
AI-Generated Fraud Is Now a Small Business Problem

Here's What It Looks Like and How to Defend Against It



Reading time: 12 minutes | Published: May 2026

 

Your bookkeeper gets an email from you. Your name is in the "From" field. Your email address is right there. The message is professional, well-written, and urgent: a vendor needs to be paid today, or the job stops. Please wire $4,200 to this account number.

 

The email is fake. You never sent it. But your bookkeeper doesn't know that yet.

 

This is not a story about big corporations getting hacked by sophisticated criminal organizations with server farms in Eastern Europe. This is what's happening to plumbers, electricians, HVAC companies, and landscapers right now, in every city in America.

 

AI has changed the economics of fraud. What used to require technical skill, time, and resources to pull off now takes a criminal about 20 minutes and less than $10 in software costs. The result is a wave of scams that look, sound, and read like the real thing — because they're built by machines that have studied how you and your vendors communicate.

 

Here's what the scams look like, and here's exactly what to do about them.

 

How Big Is This Problem, Really?

Before we get into the specific attacks, it helps to understand the scale.

 

The FBI's Internet Crime Complaint Center — the federal agency that tracks reported fraud losses — received more than 22,000 complaints in 2025 that specifically referenced AI as part of the crime, with reported losses of $893 million. That marked the first time the FBI has ever broken out AI-related fraud as its own reporting category — a sign of just how fast this threat is growing. And as the FBI itself acknowledges, those are only the crimes people actually reported. Fraud, especially against businesses, is chronically underreported because owners are embarrassed, don't realize they're a victim until it's too late, or assume nothing can be done.

 

Business Email Compromise — the category that covers fraud involving fake emails from executives or vendors — generated $3 billion in losses in 2025 alone, up from $2.77 billion the year before.

 

Total internet fraud losses in 2025 hit $20.9 billion — a 26% increase over 2024 in a single year.

Those numbers skew toward larger companies and wealthier individuals. But small businesses are increasingly in the crosshairs, and for an obvious reason: you're less protected, and criminals know it. The widely cited figure that 60% of small businesses close within six months of a significant cyberattack is disputed in its exact origins, but the underlying reality it points to is consistent across multiple studies: small businesses don't have the cash reserves to absorb the losses, the legal fees, and the reputational damage that follow a serious fraud event. You are not too small to be a target. You are the right size to be an easy one.

 

The Three Scams Hitting Small Businesses Right Now

Scam #1 — The Fake Email From You (Business Email Compromise)

This is the most common attack on small businesses, and it works because it doesn't require a criminal to hack anything. They just need to pretend to be you.

 

Here's how it works: a scammer finds out a little about your business. Your company name is on your website. Your email address is probably listed there too. Maybe your bookkeeper or office manager is named on your "About" page, or tagged in a Facebook post. That's enough.

 

The criminal creates an email address that looks like yours. Maybe your real email is mike@smithplumbing.com and theirs is mike@smith-plumbing.com. One hyphen. Many, if not most, people won't notice. They write a message to your bookkeeper or office manager, in your name, in your voice, asking for a wire transfer, a payment to a new vendor, or a gift card purchase for "a client."

 

Where AI enters the picture: it used to be easy to spot these emails because they were poorly written. Weird grammar, odd phrasing, spelling mistakes. Not anymore. AI can now generate emails that perfectly mimic the tone and style of your real communications. If a criminal can access even a few of your real emails — from a data breach, a hack, or a LinkedIn message — they can feed them into an AI tool that learns to write exactly like you do.

 

Research published in 2024 found that AI-generated phishing emails achieved a 54% click-through rate — meaning more than half the people who received them acted on them — compared to just 12% for old-fashioned phishing attempts. That's more than four times as effective.

 

The FBI has documented that voice cloning is now being layered into these attacks as a follow-up. The scammer sends the fake email, then calls your employee — in your voice, cloned from a video on your company's social media page — to "confirm" the transfer. The employee hears your voice authorizing the payment. They send the money.

 

Real-world example: In one widely reported case, an employee at a global engineering firm joined what appeared to be a video conference with the company's CFO and other colleagues. Every face on the call was an AI-generated deepfake — a fake video that looked and sounded real. The employee transferred $25 million before the fraud was discovered.

Scam #2 — The Fake Vendor Invoice

This one is brutally simple, and it's scaling fast because AI makes it cheap to run at volume.

 

You use the same suppliers regularly. Your material vendor. Your equipment rental company. Your insurance provider. A criminal does a little research — sometimes just by reading your website or social media — and figures out who your vendors are. Then they send you a professional, perfectly formatted invoice that looks exactly like the real thing. Same logo. Same address. Different bank account number.

You or someone on your team pays it. The real vendor never gets the money. You find out weeks later when they call about a past-due balance.

 

What makes this harder to catch now: AI can generate these invoices in seconds, matching fonts, duplicating layouts, and mirroring the exact numbering format of your real invoices. A criminal can send a hundred fake invoices to a hundred different small businesses in the time it used to take to produce one convincing fake by hand.

 

The detail your accounts payable person — or you, if that's you — needs to watch for: an invoice that looks totally normal except the routing number or account number at the bottom has quietly changed.

 

Scam #3 — The Voice Clone Phone Call

This is the newest attack, and it's the one most small business owners aren't prepared for.

 

McAfee researchers found that just three seconds of audio can create a voice clone with 85% accuracy. If you've ever posted a video on your company's Facebook page, recorded a voicemail greeting, or appeared in any YouTube or local news footage, your voice is already available to anyone who wants to clone it.

 

The attack plays out like this: someone on your team (an employee, a spouse who helps with the books, anyone who handles money or makes decisions) gets a call. The voice on the other end sounds exactly like you. Or exactly like your banker. Or exactly like a vendor you've worked with for years. The caller has a reason that something needs to happen fast: an emergency, a deadline, an opportunity. They need money wired, or a password confirmed, or access to an account.

 

AI-enabled scams overall surged 1,210% in 2025 (not 120%, not 200%, but 1,210%), outpacing the 195% growth rate in traditional fraud by a factor of six. Projected losses from AI-enabled fraud could reach $40 billion by 2027, according to research from Deloitte's Center for Financial Services.

 

The technology is improving every month. Researchers have found that voice cloning has crossed what cybersecurity professionals call the "indistinguishable threshold" — meaning trained human listeners can no longer reliably tell a cloned voice from a real one in a live call.

 

Why You're Being Targeted Specifically

This is worth understanding, because knowing the logic helps you defend against it.

 

Large companies have IT departments, cybersecurity teams, multi-step approval processes for wire transfers, and fraud-detection software. Small businesses usually have none of these. A criminal targeting a company with 200 employees might get caught at three different checkpoints. A criminal targeting a two-person plumbing operation has a much cleaner shot.

 

You are also, in the kindest possible terms, more trusting. You know your vendors personally. You pick up when a number you recognize calls. You don't have a policy that says "we never wire money without two approvals" because you've never needed one.

 

The criminals doing this are not working alone in their bedrooms. Organized criminal networks, including (according to FBI reporting) state-sponsored groups, are running these schemes at industrial scale using AI tools that automate the research, personalization, and outreach. One operator can run hundreds of simultaneous fraud attempts targeting different businesses.

 

What You Can Do About It — The Checklist

None of what follows requires a technical degree or a large budget. These are all things you can implement yourself, or have an employee or family member help you set up. We've organized them by what costs nothing, what costs a little, and what's purely policy.


Free Defenses You Can Set Up This Week

 

1. Create a verbal code word for money transfers.

Pick a random word or phrase — something that has never been posted online and isn't connected to your name, your pet, your hometown, or your birthday. "Blue tractor." "Tuesday umbrella." Whatever feels random to you.

 

Tell your employees, your bookkeeper, your spouse, your office manager: any request to transfer money, pay a new vendor, or change a bank account number requires this code word spoken out loud on a phone call. If the person asking can't provide the code word, the answer is no — no exceptions, no matter how urgent it sounds.

 

The National Cybersecurity Alliance recommends this exact approach for defeating voice cloning attacks. The clone can only say what the criminal types. It cannot know a private code word that has never appeared online.

 

2. Establish a "call back" rule for any payment request.

If you or an employee receives an email, a text, or a voicemail asking to pay a new account, change a payment method, or wire money for any reason: the only acceptable response is to hang up and call the person back using the phone number you already have for them. Not the number they're calling from. Not a number they give you in the message. The number already saved in your phone.

 

This defeats fake email and voice clone attacks in one step. If your "vendor" can't be reached at their real, pre-existing number to confirm the request, the request is fraudulent.

 

Write this rule down. Tell everyone who touches money in your business. Make it non-negotiable.

 

3. Check the "From" email address carefully before acting on any payment request.

Scammers use addresses that are one character different from the real thing. mike@smith-plumbing.com looks like mike@smithplumbing.com at a glance. Get in the habit of clicking on the sender's name in any email involving money to reveal the actual address underneath.

 

Also: be skeptical of any email marked "urgent" that involves money. Urgency is the primary tool scammers use to get people to skip their normal verification steps. Real emergencies can wait three minutes for a phone call.
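As an added illustration of the check described in this item (this is example code, not part of the original article), here is a small Python function that flags a sender whose domain is a punctuation or character variant of a domain you already know, or whose display name matches a contact on file while the address does not. The known-domain list, the contact book and the similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlist: the business's own domain and its regular vendors' real domains.
KNOWN_DOMAINS = {"smithplumbing.com", "acmesupply.com"}

# Constructed contact book: display name -> the address actually on file for that person.
KNOWN_CONTACTS = {"Mike Smith": "mike@smithplumbing.com"}

# Assumed near-match threshold for the similarity ratio; tune it against your own contact list.
NEAR_MATCH_RATIO = 0.85


def normalize(domain: str) -> str:
    """Collapse the cheap tricks: hyphens and dots removed, common digit-for-letter swaps folded."""
    table = str.maketrans({"-": "", ".": "", "0": "o", "1": "l"})
    return domain.lower().translate(table)


def check_sender(header_from: str) -> dict:
    """Classify a From: header as 'known', 'lookalike' or 'unknown' and list the reasons found."""
    name, addr = parseaddr(header_from)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    result = {"name": name, "address": addr, "domain": domain, "verdict": "unknown", "reasons": []}

    if domain in KNOWN_DOMAINS:
        result["verdict"] = "known"
    else:
        for known in KNOWN_DOMAINS:
            if normalize(domain) == normalize(known):
                result["reasons"].append(f"{domain} is a punctuation/character variant of {known}")
            elif SequenceMatcher(None, domain, known).ratio() >= NEAR_MATCH_RATIO:
                result["reasons"].append(f"{domain} is a near match for {known}")

    # A familiar display name over an unfamiliar address is the classic impersonation pattern.
    on_file = KNOWN_CONTACTS.get(name.strip())
    if on_file and on_file.lower() != addr:
        result["reasons"].append(f"display name '{name}' is on file as {on_file}, not {addr}")

    # Any reason at all outranks a known domain: the address does not match what is on file.
    if result["reasons"]:
        result["verdict"] = "lookalike"
    return result


if __name__ == "__main__":
    for sample in (
        "Mike Smith <mike@smithplumbing.com>",   # the real address
        "Mike Smith <mike@smith-plumbing.com>",  # one hyphen, as in the article
        "Mike Smith <mike@webmail.example>",     # right name, wrong address
        "Jane Doe <jane@unrelated.example>",     # nobody on file
    ):
        verdict = check_sender(sample)
        print(f"{verdict['verdict']:9} {sample}  {'; '.join(verdict['reasons'])}")
```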

 

4. Google your own business and your own name to see what's publicly visible.

Spend 15 minutes understanding what a criminal can learn about you before they even make contact. Who's on your staff? Who handles payments? What vendors do you use? What's your email format? Criminals research you before they strike. So should you.

 

Low-Cost Defenses (Under $50/Month)

 

5. Turn on Multi-Factor Authentication (MFA) on every account that touches money.

Multi-Factor Authentication ("MFA") means logging into an account requires two things: your password, and a second step, usually a six-digit code sent to your phone. Even if a scammer gets your password through a phishing attack, they can't get into your account without that code.

 

Microsoft's own security research has found that MFA blocks over 99% of credential-based attacks. Turn this on for: your business bank account (call your bank and ask how), your email, your accounting software (QuickBooks, FreshBooks, whatever you use), and any account that holds financial or customer data. In most cases it's free, just a setting you need to enable.

 

6. Use a password manager.

A password manager is a program that creates and stores complex, unique passwords for every account you use. You only have to remember one master password. Strong options include 1Password (about $3/month for individuals) and Bitwarden (free for basic use).

 

Why this matters: most people use the same password on multiple sites. When one site gets hacked (and thousands do every year) criminals try that password on your email, your bank, your payroll software. A password manager eliminates that vulnerability entirely.

 

7. Set up email filtering on your business email.

If you use Google Workspace or Microsoft 365 for your business email, both services have built-in spam and phishing filters that catch many fraudulent emails before they reach your inbox. Make sure these filters are turned on and set to their most protective levels.

 

If you use a free Gmail or Yahoo account for your business, consider upgrading. Google Workspace starts at about $6/month and provides meaningfully better security tools than a free personal account, including better controls over who can spoof your domain.

 

Policies That Cost Nothing But Time

 

8. Write a one-page payment policy and make everyone sign it.

It doesn't need to be legal language. It just needs to say:

  • We never pay a new vendor without verifying by phone (using a number we already have on file).

  • We never change a vendor's bank account information without a phone confirmation from a known number.

  • Any wire transfer over $[you set the amount] requires two people to approve.

  • Urgent payment requests are always verified by phone before anyone acts.

 

This does two things: it creates a habit before you need it, and it gives your employees air cover to say "I can't process this without following our policy" when someone is pressuring them to move fast.
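The four rules above, together with the changed-bank-details tell from Scam #2, written out as an added Python example (not part of the original article) of what an accounts-payable check enforcing this policy looks like. The vendor master file, its placeholder bank details and callback number, and the $5,000 two-approver threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed vendor master file: bank details and the callback number you already have on file.
# The account and routing numbers are made-up placeholders.
VENDORS = {
    "Acme Supply": {"account": "000123456", "routing": "111000000", "phone": "555-0100"},
}

# Assumed threshold above which two people must approve (the article leaves the amount to you).
TWO_APPROVER_THRESHOLD = 5000.00


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    account: str
    routing: str
    urgent: bool = False
    # True only if someone called the number already on file, never a number given in the request.
    verified_by_callback: bool = False
    approvers: list = field(default_factory=list)


def review_payment(req: PaymentRequest) -> list:
    """Return the policy reasons that block this payment; an empty list means it may proceed."""
    blockers = []
    on_file = VENDORS.get(req.vendor)

    if on_file is None:
        # Rule 1: a vendor not on file is paid only after phone verification.
        if not req.verified_by_callback:
            blockers.append("new vendor: verify by phone before paying")
    elif (req.account, req.routing) != (on_file["account"], on_file["routing"]):
        # Rule 2 (and the Scam #2 tell): the invoice looks normal but the bank details moved.
        if not req.verified_by_callback:
            blockers.append(f"bank details differ from file: confirm at {on_file['phone']}")

    # Rule 3: large transfers need two distinct people, not one person approving twice.
    if req.amount > TWO_APPROVER_THRESHOLD and len(set(req.approvers)) < 2:
        blockers.append(f"over ${TWO_APPROVER_THRESHOLD:,.0f}: two approvers required")

    # Rule 4: urgency is a red flag, not a reason to skip the phone call.
    if req.urgent and not req.verified_by_callback:
        blockers.append("urgent request: verify by phone before acting")

    return blockers


if __name__ == "__main__":
    routine = PaymentRequest("Acme Supply", 1200.00, "000123456", "111000000", approvers=["pat"])
    moved = PaymentRequest("Acme Supply", 4200.00, "999999999", "111000000", urgent=True)
    print("routine invoice:", review_payment(routine) or "OK to pay")
    print("changed account:", review_payment(moved))
```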

 

9. Train anyone who handles money to recognize urgency as a red flag.

Legitimate vendors, real executives, and actual banks do not typically need money wired in the next two hours or the world ends. That kind of pressure is the #1 tool in every scammer's kit. The more urgent the request sounds, the more carefully you verify it. Write that down too.

 

10. Report any suspected fraud to the FBI's IC3 at ic3.gov.

If you think you've been targeted, even if you didn't lose any money, report it. This costs you nothing and helps law enforcement identify patterns across thousands of similar attacks. If you did lose money, report it immediately. The FBI has a financial recovery program, and time is critical; funds that haven't yet been moved can sometimes be clawed back.

 

What to Watch Out For When Someone Tries to Sell You a Solution

This section matters, because some of the people selling "cybersecurity solutions" to small businesses are nearly as aggressive as the scammers themselves.

 

You probably don't need:

  • A $500/month "enterprise cybersecurity platform" designed for companies with 50 or more employees

  • An on-site security audit that costs $3,000 and produces a 40-page report written for a CIO, not a plumber

  • A "managed security operations center" that monitors your two-person office around the clock

 

You probably do need:

  • MFA on all financial accounts (free or nearly free)

  • A password manager ($0–$3/month)

  • Business email through Google Workspace or Microsoft 365 ($6–$12/month)

  • A simple, written payment policy (free)

  • Cyber liability insurance (worth getting a quote on). Ask your current business insurance provider; it often costs $500–$1,500/year for a small business and can cover direct fraud losses. The Insurance Information Institute has a plain-English overview of what these policies typically cover.

 

Before you buy any cybersecurity product, ask: Does this solve a specific problem I actually have? Can you explain in plain English what it does? Is there a free or cheaper version that does the same thing? What happens to my data if I cancel?

 

Any vendor who can't answer those questions clearly isn't helping you. They're selling you something.

 

The One Thing That Defeats Almost Every AI Scam

Every attack described in this article relies on a single weakness: it pressures you to act fast, before you can think or verify.

 

The criminal pretending to be you sends an urgent email. The voice clone on the phone says the job will shut down today. The fake invoice arrives right before a holiday weekend. Urgency is the engine that drives all of it.

 

The defense is almost comically simple: slow down.

 

Any request involving money gets a phone call. Any invoice for a new vendor gets verified. Any "emergency" wire transfer gets a second set of eyes. Any voice on the phone asking for something unusual gets asked for the code word.

 

A real vendor, a real bank, and a real employee can wait five minutes for you to call back. A scammer cannot afford to let you do that — and that difference is your entire defense.

 

Three Things to Do Before You Close This Tab

  1. Decide on a code word and tell everyone who handles your money today. Write it on a piece of paper. Don't email it. Don't text it. Tell people in person or on a phone call you initiate.

  2. Turn on MFA for your business bank account and your email. Call your bank if you're not sure how. This takes less than 20 minutes and closes the most common attack path against small businesses.

  3. Write down your rule for wire transfers. Who can approve one? How do you verify it? What dollar amount triggers a second approval? One page. Simple sentences. Post it where the bills get paid.

 

These three steps cost nothing and address the most likely attacks against your business right now.

Where to Get Legitimate Help When Encountering Potential Fraud

None of these cost money. All are from federal agencies. Any vendor who tells you government resources aren't good enough and you need their paid product right now is selling you something, not protecting you.


Let's be careful out there.



If this article helped you, forward it to one other business owner you know. The more people understand these attacks, the harder they become to run at scale. If you have any questions or want to talk about this post, just reach out to us at jcooper@aebacus.com.


Note: Aebacus does not make any money, take any commissions or referral fees when you click on a link in this post.

Aebacus Advisors

(c) 2022 C2A Digital Marketing Solutions dba Aebacus Advisors
