Tags: AI security, Fraud, Leadership, AI risk

How to protect your firm when AI makes scams harder to spot

AI now writes clean phishing and clones familiar voices cheaply, so the old tells are gone. The one habit that protects a firm, and what to tell your staff.

Good Transformer · 6 min read

For years, the easiest way to catch a scam was to look for the seams. Clumsy grammar, a generic greeting, a web address that was almost right. Those signs have gone. AI now writes a clean, personal email in seconds and can clone a familiar voice from a few short clips, so the message asking your finance assistant to change a supplier's bank details, or the call that sounds like a director approving a payment, no longer carries the old tells. The single most useful thing a firm can do is stop trusting the request on its own merits. Confirm anything that moves money or sends sensitive data out of the firm through a second channel, on contact details you already hold, before acting. What follows is general guidance on a security risk, not legal advice.

What has actually changed

Two things shifted at once: the tools got better and they got cheaper. Launching a set of cyber tools in June, OpenAI said plainly that AI has changed the physics of cybersecurity, because models can now find and exploit software weaknesses faster than defenders can keep up. Anthropic, after mapping a year of misuse of its own models, found attackers using AI deeper inside an attack, and the share of higher-risk actors climbing from a third to more than half in twelve months, as AI let less-skilled people carry out techniques that used to need real expertise.

The effect is already in the numbers. UK Finance's 2026 fraud report records authorised push payment fraud, where someone is tricked into sending the money themselves, rising 19% to £576.4 million in a single year, with criminals using cloned voices, deepfakes and personalised messages to do it. The old habit of scanning a message for bad spelling no longer protects anyone, because the spelling is now perfect.

Why this lands hardest on professional-services firms

A firm that handles other people's money and confidential information is a natural target, because one convincing message can move a real sum or open a real file. A corporate finance team changes payment details in the middle of a live deal. An accountancy practice files on a client's behalf and holds access to their accounts. A recruitment firm verifies identities and runs payroll. A practice that sends settlement funds moves large amounts on written instruction. In each case the work depends on acting on instructions that arrive by email or phone, which is exactly the channel AI has made unreliable.

The people on the receiving end are usually junior, busy, and trained to be helpful and quick. That is the behaviour an attacker now counts on. A request that looks routine, written in a familiar style, referencing a real project or a real client, is far harder to question than the clumsy fakes of a few years ago.

The habit worth changing

The fix is not a product. It is a rule, applied without exception: any request to move money, change bank details, or release personal or confidential data is confirmed on a second channel before it happens, using contact details the firm already holds, not the ones in the message. If an email asks for a payment, someone rings the known number for that person or supplier and asks. If a call sounds like the managing director, the assistant calls back on the saved mobile. The aim is to break the loop where the same message both makes the request and supplies the way to confirm it.

Attackers rely on urgency to stop people doing this, so the rule has to be stronger than the pressure. No exception because a message says it is urgent, and no exception because it carries a senior name. The verification rule belongs in the same place as your other ground rules; if you have written a simple AI policy, this sits naturally inside it, and deciding which steps must always keep a human in the loop is the same judgement we cover in what not to delegate to AI.
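The rule above can be encoded as a gate in whatever system records payment, bank-detail and data-release requests, so that the check cannot be skipped under pressure. The following is an added example, not code from the article or from Good Transformer: it models a request, the verification a staff member records, and a directory of contacts the firm already holds, and it allows a high-risk request only when the call-back used a directory contact and the counterparty confirmed. Urgency and a senior name carry no weight. The dataclasses, the function names, the directory entries and the phone numbers (drawn from UK ranges reserved for fiction) are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional, Tuple

# Request kinds that must never proceed on the strength of the message alone.
HIGH_RISK_KINDS = frozenset({"payment", "bank_detail_change", "data_release"})


@dataclass(frozen=True)
class Request:
    request_id: str
    kind: str                            # "payment", "bank_detail_change", "data_release", or anything else
    counterparty: str                    # who the firm must confirm with (director, client, supplier)
    contacts_in_message: FrozenSet[str]  # numbers/addresses the message itself offers for "confirmation"
    urgent: bool = False                 # deliberately carries no weight in decide()
    senior_name: bool = False            # likewise


@dataclass(frozen=True)
class Verification:
    request_id: str
    contact_used: str                    # the number or address the staff member actually rang or wrote to
    confirmed: bool                      # did the counterparty confirm the request on that channel?


Directory = Mapping[str, FrozenSet[str]]  # counterparty -> contacts the firm already holds


def decide(req: Request, ver: Optional[Verification], directory: Directory) -> Tuple[bool, str]:
    """Apply the rule: a high-risk request proceeds only after a second-channel
    confirmation on a contact the firm already held. Returns (allowed, reason)."""
    if req.kind not in HIGH_RISK_KINDS:
        return True, "not a high-risk request; no second channel required"
    if ver is None or ver.request_id != req.request_id:
        return False, "no second-channel verification recorded for this request"
    known = directory.get(req.counterparty, frozenset())
    if ver.contact_used not in known:
        # The loop is not broken if the "confirmation" went to details the message supplied.
        if ver.contact_used in req.contacts_in_message:
            return False, "verification used a contact supplied by the message itself"
        return False, "verification used a contact the firm did not already hold"
    if not ver.confirmed:
        return False, "counterparty did not confirm on the second channel"
    return True, "confirmed on a second channel using known contact details"


# Constructed sample directory: contacts held independently of any incoming message.
SAMPLE_DIRECTORY: Directory = {
    "Managing Director": frozenset({"+44 7700 900123"}),
    "Acme Supplies Ltd": frozenset({"+44 20 7946 0321", "accounts@acme.example"}),
}


def run_scenarios(directory: Directory = SAMPLE_DIRECTORY) -> dict:
    """Walk constructed cases through decide(); returns scenario name -> (allowed, reason)."""
    urgent_payment = Request("R1", "payment", "Managing Director",
                             contacts_in_message=frozenset({"+44 7700 900999"}),
                             urgent=True, senior_name=True)
    detail_change = Request("R2", "bank_detail_change", "Acme Supplies Ltd",
                            contacts_in_message=frozenset({"newaccounts@acme-supplies.example"}))
    diary = Request("R3", "meeting", "Managing Director", contacts_in_message=frozenset())

    return {
        # Staff rang the "new mobile" the email offered: blocked, urgency notwithstanding.
        "rang number from message": decide(
            urgent_payment, Verification("R1", "+44 7700 900999", confirmed=True), directory),
        # Staff rang the saved mobile and the director confirmed: allowed.
        "rang saved mobile": decide(
            urgent_payment, Verification("R1", "+44 7700 900123", confirmed=True), directory),
        # Staff rang the saved mobile and the director said it was not them: blocked.
        "saved mobile, denied": decide(
            urgent_payment, Verification("R1", "+44 7700 900123", confirmed=False), directory),
        # Supplier detail change with no call-back at all: blocked.
        "no verification": decide(detail_change, None, directory),
        # Supplier confirmed at the address already on file: allowed.
        "supplier confirmed on file": decide(
            detail_change, Verification("R2", "accounts@acme.example", confirmed=True), directory),
        # A diary request moves no money and no data: no second channel needed.
        "meeting request": decide(diary, None, directory),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{'ALLOW' if allowed else 'BLOCK'} {name}: {reason}")
```

The point of the design is that `decide()` never reads `urgent` or `senior_name`, so there is no code path through which a message's own claims can lower the bar, and a contact that is only in the message is rejected even when the counterparty on that line "confirms".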

What to tell your staff

Most security training still teaches people to look for mistakes. That advice is now actively misleading, because a clean, well-written message is no longer a sign of safety. Tell staff three things plainly. A perfect email proves nothing. A familiar voice on the phone can be faked, and a credible clone of a known executive costs an attacker very little. And urgency is the warning sign to watch for, not a reason to skip a check.

Then give them explicit permission to slow down and verify a request from anyone, including the most senior person in the firm, without fear of looking awkward or slow. Much of the success of these scams comes from a junior person not wanting to challenge an apparent instruction from the top. A team that knows a call-back is expected, and welcomed, is much harder to rush into a mistake.

Who carries the loss

It is worth being clear-eyed about the money. The UK's mandatory reimbursement rules, in force since late 2024, mean banks now refund most victims of this kind of fraud, and they reimbursed £354.3 million last year, around 61% of these losses. That protection is aimed mainly at individuals, charities and the smallest businesses, and it is capped. A professional-services firm above that size that authorises a payment on a faked instruction may simply bear the loss, and having moved a client's money to a criminal carries a reputational cost of its own. Where the detail matters to your firm, check your position with your bank and take proper advice. The safe working assumption is that prevention, not reimbursement, is the protection you control.

Are AI-enabled scams really different from old phishing?

Yes, in two practical ways. The messages no longer carry the mistakes that used to give them away, and the channels have widened to include convincing voice and even video. The intent is the same as it has always been, to get someone to move money or hand over access, but the signals people were taught to rely on no longer work.

What is the single most useful thing a small firm can do?

Adopt one rule and apply it without exception: confirm any request to move money or release sensitive data through a second channel, using contact details you already hold, before acting. Almost every successful attack of this kind depends on the target acting on a single message, so a mandatory second check is what breaks it.

Can we still tell a real message from a fake?

Not reliably by reading or listening to it, which is the whole point. A well-written email or a familiar-sounding call is no longer evidence that a request is genuine. The dependable test is no longer how the request looks or sounds. It is whether you have confirmed it independently, through a route the sender did not provide.

Where to start

AI has made the tools of fraud cheap and the old defences close to useless, but the response is unglamorous and well within reach. It is one firm-wide habit, taught well and kept up. If you want help working out where AI changes the risks your team carries, and how to build sensible habits around it, that is the work we do in AI lessons for leaders. A single session on your firm's real exposure is a good place to start, and you can book a discovery call to talk it through.
