I used to treat phishing emails as a bit of a joke. You know the ones—poorly spelled subject lines, desperate pleas from a “Prince” in a foreign country, or logos that looked like they were pasted in MS Paint. They were annoying, but they were easy to spot.
That era is over.
Yesterday, I received an email that made me pause. It referenced a specific client, included what looked like legitimate tax documents, and used the correct corporate branding. It felt right. But something small felt off, so I verified it off-chain. It turned out to be fake.
If I, someone who lives and breathes tech, almost fell for it, what does that mean for a junior accountant processing hundreds of invoices a day?
In my latest course on EverydayCPE, I dove deep into the data behind AI-driven fraud. The numbers are terrifying, but the solution—surprisingly—isn’t just “buy better software.” It’s about old-school accounting controls.
The End of the “Quality vs. Quantity” Trade-Off
In the past, cybercriminals had to make a choice. They could either:
- Cast a wide net with low-quality spam (the “Nigerian Prince” approach).
- Go spear phishing with a high-quality, targeted attack on one person, which took weeks of research.
Generative AI destroyed that trade-off.
According to data from late 2024 through 2026, phishing attacks have increased significantly. Why? Because tools like ChatGPT and other LLMs allow bad actors to scrape your LinkedIn, read your company’s white papers, and generate a personalized, grammatically perfect email to your CFO in seconds.
They can now do high-quality spear phishing at a massive scale.
The Deepfake CFO: A $250,000 Lesson
We aren’t just talking about text anymore. We are talking about audio and video.
I reviewed a case recently where a multinational firm lost $250M because an employee hopped on a video call with their CFO. The CFO asked for a transfer. The employee authorized it.
The problem? The “CFO” was a deepfake.
The technology to clone a voice or face used to cost Hollywood studios millions. Now, a scammer can do it with a few minutes of sample audio (grabbed from a podcast or YouTube) and a subscription that costs less than Netflix.
If your internal control for a wire transfer is “I recognized his voice on the phone,” your controls are broken.
Agentic AI: The Threat That “Thinks”
The research report accompanying the course highlights a shift toward “Agentic AI”.
Unlike a standard script that runs a set of commands, an AI agent can act autonomously. It can:
- Identify a target.
- Find vulnerabilities in the network.
- Deploy malware.
- Mutate its code to evade antivirus detection.
Data shows these agents can deploy malware in under five minutes from initial contact. By the time a human security analyst sees the alert, the damage is often done.
The Solution: Finance Leads, IT Supports
Here is the most important takeaway from my research: This is a finance problem, not just an IT problem.
You cannot rely solely on firewalls to stop a deepfake CFO. You have to rely on Internal Controls.
If you want to fraud-proof your accounting department, you need to go back to the basics of segregation of duties, but update them for the AI age.
- Kill the Single Point of Failure: No single person should be able to authorize a payment based on a phone call or video chat.
- Verify Off-Chain: If you get an email request, verify it via Slack. If you get a Slack request, verify it via phone. Never use the contact info provided in the suspicious message.
- Harden Authentication: SMS 2-factor authentication is weak. I insist on using authenticator apps (like Google or Microsoft Authenticator) that are tied to a physical device and, ideally, biometric data.
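The three controls above can be enforced as a release gate in the payment workflow. The sketch below is an added example, not code from the course or any product; the field names, channel labels, and the rule that approvals signed in with SMS do not count are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

WEAK_FACTORS = {"sms"}  # the article rates SMS 2-factor as weak

@dataclass
class PaymentRequest:
    requester: str
    request_channel: str                   # "email", "slack", "phone", "video"
    verify_channel: Optional[str] = None   # channel used to confirm the request
    contact_source: Optional[str] = None   # "directory" or "message"
    approvals: dict = field(default_factory=dict)  # approver -> sign-in factor

def release_blockers(req, min_approvers=2):
    """Return every failed control; an empty list means the payment may go out."""
    blockers = []
    # No single point of failure: the requester cannot approve their own
    # payment, and approvals made behind a weak factor are not counted.
    valid = {who for who, factor in req.approvals.items()
             if who != req.requester and factor not in WEAK_FACTORS}
    if len(valid) < min_approvers:
        blockers.append(f"approvers: need {min_approvers}, have {len(valid)}")
    # Verification must happen on a different channel than the request.
    if req.verify_channel is None:
        blockers.append("verification: none performed")
    elif req.verify_channel == req.request_channel:
        blockers.append("verification: reused the request channel")
    elif req.contact_source != "directory":
        # Contact details taken from the message itself prove nothing.
        blockers.append("verification: contact info came from the message")
    return blockers

# Constructed samples (not real cases).
DEEPFAKE_CALL = PaymentRequest("cfo", "video", approvals={"clerk": "sms"})
SAME_CHANNEL = PaymentRequest("cfo", "email", "email", "message",
                              {"controller": "authenticator_app", "cfo": "authenticator_app"})
VERIFIED = PaymentRequest("cfo", "email", "phone", "directory",
                          {"controller": "authenticator_app", "treasurer": "authenticator_app"})

if __name__ == "__main__":
    for name, req in [("deepfake call", DEEPFAKE_CALL),
                      ("same channel", SAME_CHANNEL), ("verified", VERIFIED)]:
        print(name, "->", release_blockers(req) or "release allowed")
```

The gate reports every failed control at once, so a blocked payment shows the approver exactly which step is missing.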
Key Takeaways
- Trust Nothing Digital: Phishing attacks are up 1,200%. If an email looks perfect, be suspicious.
- Video is Not Proof: Deepfakes can mimic your boss’s face and voice in real-time. Video calls are no longer sufficient authorization for transactions.
- Update Your Risk Assessment: If your current risk assessment doesn’t explicitly mention “AI-driven social engineering,” it is outdated.
- Process Over Tech: The best defense is a strict approval workflow that requires multiple humans to sign off on outgoing cash.
