Deepfake & AI Voice Scams: How Southern Oregon Small Businesses Avoid Wire Fraud

Your bookkeeper gets a phone call. It’s your voice — your tone, your cadence, the way you always rush the end of a sentence — asking her to push a wire transfer through before the bank closes. A vendor’s “accounting department” emails new bank details for an invoice that’s genuinely due. A short video call from someone who looks and sounds exactly like your largest client confirms the change. Every one of those can now be faked, convincingly, by a criminal who has never met you.

This isn’t science fiction, and it isn’t only a big-company problem. AI-generated voice and video scams are among the fastest-growing forms of fraud heading into 2026, and small businesses are squarely in the crosshairs. The good news: the defenses that actually work don’t require expensive technology. They require a process — and that’s something every Grants Pass business can put in place this week.

What deepfake and AI voice fraud actually is

A “deepfake” is media — audio, video, or both — generated by AI to impersonate a real person. The part that should get your attention is how little raw material it takes. Security researchers report that as little as three seconds of recorded audio is now enough to clone someone’s voice with unsettling accuracy.

Where does a criminal find three seconds of your voice? Everywhere. A voicemail greeting. A Facebook or LinkedIn video. A podcast interview, a webinar recording, a clip from a community event. The same is true for your face: a few photos and a short video are enough to drive a real-time “filter” on a video call. The tools that used to take a skilled fraudster weeks of research now produce a passable fake in minutes.

The financial stakes are real. One widely reported 2024 case saw a finance employee wire roughly $25 million after a video call in which every other “colleague” on the screen was an AI fake. Most attacks are smaller and quieter — researchers put the average loss from a successful CEO-impersonation scam at around $125,000 — but the number of incidents is climbing fast, with some estimates showing deepfake fraud attempts doubling year over year.

Why small businesses are the prime target

It’s tempting to assume scammers chase the Fortune 500. They don’t — they chase whatever’s easiest to cash out, and small businesses check every box.

• Real authority, fewer guardrails. In a 12-person company, the owner can authorize a payment with a sentence. There’s no four-layer approval chain to slow a thief down.
• Fast, trusting payment habits. Small teams move money quickly to keep vendors happy and projects moving. “Can you handle this before you leave today?” doesn’t sound unusual.
• Limited security staff. Most small businesses don’t have someone whose job is to question a convincing request — which is exactly the gap an MSP fills. (We wrote more about that division of labor in the role of an IT company in cybersecurity and data protection.)

That’s the same reason small businesses absorb the overwhelming majority of ransomware and fraud attacks generally. Criminals have learned that the smaller shop often has money worth taking and far less standing in their way.

What an attack looks like for a Grants Pass business

These scams follow a recognizable script. Knowing the shape of it is half the defense:

1. Impersonation of someone trusted — the owner, the CFO, a known vendor, or the bank.
2. A money move — a wire transfer, a “corrected” set of bank details on a real invoice, a gift-card purchase, or a request for login credentials.
3. Manufactured urgency — “before the bank closes,” “the deal falls through otherwise,” “I’m in a meeting and can’t talk.”
4. Pressure to break the normal process — “skip the usual sign-off,” “don’t loop in accounting,” “keep this between us.”

When you see urgency plus secrecy plus a request to bypass your normal approval steps, treat it as a fraud attempt until proven otherwise — no matter how familiar the voice sounds.

The defenses that actually work

Here’s the part that surprises people: the most effective protection against a high-tech attack is low-tech. AI can clone a voice, but it can’t fake your internal procedures. Process-based safeguards stop the large majority of these attacks before a dollar moves.

Process first — this is where the real protection lives:

• Callback verification. Any request to move money or change payment details gets confirmed by calling the person back on a known, trusted number — not the number that called you, and not one in the email. This single habit defeats most voice-clone attacks outright.
• The two-person rule. Wire transfers and bank-detail changes above a set dollar amount require a second person to approve. A scammer has to fool two people through two channels instead of one.
• A verbal “safe phrase.” Agree on a private code word with the people who can authorize payments. AI can copy a voice; it can’t know a shared secret you never wrote down.
• Out-of-band confirmation. If the request came by phone, confirm by text or email to a known address — and vice versa. Forcing a second channel breaks the attack.

Technical controls back the process up:

• Email authentication (SPF, DKIM, DMARC). Properly configured, these make it far harder for a scammer to spoof your domain or a vendor’s, cutting off the “fake invoice from a real-looking address” route.
• Multi-factor authentication. If credentials do leak, MFA keeps an attacker from turning that into account takeover and a wave of internal-looking requests.
• Staff awareness training. Your team can’t defend against a threat they’ve never heard of. A short, regular conversation about what these scams sound like is one of the cheapest, highest-return security investments you can make — and it pairs naturally with the broader protections we cover in top small business security solutions.

A verification policy you can adopt this week

You don’t need a consultant to start. Write down a one-page rule and share it with everyone who can touch money:

• Any request to send a wire, change bank or payment details, or buy gift cards is verified by calling the requester back on a number you already have on file.
• Payments over a set threshold need a second approver.
• “Urgent and secret” is itself a red flag, not a reason to hurry.
• When something feels off, the right move is always to slow down and verify — nobody gets in trouble for double-checking.

Tape it next to the desk where payments get made. The whole point is that the rule, not a stressed employee’s judgment in the moment, decides what happens.

When the scam still gets through

If a fraudulent transfer does go out, speed matters more than anything. Contact your bank immediately to request a recall, file a report with the FBI’s IC3 (ic3.gov), and change any credentials that may have been exposed. The same preparation that limits ransomware damage — clean backups, tested recovery, a known incident contact — limits fraud damage too. We walk through that mindset in what a Southern Oregon business should do after an attack.

How we help

ITs Managed has protected small businesses across Jackson and Josephine counties since 1989. We help Grants Pass and Southern Oregon owners put the unglamorous-but-effective pieces in place: email authentication and MFA configured correctly, a payment-verification policy your team will actually follow, and staff training that makes these scams easy to spot. It’s the same plain-English, locally owned approach we bring to every part of our managed IT services — no jargon, no fear-selling, just the controls that keep your money where it belongs.

Worried a convincing call could slip past your team? Schedule a no-obligation meeting and we’ll review your payment process and email security, and help you close the gaps before someone else finds them.