Last month, a small insurance agency in Florida wired $47,000 to a vendor they’d worked with for years. The invoice looked perfect. The email came from the right person. The voice on the follow-up call even sounded like their contact.
It was all fake. The invoice, the email, and the voice were generated by AI.
According to the FBI’s Internet Crime Complaint Center (IC3), business email compromise cost American businesses over $2.9 billion in 2023 alone — making it one of the most financially devastating cybercrimes in the country. And AI is making these scams faster, cheaper, and harder to catch than ever before.
If your business processes invoices and makes wire transfers, this is the threat that should be keeping you up at night.
Why Your Accounts Payable Team Is the #1 Target
Accounts payable sits at the intersection of trust and urgency. Your AP team handles invoices, manages vendor details, and executes payments — often under pressure to keep the business running smoothly.
For criminals, that combination is gold.
Most successful payment fraud doesn’t involve hacking into your systems. The FBI has consistently found that business email compromise attacks rely on impersonation — posing as a trusted executive, vendor, or colleague to redirect payments or change bank details before anyone notices something is off.
Now add AI to that equation. Where it once took hours of research to craft a convincing fake email, AI tools can now generate personalized, context-aware fraud emails in seconds. According to VIPRE Security’s Q2 2024 Email Threat Trends Report, approximately 40% of BEC phishing emails were AI-generated — and that number is growing.
The Deepfake Voice Call That Seals the Deal
Here’s where it gets truly unsettling. Email isn’t the only thing being faked anymore.
AI voice cloning technology has advanced to the point where a criminal can create a convincing replica of someone’s voice using just a few minutes of audio — pulled from a conference call recording, a YouTube video, or even a voicemail greeting.
Imagine your bookkeeper gets an email about an updated payment for a regular vendor. She’s not sure, so she calls the number in the email to verify. The person who answers sounds exactly like your vendor contact. “Yes, we changed banks. Go ahead and send it to the new account.”
That call was AI. The money is gone.
For accounting firms and wealth management practices in Bradenton and Tampa Bay that handle client funds, this isn’t a hypothetical. It’s the new reality of accounts payable fraud.
Why “Just Be Careful” Isn’t a Strategy
Most small businesses rely on their team to “spot something suspicious.” That worked when fake emails had typos and bad grammar. AI-generated fraud doesn’t have those red flags. The emails are polished. The context is accurate. The timing is right.
The question for your AP team is no longer whether they can identify a suspicious request. It’s whether your process makes fraud difficult — regardless of how convincing the scam looks.
Five Process Changes That Actually Work
1. Require out-of-band verification for any payment change. If someone asks to change bank details or routing numbers, verify it using a completely separate channel — a phone call to a number you already have on file, not the one in the email.
2. Implement dual approval for payments above a threshold. No single person should be able to authorize a wire transfer over a set amount. Two sets of eyes catch what one set misses.
3. Slow down urgent requests. Criminals rely on urgency — “this needs to go out today.” Build in a mandatory waiting period for payment changes. Real vendors will understand. Fake ones will push back.
4. Train your team on AI-generated threats specifically. Generic security awareness training doesn’t cover deepfake voices and AI-crafted emails. Your team needs to know these exist and how they work.
5. Verify voice calls independently. If someone calls to confirm a payment or change, hang up and call them back at a verified number. An AI-cloned voice can’t answer a call it didn’t initiate from a number it doesn’t control.
The Stakes Are Too High to Ignore
A single fraudulent wire transfer can cost a small business tens or hundreds of thousands of dollars. Insurance may not cover it. Law enforcement may not recover it. And for law firms and financial practices bound by GLBA and FTC Safeguards Rule requirements, the regulatory consequences of a data or payment breach add another layer of exposure.
You don’t need to become a cybersecurity expert. You need a process your team can follow — one that doesn’t depend on spotting a fake that was designed to be undetectable.
Book a free 15-minute risk assessment with Justin and Sara at Reef Cyber Security. We’ll walk through your accounts payable process and show you exactly where AI-powered fraud could slip through — and how to close those gaps before it does.
