Technology

Deepfakes and BEC drive $10B+ losses

Deepfakes and BEC drive B+ losses

Criminals are weaponizing AI to scale classic fraud. In early 2024, a finance worker at a Hong Kong firm wired roughly $25 million after attending a video call where deepfaked versions of the company’s CFO and colleagues approved the transfer. That single incident previews a 2025 reality: AI-boosted social engineering, business email compromise, and crypto swindles are converging—and losses are already staggering. U.S. consumers reported nearly $10 billion lost to fraud in 2023 (FTC), while the FBI’s Internet Crime Complaint Center (IC3) tracked more than $12.5 billion in reported losses in the same year. This guide explains the latest scam playbooks, who’s being targeted, and the exact steps to protect your family and business.

AI Deepfake Scams

Recent Cases and Financial Impact

– In February 2024, Hong Kong police reported a deepfake-enabled video conference con that tricked an employee into transferring about $25 million after seeing what appeared to be multiple executives on a call (BBC).
– Europol’s IOCTA 2024 warns that deepfakes are increasingly used to supercharge social engineering, including CEO fraud and sextortion, lowering criminals’ time and skill barriers.
– The Verizon 2024 DBIR underscores that the human element is involved in 68% of breaches, making AI-driven pretexting and impersonation a high-payoff tactic for attackers.

How This Scam Works

  • Recon: Criminals scrape public photos, videos, and voice clips of executives, celebrities, or loved ones.
  • Impersonation: They generate convincing voice clones or video deepfakes (e.g., a “CEO” on a Teams/Zoom call).
  • Urgency pretext: A critical wire transfer, secret M&A, or family emergency demands immediate action.
  • Payment redirection: Funds are sent to mule accounts; crypto may be requested for “speed” and “privacy.”
  • Laundering: Money is rapidly moved through layered accounts or converted to crypto and mixers.

Warning Signs

  • Live video looks slightly off: lip-sync lag, odd blinking, unnatural lighting, or muted gestures.
  • Uncharacteristic requests from leadership: secrecy, bypassing normal approvals, or new beneficiary details.
  • Pressure to rush wires or crypto transfers outside of policy.
  • Voice calls from known contacts with unusual cadence or vocabulary, especially paired with new payment instructions.

Protection Strategies

  • Consumers: Establish a “code word” with family for emergencies; verify by calling a known number or arranging a quick callback with video and gestures (e.g., ask them to hold up a specific object).
  • Business owners: Mandate out-of-band verification (phone callback to a known contact) for any payment or banking change, regardless of who asks. Require dual approval for wires and new vendor banking details.
  • Elderly users: If someone claims to be a grandchild or a bank security officer, hang up and call back using the number on your card or a family contact sheet. Never move funds to “safe accounts.”
  • Tech-savvy users: Use liveness challenges on video calls; deploy anti-deepfake detection plug-ins for conferencing apps and pilot identity-verified meeting rooms for high-risk approvals.

Business Email Compromise (BEC)

Recent Cases and Financial Impact

– BEC remains one of the costliest cyber-enabled crimes: the FBI IC3 reports roughly $2.9 billion in reported losses in 2023 across about 21,000+ complaints.
– The FBI IC3 2023 tallied more than $12.5 billion in total losses across all internet crimes, underscoring BEC’s outsized role in financial impact.
– DBIR 2024 places the human element at the center of many incidents; median BEC transaction amounts hover around $50,000, reflecting the high-dollar, low-volume nature of BEC compared to other fraud types.

How This Scam Works

  • Initial access: Phish a finance user, steal credentials via lookalike login pages, or exploit MFA fatigue.
  • Inbox manipulation: Create mail rules to hide real vendor replies and watch payment workflows.
  • Pretexting: Pose as a CEO or trusted vendor with “updated bank details” or “urgent invoice.”
  • Funds movement: Redirect payments to mule accounts and cash out before detection.

Warning Signs

  • Email domains that differ by a character (example: acme-co.com vs. acmeco.com).
  • Requests to change banking details without prior notice, especially near payment due dates.
  • Messages that pressure secrecy or bypass routine approval steps.
  • New beneficiaries or international accounts for domestic vendors.

Protection Strategies

  • Consumers: When paying large invoices (home repairs, tuition), confirm bank details by phone using a trusted number—not the number in the email.
  • Business owners: Enforce written payment-change procedures with out-of-band callbacks; require two-person approval and payable-name verification. Deploy DMARC, SPF, and DKIM; monitor for domain lookalikes.
  • Elderly users: If you receive an invoice change notice, ask a trusted family member or call the company’s main line listed on their website.
  • Tech-savvy users: Implement conditional access, phishing-resistant MFA (FIDO2/passkeys), and disable legacy email protocols. Use mailbox anomaly detection and vendor risk monitoring.

Tech Support Fraud

Recent Cases and Financial Impact

– The FBI’s Elder Fraud Report for 2023 recorded more than $3.4 billion in losses among victims 60 and older; tech support fraud is one of the top categories impacting seniors.
– IC3 reporting shows tech support scams driving substantial losses (in the billions globally across recent years), often instructing victims to move money to “safe accounts.”
– FTC data indicates that phone calls and social media messages continue to be major initial contact channels for high-dollar fraud.

How This Scam Works

  • Cold calls or pop-up alerts claim your device is infected or your bank account is compromised.
  • Scammers ask to install remote-access tools (RATs) or take you to a spoofed bank site.
  • They “demonstrate” fake problems and urge immediate action to move funds to a “safe” account.
  • Victims are coached to keep the bank and family “in the dark” to avoid “compromising” the investigation.

Warning Signs

  • Pop-ups with numbers to call or links to click for urgent “security help.”
  • Requests to install remote tools (AnyDesk, TeamViewer) from unsolicited contacts.
  • Claims that your bank account must be “emptied” to protect it.
  • Demands for secrecy and isolation from family or bank staff.

Protection Strategies

  • Consumers: Close suspicious pop-ups; do not call numbers in alerts. Reach your bank via the official number on the back of your card.
  • Business owners: Block remote admin tool installs for non-IT users; publish a “how we will contact you” policy; train help desk staff to recognize social-engineering red flags.
  • Elderly users: Keep a printed “trusted numbers” sheet; never move money because a caller says so. Ask a family member to join any call about your finances.
  • Tech-savvy users: Enforce application allowlists, EDR on endpoints, and DNS filtering to block known tech-support scam domains.

Cryptocurrency Schemes

Recent Cases and Financial Impact

– The FTC reports that investment scams were the top category by dollar losses in 2023 at about $4.6 billion; many leveraged crypto as the payment rail.
– Chainalysis’ 2024 Crypto Crime Report notes shifting patterns in crypto-enabled crime, with social-engineering-heavy “pig butchering” and approval phishing contributing to persistent losses despite overall volatility.

How This Scam Works

  • Contact: Scammers approach on social media, dating apps, or messaging platforms with an investment “tip.”
  • Grooming: Weeks of rapport building and screenshots of fake profits on a slick web app.
  • Initial gains: Victims can withdraw small amounts to build trust.
  • Big deposit: After a “limited-time” opportunity, withdrawals are blocked by fake “taxes” or “KYC fees.”
  • Drain: On-chain permissions or seed phrase theft let criminals empty wallets.

Warning Signs

  • Unsolicited investment pitches promising guaranteed high returns.
  • Pressure to move funds off reputable exchanges into unknown sites or to sign unusual wallet permissions.
  • Requests to pay “tax” or “unlock” fees to withdraw your own money.

Protection Strategies

  • Consumers: Treat unsolicited “opportunities” as scams. Use reputable exchanges; never share seed phrases; review wallet approvals regularly.
  • Business owners: Require vendor due diligence for any crypto payouts; use custodial solutions with policy controls and transaction limits.
  • Elderly users: Ask a trusted family member before sending funds to any “investment coach” you met online.
  • Tech-savvy users: Use hardware wallets; restrict token approvals; set spending limits; monitor for drainer signatures and revoke risky approvals.

Romance and Social Engineering (Including Pig-Butchering)

Recent Cases and Financial Impact

– The FTC reports romance scams accounted for about $1.14 billion in reported losses in 2023.
– These scams increasingly overlap with investment fraud (“pig butchering”), where emotional manipulation transitions into crypto “opportunities.”

How This Scam Works

  • Contact: Scammers connect on dating apps, Facebook, Instagram, or WhatsApp.
  • Bond: Weeks of daily chats, gift promises, and future plans to build trust.
  • Financial turn: A medical emergency, customs fee, or “can’t miss” investment appears.
  • Escalation: The scammer asks for secrecy, gift cards, wire transfers, or crypto.

Warning Signs

  • They refuse to meet on live video or repeatedly cancel in-person meetings.
  • They quickly push conversation off-platform to encrypted messaging.
  • They ask for money, investment help, or account access.

Protection Strategies

  • Consumers: Never send money or crypto to someone you haven’t met in person. Reverse-image search profile photos.
  • Business owners: Offer employee awareness training around pig-butchering to reduce off-hours financial harm that can spill into insider risks.
  • Elderly users: Involve a trusted friend or family member before sending money to an online acquaintance.
  • Tech-savvy users: Lock down social profiles; enable profile verification where available; use password managers and MFA to reduce account takeover risk.

Phishing Evolution: AI-Generated Emails, Smishing, and Vishing

Recent Cases and Financial Impact

– Phishing remains the most commonly reported internet crime category by complaint count in the FBI’s 2023 IC3 report, with hundreds of thousands of reports annually.
– Attackers are increasingly using AI to craft multilingual, brand-accurate messages and voice calls (vishing) that defeat traditional “bad grammar” tells.

How This Scam Works

  • AI-crafted lures: Emails or texts mimic banks, parcel services, or IT teams with convincing branding.
  • Credential capture: Links lead to cloned portals to harvest passwords and MFA codes.
  • Pivot to voice: If the victim hesitates, scammers call to “assist” and walk them through the trap.
  • Account takeovers: Stolen credentials fuel BEC, payroll diversion, and crypto theft.

Warning Signs

  • Unsolicited password reset messages, delivery notices, or MFA prompts you didn’t initiate.
  • URLs with subtle misspellings, extra subdomains, or “.help/.support” domains.
  • Phone calls that pressure you to read an MFA code or install remote tools.

Protection Strategies

  • Consumers: Type known URLs directly into your browser; use passkeys or FIDO2 security keys where supported.
  • Business owners: Roll out phishing-resistant MFA, email authentication (DMARC, SPF, DKIM), and role-based access. Conduct realistic phishing and vishing drills.
  • Elderly users: Don’t click links in texts from unknown senders. Call your bank using the number on your card before taking any action.
  • Tech-savvy users: Use DNS filtering, disable email HTML where feasible, inspect link destinations, and monitor for lookalike domains.

Industry Expert Insights

– AI lowers the cost of high-quality pretexting: Voice cloning and video synthesis let scammers scale tailored impersonations without perfect English or design skills.
– BEC remains a board-level risk: With a median transaction around $50,000 (DBIR 2024), one slipped approval can eclipse the cost of an entire year of email security controls.
– Seniors face the largest financial harm: Adults 60+ reported losses exceeding $3.4 billion in 2023 (FBI Elder Fraud Report). Tech support and imposter schemes dominate this group.
– Investment fraud keeps leading by dollars: The FTC attributes about $4.6 billion in 2023 losses to investment scams, many leveraging crypto rails and social media grooming.

Immediate Action Steps

  • Set approval guardrails today: Require two-person verification and callback validation for any wire, banking change, or new vendor.
  • Turn on phishing-resistant MFA: Prefer passkeys or security keys for email, payroll, bank, and admin accounts.
  • Pre-approve communication rules: Publish how your company, bank, or family will request money—and how you’ll verify identity.
  • Freeze data brokers: Reduce social engineering exposure by opting out of data brokers and locking down public profiles.
  • Harden crypto hygiene: Use hardware wallets, least-privilege token approvals, and regular approval revocation checks.
  • Prep an incident playbook: Who to call, how to contact the bank’s fraud desk, and how to file with IC3.gov and the FTC at ReportFraud.ftc.gov.

Conclusion

Tech scams in 2025 are less about malware and more about manipulating people with AI-boosted realism. The playbooks are known: deepfake approvals, urgent wire changes, fake tech support, and “can’t miss” crypto opportunities. The defenses are known, too: out-of-band verification, phishing-resistant MFA, least-privilege payments, and a culture that rewards slowing down when the stakes are high. Put these controls in place now—before a convincing face on a video call asks you to move money.

Related Posts