
Your finance assistant gets an email from you. The grammar is perfect and the tone sounds right. Minutes later, a voicemail in your voice asks them to rush a payment. Both are fake. AI phishing attacks on small businesses now look and sound completely real. The old advice to watch for typos no longer protects you. This guide explains how these scams work in plain English. You will learn to spot deepfakes, voice cloning and CEO fraud. You will also get simple, affordable steps to stop them. No jargon, and no scare tactics.

What is AI phishing?

AI phishing is a scam that uses artificial intelligence to create convincing fake messages. Criminals use AI to write flawless, personalised emails at speed. They can also clone voices and faces on video. This makes attacks far harder to spot than older phishing. It now targets businesses of every size.

The software pulls details from your website and social media. So a message can name your real suppliers, projects and colleagues. That personal touch is what makes you trust it.

Are small businesses really targeted by AI scams?

Yes, small businesses are firmly in the firing line. You handle payments and client data but rarely have big-company defences. AI lets criminals personalise attacks at scale, so being small no longer hides you.

Phishing is the most common attack facing UK firms. According to the government’s Cyber Security Breaches Survey 2025/2026, it leads by a wide margin. Fraud that follows a breach also costs more on average than other incidents.

Kent businesses are no exception. A local accountancy practice or care provider holds the exact data and payment access criminals want. We see this with the finance and professional-services firms we support.

Why your finance team is the main target

Criminals follow the money, so finance staff sit at the top of their list. These roles can move funds and change payment details fast. Attackers study who approves payments long before they strike.

That is why training matters most for your finance and admin roles. One confident scam call to the right person can cost thousands in minutes. A clear approval process gives that person a safe way to say no.

The new threats: deepfakes, voice cloning and CEO fraud

Three AI-powered scams now cause the biggest losses. Here is how each one works, with real cases.

Voice cloning and phone scams

Voice cloning copies a person’s voice from short audio clips. Criminals find these clips on social media, podcasts or videos. They then phone an employee, posing as a manager or supplier. The voice sounds real and the request feels urgent.

This is not a theory. In 2019, criminals used an AI-cloned voice of a chief executive. They tricked a UK energy firm into transferring around £200,000.

Deepfake video calls

Deepfake video calls fake an executive’s face and voice in real time. Staff join what looks like a normal Teams or Zoom meeting. They then approve payments that go straight to criminals.

Engineering firm Arup lost around US$25 million this way. Employees on a fake video call believed they were talking to senior leaders.

Business email compromise (CEO fraud)

Business email compromise is a scam where criminals impersonate a senior leader or trusted supplier. They send urgent, secret requests to move money or change bank details.

Even the head of WPP, the world’s largest advertising group, was targeted. Criminals used a voice clone and a fake video meeting in 2024. The attempt failed, but it proves no one is too senior to copy.

AI phishing vs traditional phishing

Quality, scale and channel set the two apart. This table shows how they compare.

| Feature | Traditional phishing | AI phishing |
| --- | --- | --- |
| Spelling and grammar | Often poor | Flawless |
| Personalisation | Generic and mass-sent | Tailored to you |
| Channels used | Mostly email | Email, voice and video |
| Speed and volume | Slower | Fast and large-scale |
| Easy to spot by eye? | Sometimes | Rarely |

How to spot an AI phishing or deepfake scam

You spot these scams by the request, not the spelling. Watch for these warning signs:

  • Urgency or pressure to act before the day ends.
  • Secrecy, such as a request to keep it between you.
  • A sudden change to bank or payment details.
  • Requests that skip your usual approval process.
  • Odd pauses, a robotic tone or strange noise on calls.
  • A reply-to address that does not match the sender.

In the invoices we screen for clients, the wording is rarely the giveaway. The real warning sign is almost always a quiet change of bank details on a familiar supplier.
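
For readers who want to automate a first pass, here is an added example (not ITMS's own tooling) that checks a raw email for four of the warning signs above: a mismatched reply-to, urgency, secrecy and a bank-detail change. The phrase lists and both sample messages are constructed for illustration, and the reply-to check compares domains only, which is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Illustrative phrases for three of the warning signs (assumed, not exhaustive).
SIGNS = {
    "urgency": ("urgent", "immediately", "today", "before the day ends"),
    "secrecy": ("confidential", "between us", "keep this quiet"),
    "bank-detail change": ("new bank details", "updated account", "change of bank"),
}

def domain(header_value):
    """Lower-cased domain of the address in a From or Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def warning_signs(raw_email):
    """Return the sorted warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    found = set()
    # Compares domains rather than full addresses to tolerate shared mailboxes.
    if msg.get("Reply-To") and domain(msg["Reply-To"]) != domain(msg["From"]):
        found.add("reply-to mismatch")
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = " ".join(p.get_payload() for p in parts if isinstance(p.get_payload(), str))
    text = f"{msg.get('Subject', '')} {body}".lower()
    for sign, phrases in SIGNS.items():
        if any(phrase in text for phrase in phrases):
            found.add(sign)
    return sorted(found)

# Constructed sample messages (not real mail).
SCAM = """\
From: "Jane Director" <jane@example.com>
Reply-To: jane.director@example.net
To: accounts@example.com
Subject: Urgent payment

Please pay the attached invoice today. Our supplier has new bank details.
Keep this between us until it is done.
"""
LEGIT = """\
From: Supplier Accounts <accounts@example.org>
To: accounts@example.com
Subject: Invoice 1042

Invoice attached, payment due within 30 days as usual.
"""

if __name__ == "__main__":
    for name, raw in (("SCAM", SCAM), ("LEGIT", LEGIT)):
        print(name, warning_signs(raw))
```

A hit is a prompt to verify by phone, not proof of fraud; a clean result does not clear a payment request either.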

How to stop AI phishing attacks

A handful of solid habits stops most attacks. Follow these steps:

  1. Turn on multi-factor authentication everywhere, so a stolen password is not enough.
  2. Use modern, AI-assisted email filtering to block scams before they arrive.
  3. Train your team often with realistic phishing simulations.
  4. Get Cyber Essentials certified to lock down the basics.
  5. Keep software updated and limit who can access what.

These steps follow recognised guidance. The NCSC small business guide recommends the same basics.

Our cyber security support helps Kent firms put them in place affordably. Ongoing managed IT support then keeps your defences current as threats change.

Your “verify before you pay” rule

One simple rule stops most payment fraud. Verify before you pay, every single time.

  1. Pause whenever a payment or bank-detail request feels urgent.
  2. Call the person back on a number you already trust.
  3. Never use the contact details given in the message.
  4. Require a second person to approve larger payments.
  5. Agree a verbal passphrase to confirm identity by phone.

Make clear that pausing is never punished. Junior staff must feel safe to question a request from the boss. That culture stops more fraud than any single tool.

The email security layer most firms miss

SPF, DKIM and DMARC are settings that prove your email really comes from you. Think of them as a doorman checking ID at your domain. Set up well, they stop criminals spoofing your address.

Many small firms have these records missing or misconfigured. That gap lets fake emails through before your staff ever see them.
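
To show what "missing or misconfigured" looks like in practice, here is an added example (not ITMS's own tooling) that audits the SPF and DMARC TXT records of a domain. It works offline on record strings you paste in, for instance from a DNS lookup of the domain and of `_dmarc.<domain>`; the sample records are constructed, and DKIM is left out because its records sit under sender-specific selector names.

```python
def spf_issues(txt_records):
    """Check the TXT strings published at the domain itself for SPF problems."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: more than one record, which receivers treat as an error"]
    terms = spf[0].lower().split()[1:]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy lives in another record; not followed in this offline check
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None or all_term.startswith("?"):
        return ["SPF: no enforcing 'all' term, unlisted senders are treated as neutral"]
    if all_term in ("all", "+all"):
        return ["SPF: '+all' authorises every server on the internet"]
    return []  # '~all' (softfail) or '-all' (fail)

def dmarc_issues(txt_records):
    """Check the TXT strings published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record published"]
    tags = dict(
        (k.strip().lower(), v.strip().lower())
        for k, _, v in (part.partition("=") for part in recs[0].split(";"))
        if k.strip()
    )
    issues = []
    policy = tags.get("p") or "missing"
    if policy not in ("quarantine", "reject"):
        issues.append(f"DMARC: p={policy} does not block spoofed mail")
    if tags.get("pct", "100") != "100":
        issues.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return issues

def audit(root_txt, dmarc_txt):
    """Combine both checks into one list of findings (empty means no issue found)."""
    return spf_issues(root_txt) + dmarc_issues(dmarc_txt)

# Constructed sample records (not taken from any real domain).
WEAK_ROOT = ["v=spf1 include:_spf.example.net +all"]
WEAK_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
GOOD_ROOT = ["v=spf1 include:_spf.example.net -all"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    print("weak:", audit(WEAK_ROOT, WEAK_DMARC))
    print("good:", audit(GOOD_ROOT, GOOD_DMARC))
```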

Email security is our specialism at ITMS. Our award-winning work in this area shapes how we protect every client. Read more about our approach to email security.

What to do if you think you have been hit

Act fast and stay calm. Take these steps in order:

  1. Contact your bank at once to try to recall the payment.
  2. Change any passwords or logins that may be exposed.
  3. Save all evidence, including emails and call records.
  4. Report the crime to Action Fraud.
  5. Tell the ICO within 72 hours if personal data is involved.
  6. Call your IT partner to contain the problem.

You can report the crime through Action Fraud. Good tested backups then mean you can restore data and keep working.

The bottom line for your business

AI phishing attacks on small businesses are real, but they are not unbeatable. A few clear habits and properly set up email defences make you a hard target. The aim is not fear. It is quiet confidence that your team and your money are safe.

Not sure whether your email is properly protected? ITMS checks exactly this for businesses across Kent. Book a no-obligation call and we will show you where you stand.

When did you last test whether your team could spot a scam?