TL;DR - AI-powered fraud, including deepfake impersonation, automated phishing, and synthetic voice cloning, is growing rapidly because AI has reduced the cost and effort required to run scams at scale. Leaders must strengthen approval chains, train teams for realistic scenarios, and embed verification into policy to defend against threats that look and sound increasingly legitimate.

I spend a lot of time in this newsletter talking about how AI helps leaders build, create, and move faster. That’s the upside, and it’s real.

But there’s a conversation I haven’t spent enough time on: the people using these exact same tools to steal, deceive, and manipulate at a scale we’ve never seen before.

I’m talking about AI-powered fraud. Deepfake voice calls that sound exactly like your CFO, phishing emails so well-written your spam filter waves them through, and fake video calls convincing enough to authorize six-figure wire transfers. This is happening right now, across industries, and most leadership teams aren’t ready for it.

As a sidenote, it's also part of why I don't own a smartwatch. I prefer timepieces with real heritage (currently wearing a Doxa as I write this), as there's something quietly intentional about keeping one device on your wrist that isn't collecting anything.

I first touched on some of these risks in my piece on how to protect yourself from AI disasters in just 10 minutes, but today we’re going much deeper.

I’m bringing in Mohib Ur Rehman, an emerging tech researcher and one of the minds behind SK NEXUS. Mohib breaks down how AI has fundamentally changed the economics of fraud, what the most common attack patterns look like today, and (most importantly) what you can actually do to protect your organization.

SK NEXUS

Breaking down Tech for the Mango Man (Aam Aadmi/Regular Person)

By Saqib Tahir

If you lead a team, manage budgets, or approve transactions, this one is required reading. (AI security is one of the most common blind spots I see in coaching conversations with leaders, the tools move faster than the policies protecting them.)

In this post, you’ll learn:

• How AI has changed the cost structure of fraud, making large-scale scams cheaper and faster to execute

• The specific attack patterns (deepfakes, AI phishing, fake AI tools, adaptive malware) are actively targeting organizations right now

• A practical response framework for strengthening approvals, detection, training, and governance at your organization

I’ll see you at the end.

How AI Is Changing the Economics of Scamming

Not long ago, while working on my piece about social engineering on SK NEXUS, I kept circling back to one idea: AI-powered scams.

I didn’t write on it then and put the idea in my bucket list.

But lately, the pattern has become too obvious to ignore. Every week, there’s another case - Cloned executive voices requesting wire transfers, fake video calls that look legitimate enough to move money…etc

At some point, you stop bookmarking incidents and just start to feel the need to do something.

The thing is, Artificial intelligence is reshaping the economics of fraud.

Tools built to automate writing, generate visuals, and process data are now being repurposed to industrialize deception. What once required skilled social engineers, time, and coordination can now be semi-automated and deployed at scale.

For businesses, the impact is immediate - higher financial exposure, reputational risk, compliance strain, and internal security blind spots.

With that being said, let’s get into it.

The Operational Shift - How AI Changes Fraud

AI basically removed the majority of the friction from the fraud.

Generative systems can now produce realistic voice messages and synthetic video with almost no effort. Different language models can generate tailored phishing campaigns targeting specific individuals or departments, while deepfake systems create impersonations that closely mimic real people’s faces or voices during video calls.

This is a big thing because in the past, fraud used to be constrained by human bandwidth, but now that’s not the case.

We’ve already seen how far this goes. In one high-profile case, a deepfake impersonation of actor Brad Pitt was used in a romance scam that extracted hundreds of thousands of dollars by exploiting emotional trust over time.

Usual Forms of AI-Enabled Scams

Scams powered by AI are evolving quickly, but some patterns dominate. Let’s take a look at such methods and break them down:

AI-Enhanced Phishing and Social Engineering

Generative systems have removed the obvious red flags that previously exposed phishing attempts. Broken grammar, awkward phrasing…etc Those aren’t a problem now.

Emails now sound like internal memos. Messages reflect context. Voice notes feel authentic. And instead of mass spam, attackers are crafting targeted communications aimed at specific employees/departments as well.

Some researchers have documented more advanced techniques - embedding hidden instructions designed for AI systems that process emails automatically. These techniques - sometimes invisible to legacy filters - can trigger automated actions or evade detection entirely.

Independent testing shows the impact. Spear-phishing emails refined by large language models achieve engagement rates comparable to professionally written scams and far higher than traditional phishing.

And it’s important to keep in mind that AI isn’t the root problem, social engineering is and I have previously written a detailed post on it, I would suggest that you check that out, if you haven’t already:

SK NEXUS

Social Engineering - When People Become the Exploit

Hey folks 👋…

Read more

4 months ago · 28 likes · 14 comments · Mohib Ur Rehman and Saqib Tahir

Deepfake Scams

Deepfakes and voice cloning have now become operational threats.

Today, inexpensive and widely accessible tools allow attackers to mimic executives, lawyers, and managers with crazy realism.

Law enforcement agencies have repeatedly warned that finance teams, HR departments, and legal staff are prime targets - especially in organizations where approval chains are loosely enforced.

Healthcare organizations are also seeing increased activity. In emergency-driven environments, verification is often bypassed to save time. Attackers know this.

The FBI has publicly warned that criminals are using AI-generated voice and video to impersonate trusted individuals - including CEOs - to authorize fraudulent transactions.

Europol has echoed the same concern in its Internet Organised Crime Threat Assessment, noting that deepfakes are increasingly being used in social engineering and financial fraud.

Fake AI Tools and Services

Whenever a new technology surges, opportunists follow.

AI is a great example of that.

The rapid rise of AI created enormous demand and a parallel rise in fake AI products. Some services claim advanced automation, predictive intelligence, or proprietary AI engines. In reality, they deliver little or nothing.;

In 2024, the U.S. Federal Trade Commission explicitly warned companies against falsely marketing products as AI-driven. Regulators noted a growing number of services exaggerating or fabricating AI capabilities to mislead customers.

At the same time, underground markets openly advertise AI tools designed specifically for fraud and malware development. Security researchers have documented the emergence of so-called dark LLM promoted for criminal use.

Even legitimate providers have acknowledged misuse. OpenAI’s transparency and misuse reports describe cases where generative models were integrated into fraudulent services without users knowing.

Adaptive Malware and Ransomware

AI is also changing what happens after attackers gain access to a system.

Instead of relying only on pre-written instructions, modern ransomware can adjust its behavior while it spreads. It can prioritize valuable data, avoid obvious detection triggers, and time its actions to cause maximum disruption.

In January 2023, Yum! Brands suffered a ransomware attack that temporarily shut down around 300 KFC restaurants in the UK. The incident showed how automated decision-making can allow attacks to spread and disrupt operations before defenders fully understand what’s happening.

Security agencies have warned that these adaptive techniques are becoming more common. Traditional defenses - especially those that rely on known attack signatures - are increasingly struggling to keep up.

The Mechanics Behind the Growth

The examples above are just the tip of the iceberg.

And one thing people sometimes don’t notice is that - AI isn’t inventing any brand-new crimes every week.

What’s new is the cost structure.

AI dramatically reduces the time and manpower required to run these schemes. Tasks that once required coordination can now be automated easily.

That’s the first multiplier - automation.

The second multiplier is the structure of the internet itself.

Large portions of the digital economy now rely on a small group of cloud providers, identity platforms, and email services. When millions of organizations depend on the same infrastructure, a single weakness can spread quickly and easily.

This concentration creates attractive targets.

Email authentication systems, identity providers, and cloud dashboards centralize access. If attackers compromise one account or workflow, they often gain access to entire systems downstream.

Security researchers have warned that this kind of digital monoculture reduces resilience. It increases the reward for attackers because the same technique can be reused across thousands of organizations.

The final multiplier is human behavior.

Most successful attacks - AI-enabled or not - still begin with social engineering. Studies consistently show that people are the primary entry point.

The Slow Collapse of Online Confidence

AI-enabled scams also change how people behave online.

When users are repeatedly exposed to highly unsafe actions, they start to feel normal. Clicking unknown links or skipping verification steps starts to become routine.

Security culture weakens next.

Verification steps are dismissed as unnecessary friction, and caution gets framed as overreaction. After that, people begin to question whether security controls even matter.

Some narratives promote weak security habits by suggesting small organizations aren’t attractive targets or that strong security slows innovation. These messages circulate across social platforms, industry forums, and workplace discussions.

For organizations, this undermines a core assumption: that employees will recognize risk and respect boundaries. Meanwhile, traditional trust signals are collapsing. Email identity, voice recognition, video presence, and brand authority - all can now be convincingly fabricated.

Organizations are now forced to rethink how trust is established and verified in an environment where authenticity can no longer be taken for granted.

Business Impact and Risk Exposure

AI-enabled scams expand organizational risk far beyond isolated incidents. While there are countless possible scenarios, several risk areas consistently stand out:

Direct Financial Damage

The most immediate impact is financial.

Fraudulent payments, diverted transfers, chargebacks, etc., create direct losses. At the same time, investigations, legal reviews, and remediation efforts increase operational costs.

Due to scams becoming more convincing, separating legitimate activity from fraud is also becoming more resource-intensive. Instead of simplifying operations, organizations must dedicate more time and personnel to validation and oversight.

Reputational Damage

Brand damage often follows quickly.

Even when organizations are victims, customers associate fraud with weak safeguards.

Trust, once damaged, is difficult to rebuild.
It comes slowly and goes fast.

And it’s especially harder to build when impersonation campaigns and fake communications are spread all across digital channels - ultimately damaging perception.

That is why it’s important to note that, while reputational harm may not appear immediately in financial reports, it influences customer loyalty, investor confidence, and long-term value.

The Insider-Looking Threat

AI-assisted manipulation increases the likelihood of internal access abuse.

Attackers don’t break systems via cool hacking techniques all the time. A lot of times, they exploit approval flows, impersonate decision-makers, or obtain valid credentials through deception.

From the outside, the activity looks legitimate, which is another big problem. Internal access abuse makes it harder for organizations to dig out the truth and find what really happened.

Earlier I mentioned the term “hacking.” It reminded me of another thing - a lot of folks don’t really know what hacking means and I have already written an in-depth post to clarify that misconception in the past, check it out:

SK NEXUS

Hacking as a Lifestyle: Beyond Computers

Hey there 👋…

Read more

7 months ago · 7 likes · 3 comments · Mohib Ur Rehman and Saqib Tahir

The Compliance Problem

Regulatory and compliance exposure ties these risks together. Data protection frameworks increasingly expect organizations to demonstrate reasonable safeguards against foreseeable threats.

Over time, as AI-enabled fraud becomes more documented, many regulators are less likely to view such incidents as unpredictable anomalies. Failure to adapt controls and verification processes can translate into audit fines or legal liability rather than isolated security failures.

How Organizations Should Respond

The risks discussed so far represent only part of the exposure organizations now face. Attackers constantly recombine familiar tactics with automation and scale, and treating these threats as rare incidents is no longer realistic.

Underestimating them is a risk in itself.

As AI reduces the cost of impersonation and fraud, the potential impact spreads across finance, operations, and governance. The question is no longer whether these attacks will happen. It’s whether systems and teams are ready when they do.

The focus must shift from identifying the problem to responding to it.

The following are some practical steps organizations can take to reduce exposure, strengthen verification, and limit damage if an incident occurs:

Strengthening Approval Processes

Operational controls are the first layer of defense against impersonation.

Many AI-driven scams rely on authority and urgency rather than technical hacking. That means single-step approvals are increasingly vulnerable.

Requiring multi-party verification for payments and sensitive actions adds friction where attackers depend on speed. Even if a message appears legitimate, secondary confirmation through a separate channel can significantly reduce fraud.

Voice and video verification rules are equally important. As you have seen, AI-generated voices and deepfake calls are no longer theoretical. That is why organizations should define clearly when verbal approval is not enough and how identity must be confirmed during high-risk interactions.

Limiting account privileges also reduces potential damage. If a compromised account cannot automatically access financial systems or sensitive data, the impact is contained.

Monitoring Beyond Simple Red Flags

Traditional detection systems were designed for predictable patterns. AI-enabled scams disrupt that assumption by adapting in real time, changing language, timing, and behavior based on user responses.

In order to deal with this - Organizations must rely more on behavioral monitoring.

Unusual login patterns, unexpected transaction timing, and abnormal approval workflows often provide earlier warning signs than static filters.

Detection also applies to synthetic content. No system can catch every deepfake, but monitoring tools can flag inconsistencies across different mediums when analyzed together with contextual risk factors.

Implementing all of the above things makes it easier to identify anything weird, which can be dangerous, and that is exactly the goal.

Reducing Psychological Vulnerability

Let me put this straight - Technology cannot compensate for unprepared people.

AI-enabled scams are designed to pressure, persuade, and manipulate. Training programs must reflect that reality. Obvious phishing examples are no longer enough. Employees need realistic simulations and clear guidance on how to handle authority-based requests.

Other than that - Clear escalation paths are equally important. Employees should know when to pause, who to contact, and how to verify unusual requests without fear of slowing operations.

Lastly, reliance on informal trust signals such as writing style or familiar voices must be reduced, because these are no longer sufficient in an environment where such cues can be easily replicated.

I have already written an in-depth guide on this particular topic, do check it out.

Embedding Control Into Policy

Governance determines whether safeguards hold. Formal verification policies clarify when additional confirmation is required and who has the authority to grant exceptions. Without structure, convenience overrides caution. Clear response protocols ensure that incidents are handled consistently rather than improvised under pressure.

Documented response procedures for AI-enabled fraud ensure incidents are handled consistently. Auditability matters as well. Being able to reconstruct who approved what, why an exception was granted, and which safeguards were in place often determines whether incidents are viewed as unavoidable or negligent.

Most regulators do not ask whether AI was involved. They ask whether organizations implemented reasonable protections against known threats.

In such environments, the biggest evidence of responsibility is preparation.

The Quiet Cyber Arms Race

Congrats if you made it this far - in an age where attention itself has been hijacked by algorithms, staying present through an entire piece is a big thing.

Just so you know - I didn’t write this post to scare you, it was to ground you, and if you look closely enough, there’s a positive side as well.

AI powers both sides of the equation. The same systems that enable scalable impersonation, automated fraud, and synthetic deception are also strengthening detection, vulnerability discovery, and incident response.

It’s literally like an arms race.

Adversaries are doing what they do best.

On the other hand, defenders are playing their part by moving away from static rules toward systems that analyze behavior and context across users and infrastructure.

This shift has been acknowledged at the institutional level. Europol states:

The takeaway is straightforward - automation benefits whichever side adapts more quickly.

For leaders trying to understand this transition. Ongoing work from bodies such as ENISA, Europol, the World Economic Forum, and NIST documents how AI is reshaping cyber risk, threat modeling, and defensive strategy at a structural level.

The Algorithm is Winning!

I got a confession, most of my time goes into researching topics so I can help you see what the system doesn’t want you to see. At this point, it’s me versus the algorithm, and the algorithm is winning…

That’s why I need your help.

If SK Nexus has provided you any kind of value, consider subscribing if you haven’t already. Independent research only works if the signal travels. If this work has been useful to you, help it travel.

And if you’re active elsewhere, follow along on Bluesky or LinkedIn - those are the two places I show up most consistently outside Substack.

Lastly, a sincere thanks to Joel Salinas for the opportunity to share this work with his audience. Platforms matter. So does trust. I don’t take either lightly.

Dive Deeper

• How Gambling Went Digital

• Social Engineering - When People Become the Exploit

• AI Assistants vs. Privacy: Are We Trading Too Much for Convenience?

• The Truth About the Dark Web: Myths vs Material

Thank you, Mohib Ur Rehman!

Questions Leaders Are Asking

How are deepfake scams targeting businesses in 2026? Attackers use widely available AI tools to clone executive voices and create realistic video calls, then target finance teams, HR departments, and legal staff with urgent requests for payments or sensitive data. The FBI and Europol have both issued warnings that these impersonation attacks are increasing, especially in organizations with loose approval chains.

What makes AI-powered phishing different from traditional phishing? AI-generated phishing removes the obvious red flags that used to make scam emails easy to spot, things like broken grammar and awkward phrasing. Modern AI phishing can mimic internal communication styles, target specific individuals, and even embed hidden instructions designed to bypass automated email filters. Independent testing shows engagement rates comparable to professionally crafted attacks.

How can leaders protect their organizations from AI-enabled fraud? Three practical steps: first, require multi-party verification for any payment or sensitive action (no single-person, single-channel approvals). Second, run realistic drills that simulate authority-based impersonation, not just generic phishing tests. Third, formalize verification policies so your team knows exactly when to pause, who to contact, and how to confirm unusual requests.

Are nonprofits and smaller organizations at risk from AI scams? Yes. AI has reduced the cost of running scams so dramatically that attackers no longer need to focus only on large targets. Any organization that processes payments, handles sensitive data, or relies on verbal approvals is a potential target. The belief that “we’re too small to be targeted” is itself a security vulnerability.

That was dense, and intentionally so.

Here’s what I want you to sit with: the AI tools making your team more productive are the exact same tools making scammers more productive. The difference comes down to who adapts faster, and whether your organization has the verification habits to catch what your instincts can’t.

If this piece made you rethink even one approval process or one “quick verbal confirmation” shortcut, it did its job.

Three things you can do this week:

1. Audit your approval chain. Any payment or sensitive action that can be authorized by a single person on a single channel is a vulnerability. Add a second channel, add a second person.

2. Run one realistic drill. Not a generic phishing test. A scenario where someone impersonates a known executive requesting an urgent action. See how your team responds.

3. Talk about this openly. The biggest risk is the culture of “that won’t happen to us.” Name the threat so your team takes it seriously.

What’s one verification step your team relies on that might not hold up against a convincing deepfake? I’d love to hear what you’re thinking. Hit reply or drop a comment.

A big thank you to Mohib Ur Rehman for bringing his expertise to this community. If you want more of his security analysis, check out SK NEXUS on Substack.

PS: Many subscribers get their Premium membership reimbursed through their company’s professional development $. Use this template to request yours.