has to remember to do under pressure.

A practical action checklist

  • Set a dollar threshold above which no transfer can be authorized by a single person or a single communication channel
  • Document a callback verification procedure using contact information already on file, not information provided in the request
  • Review what your company has published publicly about who approves payments and what vendor relationships you have
  • Run at least one simulated scenario this quarter involving a phone call or video request, not just an email
  • Confirm your email security tools are set up to flag anomalies and behavior patterns, not only known malicious links
  • Make sure every employee who can initiate or approve a payment knows the verification procedure exists and understands it isn't optional, regardless of who appears to be asking

Frequently asked questions

Can deepfake voice or video be reliably detected with software?
Detection tools exist and are improving, but security researchers are clear that detection will never reach full accuracy. The stronger defense is designing processes so that a single call or video, however convincing, cannot trigger a payment on its own.

How much audio does someone need to clone a voice?
As little as 3 to 10 seconds. Voicemail greetings, webinar recordings, podcast clips, and social media videos all provide enough material.

Is this really a risk for a business our size?
Yes. These scams depend on a company having money that moves and a person authorized to move it, not on company size. Smaller businesses often lack the layered approval processes that make larger organizations harder targets, which can make them more vulnerable rather than less.

What's the single most effective change we can make?
Requiring out-of-band verification, a callback to a known number, before acting on any payment request that arrives by phone, video, or email. This one step defeats the vast majority of documented cases, because the fraud depends entirely on the target acting within the same channel the request arrived through.

Should we be worried about our executives' public presence, like conference talks or podcast interviews?
Not to the point of avoiding visibility, but it's worth being aware that any public audio or video of a company leader is a potential source for voice cloning. This is less a reason to disappear from public life and more a reason to make sure your internal verification procedures don't rely on anyone being able to recognize a voice or face as proof of identity.

About ITGuys

ITGuys is a Managed IT Support company that has been helping businesses solve technology problems since 2009. We work with companies of all sizes to provide reliable, practical IT solutions that keep teams productive and secure.

Our services include managed IT support, network cabling, office onboarding and offboarding, email migration, IT consulting, wireless networking, infrastructure upgrades, and ongoing technical support for businesses across the United States.

We believe technology should make business easier, not more frustrating. Our goal is to provide straightforward IT guidance that helps businesses avoid downtime, improve reliability, and make smarter technology decisions.

Learn More About Our Services