AI-Powered Fraud Is Targeting Small Businesses. Here's How to Protect Yours.

In 2025, AI-powered fraud drained an estimated $1.1 billion from US corporate accounts — triple the year before. The tools behind these attacks now cost almost nothing, require no technical expertise, and are being used against businesses of every size. What changed is not the goal. It is how convincing the attacks have become.

In February 2024, a finance employee at one of the world's largest engineering firms received a video call invitation from the company's chief financial officer. When the call started, the CFO was on screen, along with several senior colleagues. The meeting looked and sounded completely normal. Over the next several minutes, the CFO walked through an urgent transaction that required immediate wire transfers to complete a confidential deal.

The employee authorized 15 separate wire transfers totaling $25.6 million. Every person on that call was a deepfake — AI-generated from publicly available conference footage. By the time anyone discovered what had happened, the money was gone.

That case involved a large multinational firm. But the tools used to execute it now cost almost nothing and are being deployed against small and mid-size businesses every week. If you think this is a problem for big companies with complex structures, the attackers have already counted on you thinking that.

What AI-Powered Fraud Actually Looks Like

The fraud landscape has changed faster in the past two years than in the previous two decades. The FBI's 2025 Internet Crime Report logged more than 22,000 AI-related fraud complaints with losses exceeding $893 million. Deloitte projects total AI fraud losses in the US could reach $40 billion annually by 2027. Four specific attack types are hitting businesses hardest right now.

Deepfake voice and video calls. A convincing voice clone can be created from as little as three seconds of audio — freely available from any recorded call, voicemail, social media video, or conference recording. Attackers use these clones to impersonate executives, vendors, or bank representatives and pressure employees into authorizing wire transfers, changing payroll accounts, or sharing login credentials. A UK energy company lost €220,000 in a single phone call that sounded exactly like their CEO. A Swiss entrepreneur transferred several million francs over a two-week series of calls, each one a deepfake, before the deception was discovered. In Singapore, a finance director joined what appeared to be a Zoom call with her leadership team and authorized a $499,000 transfer — every face and voice on that call was synthetic.

AI-crafted phishing. Generative AI now writes phishing emails that achieve click-through rates more than four times higher than human-written ones. These don't look like the obvious scams of a decade ago. They mirror your company's writing tone, reference real transaction numbers, use correct names and titles, and arrive from addresses one character off from a domain you recognize. They are designed to pass every gut check an employee might run in the first few seconds of reading.

Synthetic invoices and document fraud. AI can generate invoices, purchase orders, and financial documents that are indistinguishable from legitimate ones — including your vendor's logo, formatting, and payment routing numbers. Attackers intercept a legitimate vendor relationship, generate a matching invoice with a slightly different bank account, and collect payment before anyone notices the substitution. The first sign is often a vendor calling to ask why their invoice is overdue.

Payroll diversion fraud. An attacker impersonates an employee — using an AI-crafted email that matches their writing style — and requests a change to their direct deposit account. Payroll runs. The money hits an account the attacker controls. The real employee calls HR asking where their paycheck is. By then the window for bank recovery has often closed. This attack requires no deepfake technology, no special access, and no prior relationship with your business. It requires only one thing: a company small enough that HR processes changes without a phone verification step.

Why Smaller Businesses Are More Exposed

Large enterprises have IT security teams, multi-layer approval workflows, and dedicated fraud analysts. Small and mid-size businesses typically have none of those things. What they have instead is trust and familiarity among a small team — and that is exactly what these attacks exploit.

When the owner calls and says there is an urgent wire transfer that needs to happen before end of day, the person receiving that call does not want to be the one who delayed a deal. When an invoice arrives from a vendor you have paid twenty times before, you do not scrutinize the bank routing number. When the CFO appears on a video call and makes a direct request, you act on it.

That combination of familiarity, urgency, and authority is the attack surface. In a business where one or two people handle all financial decisions, there are very few checkpoints standing between a fraudulent request and a completed transfer.

The Controls That Actually Stop Most of It

The encouraging news is that most of these attacks are stopped by simple procedural controls, not expensive technology. The businesses that get hit are not the ones with unsophisticated employees. They are the ones without a few clear rules in place.

Dual approval on any wire transfer above a defined threshold. No single person should be able to authorize a wire transfer on their own, regardless of who requested it. Two people need to independently approve it. This one control eliminates the majority of successful CEO fraud attempts before they complete.

Out-of-band verification for any unscheduled payment request. If you receive a call, email, or message requesting a payment that was not already scheduled or expected, hang up and call back on a phone number you have on file — not the one that contacted you. Every time, without exception. This feels awkward at first. It becomes standard quickly. A legitimate requester will understand. A fraudster will push back, which tells you everything.

A pre-agreed passphrase for urgent financial requests. For businesses where leadership regularly requests payments by phone, establish a simple verification phrase known only to authorized individuals. Any request that does not include it gets verified through a separate channel before action is taken.

A mandatory hold on unscheduled transfers above a set amount. Urgency is the primary lever fraudsters use. Removing urgency as a valid reason to skip verification removes most of their leverage. A written policy requiring a minimum window — even 24 hours — before executing any unscheduled transfer above a threshold takes most of the pressure away from whoever is being asked to act quickly.
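The four controls above, written out as a payment-release check so the rules are explicit rather than a matter of judgement under pressure. This is an added example, not part of the article or any vendor's product; the thresholds, field names and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not figures from the article.
DUAL_APPROVAL_THRESHOLD = 10_000   # USD
HOLD_THRESHOLD = 25_000            # USD
HOLD_WINDOW = timedelta(hours=24)  # the article's "even 24 hours"


@dataclass
class PaymentRequest:
    amount: float
    requester: str                   # who asked for the payment
    received_at: datetime
    scheduled: bool = False          # was this payment already expected?
    by_phone: bool = False           # arrived as a voice or video request
    passphrase_ok: bool = False      # request carried the agreed phrase
    callback_verified: bool = False  # confirmed via a number already on file
    approvers: set = field(default_factory=set)


def release_blockers(req: PaymentRequest, now: datetime) -> list:
    """Return the controls still blocking release; an empty list means pay."""
    blockers = []
    # 1. Dual approval above the threshold; the requester cannot be one of the two.
    independent = req.approvers - {req.requester}
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(independent) < 2:
        blockers.append("dual approval")
    if not req.scheduled:
        # 2. Out-of-band callback for anything that was not already expected.
        if not req.callback_verified:
            blockers.append("out-of-band verification")
        # 3. A phone request without the passphrase is escalated, not acted on.
        if req.by_phone and not req.passphrase_ok:
            blockers.append("passphrase missing")
        # 4. Mandatory hold on large unscheduled transfers; urgency does not skip it.
        if req.amount > HOLD_THRESHOLD and now - req.received_at < HOLD_WINDOW:
            blockers.append("24h hold")
    return blockers


# Constructed sample: the deepfake-CFO pattern described in this article.
NOW = datetime(2025, 6, 2, 16, 30)
URGENT_CALL = PaymentRequest(250_000, "cfo", NOW - timedelta(minutes=5),
                             by_phone=True, approvers={"finance_clerk"})
# The same request after the four controls have actually been followed.
VERIFIED = PaymentRequest(250_000, "cfo", NOW - timedelta(hours=26),
                          by_phone=True, passphrase_ok=True, callback_verified=True,
                          approvers={"finance_clerk", "controller"})

print(release_blockers(URGENT_CALL, NOW))  # prints all four control names
print(release_blockers(VERIFIED, NOW))     # prints []
```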

Using AI to Fight Back

There is an appropriate irony in using AI tools to defend against AI-powered fraud, and several categories are worth considering.

Email filtering tools use AI to detect synthetically generated writing patterns, flag domain spoofing, and identify anomalies in sender behavior before an email reaches your team's inbox. If you use Microsoft 365, Microsoft Defender for Business starts at around $3 per user per month and adds a meaningful layer beyond basic spam filtering. Google Workspace includes phishing detection in its standard plans. Either way, also set up DMARC authentication on your domain: it is a free DNS record that tells receiving mail servers to reject messages that claim to come from your domain but fail authentication, and most small businesses have never published one.
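As an added example (not from the article or any vendor), a small checker for the DMARC TXT record mentioned above: it parses the record and flags the settings that leave spoofing of your domain unenforced or unreported. The two records and the reporting address are constructed.

```python
from typing import Dict, List

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def dmarc_weaknesses(txt: str) -> List[str]:
    """Return the settings that leave spoofing of your domain unenforced or unseen."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p")
    if policy not in _STRENGTH:
        issues.append("missing or invalid p= tag")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))      # default: apply policy to 100% of mail
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub = tags.get("sp")                   # subdomain policy, defaults to p=
    if sub and policy in _STRENGTH and _STRENGTH.get(sub, -1) < _STRENGTH[policy]:
        issues.append(f"sp={sub} is weaker than p={policy}; subdomains can be spoofed")
    if not tags.get("rua", "").startswith("mailto:"):
        issues.append("no rua= address: you will not see who is spoofing you")
    return issues

# Constructed records: a typical first attempt beside a hardened one.
WEAK = "v=DMARC1; p=none; pct=50"
HARDENED = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
            "rua=mailto:dmarc-reports@example.com")

for record in (WEAK, HARDENED):
    print(record, "->", dmarc_weaknesses(record) or ["no weaknesses found"])
```

Move from p=none to p=reject only after the rua reports show that your own mail sources pass SPF or DKIM, otherwise legitimate mail from your domain gets rejected too.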

Document verification services can detect when a PDF or invoice was generated or modified programmatically rather than produced by a legitimate accounting system. If your accounts payable process involves any volume of incoming invoices from outside vendors, this category is worth exploring. Tools like Vericheck and several AP automation platforms include this functionality at small-business price points.

Call authentication tools can flag whether an incoming voice call shows patterns consistent with synthetic audio. Hiya and Nomorobo both offer business-tier plans. More broadly, any modern VoIP platform — RingCentral, Nextiva, Zoom Phone — is starting to integrate AI-based call screening. If you have not reviewed your phone provider's security settings recently, now is a reasonable time to do so.

The broader principle: the same AI capabilities that make fraud easier also make detection possible. You do not need enterprise security infrastructure. You need to close the gaps where a single communication channel creates a single point of failure.

One More Layer: Cyber Insurance

Most small businesses have no cyber insurance, and many assume their general liability or business owner's policy covers fraud losses. It typically does not. A standalone cyber policy for a small business generally starts between $500 and $1,500 per year and can cover fraudulent transfer losses, notification costs, and incident response. Some policies also include access to a breach response team if something does happen.

Before purchasing, ask your broker two specific questions: does this policy cover social engineering fraud — attacks where an employee is tricked into authorizing a transfer — and what controls does the policy require you to maintain? Most cyber insurers now ask about dual-approval policies and out-of-band verification as part of underwriting. The four controls described in this article are exactly the kind of documentation that supports a claim and sometimes reduces your premium.

Building a Culture That Catches What Technology Misses

Controls only work if people use them. And people only use them consistently if they do not feel penalized for doing so.

Train every employee who touches financial processes on what these attacks look like. Make it specific and recent — show real examples, explain what made them convincing, and be honest that these attacks are designed to fool smart people. The goal is not to make people feel paranoid. It is to make the pause before acting feel normal rather than accusatory.

Create explicit permission to slow down. The message to your team has to be clear: if something feels wrong, you are authorized and expected to stop and verify — even if it delays a transaction, even if the request came from leadership, even if the person on the other end is frustrated. That permission has to come from the top and be repeated consistently.

"The easiest person to defraud is the one who is certain it cannot happen to them."

Frank Abagnale, Security Consultant and Former Con Artist

The businesses that get hurt are not the ones with careless employees. They are the ones where the culture rewards speed over verification and where asking questions feels like a career risk. One policy change and one honest conversation can close that gap faster than any technology purchase.

If You Have Already Been Hit

If a fraudulent transfer has already been authorized, speed matters more than anything else. Contact your bank within 24 hours — wire transfers can sometimes be recalled if the receiving bank has not yet released the funds, but that window closes fast. Do not wait to gather information first. Call immediately and explain that the transfer was fraudulent.

File a complaint with the FBI's Internet Crime Complaint Center at IC3.gov. This is required for the FBI to open an investigation and is often a prerequisite for insurance recovery. Your insurer will want the IC3 report number.

Preserve everything: the emails, call logs, invoices, and any communication related to the fraud. Do not delete, modify, or forward these records without guidance from your attorney or insurer. They are evidence.

Notify your insurance carrier the same day. Cyber policies typically have reporting windows, and a delayed notification can affect your ability to recover losses. If you do not have cyber insurance, this is the moment to understand what coverage you actually have under your existing business owner's or commercial general liability policy.

This Is Not About Becoming Paranoid

It is about recognizing that the fraud environment has changed in ways most small business owners have not accounted for yet. The controls that were adequate two years ago are no longer adequate. The attacks are more convincing, more targeted, and cheaper to execute at scale than at any point in history.

The businesses that come through this period with their assets intact will be the ones who took it seriously before something happened. A few clear policies, a brief team conversation, and a review of your payment approval workflows cost almost nothing. The alternative costs a great deal more.

Most Small Businesses Have at Least One Gap Here

The four controls in this article — dual approval, out-of-band verification, a passphrase, and a transfer hold — are straightforward to implement and cost nothing. But most business owners who read this are covered on one or two, not all four. A 30-minute review of your payment approval process is usually enough to find the gaps and close them before someone else does.
