A few years ago, spotting a scam was straightforward. Broken English, urgent wire transfer requests, a sender address that was clearly off. Most people learned to recognize the signs.
That playbook is obsolete.
Today’s attackers aren’t firing off mass spam emails and hoping someone clicks. They’re using artificial intelligence to clone voices, craft flawless emails, and build convincing fake identities — tailored specifically to their target. The gap between a real communication and a fake one has never been smaller, and the consequences of getting it wrong have never been larger.
AI Voice Cloning: When You Can’t Trust What You Hear
This is the one that stops people cold when they first hear about it.
With as little as a few seconds of audio — pulled from a YouTube video, a podcast, a voicemail, a social media clip — attackers can generate a synthetic voice that is functionally indistinguishable from the real person. They then use that cloned voice to make phone calls.
The scenarios play out like this: An employee receives a call from what sounds exactly like their CEO, asking them to process an urgent wire transfer before the end of the day. A business owner gets a call from what sounds like their accountant, requesting sensitive financial credentials. A parent receives a panicked call from what sounds like their child, claiming to be in trouble and needing money immediately.
These aren’t hypothetical scenarios. They are happening right now, at scale, to real businesses and real families. The FBI has issued warnings. Companies have lost hundreds of thousands of dollars in single incidents. And the technology to pull it off costs an attacker almost nothing.
What to do: Establish a verbal code word with key employees and family members for urgent financial requests. If something feels off — even slightly — hang up and call back on a known number. Never act on financial requests made solely over the phone without independent verification.
Email Spoofing: The Sender Is Not Who You Think
Email has always been a primary attack vector, but the craft behind malicious emails has improved dramatically.
Modern phishing emails no longer look like phishing emails. Attackers research their targets before sending a single message. They study your company’s email signature format, your communication style, your org chart, your ongoing projects — all of it available through LinkedIn, your website, press releases, and social media. The email they send you will reference real people, real projects, and real context. It will look like it came from inside your organization.
Display name spoofing is the simplest version: the sender name shows as someone you trust, but the actual address is different. Most email clients show the name prominently and bury the address — most people never look past the name.
Domain spoofing is more sophisticated: attackers register domains that look nearly identical to yours. yourcompany.com becomes yourcompany-inc.com, yoourcompany.com, or yourcompany.co. At a glance, especially on a mobile screen, these are nearly impossible to catch.
Compromised account attacks are the most dangerous: attackers gain access to a real email account inside your organization or a vendor’s organization and send malicious requests from a completely legitimate address. No spoofing required — because it’s the real account.
What to do: Verify any unexpected financial request, credential request, or sensitive data request through a second channel — pick up the phone and call the person directly on a known number. Make this a written company policy, not just a suggestion.
Business Email Compromise: The Long Con
Business Email Compromise (BEC) is what happens when attackers play the long game.
Rather than sending one obvious phishing email and hoping for a quick hit, they infiltrate an email thread — sometimes for weeks — silently monitoring conversations between your business and a vendor, partner, or client. When the moment is right, they insert themselves into the thread with a message that is perfectly timed, perfectly worded, and completely in context.
The classic version: your company is finalizing payment with a vendor. The attacker has been watching the thread. At the moment payment details are being exchanged, they send a message — appearing to come from the vendor — with updated banking information. Your accounts payable team processes the payment to the attacker’s account instead.
By the time anyone realizes what happened, the money is gone. Recovery rates are extremely low. The FBI’s Internet Crime Complaint Center reported over $2.9 billion in losses from BEC attacks in 2023 alone.
What to do: Any change to payment instructions or banking details should require a verified phone confirmation with a known contact at the receiving organization. No exceptions.
QR Code Phishing: The Attack You Can’t Hover Over
For years, the standard advice was to hover over a link before clicking to see where it actually goes. QR codes eliminated that safeguard entirely.
Attackers now embed malicious QR codes in emails, physical mail, and even printed materials placed in public spaces. When you scan the code, you’re taken to a convincing fake login page — a replica of Microsoft 365, a bank portal, a corporate VPN — designed to harvest your credentials.
Because the destination URL is hidden inside the QR code, traditional email security filters that scan for malicious links often don’t catch it. And because scanning a QR code feels like a physical action rather than clicking a link, people apply less scrutiny than they otherwise would.
What to do: Treat QR codes in emails with the same skepticism as links. If a QR code leads to a login page, navigate to that service directly through your browser instead.
Deepfake Video: The Next Frontier
Voice cloning is already mainstream in the attacker toolkit. Video is close behind.
In early 2024, a finance employee at a multinational firm was tricked into transferring $25 million after attending a video call where every other participant — including someone posing as the company’s CFO — was a deepfake. The employee had doubts but was convinced by seeing familiar faces on screen.
Deepfake video generation has historically required significant computing resources. That barrier is dropping rapidly. What required a sophisticated setup two years ago can now be accomplished with consumer hardware and freely available software.
What to do: For any high-stakes financial or data-related decision made over video call, require a secondary verification step that happens outside that call — a follow-up email from a known address, a callback to a known number, or an in-person confirmation where possible.
The Common Thread
Every attack described here exploits the same thing: trust.
Trust in a familiar voice. Trust in a known sender. Trust in a face on a screen. Attackers have become exceptionally good at manufacturing that trust artificially, and the technology available to them is improving faster than most organizations’ awareness of it.
The solution isn’t paranoia — it’s process. Clear, consistent verification procedures for sensitive requests, applied without exception regardless of how legitimate something looks or sounds. The few seconds it takes to confirm through a second channel is a small price compared to what happens when that step gets skipped.
How GK Data LLC Can Help
Social engineering and phishing are the entry point for the majority of serious breaches. Once an attacker has a credential or a foothold, the damage to your web assets, your infrastructure, and your data can be extensive.
At GK Data LLC, we help businesses understand and close the gaps that these attacks exploit — from email authentication configuration that makes it significantly harder to spoof your domain, to security assessments that identify where your web presence is leaking information attackers use to build convincing pretexts.
If your business has never had an outside set of eyes on its security posture, now is the right time.
[email protected] | gkdata.io
GK Data LLC is a cybersecurity consultancy based in Minneapolis, MN, specializing in web application security.