Last month a friend who runs a twelve-person design studio forwarded me a voicemail and asked, half-joking, if it was really me. It was my voice. My cadence, the little way I trail off at the end of a sentence. The thing is, I never recorded it. Somebody had scraped a few minutes of me talking online, fed it into a tool that costs less than a streaming subscription, and made me say words I have never said. I laughed, because that is what you do when something scares you a little. Then I sat with it, because the studio owner is exactly the kind of person these scams are built to hit now.
For a long time the headline deepfake cases were giant companies. The most famous one is still the $25 million an engineering firm lost when an employee joined a video call where every colleague on screen was a convincing fake. It is easy to read a story like that and think that is a Fortune 500 problem, not mine. I understand the instinct. I have run small businesses my whole adult life, and when you are making payroll on a Thursday you do not have spare worry to spend on movie-grade fraud.
Here is what changed my mind. The expensive part of these attacks used to be the technology. Now the technology is basically free, and the only scarce ingredient is a target who moves money without a second pair of eyes. That describes almost every small business I know. The FBI's 2024 Internet Crime Report logged 21,442 business email compromise complaints and nearly $2.8 billion in losses, and that figure was climbing before voice and video fakes got this good. Roughly 85% of companies now report at least one deepfake incident, with average losses above half a million dollars. Deloitte projects generative-AI fraud could reach $40 billion in the United States by 2027. Earlier this year a Fortune 500 finance team reportedly wired about $28 million after a single deepfake video call impersonating their CFO. The same cheap tools doing that to a giant are the voice cloning tricks that have been calling families pretending to be a kid in trouble. There is no premium tier of victim. This kind of fraud now runs at industrial scale, and the surge is not slowing.
So what does a small business actually do about it? Not panic, for a start. You do not need a security team. You need a few simple habits that a fake voice cannot fake its way around.
The first one is a verification ritual for money. Pick a rule and make it boring: any request to move funds, change bank details, or buy gift cards gets confirmed on a separate channel you already trust. If the message came by email or video, you call back on the number saved in your phone, not the one in the message. I like a spoken code word for anything involving payment, something only your team knows, never written in an email. A deepfake can copy my face and my voice. It cannot copy the word my bookkeeper and I agreed on over coffee.
The second is to slow money down on purpose. The whole scam depends on urgency, on a "boss" who needs the wire in the next ten minutes. So build a speed bump. Wires over a threshold you set need a second approver, full stop. Yes, it is mildly annoying. So is losing a quarter of your year's revenue to someone who learned your CFO's voice from a webinar.
The third one is the part people skip, and it is the one I care about most. Talk to your team. Tell them plainly that fakes are good now, that a familiar voice or face is no longer proof of anything, and that nobody will ever be in trouble for pausing to verify a payment. Most of these attacks work because an employee did not feel safe slowing down a request from the top. You can fix that culture in a single honest conversation. That is the cheapest security upgrade you will ever buy.
The last thing is to know where your coverage actually ends. I assumed for years that my business policy had me covered for "fraud," in some vague way. Most business policies were never written with synthetic media in mind, which is its own quiet problem I have written about before, because your digital likeness sits in a gap most insurance never planned for. Read your policy. Ask your broker the specific question: if an employee is tricked by a deepfake into authorizing a transfer, are we covered? Get the answer in writing before you need it, not after. And if you want a sense of how exposed your own face and voice already are out there, the targeting has reached the phone in your pocket too.
I do not share any of this to leave you rattled. I share it because the fix is so much smaller than the fear. A code word. A second signature. One honest team meeting. Those three things would have stopped almost every case I just described. The technology got scary fast, but the defense is still wonderfully human, which is the part that gives me hope.
If you want a clear read on where your business and your own likeness stand right now, take our free 2-minute Deepfake Risk Assessment. Ten minutes of prep beats a wire you can never claw back.