AI-Powered Scams Are Exploding — And Your Public Data Is the Fuel

AI scams surged 1,210% in 2025. Voice clones need 3 seconds of audio. The fuel is your public profile — here's how to take that fuel away.

In January 2024, a finance employee at the British engineering firm Arup joined what looked like a routine video call with the company's CFO and several colleagues. They walked her through 15 wire transfers totaling $25.6 million to bank accounts in Hong Kong. The CFO and the colleagues were not real. Every face and voice on the call was a deepfake. She found out the next day when she called the actual CFO to ask about the "secret transaction."

That single incident, first reported by CNN, was the public alarm bell. Eighteen months later, the numbers behind it are worse than the story. AI scams surged 1,210% in 2025. Deepfake-enabled vishing — scam phone calls using cloned voices — jumped 1,600% from Q4 2024 to Q1 2025. Global losses from deepfake fraud passed $200 million in the first quarter of 2025 alone.

The killer point: AI didn't make scams smarter. It made them cheaper to personalize. And every convincing personalization runs on data scammers pull from your public profile — your employer, your relatives, your address, the conference you spoke at last fall. The more of you is online, the more weaponizable AI becomes against you.

Why "AI scam" is the wrong framing

The headlines focus on the AI part. The AI part is the easy part. There are open-source voice clones you can run on a laptop and deepfake video tools that cost less than a streaming subscription. The hard part for a scammer was never the technology. It was the script — convincing the target that the call, the email, the video is real.

That's where your public profile comes in. To pull off a believable impersonation, a scammer needs to know:

  • Who you trust (your boss, your kid, your bank)
  • How those people would actually contact you (Slack, the family group chat, a specific 800 number)
  • When you'd plausibly be asked for money (a real wire is pending, a real trip is happening, a real bill is due)
  • Enough biographical detail to make the lie pass a sanity check

Twenty years ago, harvesting that took weeks of phishing and social engineering. In 2026, it takes 15 minutes on LinkedIn, a people-search site, and an Instagram scroll. The data broker industry packages your relationships, employers, addresses, and phone numbers into convenient lookup tools. Scammers are just one of many customers.

The voice-clone economics

In 2023, the McAfee researchers who first benchmarked consumer-grade voice cloning found that 3 seconds of source audio could produce a clone that was an 85% match with the original. That was nearly three years ago. The tools today are cleaner, faster, and free.

Three seconds. That's:

  • Your outgoing voicemail greeting
  • A clip from a podcast you appeared on
  • A TikTok where you narrate something
  • The "leave a message" greeting on your business voicemail
  • Any of the 30 wedding/baby/birthday videos a relative posted with your voice in the background

You don't have to be a celebrity. You just have to be findable. And findability is exactly what data brokers sell.

The Arup case, broken down

The Arup attack is worth understanding in detail because it's the template for what's coming.

  1. Reconnaissance. Attackers identified the Hong Kong office, the finance employee, and the names and faces of senior leadership. Some of this came from the company website, some from LinkedIn, some from press coverage.
  2. Trigger. A spear-phishing email landed in the employee's inbox claiming to come from the CFO and referencing a "confidential transaction."
  3. Verification trap. The employee was suspicious of the email. She asked to verify the request. The attackers obliged — they offered to set up a video call with the CFO and several colleagues. The call happened. Every participant was AI-generated.
  4. Authorization. Under the apparent direction of the deepfaked CFO, she made 15 transfers to five Hong Kong bank accounts totaling $25.6 million in a single day.
  5. Discovery. She called the real CFO the next day. No arrests have been made. The money has not been recovered.

The clever part isn't the deepfake. It's that the attackers anticipated the employee would try to verify and built the verification into the trap.

Why "just call back to verify" stopped working

The advice "if someone asks for money, call them back at a known number to verify" is good advice. It's also rapidly being defeated. The Arup employee tried to verify. The verification was the attack.

In April 2025, the FBI issued a public service announcement warning that senior U.S. government officials were being impersonated in AI-generated voice and text messages sent to current and former federal and state officials. The bureau's guidance: don't trust the voice. Don't trust the number. Independently look up contact info, and call back through that route.

In other words, the FBI is now telling people that hearing your boss's voice on the phone is no longer proof your boss is on the phone.

The doxxing connection

If you read our piece on what to do in the first 24 hours after being doxxed, the next layer is obvious: doxxing isn't just about harassment anymore. A complete dox — name, address, phone, employer, family, daily schedule — is the perfect raw material for an AI-assisted impersonation scam. Scammers don't need to dox you themselves. They can buy a ready-made profile from a data broker for less than a movie ticket.

The same goes for your email address. One email tied to your real name lets a scammer match you across LinkedIn, the breached-password databases, and dozens of broker sites. From there they build the script.

What the numbers tell us about 2026 and beyond

The growth curve is steep and the floor is rising. A few orienting figures:

The pattern across all of these is the same: AI scaling pushes the per-attack cost down. When the cost is low enough, attackers don't need a 50% hit rate. They need a 0.1% hit rate, and they'll run a million attempts to find it.

What you can do today

  1. Set a family safe word. A short phrase that proves you're actually you on a call. The cleanest defense against a voice-clone "I'm in trouble" scam is a question the cloned voice cannot answer. Tell your kids, your parents, and your spouse.
  2. Shorten your voicemail greeting — or replace it with a generic robotic one. Your outgoing greeting is sample data. Your carrier provides default text-to-speech greetings on request.
  3. Audit what's publicly searchable about you. Run a free scan to see how many people-search sites have your name, age, address, employer, and relatives published. Each row is a script ingredient. For the reasoning behind this, read our pillar essay on why those rows compound.
  4. Set a verification protocol for money. No transfer goes out on the basis of one channel — not email, not voice, not video. The rule should be: any movement of money or credentials requires confirmation through a separate channel chosen by the recipient, not the sender. This kills almost every CEO-fraud variant.
  5. Lock down your high-leverage public posts. You don't need to delete your LinkedIn. But the public version doesn't need your direct phone number, your exact schedule, or photos of your home and family. Strip the recon ammunition.
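
The money rule in step 4, written as a release check a finance team could adapt. This is an added example, not code from the article or any product; the directory, channel names, and contact values are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed directory: contact routes recorded before any request arrives.
DIRECTORY = {"cfo": {"desk_phone": "ext-0001", "in_person": "office-4F"}}

@dataclass(frozen=True)
class Confirmation:
    channel: str       # how the confirmation happened, e.g. "desk_phone"
    contact: str       # the number, link or address actually used
    chosen_by: str     # "recipient" or "sender"

@dataclass
class TransferRequest:
    claimed_sender: str
    request_channel: str                         # channel the request arrived on
    offered_contacts: frozenset = frozenset()    # routes supplied by the requester
    confirmations: list = field(default_factory=list)

def release_decision(req):
    """Return (allowed, reasons) for a money or credential request."""
    known = DIRECTORY.get(req.claimed_sender, {})
    reasons = []
    for c in req.confirmations:
        if c.chosen_by != "recipient":
            reasons.append(f"{c.channel}: channel chosen by the sender")
        elif c.channel == req.request_channel:
            reasons.append(f"{c.channel}: same channel as the request")
        elif c.contact in req.offered_contacts:
            reasons.append(f"{c.channel}: contact came from the request itself")
        elif known.get(c.channel) != c.contact:
            reasons.append(f"{c.channel}: contact not in the directory")
        else:
            return True, [f"confirmed via {c.channel}"]
    return False, reasons or ["no out-of-band confirmation"]

# Constructed cases: a sender-arranged video call, then a recipient-initiated callback.
sender_arranged = TransferRequest(
    "cfo", "email", frozenset({"meet-link-A"}),
    [Confirmation("video_call", "meet-link-A", "sender")])
callback = TransferRequest(
    "cfo", "email", frozenset({"meet-link-A"}),
    [Confirmation("desk_phone", "ext-0001", "recipient")])

if __name__ == "__main__":
    for name, req in [("sender_arranged", sender_arranged), ("callback", callback)]:
        print(name, release_decision(req))
```

The first case mirrors the verification trap described in the Arup breakdown: the confirmation exists, but the sender picked the channel, so it counts for nothing.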

AI didn't invent fraud. It made personalized fraud cheap. The defense isn't a magic detector — those don't work yet at scale. The defense is taking away the fuel: the public data that turns a generic scam into a personalized one with your name on it.

Leaks happen. The link is the risk. Run a free leak check at leakcheckme.com — see what's actually exposed and what a scrub mission would clear before some scammer beats you to it.