Understanding the Rising Risks of AI-Driven Impersonation in Business Transactions
In my 25 years working in IT and cybersecurity, I’ve helped businesses of all sizes protect themselves against evolving threats. But recently, something new has emerged that poses a risk to every organization, from small local businesses to large enterprises: AI-powered impersonation scams.
Let me share a story that illustrates why this matters to your business. Recently, a mid-sized manufacturing company almost lost $250,000 when their accounting team received what seemed to be a legitimate call from their CEO. The caller ID matched, and the voice was identical to the CEO’s. Fortunately, their simple but effective verification policy prevented the fraud.
Why this threat is different — and getting worse

Most of us can spot a sloppy phishing email or a robocall with awkward grammar. Artificial intelligence (AI) changed that baseline. With only a few minutes of publicly available audio, pulled from conference talks, podcasts, town halls, or social media, criminals can now clone a person’s voice so well that even family members and long-time colleagues hesitate. Add a convincing on-camera deepfake inside a Zoom or Teams call, and the old “tells” evaporate. The attack no longer looks like crime; it looks like work.
Over the past year the world has seen exactly how far this can go. A high-profile case involving the engineering firm Arup showed a finance employee in its Hong Kong office being socially engineered over a multi-participant video call. On screen were “senior colleagues” authorizing urgent transfers. In reality, the faces and voices were synthetic. The result: roughly US$25 million moved out in a series of transactions—one of the largest known deepfake-enabled payment frauds to date. Arup later confirmed the incident and kept operations steady, but the loss and subsequent leadership fallout in the region underline how credible these fakes have become.
Canadian authorities have been equally direct about the trajectory. In June 2025, the Canadian Anti-Fraud Centre (CAFC) and the Canadian Centre for Cyber Security (CCCS) issued a joint advisory warning that AI-generated voice and text are actively being used to impersonate senior government officials and corporate leaders, push urgent transfers, and lure targets into malware. If you’re a Canadian SMB that handles wire payments or changes vendor banking instructions, this is not a theoretical risk—it’s here, and it’s proliferating.
Meanwhile, the FBI’s Internet Crime Complaint Center (IC3) continues to track the broader ecosystem of Business Email Compromise (BEC), the scam family that these AI impersonations reinforce. IC3’s public service announcement in September 2024 reported US$55 billion in exposed losses (2013–2023). In its 2024 annual report, the FBI noted reported internet-crime losses exceeding US$16 billion for the year, with BEC remaining a persistent, costly threat. AI-driven voice and video simply supercharge a criminal model that already worked.
What’s changed since last year
Multi-participant deepfakes are now operational. We’re past one-to-one phone spoofs. Attackers can stage an entire “meeting” with multiple believable faces and voices. That was the Arup employee’s reality: a familiar CFO and colleagues, synchronized urgency, and step-by-step instruction, none of them genuine.
Caller-ID authentication helps, but only in certain lanes. Canada’s telecom regulator (CRTC) continues to push STIR/SHAKEN caller-ID authentication and traceback. It improves trust across IP-based phone networks and makes spoofing harder to pull off at scale. But it doesn’t cover every channel Canadians use (think in-app calls, OTT messaging, and many collaboration tools), and it can’t tell you that the voice you’re hearing belongs to the real CFO. Treat caller ID as a hint, not proof.
Official guidance emphasizes process, not magic tools. Across Canada and our allies, the message is consistent: the single most effective defence is an iron-clad verification process for money movement. Technology assists, but governance stops the wire.
Detection tools are emerging—but they’re not decisive. Some conferencing and security vendors now market “real-time deepfake detection” features. These can be useful tripwires, but they are not a green light to approve payments. The safest posture is to run them and assume they can fail. Process remains king. (Industry summaries and advisories reinforce that stance.)
How these attacks really unfold in 2025
The attackers don’t begin with code; they begin with context. They mine public posts to map your org chart. They learn who approves wires, who updates vendor records, who runs last-mile logistics. They capture audio of executives from webinars, keynotes, or that heartfelt LinkedIn video. With modern models, even a short sample is enough to produce a voice that’s “close enough” to evoke trust.
Then they craft a moment:
- It’s late Friday or end-of-month, when teams are tired and eager to clear the decks.
- There’s plausible urgency: a vendor cutoff, a tax remittance, a shipment stuck in customs, a closing window on a deal.
- There’s secrecy: “We’re under NDA; keep this tight.” “Don’t loop in the usual approvers—board sensitivity.”
- There’s staging: a warm-up text “from the CEO,” then a phone call, then a legitimate-looking calendar invite with a real meeting link.
- There’s pressure: “We’ll lose this if it’s not done in the next 20 minutes.”
At that point, technology rides shotgun to psychology. People want to help. People want to be responsive to leaders. People don’t want to be the reason a deal dies. If your controls rely on “common sense” in a high-pressure moment, you’ve already lost.
What actually works (and works for SMBs)
I’ve helped organizations of every size implement controls for this exact threat. The countermeasures are surprisingly human. They require clarity, repetition, and leadership support—more than budget.

The call-back rule. If a request for money movement arrives by any inbound channel—call, text, chat, email, or video—the recipient ends that interaction and calls back using a known, verified number they look up themselves in the company directory or password vault. They do not call numbers read to them. They do not click phone links in chat. They do not accept “new direct lines.” This single step defeats the vast majority of AI-assisted impersonations, because it moves the decision to a channel the attacker doesn’t control.
The two-channel rule. Receive in one channel; verify in a second channel you initiate. If the request arrives by video, verify by phone. If it arrives by email, verify by phone or in person. For distributed teams, add a simple rolling passphrase known only to a small group that changes weekly; if the caller can’t produce it, the request dies there. Canadian federal guidance has explicitly called out the value of independent verification rituals for voice-driven scams.
Tiered approvals and cool-downs. Small invoices shouldn’t drown in bureaucracy. But larger wires deserve friction. Set thresholds that require additional sign-offs. Add a next-business-day release window for high-value transfers initiated after 2 p.m. (especially on Fridays). Fraud preys on clocks; you can remove the artificial deadline.
Bank-side tripwires. Work with your bank to enable callbacks for large wires, beneficiary-change alerts, positive-pay for cheques, and notifications for first-time payees or foreign accounts. These are not substitutes for your own process; they’re layered safety nets.
Caller-ID reality checks. Keep STIR/SHAKEN and traceback efforts in perspective. They are improving the ecosystem and making spam and spoofing more expensive for criminals, especially on IP-based calls. They do not validate the human being behind a cloned voice, and they do not apply across many app-to-app calling platforms. Always verify out-of-band.
Detection as a signal, not a stamp. If your conferencing stack offers deepfake-detection features, turn them on. If you can flag suspicious video artefacts or manipulated audio, do it. But never treat a “clean” detector reading as permission to skip verification. The tools are getting better; the adversaries are too.
What this looks like in the real world
I’ve watched the pattern repeat across industries. A fraudster scrapes a CEO’s keynote from a trade show and a podcast interview from two years ago. They harvest names from a press release and stitch together a ten-minute live deepfake that looks good enough on a laptop screen. Then they target the most helpful person in your finance workflow, the coordinator who prides themself on being responsive.
Here is the simple rhythm I’ve seen work again and again:
- The request comes in—email, call, or video—and it sounds exactly like your boss.
- Your staff member immediately moves to the written process: end the inbound channel, initiate a callback on the published number, and note the time and person they spoke with.
- If the dollar figure is above a threshold, they add a second approver.
- If the payee is new or bank details changed, they initiate a new supplier verification workflow and apply a 24-hour hold.
- If it’s 4:45 p.m. Friday and someone is pushing a deadline, they politely explain that, per policy, the next business day is the release window.
That rhythm saves money. It also protects culture. It tells your team, “We don’t reward speed over control. We reward people who follow the process.”
I’ve advised businesses where a single Friday callback—sixty seconds of discipline—prevented six-figure losses. The employee didn’t need a law degree or a forensic toolkit. They needed a short policy and permission from leadership to follow it every time.
Making it stick inside your company
Write a policy people will actually read. Two pages. Page one: purpose and scope, in plain English. Page two: the flow. “If inbound request → callback using known number. If over $X → two approvals. If new/changed bank details → supplier re-verification and 24-hour hold. If initiated after 2 p.m. Friday → next business day release.” Don’t bury it in a 40-page manual.
Practice the Friday at 4:45 p.m. scenario. Once per quarter, spend 15 minutes running the “urgent wire” tabletop with your finance team. Stage the fake CEO text, the meeting link, the “can you do me a favour?” opener. Debrief what made people hesitate. Normalize the phrase: “I’m going to verify that now.”
Reduce your executive audio footprint. You don’t need to scrub the internet, but you can be intentional. Share shorter clips instead of posting full-length town halls. Disable auto-publishing of internal meetings. For public events, consider controlled “rights clips” rather than hour-long audio that makes high-fidelity cloning trivial.
Lock down your meeting rooms. Require authenticated sign-in for internal calls. Use waiting rooms and lock meetings once participants are in. Avoid ad-hoc links for payment approvals; route approvals through your finance system or vendor portal where identity and logging are stronger.
Measure quietly, then praise publicly. Add a monthly spot-check: pull a sample of payments and confirm the callback was logged. When someone follows the process under pressure, thank them visibly. Culture is the cheapest control you’ll ever deploy.
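The policy flow and the monthly spot-check described above can be expressed as a small audit script. This is an added example, not part of the original article or any Fusion Cyber tooling; the record fields are hypothetical, the dollar thresholds are assumptions taken from the FAQ starting points on this page, and "next business day" here ignores statutory holidays.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds, based on the starting points in this page's FAQ.
DUAL_APPROVAL_AT, HIGH_VALUE_AT = 10_000, 20_000
CUTOFF_HOUR = 14  # 2 p.m. local time

@dataclass
class Payment:                   # hypothetical record layout
    pid: str
    amount: float
    requested: datetime          # when the request reached finance
    released: datetime           # when the wire actually left
    callback_logged: bool        # callback placed to a directory number
    approvers: int
    beneficiary_changed: bool    # new payee or changed bank details
    supplier_reverified: bool = False

def next_business_day(ts):
    # Midnight at the start of the next weekday (holidays not modelled).
    day = ts.date() + timedelta(days=1)
    while day.weekday() >= 5:    # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return datetime.combine(day, datetime.min.time())

def earliest_release(p):
    # 24-hour hold for beneficiary changes, cool-down for late high-value wires.
    earliest = p.requested + timedelta(hours=24) if p.beneficiary_changed else p.requested
    if p.amount >= HIGH_VALUE_AT and p.requested.hour >= CUTOFF_HOUR:
        earliest = max(earliest, next_business_day(p.requested))
    return earliest

def violations(p):
    # List every control that was skipped for one released payment.
    found = []
    if not p.callback_logged:
        found.append("no callback logged")
    if p.amount >= DUAL_APPROVAL_AT and p.approvers < 2:
        found.append("second approver missing")
    if p.beneficiary_changed and not p.supplier_reverified:
        found.append("supplier not re-verified")
    if p.released < earliest_release(p):
        found.append("released before hold expired")
    return found

def spot_check(payments):
    return {p.pid: v for p in payments if (v := violations(p))}

# Constructed sample records (not real data). 2025-06-06 is a Friday.
SAMPLE = [
    Payment("P-1", 4_200, datetime(2025, 6, 3, 10, 0), datetime(2025, 6, 3, 11, 0), True, 1, False),
    Payment("P-2", 48_000, datetime(2025, 6, 6, 16, 45), datetime(2025, 6, 6, 17, 5), False, 1, False),
    Payment("P-3", 12_500, datetime(2025, 6, 4, 9, 30), datetime(2025, 6, 4, 15, 0), True, 2, True, True),
]
```

Running `spot_check(SAMPLE)` flags the Friday 4:45 p.m. wire on three counts and the changed-beneficiary payment for leaving before its 24-hour hold ended.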
The Canadian context: ecosystem help, not a silver bullet
Canada is doing meaningful work to clean up the telephony ecosystem. STIR/SHAKEN authentication and traceback are both being advanced to make spoofing harder and help identify the origins of malicious traffic. Compliance and enforcement actions continue to nudge carriers and filtering intermediaries to block blatantly illegitimate calls. These efforts raise the cost of mass-scale fraud, but they don’t eliminate targeted impersonation inside collaboration apps or OTT channels—or stop AI from cloning voices. Your best defence is still the same: independent, out-of-band verification before funds move. (CRTC, 2025)
On the threat-intelligence side, bookmark the Canadian Centre for Cyber Security and the CAFC. Their June 2025 alert specifically called out AI-assisted impersonations of public officials and C-suite leaders, and it recommended multi-channel verification and cautious handling of unexpected, urgent requests. If you work with public sector partners or handle grants/subsidies, pay double attention: those same tactics bleed into vendor ecosystems. (Canadian Anti-Fraud Centre, 2025)
If you think you’ve been hit
Act fast and treat it like a business-interruption event.
- Call your bank’s fraud desk immediately. Many wires can be paused or recalled if you move quickly. Document the case number.
- Preserve evidence. Save call logs, meeting links, chat transcripts, emails, and any attachments. Don’t delete anything; don’t “tidy up.”
- Report. File with the CAFC and inform your cyber insurer. If you’re a Fusion Cyber client, our financially backed Cybersecurity Guarantee means fully onboarded clients who are breached receive incident response, containment, and business recovery at our expense.
- Run a blameless post-incident review. Identify the control that would have stopped it—then make that control impossible to skip.
- Notify affected partners. If supplier details were changed or invoices spoofed, warn counterparties right away to prevent secondary fraud.
Looking ahead

Deepfakes will keep improving. Telecom authentication will keep expanding. Vendors will keep shipping better detectors. None of these trends negate the central reality I’ve watched in boardrooms for twenty-five years: the last control that matters before money moves is human discipline. Write it down. Practise it. Reward it. Make it normal to say, “I’m going to verify this.”
And when an urgent request arrives at 4:45 p.m. on a Friday—exactly when attackers love to strike—you’ll have something more powerful than any model or gadget: a team that has rehearsed the right move often enough that it’s habit.
Remember: Trust, but verify. Then verify again. It might take an extra few minutes, but it’s worth it to protect your business.
A few closing notes from the field
I still think about an SMB in Ontario where the accounts payable lead received a crisp, friendly Teams call from “the CEO” while juggling month-end payments. The voice was perfect. The backstory was plausible: a vendor issue, a threatened shipping hold, a reputation risk. She felt the pressure to be a hero.
She ended the call, opened the directory, and dialled the CEO’s published mobile. He was in a cab to the airport and knew nothing about it. The wire never went out. We pulled the meeting metadata, tightened two configurations in Teams, and added a cool-down for end-of-day wires. The AP lead got a public thank-you, and the company got a quiet win.
I’ve seen the opposite too. A clever voice on a Friday afternoon; a helpful staffer; a tidy, devastating loss. The difference between those two stories is not intelligence, tooling, or budget. It’s the permission your team feels to slow down and verify—especially when the request sounds urgent and important.
Give them that permission in writing. Back it in practice. You’ll sleep better.
If you want help pressure-testing your payment controls—or want a two-page Payment Verification Standard you can roll out by next week
About the Author
Dan Di Pisa, CEO at Fusion Cyber Group, is a cybersecurity expert with over 25 years of experience helping businesses stay protected against digital threats. Specializing in defensive cybersecurity, fraud prevention and risk management, Dan is committed to educating organizations about the ever-changing landscape of cybercrime.
Featured Links:
Financial Times: The 2024 Arup Scam Case
Canadian Anti-Fraud Centre (CAFC) Advisory Warning
FBI’s Internet Crime Complaint Center (IC3): The $55 Billion Scam Announcement
CRTC actions on caller-ID authentication and traceback
FAQ:
What’s the fastest safe way to confirm an urgent wire request?
End the inbound call or video, then dial the requester’s known number from your directory. Verify via a second channel you initiate (phone or in-person), and require a rolling passphrase for high-value transfers.
Does caller ID authentication (STIR/SHAKEN) protect me from deepfakes?
It helps reduce spoofing on many IP phone networks, but it can’t prove a voice or face is genuine and doesn’t cover many in-app calls. Always verify out-of-band before funds move.
What approval thresholds should an SMB use for payments?
Common starting points: dual approval at $5,000–$10,000, next-business-day release at $20,000+, and a mandatory re-verification workflow for any new or changed beneficiary details—no exceptions.
Are deepfake detection tools enough to rely on?
No. Treat them as helpful tripwires only. Keep process controls primary: callback, two-channel verification, tiered approvals, and cool-down periods.
How can we reduce the chance our executives are cloned?
Limit long-form public audio/video, disable auto-publishing of internal meetings, post short “rights clips,” and lock down meeting access (waiting rooms, authenticated join, locked rooms).