Keith Shaw, host of Today in Tech, recently sat down with our CEO Joël Winteregg to discuss how generative AI is reshaping the business fraud landscape.
According to the 2025 Global State of Scams Report published by Global Anti-Scam Alliance (GASA), global losses from scams reached an estimated amount of USD 442 billion over the past 12 months.
Generative AI can now produce a credible phishing campaign in under five minutes, down from more than 16 hours just a few years ago. The rules of business fraud have changed. The question is whether organisations have changed with them.
From spam filters to deepfake CFOs
A decade ago, the advice was simple: check for bad grammar, suspicious links, and unfamiliar senders. Those signals still matter, but they are no longer enough.
Joël describes a threat landscape that has moved well beyond the phishing email. Today’s business email compromise attacks do not necessarily require compromising an inbox at all. Attackers can organise a Microsoft Teams call, place a convincing AI-generated video of a senior executive on screen, manufacture a sense of urgency, and walk an employee through a payment without ever touching the company’s systems.
The technology has lowered the barrier significantly. What previously required technical skill and persistent access to an executive’s email account can now be assembled from commercially available tools.
Most companies have standard ERP processes with multiple approvals and checks. But every company also has 'urgent' exceptions.
The fraudsters behind these attacks are not operating as lone actors. Joël points to documented cases of scam compounds in Southeast Asia: large-scale, structured operations with dedicated teams for sourcing targets, building scenarios, and executing attacks. AI agents are now helping to scale those operations further.
The detection problem is a shared one
Across every fraud typology Joël discusses, invoice fraud, CEO impersonation, romance scams, investment fraud, one mechanism appears consistently: urgency.
Most companies have standard ERP processes with multiple approvals and checks. But every company also has 'urgent' exceptions.
That is precisely where attackers focus. The goal is not to defeat the process. It is to bypass it by making the exception feel inevitable.
What is new is the precision with which AI enables attackers to manufacture that urgency. Hyper-personalised messages, generated from publicly available information and tailored to the specific victim’s role and context, make the request feel legitimate. By the time someone pauses to verify, the window for intervention has often closed, especially in an environment where instant payments settle in seconds and cannot be recalled.
Awareness training is necessary but not sufficient
Joël is direct on this point. Employee awareness remains important. At Vyntra we run internal phishing simulations, track who clicks, and redirect those individuals to additional training rather than reprimanding them. The culture around that testing matters as much as the testing itself.
Employees who fear blame are less likely to report suspected fraud, which is precisely the outcome organisations cannot afford.
But awareness training alone cannot carry the full weight of fraud prevention. The structural risk created by real-time settlement, and by AI tools that make impersonation more convincing than any training scenario, requires controls that operate independently of human judgement in the moment.
Banks and payment providers also need to help detect suspicious activity. Responsibility needs to be shared.
When an organisation suddenly routes a large payment to a new account, that behavioural signal — unusual counterparty, unusual amount, unusual timing — is precisely what AI-driven anomaly detection is designed to surface, before the funds clear.
The detection problem is a shared one
The conversation points to something that security leaders already understand but that rarely gets framed this way in boardroom discussions: fraud prevention at scale is not a training problem or a process problem in isolation. It is an intelligence problem.
Fraudsters share tools, tactics, and target lists. They operate collaboratively, often across borders and institutions. The financial institutions best positioned to detect these attacks are those that pool behavioural signals across transaction flows and benefit from shared intelligence, knowing in near real time that a payee flagged at one institution is now appearing in payment instructions at another.
That collective approach, combined with AI models that adapt continuously to new attack patterns rather than waiting for rules to be written, is where the gap between reactive and proactive fraud prevention becomes most visible.
What comes next
Joël does not expect the problem to get easier in the near term. AI lowers the barrier to entry for attackers. The skills required to run a convincing impersonation or generate a fake invoice are no longer specialist skills. The volume of attempts will increase, and the quality of individual attacks will continue to improve.
The trajectory for defenders is more encouraging. Financial institutions are investing more heavily in real-time fraud detection, and regulators are reinforcing that expectation. The UK’s authorised push payment reimbursement framework is one example of how policy is shifting accountability and, with it, the urgency of prevention investment.
The baseline has moved. The organisations that recognise that early, and build detection capabilities that match the speed and adaptability of modern fraud, are the ones that will be in a position to absorb what comes next without absorbing the losses.
Want to detect and stop payment fraud before it reaches your customers?
Vyntra can help.
