Cybersecurity awareness for small and mid-sized businesses, from IT Master Services.
For years, the advice for spotting a phishing email was simple: look for bad grammar, awkward phrasing, and generic greetings. That advice is now dangerously out of date. Artificial intelligence has handed attackers a set of tools that make their scams cheaper, faster, and far more convincing — flawless writing, personalized detail, cloned voices, and even live video of people who were never on the call.
The uncomfortable truth is that the "tells" most employees were trained to look for have largely disappeared. In 2024, a finance employee at a global engineering firm was tricked into transferring roughly US$25 million after joining a video call where every other "colleague," including the company's CFO, was an AI-generated deepfake. No malware. No stolen password. Just a convincing performance.
The core shift: attackers no longer need to break your technology. With AI, they can impersonate the people your staff trust — and trick your team into doing the damage for them.
How AI Has Changed Phishing
Traditional phishing relied on volume: send a million clumsy emails and hope a few people bite. AI changes the economics entirely. A single attacker can now generate thousands of unique, well-written, personalized messages — and follow up in real time when someone replies. Here is what is different:
- Perfect language. Generative AI writes in fluent, professional English (or any language), erasing the spelling and grammar mistakes that used to give scams away.
- Deep personalization. Attackers scrape LinkedIn, your website, and social media to reference real projects, coworkers, and vendors — making messages feel legitimate.
- Cloned voices. A few seconds of audio (from a voicemail, webinar, or social post) is enough to clone someone's voice for a fake "urgent" phone call.
- Live deepfake video. Attackers can now impersonate a specific person on a video call convincingly enough to authorize payments or share credentials.
The Four Threats to Know
| Threat | How It Works | Typical Goal |
| --- | --- | --- |
| AI-written phishing email | Flawless, personalized emails that mimic a real vendor, executive, or Microsoft 365 notice. | Steal login credentials or trick a click on a malicious link. |
| Voice cloning (vishing) | A cloned voice calls an employee, posing as "the boss" or "the bank", with an urgent request. | Rush a wire transfer, gift-card purchase, or password reset. |
| Deepfake video | A fake executive appears on a video call to "approve" an urgent, confidential transaction. | Authorize large fraudulent payments (CEO/CFO fraud). |
| QR-code phishing (quishing) | A QR code in an email or printout leads to a fake login page. Because the URL sits inside an image and is usually scanned with a personal phone, it slips past link filters on the mail gateway and the company endpoint. | Capture credentials and multi-factor codes. |
Why Small Businesses Are Prime Targets
It is a myth that attackers only chase large enterprises. Small and mid-sized businesses are attractive precisely because they often have real money moving, fewer verification controls, and leaner security teams. A 40-person company that wires payments to vendors is an ideal target for business email compromise — and AI lets one attacker run many of these scams at once. The tools that used to require a skilled operator are now available to anyone.
Red Flags in the AI Era
Because the old spelling-and-grammar tells are gone, awareness now centers on behavior and context rather than polish. Teach your team to pause when they see:
- Urgency and secrecy. "I need this done now, and please don't discuss it with anyone." Manufactured pressure is the single most reliable sign of fraud.
- A change to payment details. Any request to update bank or wire information — even from a known vendor — must be verified out of band.
- An unusual channel or request. The CEO texting your personal phone, or a supplier asking for gift cards, is out of pattern.
- Pressure to bypass normal process. "Skip the usual approval, just this once."
- Requests that discourage a call-back. Legitimate people are happy to be verified; scammers invent reasons you cannot reach them.
The one habit that stops most of these scams
Adopt a verify-out-of-band rule for anything involving money or credentials: independently call the person back on a number you already hold from your directory or a previous invoice, never the number in the message or its signature block, before acting. A simple agreed-upon code word for payment approvals defeats even a convincing deepfake, because the attacker doesn't know it. Agree the code word in person or by phone and never write it in email or chat; if the attacker already has access to a mailbox, anything stored there is theirs too.
How to Defend Your Business: People and Technology
There is no single product that stops AI-driven social engineering. Effective defense layers trained people on top of strong technical controls.
Train your people
Your team is both the target and your best sensor. Ongoing Security Awareness Training — with realistic, modern phishing simulations — keeps verification habits sharp as the threats evolve. One-time training is not enough when the tactics change monthly.
Harden your Microsoft 365 environment
- Phishing-resistant multi-factor authentication. MFA remains essential, but not all MFA is equal: one-time codes and push approvals can be relayed in real time by an adversary-in-the-middle phishing page, so the attacker still walks away with a signed-in session. Phishing-resistant methods (passkeys, FIDO2 security keys, Windows Hello for Business) bind the credential to the genuine sign-in domain, so a fake login page gets nothing it can reuse.
- Conditional Access. Restrict sign-ins by device, location, and risk so a stolen password alone is not enough: require a compliant or domain-joined device, block legacy authentication protocols that cannot perform MFA at all, and require phishing-resistant MFA for administrators and for anyone who approves payments.
- Email authentication (SPF, DKIM, and DMARC). Properly configured, these make it far harder for attackers to spoof your exact domain, both toward your own staff and toward your customers. Two caveats: DMARC only blocks anything once its policy is p=quarantine or p=reject (p=none merely reports), and none of the three stops a lookalike domain with one letter changed or a hyphen added, which is why the process controls below still matter.
- Advanced email filtering. Modern anti-phishing that inspects links, attachments, and QR codes catches a large share of attempts before they reach an inbox.
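A quick way to check whether the SPF and DMARC bullets above are actually done, rather than just published, is to audit the records for the weak settings that still leave a domain spoofable. The script below is an added example for this article, not a tool from IT Master Services; the DNS records and the domains weak.example, strong.example and nodmarc.example are constructed samples, and in a real audit you would fetch the TXT records from DNS (for example with `dig +short TXT _dmarc.yourdomain.com`) and feed them in. It goes slightly beyond the bullet by also counting SPF DNS lookups, since a record over the limit of ten fails outright.

```python
"""Audit SPF and DMARC records for the weak settings that leave a domain spoofable.
Added example for this article, not a tool from IT Master Services. The records
are constructed samples for made-up domains; a real audit would fetch them with
`dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`."""

# Constructed sample records (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
    "nodmarc.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,  # no _dmarc TXT record published at all
    },
}

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation,
# and a record over the limit is a permerror, which is as good as no SPF.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record):
    """Problems with an SPF record, as readable strings (empty list = fine)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record, so any server may claim to send for this domain"]
    terms = record.split()
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every sender on the internet; use '-all'")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral and tells receivers nothing; use '-all'")
    elif last == "~all":
        findings.append("SPF: '~all' is softfail; fine during rollout, move to '-all' once DMARC is at p=reject")
    elif last != "-all":
        findings.append("SPF: no terminal 'all' mechanism, so unlisted senders are treated as neutral")
    lookups = 0
    for term in terms[1:]:
        # drop the qualifier (+ - ~ ?) and any argument after ':' '=' or '/'
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10; the record will permerror")
    return findings


def dmarc_findings(record):
    """Problems with the DMARC record published at _dmarc.<domain>."""
    if not record:
        return ["DMARC: no _dmarc record, so receivers are never told to reject spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1 and will be ignored"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only reports; spoofed mail is still delivered. Move to p=quarantine, then p=reject")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofs to junk; p=reject blocks them outright")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag, so the record is not valid")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports showing who is spoofing you")
    return findings


def audit_domain(records):
    """Combine SPF and DMARC findings; an empty list means the domain is hardened."""
    return spf_findings(records.get("spf")) + dmarc_findings(records.get("dmarc"))


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        findings = audit_domain(records)
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{domain}: {status}")
        for finding in findings:
            print("  -", finding)
```

Run as-is, the weak domain is flagged for softfail SPF and a monitor-only DMARC policy, the domain with no DMARC record is flagged for a wide-open SPF and the missing record, and only the hardened domain comes back clean. The checks deliberately stop at syntax and policy; whether DKIM is signing correctly can only be confirmed by inspecting the headers of a message the domain actually sent.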
Put verification into your processes
- Require dual approval for wire transfers and any change to vendor payment details.
- Establish the call-back and code-word rules above — and make it culturally acceptable to slow down and verify.
- Limit the amount of executive audio and video posted publicly where you can; recordings are the raw material for voice and video clones. Where that is not practical (most executives speak in public), assume the voice can already be cloned and lean on the verification rules instead.
Best Practices Checklist
- Verify money and credential requests out of band, every time.
- Turn on phishing-resistant MFA and Conditional Access across Microsoft 365.
- Configure SPF, DKIM, and DMARC, with the DMARC policy at p=reject, so your domain can't be easily spoofed.
- Run continuous security awareness training with realistic simulations.
- Require dual approval for payments and vendor banking changes.
- Have an incident response plan — know who to call the moment something feels wrong.
Final Thoughts
AI has not invented a new kind of crime — it has supercharged an old one. Phishing, wire fraud, and impersonation are decades old; what's new is how cheap and convincing they've become. The defense hasn't fundamentally changed either: trained people, strong identity controls, and a culture where it is always okay to stop and verify.
When technology can convincingly fake a face and a voice, verification — not appearances — is what keeps your business safe.
Worried your team could be fooled by a modern scam? IT Master Services can assess your exposure, harden your Microsoft 365 tenant, and train your staff. Explore our Managed IT Services and Microsoft 365 Services, or read our comprehensive guide to cyber attacks.