A finance director in Hong Kong sat down for a video call with what she believed was her CFO and five colleagues from headquarters. Every face on the call was a deepfake. Every voice was AI-generated. By the time she disconnected, she had authorized 15 wire transfers totaling roughly $25 million.1 The attackers did not break into anything. They just showed up looking like the people she trusted.
That call happened in Hong Kong in early 2024. Arup, the British engineering firm, was publicly named as the victim months later. What used to require a small team running a months-long social engineering campaign now takes a laptop, a subscription, and a few hours of preparation. That is the shift business owners need to understand. Not because the technology is new. Because the economics changed.
Skilled attackers used to be a rare and expensive resource. AI-powered attacks turned them into a commodity. And the businesses in their path are not ready.
AI Did Not Invent Phishing. It Rewrote the Cost Curve.
For twenty years, the ceiling on how many businesses one attacker could target was human. A convincing spear-phishing email required research, writing skill, and the patience to work one target at a time. Volume attacks worked, but they were low quality — bad grammar, generic greetings, obvious tells. High-quality attacks were expensive to produce. That gap is what protected most small and mid-sized businesses. Not that the attackers could not reach them. That the attackers were busy going after bigger targets, or that the ones who did reach them sent something obvious enough that a trained user could spot it.
Generative AI removed the ceiling. One operator with a language model, a scraper, and a small budget can now produce hundreds of high-quality, individually personalized attacks per day. The FBI’s Internet Crime Complaint Center reported $2.77 billion in confirmed business email compromise losses in 2024, and the true number is widely believed to be several multiples higher because most incidents go unreported.2 Microsoft’s Digital Defense Report tracks roughly 600 million identity-based attacks per day.3
These are not comparable numbers to five years ago. AI-powered attacks are not the same threat with a new hat. This is a category shift.
What AI-Powered Attacks Look Like at Scale
The Arup case is one example of AI-powered attacks that made the news because the loss was too big to ignore. What did not make the news is the same technique running against mid-sized businesses every week, for smaller amounts, without international press coverage.
The mechanics are worth understanding, because they explain why old defenses do not work.
Voice cloning is a commodity. A three-second sample of someone’s voice — pulled from a LinkedIn video, a conference recording, or a company podcast — is enough to generate a convincing clone. The Retool breach in August 2023 started with a text message impersonating the IT team, followed by a phone call where the attacker used a cloned voice of a known IT employee to walk a target through an MFA bypass. The attacker got into 27 customer accounts before Retool caught it.4
Real-time video impersonation is not experimental. The Arup fraud used live deepfake video of multiple executives in a single meeting. The tools that produced it are commercial. Some are free.
Personalized phishing runs at volume. An attacker scrapes LinkedIn, pulls project names and vendor relationships from public sources, and generates unique messages for hundreds of targets in an afternoon. The 2026 Verizon Data Breach Investigations Report found that roughly 60% of confirmed breaches involved a human element, and pretexting incidents at the core of business email compromise nearly doubled year over year.5
Credential attacks got cheaper and more targeted. Phishing-as-a-service kits like EvilProxy and Tycoon 2FA bypass text-message and one-time-code MFA in real time by relaying the login through an attacker-controlled proxy. These kits sell on subscription for a few hundred dollars a month.6 The barrier to entry is a credit card.
None of this required the attacker to be talented. AI-powered attacks only require the attacker to be willing.
What Your MSP Should Be Doing About AI-Powered Attacks
Every one of these AI-powered attacks has a technical or procedural control that stops it. The problem is not that the controls do not exist. The problem is that many MSPs have not deployed them, and many business owners do not know to ask.
The controls that actually change the outcome are unglamorous. They are not new. They just have to be there.
Phishing-resistant MFA on every account with access to money or data. That means FIDO2 hardware keys — YubiKey, Feitian, Google Titan — or passkeys with device-bound cryptography. Not text messages. Not one-time codes typed into a browser. The EvilProxy and Tycoon 2FA kits exist specifically because those older forms of MFA can be relayed through an attacker’s proxy in real time. Hardware keys cannot be phished, because the cryptographic exchange is bound to the actual domain the user is on.
Conditional Access with device compliance. Microsoft Entra Conditional Access, configured with real device compliance checks and location awareness, stops the “logged in from a country nobody in the company is in” attack cold. It does not matter whether the attacker has the password. The login does not succeed from an unmanaged device on a suspicious IP.
Identity threat detection and response. Huntress Managed ITDR, Microsoft Defender for Identity, and Sentinel are watching for the patterns that indicate account takeover — impossible travel, new mailbox forwarding rules, sudden changes to OAuth app consents, mass file downloads. When those alerts fire, someone with the authority to shut down the session is watching. Same day, not next week.
DMARC at reject, not monitor. A DMARC policy set to p=none does nothing to stop attackers from spoofing your domain. p=reject is the setting that actually blocks impersonation. It requires the work of aligning SPF and DKIM across every legitimate sending source, which is why many MSPs stop at p=none and forget to come back. Do not let them forget.
Named-number verification for money. Any request that moves money, changes vendor banking, or updates payroll routing goes through a call-back to a phone number that already existed in your records before the request came in. Not the number in the email. Not the number the person on the call gave you. The number you had on file yesterday. This is a policy, not a suggestion. It applies when the CEO calls too.
None of these are exotic. All of them are available to a business of any size. What separates the MSPs that have deployed them from the ones that have not is discipline, not budget.
The Questions Worth Asking Your MSP Right Now
You do not need to be able to explain the difference between FIDO2 and TOTP. You need to be able to ask a small number of questions and evaluate the answers.
- Are we using phishing-resistant MFA for anyone who can move money, sign contracts, or access customer data? What form?
- Is our DMARC policy set to reject, and can you show me the report?
- Who watches the identity alerts, and what is the response time when one fires?
- Do we have a written call-back policy for financial changes, and has finance signed off on it?
- If a mailbox got compromised right now, how would we know, and how long until it is contained?
Vague answers are answers. “We have MFA” is not the same as “We use FIDO2 hardware keys on privileged accounts.” “We monitor everything” is not the same as “Huntress is watching identity events and their SOC responds within 15 minutes.” The difference is not semantic. It is the difference between a control that would have caught Retool and one that would not.
Where This Leaves You
The threat curve moved. The attacker who used to be too expensive to send after your business is now cheap. The email that used to be worth spotting because it looked wrong now looks right. The voice on the call that used to be a reliable trust signal is now a subscription product.
None of that is a reason to panic. All of it is a reason to check what your MSP is actually doing about AI-powered attacks. Not what they say. What is configured, deployed, and monitored right now, that they could prove if you asked them to.
The businesses that come through the next two years without a serious loss will be the ones whose MSPs took the new economics seriously and moved. The businesses that get hit will be the ones whose MSPs are still running a 2020 defense against a 2026 attack. Which one you are is not a question of budget. It is a question of whether the conversation has happened.
Have the conversation this week.
Sources
1 CNN Business, “Arup revealed as victim of $25 million deepfake scam involving Hong Kong employee,” cnn.com, May 16, 2024.
2 Federal Bureau of Investigation, Internet Crime Complaint Center, “2024 Internet Crime Report,” ic3.gov.
3 Microsoft, “Digital Defense Report 2024,” microsoft.com.
4 Retool, “MFA isn’t MFA,” retool.com, September 2023.
5 Verizon, “2026 Data Breach Investigations Report,” verizon.com.
6 Proofpoint, “EvilProxy Phishing Used for Cloud Account Takeover Campaign,” proofpoint.com.
About Brent Lacy: Brent Lacy has been in the IT industry since 1997. He moved into the managed services world around 2015 and was doing vCIO work before the title even existed. He writes about the operational discipline, trust-based relationships, and strategic thinking that separate MSPs built to last from those built to bill. He is the author of Rewired MSP: Mastery, Scalability and Performance, vCIO Rewired: Virtually Conquering IT Obstacles, and Near Miss: Preventable IT Failures Threatening Your Business Security.