Fraud scams are nothing new, but the tools and tactics being used have evolved dramatically. AI is enabling criminals to create convincing emails, clone voices, and build fake websites that are increasingly difficult to distinguish from real communications. Complex, personalized attacks can be used to trick even careful people and organizations.
The scams that the cybersecurity team at Venable sees, both through our work with the firm’s clients that are targets of fraud and at the Center for Cybersecurity Policy & Law (CCPL) with cybersecurity companies that do significant research, continue to change and increase. Here are the most common threats we are seeing today, how the use of AI has changed them, and what we are telling people to do to prevent them.
Most Common Threats
AI-Enhanced Phishing
Phishing is a technique for attempting to acquire sensitive data, such as passwords or bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator pretends to be a legitimate business or person. While these types of scams have been the biggest concern for decades, AI has enabled bad actors to scale the complexity and scope of their attacks. AI is ideal for collecting and processing large amounts of data quickly and thoroughly.
With access to massive datasets, including publicly available personal and professional information, scammers can now tailor phishing attempts with a level of personalization that makes them far more difficult to detect. These messages often lack the spelling errors or generic language that once served as warning signs, may include personal or private details such as account information, and can seem credible enough to fool savvier consumers. In particular, counterfeit online forms that might previously have raised questions now often look identical to the real thing.
Deepfake Voice and Video Scams
Deepfake scams involve the use of artificial intelligence to replicate a person’s voice or likeness to deceive victims into sharing sensitive information or transferring money. While impersonation scams are not new, advances in AI have made it possible to generate highly realistic audio and video with minimal input data. In some cases, just a short audio clip from social media or publicly available recordings is enough to convincingly mimic an individual’s voice.
These scams often rely on urgency and emotional manipulation. A victim may receive a phone or video call that appears to come from a trusted source like a family member, colleague, or executive requesting immediate assistance or financial support. Because the voice sounds familiar and the situation feels pressing, individuals may act quickly without independently verifying the request. As with AI-enhanced phishing, the increasing realism of these attacks makes them significantly harder to detect, underscoring the importance of verifying unexpected or unusual requests through trusted, independent channels.
Business Email Compromise (BEC) & Financial Fraud
Business email compromise (BEC) scams involve attackers gaining access to—or convincingly impersonating—a legitimate business email account to trick people into sending money or sensitive information. These schemes often target employees responsible for financial transactions, as well as individuals involved in high-value activities like real estate closings. While BEC attacks have existed for years, AI is making them more effective by enabling attackers to generate realistic messages that closely mimic the tone, style, and timing of legitimate communications.
A common tactic involves sending updated payment or wiring instructions that appear to come from a trusted source, such as a colleague, vendor, lawyer, or mortgage company. These messages often arrive at critical moments, just before a deadline or transaction is due, creating a sense of urgency that discourages verification. In real estate transactions, for example, a compromised email account may be used to redirect closing funds to a fraudulent account with little warning.
Because these communications often appear legitimate and are contextually accurate, traditional warning signs can be difficult to spot. As a result, it is critical to verify any changes to payment information through a separate, trusted channel before completing a transaction.
Texting Scams
Smishing – phishing conducted via text message – has become an increasingly common entry point for fraud. These messages often appear to come from legitimate sources, such as delivery services, toll operators, or government agencies, and are designed to prompt immediate action, such as clicking a link or providing information. In other cases, the interaction begins with a seemingly harmless “wrong number” text that evolves into an ongoing conversation.
In more sophisticated versions of these scams, known as “pig butchering,” attackers build relationships with victims over a very long period, often through text messaging or messaging apps. What starts as casual conversation gradually develops into trust, with the scammer eventually introducing an investment opportunity, frequently one routed through a specific broker, that appears legitimate but is entirely fraudulent. Victims are encouraged to invest increasing amounts of money and at first appear to be making money, sometimes over weeks or months, before the investment falls apart and the scammer disappears.
These scams are particularly effective because they rely less on technical deception and more on social engineering and emotional manipulation. The combination of persistent communication, perceived personal connection, and the promise of financial gain can make them difficult to recognize until significant losses have occurred.
Elder Fraud
A growing number of the scams above, and others, target seniors’ bank accounts and 401(k)s. In addition to AI-enhanced phishing and deepfake schemes, bad actors use highly targeted tactics aimed at seniors’ perceived vulnerabilities, including limited digital savvy. Common scams include fraudulent investment opportunities promising high returns; impersonation of government officials from agencies such as the IRS, Medicare, and the Social Security Administration; romance scams that exploit loneliness to extort money; and fake IT support schemes claiming to fix “broken” software. These scams are especially effective because they target the elderly, who are often less aware of digital scams and might be more susceptible to the fear, urgency, and misinformation tactics used by scammers.
Practical Steps to Avoid Being Scammed
For all the scams mentioned above, and the many others that exist, the best advice is to remain vigilant and skeptical. While technical safeguards can help, the most effective defense is a cautious mindset. Individuals need to be comfortable recognizing and acknowledging situations that seem even slightly off. Approach unexpected texts, calls, emails, or videos with skepticism, particularly if they come from unknown or unverified sources. Even if the request turns out to be legitimate, and even in the direst situation, checking and double-checking is unlikely to make things worse.
The following recommendations are a good place to start to help individuals avoid falling for scams.
Strengthen Authentication
Most phishing schemes are designed to trick you into handing over your login credentials to an attacker. The most effective defense against these scams is to use authentication methods that can’t be easily shared, reused, or spoofed. Multi-factor authentication (MFA) adds an extra layer of security beyond a password, making it significantly harder for attackers to gain access even if credentials are compromised. However, not all MFA methods are equally secure—one-time passcodes (OTPs), especially those sent via SMS or email, can still be phished or intercepted by sophisticated attackers.
Where available, people should opt for passkeys, hardware tokens, or biometric authentication, which are far more resistant to phishing because they are tied to the user’s device and cannot be easily reused or shared. CCPL’s Better Identity Coalition (BIC), the American Bankers Association (ABA), and the Financial Services Sector Coordinating Committee (FSSCC) created a playbook for financial services firms regarding authentication systems. When possible, banks and other institutions should offer passkeys and hardware tokens. That said, using any form of MFA is far better than relying on a password alone. Even basic MFA can stop many common attacks, so the most important step is to enable it wherever possible and then upgrade to stronger options like passkeys when available.
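To make the difference concrete, here is a small model added as an illustration (it is not from the playbook or any bank's system): a one-time code is valid no matter which website the user typed it into, while a passkey-style response records the site the browser was actually on, so the real site rejects a response produced on a lookalike. The domain names, keys, and challenge are constructed sample values, and an HMAC stands in for the public-key signature a real passkey uses.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on secret and time."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def server_accepts_otp(secret: bytes, submitted: str, at: int) -> bool:
    # Nothing in the code says which site the user typed it into.
    return hmac.compare_digest(totp(secret, at), submitted)

def passkey_sign(key: bytes, challenge: str, origin: str):
    """Simplified passkey: the browser, not the user, records the origin it is
    actually on, and that record is covered by the signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    # Assumption: HMAC stands in for the authenticator's public-key signature.
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def server_accepts_passkey(key, client_data, sig, challenge, expected_origin):
    good = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(good, sig):
        return False
    data = json.loads(client_data)
    return (data.get("type") == "webauthn.get"
            and data.get("challenge") == challenge
            and data.get("origin") == expected_origin)

# Constructed sample values (not from the article).
REAL, LOOKALIKE = "https://bank.example", "https://bank-login.example"
SECRET, KEY, CHALLENGE, NOW = b"12345678901234567890", b"k" * 32, "c29tZS1ub25jZQ", 59

def compare() -> dict:
    code = totp(SECRET, NOW)  # user reads this off a phone; it works on any site
    on_fake = passkey_sign(KEY, CHALLENGE, LOOKALIKE)
    on_real = passkey_sign(KEY, CHALLENGE, REAL)
    return {
        "otp_entered_on_lookalike": server_accepts_otp(SECRET, code, NOW),
        "passkey_used_on_lookalike": server_accepts_passkey(KEY, *on_fake, CHALLENGE, REAL),
        "passkey_used_on_real_site": server_accepts_passkey(KEY, *on_real, CHALLENGE, REAL),
    }

if __name__ == "__main__":
    print(compare())
```

With real passkeys the browser also refuses to offer the credential at all on a domain other than the one it was registered for, so the user is never asked to approve the request on the lookalike site.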
Verify Before You Act
Many scams rely on creating a sense of urgency to push victims into acting quickly. Taking a moment to pause and independently verify a request can prevent costly mistakes. If you receive an unexpected call, email, or message asking for money or sensitive information, do not respond directly. Instead, contact the individual or organization using a trusted phone number or official website to confirm the request.
Avoid Engaging with Unknown Contacts
Unsolicited messages, whether by text, email, or phone, should be treated with caution. Responding to unknown contacts can signal that your number or account is active, potentially leading to additional targeting. This is especially true for “wrong number” texts or unexpected outreach that attempts to initiate a conversation. Ignoring or deleting and blocking these messages is often the safest course of action. If you are unsure who you are communicating with and are asked to send money, stop and call a trusted number you already have saved.
Double-Check All Financial Transactions
Before sending money, particularly through wire transfers, cryptocurrencies, gift cards, or other irreversible methods, confirm the payment details through multiple trusted channels. Fraudsters frequently exploit moments of urgency, such as real estate closings or invoice payments, to introduce fraudulent instructions. Verifying payment information directly with the intended recipient can help ensure funds are not misdirected.
Watch for Payment Red Flags
Certain payment methods are commonly associated with scams. Requests for payment via gift cards should always be treated as fraudulent, as no legitimate organization will require this form of payment. Similarly, demands for cryptocurrency should raise immediate concern due to the difficulty of tracing and recovering such transactions. Unusual payment requests, especially when combined with urgency, are a strong indicator of fraud. The more urgent the request, the more cautious consumers should be.
Conclusion
As fraud schemes continue to evolve, the common thread across all of these scams is not just technology, but trust. Artificial intelligence has made it easier for bad actors to mimic legitimate communications and exploit moments of urgency, familiarity, and human instinct. What once may have been easy to dismiss as suspicious now often appears credible, targeted, and convincing.
At the same time, the core defenses remain consistent. Taking a moment to pause, verify, and question unexpected requests can make the difference between avoiding a scam and becoming a victim. Strong authentication practices, combined with a habit of independently confirming sensitive requests, provide meaningful protection in an increasingly complex threat environment.
Ultimately, awareness is one of the most effective tools available. By understanding how these scams operate and recognizing their warning signs, individuals and organizations can better protect themselves and reduce the likelihood of financial loss.
