Back to Blog

In January 2024, a finance worker at a multinational company in Hong Kong joined what appeared to be a routine video conference. On screen: his CFO, his chief executive, and several senior colleagues. The instructions were specific — initiate a series of wire transfers totaling HK$200 million, approximately $25.6 million USD. He complied. Every person on that call was a deepfake.

That case made international news — but the underlying technology wasn't new. By 2024, the tools required to clone a voice, generate a photorealistic face on a live video call, write hyper-personalized phishing emails, or maintain dozens of fake romantic relationships simultaneously were either free or cheap. AI didn't create fraud. It industrialized it. A single operator with a laptop can now run attack campaigns that previously required a team and weeks of preparation.

This article covers six categories of AI-enhanced scams that are actively targeting people right now, how each works mechanically, the documented financial toll, and specific steps to protect yourself and the people around you.

The Numbers Behind the Crisis

Before examining individual attack types, it helps to understand the scale. The data below comes from official government filings and law enforcement reports — not vendor surveys. All figures are reported losses, meaning the actual totals are likely significantly higher because a large fraction of fraud victims never file a report.

$10B+
Total Fraud Losses
United States · 2023
$12.5B
Cybercrime Losses
Reported to FBI IC3 · 2023
$4.57B
Investment Fraud Losses
Primarily Crypto · 2023
77%
Voice Scam Victims
Who Lost Money · 2023

Those numbers represent disclosed losses only. The Global Anti-Scam Alliance (GASA) estimated in their 2023 State of Scams report that the majority of fraud victims — particularly in romance and investment scams — never report what happened due to embarrassment or uncertainty about whether it was "really" a crime. The FBI IC3's 2023 report also notes that cybercrime losses are likely underreported by a factor of 10 or more.

The Six Attacks

01
Voice Clone Attacks — Your Own Voice Used Against Your Family

Modern AI can clone a person's voice from as little as 3–10 seconds of audio. That audio can come from a voicemail, a social media video, a YouTube appearance, a podcast, or even a short phone call. The resulting clone is fed into text-to-speech software that can then say anything the attacker types — convincingly, in real time.

The "grandparent scam" — where a fraudster calls an elderly person claiming to be a grandchild in trouble — has been a known attack for years. With voice cloning, the voice on the phone now sounds exactly like the grandchild. The emotional manipulation is nearly identical to a real call. The FTC published a specific alert on this attack pattern in March 2023, describing callers who impersonated family members claiming to be in legal trouble, hospitalized, or in danger — and urgently needed money transferred immediately.

"Mom, it's me — I'm so sorry to call like this." [voice identical to your child's] "I was in an accident and the police are here. My lawyer says I need $2,400 sent by wire transfer tonight or I'm going to be held over the weekend. Please don't tell Dad. I'm so embarrassed."

The same technology scales to corporate fraud. In a business voice clone attack, executives' voices — scraped from earnings calls, conference recordings, LinkedIn videos, or media appearances — are cloned and used to instruct finance staff to execute wire transfers. The instructions arrive as an urgent, plausible-sounding phone call from someone who sounds exactly like the CFO.

A 2023 McAfee survey of 7,054 adults across seven countries found that 25% had been targeted by an AI voice clone scam or knew someone who had — and of those who were deceived, 77% lost money. In February 2024, the FCC explicitly ruled that AI-generated voices in robocalls are illegal under the Telephone Consumer Protection Act, following a case where fake AI robocalls impersonated President Biden to suppress voter turnout in New Hampshire.

Your defense: establish a family code word. Pick a single word your family agrees on in advance. If anyone calls claiming to be a family member in an emergency, ask for the code word. Someone who is genuinely your family member will know it. A voice clone won't. This takes 30 seconds to set up and costs nothing.

02
Real-Time Deepfake Video — The Face on the Screen Is Not a Person

The Hong Kong case described at the opening of this article was not the first documented real-time deepfake fraud — but it was the largest. Tools like DeepFaceLive and successor software allow a person's face to be replaced on a live video feed with another person's likeness, in real time, during a Zoom, Teams, or Google Meet call. The face tracks, the expressions sync, and the head movement follows the fraudster's actual movement.

For the Hong Kong attack, investigators believe the criminals built the deepfakes from publicly available video footage of the company's actual executives — conference recordings, news appearances, annual report videos. Reuters reported in February 2024 that the employee attended the call, expressed doubt beforehand, but was reassured by seeing what appeared to be familiar faces. The call included multiple fake participants to reinforce the illusion of a legitimate meeting context.

The calendar invite arrives with a standard company video conference link. The meeting is framed as urgent and confidential — a strategic move requiring discretionary wire transfers before the end of the quarter. Multiple "colleagues" are visible on screen. All are deepfakes. The meeting ends. The money leaves.

The Europol Innovation Lab's report on malicious uses of AI identified face-swapping and deepfake video as a primary tool for executive impersonation fraud, noting that the technology removes the "uncanny valley" barrier that previously made such attacks detectable. Sumsub's 2023 Identity Fraud Report documented a 10x year-over-year increase in deepfake fraud attempts detected by identity verification systems.

Red flags: the meeting was scheduled with urgency and little notice; the "executive" communicates primarily through a call rather than email trail or internal messaging; instructions involve a transfer that bypasses normal approval channels; the request is accompanied by explicit pressure not to discuss it with others before acting.

03
AI-Powered Phishing — No Typos, No Tells, Full Context

For decades, phishing emails were identifiable by bad grammar, strange formatting, generic greetings, and implausible scenarios. AI eliminated all of those tells. A language model can now generate a perfectly written, contextually appropriate, grammatically flawless email — and it can personalize that email using data scraped from the target's public LinkedIn profile, social media posts, company website, recent news coverage, or professional publications.

This is called spear phishing — a targeted attack on a specific individual rather than a mass send. AI makes what used to be a labor-intensive, per-target operation trivially scalable. A bad actor can feed a model a LinkedIn profile and a company's "About" page and receive a draft phishing email that references the target's job title, recent projects, colleagues' names, and the organization's current initiatives — all tailored to earn trust before the malicious link or attachment appears.

"Hi [first name], I saw your presentation at [actual conference you attended] last month — really insightful work on [actual topic]. I'm reaching out because our team is working on something adjacent and I'd love to share a brief document for your feedback. Here's the link: [malicious URL that looks like a familiar cloud storage service]."

IBM's X-Force Threat Intelligence division has reported that AI-generated phishing messages test significantly more effective than human-written equivalents in click-through rate studies — because they eliminate the social cues humans have learned to associate with scams. Smishing (SMS phishing) has followed the same trajectory: AI-generated text messages impersonating package delivery services, banks, and government agencies arrive personalized with the target's name and plausible contextual detail scraped from data broker databases.

Red flags: any link in an email or text that requires you to log in — even to a site that looks exactly right. Hover over the link first and check the actual URL in your browser's status bar. Legitimate companies will never ask you to verify your account or credentials by clicking a link in an unsolicited message. When in doubt, navigate directly to the company's website by typing the address yourself and log in from there.

04
Fake Job Listings & AI Interviewers — The Offer That Was Never Real

AI can generate convincing job postings at scale — complete with realistic company descriptions, plausible salary ranges, and detailed role requirements — and post them across LinkedIn, Indeed, ZipRecruiter, and dozens of other boards simultaneously. The company may be entirely fictional, a real company's identity stolen, or a shell that mimics a legitimate employer's branding.

In one increasingly common variant, the job application leads to a "video interview" with what appears to be a recruiter or hiring manager. That person is an AI avatar — a photorealistic face with synchronized lip movement, scripted responses, and enough natural-sounding dialogue to conduct a full 30-minute interview. The victim completes the interview, is "hired," and is then asked to complete onboarding steps that involve providing direct deposit banking information, paying for "required software" or "background check fees," or receiving checks to deposit and forward to a "vendor." The check bounces. The money is gone. The job never existed.

"Congratulations! We're excited to move you to the next stage. As part of your onboarding, you'll need to purchase your work-from-home equipment package through our approved vendor. We'll send you a reimbursement check — please deposit it and forward $800 to the vendor using Zelle. Your first day is Monday."

The FTC reports that job scams have cost Americans hundreds of millions of dollars annually, with losses rising every year as the barrier to generating convincing fake postings and conducting fake interviews has dropped to near zero. The FTC's 2022 figures put reported job scam losses at $367 million — and that number has grown since.

Verification steps: search for the company independently (not through the job posting's link) and verify the role exists on their actual website. Contact the company's HR department directly using a number you find on their official website — not one provided by the recruiter. Never pay money of any kind during a hiring process. Never deposit a check and forward a portion of the funds to anyone — this is the textbook "fake check scam" and the deposited check will always be counterfeit.

05
Romance Scams & Pig Butchering — The Long Con at Industrial Scale

Romance scams involve building a fake emotional relationship with a victim over time — weeks or months — before introducing a financial request. Historically this required significant human labor: a person had to maintain each fake relationship individually, keep track of personal details shared by the victim, and respond in real time. AI removes that bottleneck. A single operator can now manage hundreds of simultaneous "relationships" using AI to generate responses, remember context, adjust emotional tone, and escalate toward the financial ask at the right moment.

"Pig butchering" (from the Chinese shā zhū pán — fattening a pig before slaughter) is a specific and devastating variant. The scammer builds a romantic or friendly connection, then casually mentions having made significant money through a cryptocurrency investment platform. Over subsequent conversations, they guide the victim to try a small investment on the platform — which shows impressive, real-seeming returns. Encouraged, the victim deposits more. The platform shows growing gains. The victim deposits everything they can access — retirement savings, home equity, borrowed money. Then they try to withdraw. The platform freezes. Customer support disappears. The Department of Justice has documented operations that netted tens of millions of dollars per month, often run by forced-labor workers in compounds in Myanmar, Laos, and Cambodia.

"I don't usually talk about this but I have a cousin who works at a quantitative trading firm. He shared a strategy with me and I've made back everything I lost in the crash. I only mention it because I feel like I can trust you — I'd never recommend it to just anyone. Start small. See for yourself."

The FTC reported $1.14 billion lost to romance scams in 2023 — but pig butchering losses are typically categorized under investment fraud, which totaled $4.57 billion in the FBI IC3's 2023 data. The Consumer Financial Protection Bureau (CFPB) issued specific guidance on pig butchering, noting that victims often lose amounts averaging six figures and frequently exhaust retirement savings. The Stanford Internet Observatory has published research documenting the infrastructure of pig butchering operations, including the use of AI tools to generate and maintain victim personas at scale.

The single most reliable warning sign: anyone you have never met in person who introduces a cryptocurrency investment opportunity — regardless of how long you've known them online, how credible their story seems, or how small the initial investment appears — is almost certainly running a pig butchering operation. No legitimate investment platform is introduced through a romantic or social relationship with a stranger.

06
Government & Bank Impersonation — The Call You're Afraid to Ignore

Voice cloning and AI-generated scripts have supercharged impersonation of government agencies and financial institutions — the two categories of caller most people feel they cannot afford to ignore. The IRS scam, the Social Security Administration scam, the Medicare scam, and the bank "fraud alert" call all follow the same structure: create urgency, establish fear of a consequence (arrest, account closure, benefit termination), and pressure the target to act immediately before thinking clearly.

What AI adds is consistency and scale. An AI-powered robocall system can make tens of thousands of calls simultaneously with a cloned voice that sounds indistinguishable from a human government employee. The script adapts based on the target's responses. If the target says "let me call back," the AI has a response for that. If they say "I've heard this is a scam," the AI has a counter-script for that too. Older adults, who are more likely to answer unknown calls and more accustomed to treating calls from authorities as legitimate, are disproportionately targeted.

"This is the Social Security Administration. Your social security number has been flagged for suspicious activity linked to a drug trafficking case. To avoid arrest and the suspension of your benefits, you must verify your identity immediately and transfer your funds to a secure government holding account. This is your only warning."

In March 2024, the FTC finalized its Impersonation Rule, explicitly banning AI-generated impersonation of government agencies and companies — and creating new enforcement tools to pursue international scam operations. But enforcement cannot keep pace with automated attack volume.

The rule that applies to every call of this type: hang up. Do not press buttons. Do not stay on the line to "sort it out." Look up the official number for the organization independently (IRS: 1-800-829-1040; SSA: 1-800-772-1213; your bank's number is on the back of your card) and call back on that number. The IRS does not initiate contact by phone. The SSA does not threaten immediate arrest. Your bank will never ask you to transfer money to a "secure account" to protect it from fraud.

The common thread in every AI scam is the same: pressure to act fast, before you can think or verify. Slow down. That single habit defeats the majority of attacks.

How to Protect Yourself and Your Family

Each threat type above has specific defenses noted within the section. These are the cross-cutting protections that apply regardless of attack type:

Establish a family emergency code word. Choose a word no one outside your family knows. Any call or message claiming to be a family member in crisis — regardless of how the voice sounds — requires the code word before any action is taken. Set this up today, before you need it.
Treat urgency as a red flag, not a reason to move faster. Every AI scam depends on the target not having time to think, verify, or ask someone else. Legitimate emergencies, legitimate companies, and legitimate government agencies will give you time to call back, verify, and consult. If a caller, message, or email tells you there is no time — that is the attack signal.
Never verify by staying on the call. If you receive a suspicious call from a bank, government agency, or person claiming to be a family member — hang up. Look up the official number yourself. Call back on that number. Do not use a number given to you by the suspicious caller. Do not press 1 to speak to a representative. Hang up and start fresh.
Enable multi-factor authentication on all accounts. Voice cloning and phishing are often precursors to account takeover. MFA means that even if a scammer obtains your password, they cannot access your account without a second factor you control. Use an authenticator app (Google Authenticator, Authy) rather than SMS where possible — SIM-swap attacks can compromise SMS-based MFA.
Freeze your credit at all three bureaus. A credit freeze prevents new credit accounts from being opened in your name, even if a scammer has your Social Security number and personal information. It's free to place and free to lift. Do it now, before it's needed. Equifax, Experian, and TransUnion each have online portals for this.
Never send money to anyone you haven't met in person. Wire transfers, cryptocurrency, gift cards, Zelle, and Venmo payments are essentially unrecoverable. No legitimate government agency, employer, or investment platform asks for payment via gift card or cryptocurrency. Any payment request using these methods is a scam.
Discuss these tactics with older family members. Adults over 60 lose more money per scam incident than any other age group, per FBI IC3 data — not because they are less intelligent, but because they are more likely to answer calls from unknown numbers, more trusting of authority, and less familiar with these specific attack patterns. Share this article. Have the conversation. Establish the code word together.
Audit your social media audio and video footprint. Voice cloning requires source audio. Reduce what attackers can sample: check your privacy settings on Facebook, TikTok, Instagram, and YouTube. Consider whether videos of you speaking publicly (work presentations, interviews, podcasts, voicemail greetings) give attackers enough material to build a convincing clone of your voice.
Use deepfake detection tools for suspicious video. Tools including Reality Defender and Hive Moderation offer deepfake analysis. If you receive a video you suspect may be synthetic, these services can check for AI generation artifacts. They are not foolproof, but they add a layer of detection that wasn't previously available to individuals.

If You've Been Targeted or Victimized

The most important thing to know if you've already been scammed: stop sending money immediately. Scammers often have a "recovery scam" ready to deploy on victims — a follow-up contact from a fake law enforcement officer or fraud recovery service offering to retrieve your money for a fee. This is the same scammer coming back for more. There is no legitimate recovery service that charges upfront fees to retrieve fraud losses.

01
Contact your bank immediately. Wire transfers can sometimes be recalled within 24–72 hours if the receiving bank cooperates. ACH transfers have a slightly longer reversal window. Call your bank's fraud line — the number on the back of your card — as soon as you suspect fraud. Do not wait.
02
File a report with the FTC. Visit reportfraud.ftc.gov. Reports are shared with law enforcement agencies nationwide and help build cases against organized fraud networks. Even if you don't believe your individual report will recover your money, the aggregate data drives enforcement action.
03
File a complaint with the FBI IC3. For cybercrime including romance scams, investment fraud, BEC, and job scams: ic3.gov. The IC3 reviews complaints and refers them to appropriate federal, state, local, or international agencies.
04
Contact the AARP Fraud Watch Network. The AARP Fraud Watch Helpline at 877-908-3360 is free and open to adults of all ages — not just AARP members. Trained volunteers can walk you through next steps, help you understand what happened, and connect you with local resources.
05
File a local police report. A local police report creates an official record. Some banks and insurance policies require a police report to process fraud claims. Even if local law enforcement cannot pursue the case, having the report on file protects you.
06
Do not pay anyone claiming they can recover your money. This is the second attack. Recovery scammers specifically target people who have already been victimized, knowing they are desperate and may pay significant fees for help that will never arrive.

Key Sources & Further Reading

Verified Primary Sources
01
FTC Consumer Sentinel Network Data Book 2023 — Official fraud loss statistics by category. ftc.gov/reports/consumer-sentinel-network
02
FBI Internet Crime Complaint Center (IC3) Annual Report 2023 — Cybercrime losses, BEC data, investment fraud. ic3.gov/AnnualReport
03
FTC Consumer Alert — "Scammers use AI to enhance their family emergency schemes" (March 2023). consumer.ftc.gov
04
McAfee "Artificial Imposters — Cybercriminals Turn to AI Voice Cloning for a New Breed of Scam" (2023). mcafee.com
05
Reuters — "Hong Kong company loses HK$200 million in deepfake video conference scam" (February 4, 2024). reuters.com
06
Europol Innovation Lab — "Malicious Uses and Abuses of Artificial Intelligence" report. europol.europa.eu
07
Sumsub — Identity Fraud Report 2023 (deepfake fraud increase data). sumsub.com
08
U.S. Department of Justice — Action against cryptocurrency "pig butchering" investment scams. justice.gov
09
Consumer Financial Protection Bureau (CFPB) — Action on pig butchering crypto schemes. consumerfinance.gov
10
FTC — Final Rule on Government and Business Impersonation (March 2024). ftc.gov
11
Global Anti-Scam Alliance — State of Scams 2023 Global Report. gasa.org
12
Stanford Internet Observatory — Research on pig butchering and online fraud infrastructure. cyber.fsi.stanford.edu
13
FTC — Job Scams (consumer guide and loss data). consumer.ftc.gov/articles/job-scams
14
FCC — Ruling on AI-generated voices in robocalls under the TCPA (February 2024). fcc.gov
15
AARP Fraud Watch Network — Resources, helpline (877-908-3360), and scam tracker. aarp.org/money/scams-fraud
Conclusion
The Technology Has Changed. The Leverage Points Haven't.

Every attack described in this article exploits the same three things: urgency that prevents clear thinking, trust that's been carefully engineered over time, and the human instinct to act rather than verify when someone important seems to need help right now.

AI made these attacks faster to deploy and harder to detect by ear or eye. But the countermeasures are not technical. They are habits: slow down, verify independently, establish a code word with your family, freeze your credit before you need to, and talk about this openly with the people around you. Scams work best in silence.

Share this article with someone who needs it. That might be the most useful thing you do today.

S
Sheldon Valentine
Founder · Dear Tech

Sheldon covers AI, security, and the practical impact of emerging technology on everyday life. Dear Tech is committed to sourcing every factual claim — if you find an error or a broken link, reach out through the contact page.

Share
Back to Blog