Defend Against AI Threats
Deepfakes, AI Phishing, and How to Defend Your Business
By Zach Cardoza
Published June 9, 2026
Attackers have AI now, and it has made the old scams far more convincing. A clear look at deepfake voice fraud and AI phishing in 2026, why small businesses are the target, and the defenses that actually work.
The Threats Got an Upgrade
The scams aimed at your business are the same ones as always: a fake request to wire money, a login page that is not really yours. What changed is that attackers now have AI, and it has stripped away the tells you used to catch them with. The broken English and obvious typos are gone. The fake email is polished and personal, and the urgent voice on the phone sounds exactly like your boss. The defense has to change with it.
Deepfake Voice and Video Fraud
This is the new one that catches people. With a short clip of someone's voice, easy to grab from a video or a voicemail, attackers can clone it and make a convincing urgent phone call. The classic version is a call that sounds like your owner or CFO demanding an immediate wire transfer. Deepfake video on a call is getting there too. The hard lesson is simple. You can no longer trust that a familiar voice or face on a screen is actually that person.
- Cloned Voices: A few seconds of someone's recorded voice is enough to fake an urgent call from your CEO or a vendor asking for money or access.
- The Urgent Wire Request: The most common play is pressure plus a familiar voice, a payment that has to happen right now, before anyone stops to verify.
- Fake Faces on Video: Deepfake video on calls is improving fast, so a face you recognize on a screen is no longer proof of who you are actually talking to.
AI Phishing at Scale
AI also made phishing emails far better and far cheaper to send. The old advice to watch for spelling mistakes is dead, because the AI-written version is clean, specific, and tailored to you using details scraped from the web. These messages now get clicked at more than four times the rate of the old human-written ones. Attackers can produce thousands of personalized lures with almost no effort, which means more attempts and far fewer obvious red flags.
Why Small Businesses Are the Target
Attackers go where the defenses are thin, and that is small and mid-size businesses. They account for well over 70 percent of breaches, and ransomware now shows up in nearly half of all confirmed breaches. The reason is that AI lets criminals automate down-market. It used to not be worth their time to hand-craft an attack on a small company. Now the AI does the work, so the local business with no security team is squarely in scope.
Verify Out of Band, Every Time
This is the single defense that beats deepfakes, and it costs nothing. Any request to move money or change payment details gets verified through a separate channel before anyone acts, no matter how real the call sounds. Got an urgent voice request to wire funds? Hang up and call the person back on their known number. The attacker controls the channel they contacted you on, so confirming through a different one breaks the whole scam. Make it a hard rule, not a judgment call.
- Call Back on a Known Number: Confirm any money or account-change request by reaching the person through a number you already have, not one from the suspicious message.
- A Hard Rule for Payment Changes: Treat any change to vendor or payroll bank details as verify-first, always, because that is exactly where this fraud cashes out.
- Slow Down Urgency: Manufactured urgency is the tell now, not bad grammar. Train people that a rushed money request is a reason to verify, not to hurry.
Move to Passkeys
Passwords and text-message codes are the weak point AI phishing is built to exploit, because a convincing fake login page captures both. Passkeys and hardware security keys close that door, because there is no code to phish and nothing for a fake page to steal. They are also easier in practice. Passkey sign-ins succeed around 93 percent of the time, log people in faster, and cut the password-reset tickets your team keeps fielding. This is one of the highest-value moves a small business can make right now.
- Phishing-Resistant by Design: A passkey has no code to type, so a fake login page has nothing to capture and the most common attack simply stops working.
- Easier for People: Passkeys log in faster and more reliably than passwords and texted codes, and they cut the reset requests that pile up on your team.
- Start With the Crown Jewels: Roll passkeys out first on email and your most sensitive systems, since those are the accounts an attacker wants most.
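Why a fake page has nothing useful to capture: a passkey sign-in (WebAuthn) carries the origin the browser actually saw and a hash of the site's relying party ID, and the real site rejects anything that does not match. The sketch below is an added example, not part of the original article; the origin, RP ID, lookalike domain and sample data are constructed assumptions, and it covers only the origin, RP ID and challenge checks, not the signature verification against the stored public key that a real server also performs.

```python
import base64
import hashlib
import json
import struct

EXPECTED_ORIGIN = "https://mail.example.com"  # assumption: the real sign-in origin
EXPECTED_RP_ID = "example.com"                # assumption: the relying party ID
CHALLENGE = b"constructed-server-nonce"       # constructed: issued per sign-in attempt

def b64url(data: bytes) -> str:
    """WebAuthn encodes the challenge as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> list[str]:
    """Return the names of the checks that failed (empty list: all passed)."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(expected_challenge):
        failures.append("challenge")   # stale or replayed sign-in attempt
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")      # the browser was on a different site
    if len(authenticator_data) < 37:
        return failures + ["authenticator_data"]
    # Layout: 32-byte SHA-256 of the RP ID, 1 flag byte, 4-byte signature counter.
    rp_id_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    if rp_id_hash != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        failures.append("rp_id_hash")  # credential was scoped to another site
    if not flags & 0x01:               # bit 0: user presence
        failures.append("user_present")
    return failures

def sample(origin: str, rp_id: str, challenge: bytes) -> tuple[bytes, bytes]:
    """Constructed stand-in for what a browser and authenticator would emit."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", 7)
    return client, auth

def demo() -> dict[str, list[str]]:
    lookalike = sample("https://mail.example-login.test", "example-login.test", CHALLENGE)
    return {
        "real_site": check_assertion(*sample(EXPECTED_ORIGIN, EXPECTED_RP_ID, CHALLENGE), CHALLENGE),
        "lookalike_site": check_assertion(*lookalike, CHALLENGE),
        "stale_challenge": check_assertion(*sample(EXPECTED_ORIGIN, EXPECTED_RP_ID, b"old"), CHALLENGE),
    }

if __name__ == "__main__":
    print(demo())
```

A password or texted code typed into the lookalike page would be accepted by the real site unchanged; the assertion produced there fails both the origin and RP ID checks.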
Retrain People on the New Tells
Your old security training is teaching the wrong signals. Looking for typos and bad grammar no longer works when the lure is AI-written and clean. The new playbook is about behavior, not appearance. Be suspicious of urgency, verify any money request through a second channel, and never trust a voice or face alone. And make it safe to double-check, because the employee who feels rude calling back to confirm is the one the scam is counting on.
The Basics Still Carry the Load
The flashy threats grab attention, but the fundamentals are still what protect you most of the time. Multi-factor authentication, tested backups, least-privilege access, and keeping software patched stop the bulk of attacks, AI-powered or not. The new threats change a few habits, mainly around verification and passkeys. They do not replace the baseline. If you have not got the basics in place, start there before you worry about deepfakes.
Shore Up Your Defenses
We help Central Valley businesses put real verification habits in place, move to phishing-resistant logins, and train their teams on the threats that actually look like 2026, not 2015.