Blog

Archives
Categories

AI Deepfake Scams Are Targeting Your Accounts Payable Team

AI Deepfake Scams Are Targeting Your Accounts Payable Team

A finance employee at a Hong Kong company joined what appeared to be a routine video conference with the CFO and several colleagues. During the call, they received instructions to transfer company funds. 

Everything looked legitimate. 

The problem? Every person on the video call was an AI-generated deepfake. 

The employee transferred approximately $25.6 million to accounts controlled by criminals. 

While that case grabbed headlines, the version affecting small and mid-sized businesses happens every day—and it doesn’t require millions of dollars to be devastating. 

The Evolution of Business Email Compromise (BEC)

For years, cybersecurity training focused on spotting suspicious emails. 

Employees learned to look for: 

  • Misspelled domain names 
  • Poor grammar 
  • Suspicious links 
  • Unusual requests 

Attackers adapted. 

According to the FBI’s latest Internet Crime Report, Business Email Compromise (BEC) scams caused more than $3 billion in losses, making them one of the most financially damaging cybercrimes reported. The report also separated AI-enabled scams into their own category for the first time, documenting over 22,000 complaints and nearly $893 million in losses. 

The threat isn’t slowing down. It’s becoming more convincing. 

How AI Deepfake Fraud Works 

Most AI-powered financial fraud doesn’t involve hacking a network or exploiting software vulnerabilities. 

Instead, attackers focus on something easier: impersonation. 

Criminals pose as: 

  • Company owners 
  • CEOs and CFOs 
  • Vendors and suppliers 
  • Managers and department heads 
  • Trusted coworkers 

The goal is simple: convince someone to send money or change banking information before questions are asked. 

What makes today’s attacks different is that the impersonation no longer stops at email. 

Now it includes: 

  • AI-generated voice calls 
  • Deepfake video meetings 
  • Real-time voice cloning 
  • Synthetic audio messages 

A few seconds of publicly available audio—from a podcast, webinar, conference presentation, YouTube video, or social media post—is often enough to create a convincing voice clone. 

Why Accounts Payable Teams Are Prime Targets 

Accounts payable departments sit directly in the path of company cash flow. 

They process invoices, manage vendor payments, and work under constant pressure to keep business moving. 

Attackers understand this. 

When a request appears to come directly from an owner, executive, or trusted vendor—and includes urgency—the natural instinct is to help quickly and avoid becoming a bottleneck. 

That urgency is exactly what fraudsters exploit. 

The attack isn’t targeting technology. 

It’s targeting process. 

You Can’t Train Your Way Out of Deepfake Fraud 

Many organizations respond by increasing employee awareness training. 

Training still matters, but it is no longer enough on its own. 

The reality is that AI-generated voices and videos are becoming increasingly difficult to distinguish from legitimate communications. Eventually, even experienced employees will struggle to tell the difference. 

The strongest defense is not better detection. 

The strongest defense is a process that works even when everyone believes the request is real. 

Three Controls That Stop Most Payment Fraud Attempts 

  1. Verify Requests Using a Known Phone Number

Any request involving: 

  • Wire transfers 
  • ACH payments 
  • Bank account changes 
  • Vendor payment updates 

should require a callback to a trusted number already stored in company records. 

Never use a phone number provided in the email, text, voicemail, or request itself. 

  1. Use an Independent Verification Channel

Verification should happen through a separate communication method. 

For example: 

  • A payment request received by email should be verified by phone. 
  • A phone request should be verified through a separate communication channel. 
  • A video meeting instruction should still require independent confirmation. 

The goal is to avoid relying on a potentially compromised or impersonated communication channel. 

  1. Require Dual Approval for High-Dollar Transactions

Establish a dollar threshold that triggers mandatory secondary approval. 

No single employee should be able to: 

  • Approve large wire transfers 
  • Change vendor banking information 
  • Authorize unusual payments 

without a second reviewer involved. 

This simple control prevents many fraud attempts from succeeding. 

Fraud Prevention Doesn’t Have to Be Complicated 

The technology behind AI-powered scams is advancing rapidly. 

The controls that stop them are remarkably simple. 

Verification procedures, dual approvals, and documented payment workflows aren’t new cybersecurity innovations—they’re operational discipline. 

Consistency matters more than complexity. 

Could a Single Request Move Money Out of Your Business Today? 

If your payment approval process still relies on phrases like: 

  • “It sounded like the owner.” 
  • “The CFO asked me directly.” 
  • “The request looked legitimate.” 

then it’s worth reviewing your controls before attackers test them for you. 

A payment fraud assessment can quickly identify where a convincing email, phone call, or video meeting could bypass existing safeguards and put company funds at risk. 

Schedule a security scan today: Contact Us