witness
โ† All posts
threat logยทJun 16, 2026ยท18 min read

AI Scams Are Getting Smarter. Here's What You're Actually Up Against.

AI-enabled fraud grew 1,210% in 2025. Voice clones need three seconds. Phishing emails get 4.5x more clicks. A complete breakdown of seven AI scam types and what actually protects you.

WT
Witness Team
Editorial
๐•inโ†—
[ยท]

Key Takeaways

  • AI-enabled fraud grew 1,210% in 2025 while traditional fraud grew just 195% โ€” the gap is accelerating
  • 73% of organizations were affected by cyber-enabled fraud in 2025, with 87% of leaders reporting rising AI vulnerabilities
  • A voice clone needs three seconds of audio and achieves 85% match accuracy
  • AI generates a convincing phishing email in 5 minutes vs 16 hours manually โ€” with a 54% click-through rate vs 12% for traditional phishing
  • Deepfake video scams surged 700% in 2025, with 159,378 unique instances in Q4 alone

The New Economics of Fraud

Something fundamental shifted in 2025. Not a gradual trend โ€” a structural break.

According to Pindrop's research, AI-enabled fraud grew at 1,210% compared to 195% for traditional fraud. That's not a rounding error. AI didn't just make fraud slightly more efficient. It made it a completely different business.

The World Economic Forum's Global Cybersecurity Outlook 2026 quantifies the organizational impact: 73% of organizations reported being affected by cyber-enabled fraud, 87% of leaders said AI-related vulnerabilities are rising, and 72% identified AI fraud as their top operational challenge. AI fraud has overtaken ransomware as the primary concern for CEOs.

The numbers translate directly to money. Deloitte's Center for Financial Services projects AI-enabled fraud losses in the US will hit $40 billion by 2027 โ€” a 32% compound annual growth rate from $12.3 billion in 2023. The FBI's 2024 Internet Crime Report already shows $16.6 billion in cybercrime losses, up 33% in a single year.

Why the explosion? Because the tools are now free, require no expertise, and can be used anonymously. The 2026 International AI Safety Report confirmed this: the barriers to entry have effectively disappeared. Dark web "fraud-as-a-service" platforms sell complete scam kits โ€” voice cloners, document forgers, phishing templates โ€” for $30 to $200 per month. Synthetic identity kits go for as little as $5.

Seven Types of AI Scams Running Right Now

1. Deepfake video scams

Deepfake video scams surged 700% in 2025, with Gen Threat Labs documenting 159,378 unique instances in Q4 alone.

The most devastating example: in January 2024, a finance employee at Arup joined a video call with the CFO and several colleagues. Every person on the call was an AI-generated deepfake. The employee authorized 15 wire transfers totaling $25.6 million before the fraud was discovered through manual verification with corporate headquarters via a separate channel.

This isn't a one-off. Cyble's 2025 analysis found that 30% of high-impact corporate impersonation incidents now involve deepfakes.

2. AI voice cloning (vishing)

McAfee's research found that a voice clone needs just three seconds of audio to achieve an 85% match. Major retailers now receive over 1,000 AI-generated scam calls per day.

The attacks target both businesses and families. 1 in 4 people have encountered an AI voice scam, and 77% of victims lost money. The cloned voices are used to authorize wire transfers, impersonate government officials, and run family emergency scams.

This is where detection infrastructure matters. While human ears can't reliably distinguish a cloned voice, AI-based detection can analyze media for synthesis artifacts โ€” patterns that are invisible to perception but measurable by trained models. Tools like Witness are built to sit inside the surfaces where verification actually happens โ€” browser extensions, mobile share sheets, web apps โ€” so checking suspicious content is one tap away, not a separate workflow. The detection engine runs a multi-modal ensemble across image, video, and audio, covering more attack types than any single detector can.

3. AI-generated phishing

The old advice โ€” "look for typos and bad grammar" โ€” is dead.

IBM X-Force research found that AI generates a convincing phishing email in 5 minutes versus 16 hours manually. KnowBe4 and SlashNext analysis found that 82.6% of phishing emails now contain AI-generated content, and Hoxhunt reports that 40% of business email compromise emails are primarily AI-generated.

The effectiveness difference is staggering. Brightside AI's study measured a 54% click-through rate for AI-generated phishing emails compared to 12% for traditional โ€” a 4.5x effectiveness multiplier. In one test, an AI-enhanced spear phishing campaign targeting 800 accounting firms achieved a 27% click rate.

4. AI-powered business email compromise

BEC is the most expensive category of cybercrime. The FBI IC3 recorded $2.77 billion in BEC losses across 21,442 incidents in 2024.

What's changed is that BEC has evolved from email-only to multimodal campaigns combining email, cloned voice calls, and deepfake video โ€” all coordinated to create a convincing synthetic reality. An attacker might send a legitimate-looking email from the CFO, follow up with a phone call in the CFO's cloned voice, and schedule a video meeting with a deepfake of the CFO to authorize the transfer.

5. Synthetic identity fraud

Instead of stealing a whole identity, attackers now blend a real Social Security Number with fabricated names and addresses to create "phantom personas." Group-IB found that synthetic identity kits sell for as little as $5 on dark web markets.

These synthetic identities can quietly open credit accounts and build credit history for months before any sign appears. The victim โ€” whose SSN was used โ€” often doesn't know until they're denied credit or receive collection notices for accounts they never opened.

6. AI investment and crypto scams

Chainalysis documented $14 billion in crypto scam losses in 2025, with AI-enabled schemes proving 4.5x more profitable than traditional fraud.

The Check Point "Truman Show" operation uncovered in January 2026 used 90 AI-generated "experts" to populate controlled messaging groups. Victims were directed to install a mobile trading app that displayed server-controlled data showing fabricated returns. The entire reality โ€” the experts, the returns, the trading platform โ€” was synthetic.

7. AI romance scams (pig butchering)

Large language models now maintain emotionally intelligent conversations at scale. A single operator can sustain dozens of simultaneous relationships, each with personalized tone, adapted personality, and escalating emotional investment.

The conversations play out over weeks or months on dating platforms before moving to private messaging. The endgame: directing the victim to a fraudulent investment platform. The scale is industrial โ€” and the victims often have no idea they've been talking to a machine.

Why Traditional Defenses Are Failing

The core problem is asymmetry. AI gives attackers three advantages that defenders struggle to match:

Speed: What took a human scammer 16 hours to craft, AI produces in 5 minutes. A campaign that would have taken weeks to personalize for 100 targets can now be personalized for 10,000 in an afternoon.

Quality: AI-generated phishing doesn't have typos. AI-generated voices don't have accents that don't match. AI-generated video doesn't have obvious artifacts. The surface-level tells that training programs focused on are gone.

Scale: A single AI system can run thousands of simultaneous campaigns, adapting each one based on the target's responses. The marginal cost of an additional target approaches zero.

Gartner predicts that by 2026, 30% of enterprises will find standalone identity verification solutions unreliable due to AI-generated content. And by 2028, 1 in 4 candidate profiles could be fake.

The implication: verification cannot depend on a single signal. Not a voice. Not a face. Not an email. Any single channel can be faked. Defense requires multiple independent verification signals โ€” and AI-based detection that operates below the level of human perception.

What Actually Protects You

For individuals

Stop authenticating the media. Authenticate the request. If someone is creating urgency, demanding secrecy, or requesting payment through unusual channels, those are scam signals regardless of how real the voice or video looks.

Establish a family safe word. A short phrase known only to your household. Any emergency call must include it. This single measure defeats the majority of voice cloning family scams.

Use detection tools where you already are. Your eyes can't spot generation artifacts โ€” but a detection layer embedded in your browser or phone can. Witness runs a research-backed ensemble of detection models across image, video, and audio โ€” available as a Chrome extension (right-click any image), a mobile app (share any photo directly from your camera roll or messages), and a web scanner. The point isn't to open a separate app. It's to have verification one step away from wherever you encounter suspicious content.

Freeze your credit. Free at all three bureaus, blocks synthetic identity fraud.

Use phishing-resistant MFA. Hardware keys or authenticator apps โ€” not SMS.

For organizations

Deploy behavioral analytics. Network detection and response identifies anomalous patterns associated with AI scam infrastructure โ€” unusual data flows, voice synthesis traffic, command-and-control communications.

Require dual-approval for financial transactions. Through separate communication channels. No single channel โ€” email, phone, or video โ€” should be sufficient to authorize a transfer.

Upgrade security training. Shift from "spot the typo" to recognizing psychological manipulation patterns: urgency, authority impersonation, and unusual request contexts.

Implement identity threat detection. ITDR flags anomalous authentication patterns, unusual access requests, and behavioral deviations that indicate compromised or synthetic identities.

Accept that detection must be layered and continuous. Deepfake quality will keep improving. The right approach combines multi-modal detection (image, video, audio, and audio-video sync analysis) with behavioral analytics and verification protocols. Tools like Witness cover the media layer โ€” running research-backed ensemble models purpose-built for in-the-wild content, not lab benchmarks โ€” while behavioral analytics and identity monitoring cover the infrastructure layer. For developers and enterprise teams, Witness also provides API and MCP server access to embed detection directly into existing workflows.

Frequently Asked Questions

How can I tell if a video call is a deepfake?

You likely can't โ€” not reliably by looking. Current deepfake video operates in real time with minimal visual artifacts. Instead of trying to detect it visually, require out-of-band verification for any high-stakes request made on a video call. Call the person back on a known number. Use a pre-shared safe word.

What should I do if I think I'm being targeted by an AI scam?

Stop. Do not send money, provide personal information, or click links. Hang up and contact the supposed sender through a channel you independently verify (not a number or link they gave you). Report the attempt to the FBI's IC3 (ic3.gov), the FTC (reportfraud.ftc.gov), and your bank if financial information was involved.

Can AI clone my voice from social media?

Yes. Three seconds of audio โ€” from an Instagram story, a podcast clip, or a voicemail greeting โ€” is sufficient for current voice cloning models. Review your social media privacy settings and consider limiting public video content, especially for older family members who may be targets of family emergency scams.

What is the difference between AI detection and behavioral detection?

AI-based media detection analyzes content itself for generation artifacts โ€” statistical patterns that distinguish synthetic media from authentic content across image, video, and audio. Witness runs a multi-modal ensemble of research-backed models built for real-world content, available wherever verification needs to happen: browser, phone, web, or API. Behavioral detection, by contrast, analyzes patterns of activity โ€” unusual login times, atypical transaction amounts, anomalous communication patterns โ€” that suggest fraud regardless of the media used. Both layers are valuable and complementary.

Are AI scams illegal?

Using AI to commit fraud is illegal under existing fraud statutes. Additionally, the TAKE IT DOWN Act (signed May 2025) specifically criminalizes non-consensual intimate deepfakes. Multiple states including California, Texas, and Colorado have enacted AI-specific laws. Enforcement is still catching up to the technology.

WT
Witness Team
Editorial at Witness. Building a second pair of eyes for everything you see online.
Try Witness โ†’