A finance employee joined a video call with what appeared to be the company’s CFO and several colleagues. Everyone looked right, sounded right, acted right. She approved a series of wire transfers. When it was over, $25 million was gone. Every person on that call was an AI-generated deepfake.
That happened at a multinational firm. But the same technology is now being used against businesses with 20 employees.
Here’s why it works especially well for small businesses. At a large company, a wire transfer goes through multiple approvals. At most small businesses, one person gets a call from the boss and moves the money. That’s not carelessness, that’s how small teams operate. Attackers know it.
Voice cloning now requires as little as three seconds of audio. Your voicemail greeting is enough. So is a clip from a podcast, a video on your website, or a recording from a Zoom call. Once they have it, they can make that voice say anything. The tools to do it cost under $20 on the dark web.
About 40% of business email compromise attacks now incorporate AI-generated voice or video. The FBI created an entirely new fraud reporting category for it in 2025. An estimated 80% of companies have no protocols in place to catch it.
The defense isn’t complicated, but it has to be deliberate. Any request to transfer money, change banking information, or share credentials, regardless of who appears to be making the request, requires a second verification through a separate, known channel. A callback to a number already in your phone. A quick text to confirm. A code word that your team agrees on in advance.
That’s a process problem, not a technology problem. And it’s fixable.
The first step is knowing whether your business has the exposure that makes these attacks easy. A Cyber Liability Scan shows you what attackers can find about your business before they call.
