The Voice on the Phone Isn’t Who You Think It Is: AI Scams Are Coming for Portland Small Businesses

A few years ago, “phishing email” was the scariest phrase in small business IT. Bad spelling, a sketchy link, a fake invoice from “Microsoft Support.” Most of us got pretty good at spotting those.

Now the scam has a face. And a voice. And they sound exactly like your CFO.

Welcome to the era of AI-powered fraud — where criminals don’t need to guess your password anymore. They just need a few seconds of audio from your last company podcast, webinar, or voicemail greeting, and a piece of software anyone can download.

What’s Actually Happening

Over the past two years, deepfake and voice-cloning fraud has gone from “interesting research paper” to “multi-million-dollar business problem” at a startling pace. A few cases that made headlines:

  • The $25 million video call. An employee at the engineering firm Arup joined what looked like a completely normal video call with his CFO and several colleagues. Everyone on the screen was real-looking. Everyone was fake — AI-generated deepfakes of coworkers he’d seen on calls before. He wired $25 million before anyone realized the whole meeting was synthetic.
  • The cloned CEO voice. Multiple companies, from UK energy firms to Hong Kong banks, have reported finance staff receiving calls that sounded exactly like their CEO or a senior executive, urgently instructing a wire transfer. In several cases, the voice was cloned from public interviews, earnings calls, or — yes — podcast episodes.
  • Fake IT support calls. Attackers have used AI voice tools to impersonate internal helpdesk staff, calling employees and “verifying” login credentials or talking them into installing remote access tools. This one hits especially close to home for us, because it’s a direct impersonation of the very trust relationship an MSP is built on.

None of these victims were careless. They were normal, competent employees doing what looked like their job — until the call, the voice, or the video that seemed completely legitimate turned out to be generated by AI in real time.

Why This Isn’t Just a “Big Company” Problem

It’s tempting to read those headlines and think, “That’s an engineering firm with a $25 million dollar wire — not us.” But that instinct is exactly what makes small and mid-sized businesses more exposed, not less.

Here’s why:

Attackers don’t need Fortune 500 money to make it worth their time. Cloning a voice or generating a convincing video used to require expensive hardware and technical expertise. Today it can be done with free or cheap consumer tools and a short audio clip pulled from a company’s own YouTube channel, voicemail, or public Zoom recording. The cost of the attack has collapsed, which means the payout threshold has collapsed with it. A $15,000 wire fraud against a 20-person business is still a great return on ten minutes of setup.

Small businesses have less friction, not more. Larger companies often have multi-person approval chains for wire transfers. Many small businesses run on trust and speed — one bookkeeper, one owner, a quick “yes, go ahead” over the phone. That efficiency is exactly what these scams are built to exploit.

Your own content can be used against you. If your business has a podcast, does customer testimonial videos, posts webinars, or even just has a “meet the team” video on your website, there’s audio and video of your leadership’s real voices and faces sitting in public. That’s raw material for a scammer.

How These Scams Actually Work (In Plain English)

You don’t need to understand the machine learning behind this to protect yourself, but it helps to know the basic playbook, because the defense follows directly from it.

  1. Collection. The attacker gathers audio or video samples of a real person — a CEO, owner, controller, or IT contact — from public sources.
  2. Cloning. AI voice cloning tools need as little as 3-10 seconds of clean audio to generate a convincing synthetic voice. Video deepfake tools need slightly more, but real-time “face swap” tools used in live video calls have become dramatically more accessible.
  3. Pretext. The scammer builds a believable, time-pressured scenario: an urgent wire transfer, a “verify your credentials before the deadline,” a vendor payment that has to go out today because of a fake compliance issue.
  4. Execution. The call, voicemail, or video meeting happens. Because it sounds and looks right, and because it’s urgent, normal verification habits get skipped.

The entire attack is built around exploiting trust and urgency — the same two levers that have worked in fraud since long before computers existed. AI just made the disguise nearly perfect.

What Small Businesses Can Actually Do About It

The good news: you don’t need to become a deepfake detection expert. You need a handful of concrete, boring, repeatable habits — the same kind of layered defense that’s always worked against social engineering, just tuned for this new threat.

1. Create a verification code word or callback policy for financial requests. Any request to move money, change payroll deposit info, or share credentials — especially if it comes with urgency — gets verified through a second channel. Call the person back on a known number (not the number in the email or the caller ID). Use a pre-agreed code phrase for anything over a certain dollar threshold. This single habit defeats almost every version of this scam, no matter how good the AI gets.

2. Assume urgency is a red flag, not a reason to skip steps. Scammers manufacture time pressure because it’s the single best way to short-circuit good judgment. Train your team that “this needs to happen right now” is exactly the moment to slow down, not speed up.

3. Limit what’s publicly available. This doesn’t mean pulling down your podcast or your marketing videos — that content matters for your business. But it does mean being deliberate about what leadership voice/video is public, and building awareness among your team that this material could be repurposed.

4. Layer in real email security. Most of these scams still start with a compromised or spoofed email thread that sets up the “urgent call” that follows. Advanced email filtering (we deploy INKY for a number of our clients specifically because it catches impersonation and social engineering patterns, not just spam) closes off that first step before it ever reaches an inbox.

5. Train your team specifically on this, not just generic phishing. Most security awareness training still focuses heavily on suspicious email links. Your team needs to hear, explicitly, that a phone call or video call that sounds and looks completely real can still be fake — and what to do when something feels slightly off even though everything looks right.

6. Have an incident response plan before you need one. If a wire does go out, speed matters enormously. Knowing who to call — your bank’s fraud department, your MSP, law enforcement — within the first hour dramatically improves the odds of recovering funds.

Where PDX IT Services Fits In

This is exactly the kind of risk that doesn’t get solved by a single tool or a single training session — it takes a layered approach, and it’s the core of what we do at PDX IT Services for small businesses across Portland.

  • Email security and impersonation protection, so the spoofed thread that sets up the scam never lands in an inbox in the first place.
  • Security awareness training that covers the current threat landscape — including AI voice and video fraud — not just a generic once-a-year phishing quiz.
  • Policy development, including verification procedures for financial requests and credential changes, built to fit how your specific team actually operates.
  • Incident response planning, so if something does slip through, you’re not figuring out who to call while the clock is running.
  • Ongoing monitoring and support, because this threat landscape keeps moving, and a “set it and forget it” security posture doesn’t hold up against tools that improve every few months.

We built the Cyber Secure Summit this year specifically because we kept seeing small business owners get blindsided by threats that felt like science fiction six months earlier and are now showing up in their own inbox or on their own phone. AI-powered fraud is the newest version of that pattern, and it won’t be the last.

If you want to talk through what your own business’s exposure looks like — whether that’s your wire transfer process, your email security, or just wanting a second opinion on something that felt “off” recently — reach out. That’s a conversation, not a sales pitch.

PDX IT Services
📞 971.331.4871
🌐 pdxittech.com

And if you want to go deeper on topics like this, catch the conversation on Breaking Down IT with Steve, available on Spotify and YouTube.

Get In Touch

Share On Social Media

Other Recent Blog Articles

Your Cybersecurity Is Only as Strong as Your Weakest Vendor

June 25, 2026

The Nintendo TinyPulse Breach Is a Wake-Up Call for Every Business Nintendo is one of the most recognized brands on the planet. They guard their intellectual property fiercely, have weathered…

Fake IT Workers Are Showing Up at Offices — And They’re After Your Data

June 10, 2026

Cybercrime has never been more brazen. Ransomware gangs have long relied on phishing emails and malicious software to compromise businesses — but a group known as the Silent Ransom Group has taken…

The FBI Is Warning Microsoft 365 Users About a Dangerous New Phishing Platform — Here’s What Portland Businesses Need to Know

June 3, 2026

Published by PDX IT Services | Cybersecurity Alert | 2026 The FBI has issued an urgent warning to Microsoft 365 users about a sophisticated new threat that should have every…