In January 2024, a finance worker at a multinational company in Hong Kong joined what appeared to be a routine video conference. On screen: his CFO, his chief executive, and several senior colleagues. The instructions were specific — initiate a series of wire transfers totaling HK$200 million, approximately $25.6 million USD. He complied. Every person on that call was a deepfake.
That case made international news — but the underlying technology wasn't new. By 2024, the tools required to clone a voice, generate a photorealistic face on a live video call, write hyper-personalized phishing emails, or maintain dozens of fake romantic relationships simultaneously were either free or cheap. AI didn't create fraud. It industrialized it. A single operator with a laptop can now run attack campaigns that previously required a team and weeks of preparation.
This article covers six categories of AI-enhanced scams that are actively targeting people right now, how each works mechanically, the documented financial toll, and specific steps to protect yourself and the people around you.
The Numbers Behind the Crisis
Before examining individual attack types, it helps to understand the scale. The data below comes from official government filings and law enforcement reports — not vendor surveys. All figures are reported losses, meaning the actual totals are likely significantly higher because a large fraction of fraud victims never file a report.
Those numbers represent disclosed losses only. The Global Anti-Scam Alliance (GASA) estimated in their 2023 State of Scams report that the majority of fraud victims — particularly in romance and investment scams — never report what happened due to embarrassment or uncertainty about whether it was "really" a crime. The FBI IC3's 2023 report also notes that cybercrime losses are likely underreported by a factor of 10 or more.
The Six Attacks
Modern AI can clone a person's voice from as little as 3–10 seconds of audio. That audio can come from a voicemail, a social media video, a YouTube appearance, a podcast, or even a short phone call. The resulting clone is fed into text-to-speech software that can then say anything the attacker types — convincingly, in real time.
The "grandparent scam" — where a fraudster calls an elderly person claiming to be a grandchild in trouble — has been a known attack for years. With voice cloning, the voice on the phone now sounds exactly like the grandchild. The emotional manipulation is nearly identical to a real call. The FTC published a specific alert on this attack pattern in March 2023, describing callers who impersonated family members claiming to be in legal trouble, hospitalized, or in danger — and urgently needed money transferred immediately.
"Mom, it's me — I'm so sorry to call like this." [voice identical to your child's] "I was in an accident and the police are here. My lawyer says I need $2,400 sent by wire transfer tonight or I'm going to be held over the weekend. Please don't tell Dad. I'm so embarrassed."
The same technology scales to corporate fraud. In a business voice clone attack, executives' voices — scraped from earnings calls, conference recordings, LinkedIn videos, or media appearances — are cloned and used to instruct finance staff to execute wire transfers. The instructions arrive as an urgent, plausible-sounding phone call from someone who sounds exactly like the CFO.
A 2023 McAfee survey of 7,054 adults across seven countries found that 25% had been targeted by an AI voice clone scam or knew someone who had — and of those who were deceived, 77% lost money. In February 2024, the FCC explicitly ruled that AI-generated voices in robocalls are illegal under the Telephone Consumer Protection Act, following a case where fake AI robocalls impersonated President Biden to suppress voter turnout in New Hampshire.
Your defense: establish a family code word. Pick a single word your family agrees on in advance. If anyone calls claiming to be a family member in an emergency, ask for the code word. Someone who is genuinely your family member will know it. A voice clone won't. This takes 30 seconds to set up and costs nothing.
The Hong Kong case described at the opening of this article was not the first documented real-time deepfake fraud — but it was the largest. Tools like DeepFaceLive and successor software allow a person's face to be replaced on a live video feed with another person's likeness, in real time, during a Zoom, Teams, or Google Meet call. The face tracks, the expressions sync, and the head movement follows the fraudster's actual movement.
For the Hong Kong attack, investigators believe the criminals built the deepfakes from publicly available video footage of the company's actual executives — conference recordings, news appearances, annual report videos. Reuters reported in February 2024 that the employee attended the call, expressed doubt beforehand, but was reassured by seeing what appeared to be familiar faces. The call included multiple fake participants to reinforce the illusion of a legitimate meeting context.
The calendar invite arrives with a standard company video conference link. The meeting is framed as urgent and confidential — a strategic move requiring discretionary wire transfers before the end of the quarter. Multiple "colleagues" are visible on screen. All are deepfakes. The meeting ends. The money leaves.
The Europol Innovation Lab's report on malicious uses of AI identified face-swapping and deepfake video as a primary tool for executive impersonation fraud, noting that the technology removes the "uncanny valley" barrier that previously made such attacks detectable. Sumsub's 2023 Identity Fraud Report documented a 10x year-over-year increase in deepfake fraud attempts detected by identity verification systems.
Red flags: the meeting was scheduled with urgency and little notice; the "executive" communicates primarily through a call rather than email trail or internal messaging; instructions involve a transfer that bypasses normal approval channels; the request is accompanied by explicit pressure not to discuss it with others before acting.
For decades, phishing emails were identifiable by bad grammar, strange formatting, generic greetings, and implausible scenarios. AI eliminated all of those tells. A language model can now generate a perfectly written, contextually appropriate, grammatically flawless email — and it can personalize that email using data scraped from the target's public LinkedIn profile, social media posts, company website, recent news coverage, or professional publications.
This is called spear phishing — a targeted attack on a specific individual rather than a mass send. AI makes what used to be a labor-intensive, per-target operation trivially scalable. A bad actor can feed a model a LinkedIn profile and a company's "About" page and receive a draft phishing email that references the target's job title, recent projects, colleagues' names, and the organization's current initiatives — all tailored to earn trust before the malicious link or attachment appears.
"Hi [first name], I saw your presentation at [actual conference you attended] last month — really insightful work on [actual topic]. I'm reaching out because our team is working on something adjacent and I'd love to share a brief document for your feedback. Here's the link: [malicious URL that looks like a familiar cloud storage service]."
IBM's X-Force Threat Intelligence division has reported that AI-generated phishing messages test significantly more effective than human-written equivalents in click-through rate studies — because they eliminate the social cues humans have learned to associate with scams. Smishing (SMS phishing) has followed the same trajectory: AI-generated text messages impersonating package delivery services, banks, and government agencies arrive personalized with the target's name and plausible contextual detail scraped from data broker databases.
Red flags: any link in an email or text that requires you to log in — even to a site that looks exactly right. Hover over the link first and check the actual URL in your browser's status bar. Legitimate companies will never ask you to verify your account or credentials by clicking a link in an unsolicited message. When in doubt, navigate directly to the company's website by typing the address yourself and log in from there.
AI can generate convincing job postings at scale — complete with realistic company descriptions, plausible salary ranges, and detailed role requirements — and post them across LinkedIn, Indeed, ZipRecruiter, and dozens of other boards simultaneously. The company may be entirely fictional, a real company's identity stolen, or a shell that mimics a legitimate employer's branding.
In one increasingly common variant, the job application leads to a "video interview" with what appears to be a recruiter or hiring manager. That person is an AI avatar — a photorealistic face with synchronized lip movement, scripted responses, and enough natural-sounding dialogue to conduct a full 30-minute interview. The victim completes the interview, is "hired," and is then asked to complete onboarding steps that involve providing direct deposit banking information, paying for "required software" or "background check fees," or receiving checks to deposit and forward to a "vendor." The check bounces. The money is gone. The job never existed.
"Congratulations! We're excited to move you to the next stage. As part of your onboarding, you'll need to purchase your work-from-home equipment package through our approved vendor. We'll send you a reimbursement check — please deposit it and forward $800 to the vendor using Zelle. Your first day is Monday."
The FTC reports that job scams have cost Americans hundreds of millions of dollars annually, with losses rising every year as the barrier to generating convincing fake postings and conducting fake interviews has dropped to near zero. The FTC's 2022 figures put reported job scam losses at $367 million — and that number has grown since.
Verification steps: search for the company independently (not through the job posting's link) and verify the role exists on their actual website. Contact the company's HR department directly using a number you find on their official website — not one provided by the recruiter. Never pay money of any kind during a hiring process. Never deposit a check and forward a portion of the funds to anyone — this is the textbook "fake check scam" and the deposited check will always be counterfeit.
Romance scams involve building a fake emotional relationship with a victim over time — weeks or months — before introducing a financial request. Historically this required significant human labor: a person had to maintain each fake relationship individually, keep track of personal details shared by the victim, and respond in real time. AI removes that bottleneck. A single operator can now manage hundreds of simultaneous "relationships" using AI to generate responses, remember context, adjust emotional tone, and escalate toward the financial ask at the right moment.
"Pig butchering" (from the Chinese shā zhū pán — fattening a pig before slaughter) is a specific and devastating variant. The scammer builds a romantic or friendly connection, then casually mentions having made significant money through a cryptocurrency investment platform. Over subsequent conversations, they guide the victim to try a small investment on the platform — which shows impressive, real-seeming returns. Encouraged, the victim deposits more. The platform shows growing gains. The victim deposits everything they can access — retirement savings, home equity, borrowed money. Then they try to withdraw. The platform freezes. Customer support disappears. The Department of Justice has documented operations that netted tens of millions of dollars per month, often run by forced-labor workers in compounds in Myanmar, Laos, and Cambodia.
"I don't usually talk about this but I have a cousin who works at a quantitative trading firm. He shared a strategy with me and I've made back everything I lost in the crash. I only mention it because I feel like I can trust you — I'd never recommend it to just anyone. Start small. See for yourself."
The FTC reported $1.14 billion lost to romance scams in 2023 — but pig butchering losses are typically categorized under investment fraud, which totaled $4.57 billion in the FBI IC3's 2023 data. The Consumer Financial Protection Bureau (CFPB) issued specific guidance on pig butchering, noting that victims often lose amounts averaging six figures and frequently exhaust retirement savings. The Stanford Internet Observatory has published research documenting the infrastructure of pig butchering operations, including the use of AI tools to generate and maintain victim personas at scale.
The single most reliable warning sign: anyone you have never met in person who introduces a cryptocurrency investment opportunity — regardless of how long you've known them online, how credible their story seems, or how small the initial investment appears — is almost certainly running a pig butchering operation. No legitimate investment platform is introduced through a romantic or social relationship with a stranger.
Voice cloning and AI-generated scripts have supercharged impersonation of government agencies and financial institutions — the two categories of caller most people feel they cannot afford to ignore. The IRS scam, the Social Security Administration scam, the Medicare scam, and the bank "fraud alert" call all follow the same structure: create urgency, establish fear of a consequence (arrest, account closure, benefit termination), and pressure the target to act immediately before thinking clearly.
What AI adds is consistency and scale. An AI-powered robocall system can make tens of thousands of calls simultaneously with a cloned voice that sounds indistinguishable from a human government employee. The script adapts based on the target's responses. If the target says "let me call back," the AI has a response for that. If they say "I've heard this is a scam," the AI has a counter-script for that too. Older adults, who are more likely to answer unknown calls and more accustomed to treating calls from authorities as legitimate, are disproportionately targeted.
"This is the Social Security Administration. Your social security number has been flagged for suspicious activity linked to a drug trafficking case. To avoid arrest and the suspension of your benefits, you must verify your identity immediately and transfer your funds to a secure government holding account. This is your only warning."
In March 2024, the FTC finalized its Impersonation Rule, explicitly banning AI-generated impersonation of government agencies and companies — and creating new enforcement tools to pursue international scam operations. But enforcement cannot keep pace with automated attack volume.
The rule that applies to every call of this type: hang up. Do not press buttons. Do not stay on the line to "sort it out." Look up the official number for the organization independently (IRS: 1-800-829-1040; SSA: 1-800-772-1213; your bank's number is on the back of your card) and call back on that number. The IRS does not initiate contact by phone. The SSA does not threaten immediate arrest. Your bank will never ask you to transfer money to a "secure account" to protect it from fraud.
The common thread in every AI scam is the same: pressure to act fast, before you can think or verify. Slow down. That single habit defeats the majority of attacks.
How to Protect Yourself and Your Family
Each threat type above has specific defenses noted within the section. These are the cross-cutting protections that apply regardless of attack type:
If You've Been Targeted or Victimized
The most important thing to know if you've already been scammed: stop sending money immediately. Scammers often have a "recovery scam" ready to deploy on victims — a follow-up contact from a fake law enforcement officer or fraud recovery service offering to retrieve your money for a fee. This is the same scammer coming back for more. There is no legitimate recovery service that charges upfront fees to retrieve fraud losses.
Key Sources & Further Reading
Every attack described in this article exploits the same three things: urgency that prevents clear thinking, trust that's been carefully engineered over time, and the human instinct to act rather than verify when someone important seems to need help right now.
AI made these attacks faster to deploy and harder to detect by ear or eye. But the countermeasures are not technical. They are habits: slow down, verify independently, establish a code word with your family, freeze your credit before you need to, and talk about this openly with the people around you. Scams work best in silence.
Share this article with someone who needs it. That might be the most useful thing you do today.
Sheldon covers AI, security, and the practical impact of emerging technology on everyday life. Dear Tech is committed to sourcing every factual claim — if you find an error or a broken link, reach out through the contact page.