AI Scams & Social Engineering

Updated 2 May 2025
Tags: safety, security, scams, phishing, social-engineering, voice-cloning

Social engineering — tricking people into doing something they shouldn’t — is as old as fraud itself. What’s new is that AI has supercharged it. Every dimension of a scam — the voice, the face, the email, the backstory, the persistence — can now be AI-generated, personalised, and deployed at scale.

This isn’t hypothetical. It’s happening now. The losses run into billions annually, and the techniques improve with every new model release.


Voice Cloning Scams

The most emotionally devastating category. AI voice cloning can replicate anyone’s voice from a short sample — often scraped from social media, voicemails, or public talks.

How it works:

  1. Attacker obtains a voice sample (15-30 seconds is enough)
  2. AI creates a real-time voice clone
  3. Attacker calls the victim, impersonating a family member, boss, or colleague
  4. Urgency + familiar voice = compliance

Real cases:

  • Parent receives call from “their child” claiming to be kidnapped, demanding ransom
  • CEO’s voice cloned to authorise a $243,000 wire transfer (2023, documented case)
  • Grandparent scams using cloned grandchild voices — FBI has flagged this as rising sharply

Defence:

  • Establish a family code word for emergencies
  • Hang up and call back on a known number
  • Never authorise money based on a phone call alone
  • Be especially cautious with urgent, emotional requests

AI-Powered Phishing

Traditional phishing emails had telltales: bad grammar, generic greetings, obvious URLs. AI has eliminated all of them.

What’s different now:

  • Perfect language — LLMs write flawless, contextually appropriate emails
  • Personalisation — AI can research a target and craft personalised messages at scale
  • Multilingual — Scams in any language, with native fluency
  • Volume — What took a human scammer hours takes AI seconds

Spear phishing at scale — The old trade-off was: generic email → many targets, or personalised email → few targets. AI removes this trade-off. Every email can be personalised. To thousands of targets. Simultaneously.

Defence:

  • Verify unexpected requests through a second channel
  • Don’t click links in emails — navigate to sites directly
  • Use email security tools (they’re also using AI to detect AI-generated phishing)
  • Be sceptical of any urgency (“you must act NOW”)

Fake Identities & Profiles

AI-generated faces (GANs and diffusion models) create convincing profile pictures. Combined with AI-written bios and messages:

  • Romance scams — AI-generated attractive profiles on dating apps, with AI-generated conversations that feel personal and consistent
  • Business fraud — Fake LinkedIn profiles for social engineering (gain trust → extract information)
  • Fake reviews/testimonials — Entire review profiles that look authentic
  • Astroturfing — Fake social media accounts pushing narratives at scale

How to spot them (getting harder):

  • Reverse image search (less effective with generated images)
  • Check for inconsistencies in claimed history
  • Be suspicious of too-perfect profiles
  • Verify through independent channels

Fake Customer Service

AI chatbots impersonating legitimate company support:

  1. Victim searches for help (e.g., “how to contact my bank”)
  2. Scam site appears in search results with AI chatbot
  3. Chatbot is conversational, helpful, and convincing
  4. Eventually asks for login credentials, account numbers, or payment details

This works because AI chatbots are now good enough to pass casual scrutiny. They answer questions, maintain context, and sound professional.


Investment & Financial Scams

AI enables sophisticated financial fraud:

  • Fake trading bots — AI-generated testimonials and fabricated performance data
  • Deepfake endorsements — Celebrities “recommending” investment schemes
  • Automated persuasion — AI chatbots that patiently build trust over weeks before pitching a scheme
  • Fabricated documents — AI-generated financial statements, contracts, and regulatory filings

The Scale Problem

This is what makes AI scams different from traditional fraud: the economics have flipped.

Dimension              | Before AI         | With AI
-----------------------|-------------------|-------------
Cost per scam          | High (human time) | Near zero
Personalisation        | Manual research   | Automated
Language barriers      | Significant       | Eliminated
Scale                  | Limited by humans | Unlimited
Consistency            | Variable          | Perfect
Emotional manipulation | Skill-dependent   | Systematised

A single operator with AI tools can run thousands of personalised scam campaigns simultaneously. The old bottleneck — human time and skill — is gone.


What Regulators Are Doing

  • FTC (US) — Increasing enforcement against AI-enabled fraud, proposed rules on AI impersonation
  • Europol — Published reports on AI-enabled crime, cross-border coordination
  • EU AI Act — Transparency requirements for AI-generated content
  • UK — Online Safety Act provisions, fraud-specific enforcement
  • Banks — Implementing AI-based fraud detection (fighting fire with fire)

See Regulator Watch for ongoing tracking of regulatory responses.


What You Can Do Today

  1. Verify urgency — Real emergencies survive a 5-minute delay. Scams don’t.
  2. Use code words — Establish verification phrases with family and close colleagues
  3. Second-channel verification — If someone contacts you via one channel, verify via another
  4. Don’t trust voices or faces — They can both be faked. Trust actions and verification.
  5. Update your mental model — The “poorly written email from a Nigerian prince” era is over. Modern AI scams are sophisticated, personal, and patient.
  6. Talk to vulnerable people in your life — Elderly relatives, less tech-savvy friends. They need to know.
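
For a finance team, points 1 to 4 can be written down as a payment-release check. The sketch below is an added example, not part of the original article: the directory entries, phone numbers, field names and the choice to enforce the 5-minute pause as a hard minimum are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed directory: contact details recorded before any request arrived.
DIRECTORY = {
    "cfo": {"contact": "+44 20 7946 0101", "code_word": True},
    "supplier": {"contact": "+44 20 7946 0202", "code_word": False},
}
MIN_DELAY = timedelta(minutes=5)  # assumption: the 5-minute pause is enforced


@dataclass
class Request:
    claimed_sender: str   # who the caller or email says they are
    channel: str          # "phone", "email", "video", ...
    received_at: datetime


@dataclass
class Verification:
    channel: str
    contact_used: str     # the number or address we reached out to
    we_initiated: bool    # False if we stayed on the inbound call or thread
    at: datetime
    code_word_ok: bool = False


def release_decision(req: Request, ver: Optional[Verification]):
    """Return (allowed, reasons); reasons lists every rule that failed."""
    if ver is None:
        return False, ["no verification: an inbound call or email alone never releases money"]
    entry = DIRECTORY.get(req.claimed_sender)
    if entry is None:
        return False, ["claimed sender has no pre-recorded contact to verify against"]
    reasons = []
    if not ver.we_initiated:
        reasons.append("verification happened on the channel the requester opened")
    if ver.contact_used != entry["contact"]:
        reasons.append("contact used is not the pre-recorded one")
    if ver.at - req.received_at < MIN_DELAY:
        reasons.append("verified in under five minutes; urgency pressure not ruled out")
    if entry["code_word"] and not ver.code_word_ok:
        reasons.append("agreed code word was not given")
    return (not reasons), reasons
```

A callback to a number supplied during the suspicious call fails the second rule even when everything else looks right, which is the case a cloned voice is most likely to engineer.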
