AI-Powered Scams: Deepfake Voice and Email Attacks on Canadian Businesses
For years, the advice for spotting scams was “watch for bad grammar and weird phrasing.” That advice is now dangerously out of date. Attackers have AI too — and they’re using it to write flawless emails, clone voices, and impersonate people convincingly enough to fool careful employees. Here’s what’s changed and how to defend against it.
What AI changed for attackers
AI didn’t invent new attacks; it made the old ones far more effective and scalable:
- Phishing emails are now polished. Generative AI produces clean, on-brand, grammatically perfect messages in any language — instantly. The typos that used to give scams away are gone.
- Voice cloning is cheap. With a short sample of someone’s voice (often scraped from a webinar, podcast, or social video), attackers can generate realistic audio of that person saying whatever they want.
- Personalization is automated. AI can scrape LinkedIn and company sites to tailor a message to a specific person’s role, projects, and colleagues — at scale.
- Deepfake video is emerging in real-time meetings, where a “colleague” or “executive” appears on a call to authorize something.
The attacks Canadian businesses are seeing
AI-enhanced business email compromise. The classic BEC scam — an email impersonating an executive or supplier requesting a payment or banking change — now arrives flawlessly written and well-researched, making it much harder to dismiss.
Voice phishing (“vishing”) with cloned voices. An employee gets a call that sounds exactly like the CEO or CFO, creating urgency to approve a wire transfer or share credentials. The familiar voice short-circuits suspicion.
Fake “IT support” calls. Attackers impersonate your help desk or a vendor, using AI-generated voices and scraped details to talk staff into resetting MFA or installing remote-access tools.
Why this is so dangerous
These attacks defeat the human instincts we’ve trained people to rely on. We taught staff to trust a familiar voice and to relax when an email “looks professional.” AI weaponizes exactly those signals. You can no longer authenticate a request based on how convincing it sounds or reads.
How to defend against AI-powered scams
The good news: the defences are process-based, and they work regardless of how convincing the impersonation is.
- Verify out of band. Any request to move money, change banking details, or reset access must be confirmed through a separate, known channel — call the person back on their saved number, not the one in the message. Make this a hard rule, not a judgment call.
- Use callback rules for payments. Require dual approval and a verified callback for wire transfers and vendor banking changes, with no exceptions for “urgent” requests from “the boss.” Urgency is the tell.
- Establish a verification word or process for sensitive verbal requests, so a cloned voice alone isn’t enough.
- Update your awareness training. Retire the “look for typos” advice. Train staff that a perfect email or a familiar voice proves nothing, and that verification is expected — never punished. See what to do when an employee clicks.
- Lock down the fundamentals. MFA (phishing-resistant where possible), least privilege, and monitoring limit the damage when someone is fooled.
- Reduce your voice/data footprint where practical, and assume executives’ voices are clonable.
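The callback and dual-approval rules above can be turned into a small, enforceable gate rather than left as guidance. The following is an added example written for this page, not code from the original article: a Python approval check for wire transfers and vendor banking changes that requires two distinct approvers, an out-of-band callback to the number on file (never the number supplied in the message itself), a confirmed result from that callback, and no shortcut for "urgent" requests. The directory of record, contact names, phone numbers and the sample request are all constructed placeholders.

```python
"""Added example (not from the original article): an approval gate that
encodes the out-of-band verification rules for payment requests.
All names, phone numbers and requests here are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional

# Directory of record: the ONLY source of callback numbers.
# Numbers here are constructed placeholders, not real contacts.
KNOWN_CONTACTS = {
    "acme-supplies": "+1-613-555-0101",   # hypothetical vendor
    "cfo": "+1-416-555-0199",             # hypothetical executive
}

ALLOWED_KINDS = ("wire", "banking_change")


@dataclass
class PaymentRequest:
    request_id: str
    kind: str                      # "wire" or "banking_change"
    counterparty: str              # key into KNOWN_CONTACTS
    amount_cad: float
    urgent: bool = False           # urgency is recorded, never honoured
    contact_in_message: str = ""   # phone number the message itself offered
    approvers: set = field(default_factory=set)
    callback_to: Optional[str] = None   # number actually dialled
    callback_confirmed: bool = False    # did the counterparty confirm?


def record_callback(req: PaymentRequest, dialled: str, confirmed: bool) -> None:
    """Log which number was dialled and whether the request was confirmed."""
    req.callback_to = dialled
    req.callback_confirmed = confirmed


def evaluate(req: PaymentRequest):
    """Return (approved, blocking_reasons, review_flags).

    Every failed rule is reported, so reviewers see the whole picture
    instead of fixing one problem at a time.
    """
    reasons, flags = [], []
    if req.kind not in ALLOWED_KINDS:
        reasons.append("unknown request type")
    if len(req.approvers) < 2:
        reasons.append("dual approval required")

    on_file = KNOWN_CONTACTS.get(req.counterparty)
    if on_file is None:
        reasons.append("counterparty not in directory of record")

    if req.callback_to is None:
        reasons.append("no out-of-band callback performed")
    else:
        if on_file is not None and req.callback_to != on_file:
            reasons.append("callback must use number on file")
        if req.contact_in_message and req.callback_to == req.contact_in_message:
            reasons.append("callback used number supplied in message")
        if not req.callback_confirmed:
            reasons.append("counterparty did not confirm")

    # Urgency never shortens the process; it is flagged because it is a tell.
    if req.urgent:
        flags.append("urgent request: apply full process, no exceptions")

    return (len(reasons) == 0, reasons, flags)


def demo():
    """Walk one constructed request through a wrong and a right callback."""
    req = PaymentRequest(
        request_id="R-0001", kind="banking_change", counterparty="acme-supplies",
        amount_cad=48250.00, urgent=True,
        contact_in_message="+1-905-555-0142",   # number offered by the message
    )
    req.approvers.update({"alice", "bob"})

    # Wrong: calling back the number the message provided.
    record_callback(req, "+1-905-555-0142", confirmed=True)
    first = evaluate(req)

    # Right: calling the number on file, which confirms the change.
    record_callback(req, KNOWN_CONTACTS["acme-supplies"], confirmed=True)
    second = evaluate(req)
    return first, second


if __name__ == "__main__":
    for ok, reasons, flags in demo():
        print("approved" if ok else "blocked", reasons, flags)
```

The key design choice is that the callback number is compared against a directory the requester cannot influence; a message that says "confirm with me on this number" fails two checks at once, and the urgent flag only adds a review note rather than relaxing anything.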
The bottom line
AI hasn’t broken cybersecurity — it’s broken our old detection heuristics. The defence is to stop trusting appearances and start trusting verified processes. Build “verify through a second channel” into how your business handles money and access, and an attacker’s perfect deepfake runs straight into a wall it can’t talk its way past.