AI Is Being Used Against Small Businesses. Here's What That Actually Means.

By The Most Secure Man Alive | WISECLICK Ambassador

I've watched it happen in slow motion.

A new technology arrives. The excitement is real. The possibilities are genuine. The consultants appear — confident, well-dressed, holding slides. "This changes everything," they say. And they're right.

What they forget to mention is that the other side noticed too.

AI has given small business owners extraordinary tools. Faster writing. Better decisions. Automation that used to cost ten times as much. I find this genuinely interesting.

I also find it genuinely interesting what it's given the people on the other side of the fence.


What AI Has Done for Attackers — In Plain English

Three things. That's all this requires.

It made the scam email disappear.

The old tells were easy to spot. Broken English. Generic greetings. "Dear Valued Customer." A request so obviously fabricated that most people caught it before they clicked.

AI removed all of that. A modern phishing email is fluent, personalised, and contextually accurate. It knows your industry's language. It references details that feel real. It mirrors the tone of emails you actually receive from people you actually trust.

The volume has also changed. What once required a team of people working across time zones now requires a single laptop and a well-written prompt. One person can now send ten thousand convincing emails before lunch.

The tell is no longer the writing. The tell is the request.


It cloned the voice on the phone.

Thirty seconds of audio is enough. A public video. A voicemail greeting. A podcast appearance. A short clip from a company event posted to LinkedIn.

Thirty seconds of your accountant's voice is often enough to make a phone call that sounds convincingly like your accountant.

This has been used, in documented cases, to instruct bookkeepers to update payment details. To convince CFOs to approve urgent transfers. To bypass processes that would have caught a written request instantly — because the voice felt real, and real felt safe.

The tell here is always the same: urgency. Legitimate people — your actual accountant, your actual supplier, your actual bank — rarely demand immediate action without a paper trail. When a voice call asks you to act now and bypass your normal process, that is not your accountant. That is a prompt.


It researched you before you knew it was looking.

LinkedIn. Your company website. Social media. Public records. News mentions. A profile of your business, your suppliers, your key relationships, and your financial patterns — assembled automatically in minutes from information already public online.

The scam email that references your supplier by name isn't sophisticated. It's just thorough. AI does the thoroughness at a scale no human attacker could match.

Many breaches are not sophisticated. They're simply researched.


The Risk Nobody Is Talking About — And It's Coming From Inside

The threat isn't only incoming.

Every time someone on your team pastes client names, financial data, internal documents, or confidential correspondence into a free AI tool — that information leaves your building. Not because anyone hacked you. Because you handed it over voluntarily, in exchange for a faster first draft.

The major AI platforms have policies. The policies change. The data handling varies by region. The terms are long, and almost nobody reads them.

This is not a reason to avoid AI tools. It is a reason to know which information goes into them and which does not. One clear rule — one sentence, shared with everyone who works in your business — closes most of this exposure before it becomes a problem.

The most dangerous thing about AI isn't what it can do. It's what it lets someone else do to you while you're busy being impressed by it.

I use AI every day. I simply choose what it knows about me.


Three Things Worth Doing This Week

Not ten. Not a project plan. Three.

  1. Set a verification rule. Any unusual financial request — change of payment details, urgent transfer, unfamiliar invoice — gets confirmed through a second channel. Not a reply to the email. Not a callback to the number that called you. A call to a number you already have, to a person you already know. This one habit stops the majority of AI-powered financial scams.
  2. Set a simple AI data rule. One paragraph. "Client names, financial information, and internal documents do not go into free AI tools." Share it with everyone who works in the business. It does not require a policy document. It requires a sentence and a conversation.
  3. Run your Essential 8 assessment. AI doesn't usually create new vulnerabilities. It exploits existing ones faster, at greater scale, with less effort. Your Essential 8 score shows you where those vulnerabilities are — before someone else finds them for you.

Where the Essential 8 Comes In

The Australian Signals Directorate didn't design the Essential 8 for AI. They designed it for the reality that most attacks succeed not because they're clever, but because the basic things weren't done.

AI makes the basic things more important, not less. Patching. Access control. Backups that actually survive. Multi-factor authentication that can't be bypassed with a convincing voice.

If your Essential 8 controls are in place, AI-powered attacks become significantly harder. If they're not, AI makes that gap easier for attackers to use.

That's the honest picture.


Want to know where your business actually stands?

The Essential 8 Gap Assessment shows you exactly that — across all eight controls, in plain English. Your maturity level. Your gaps. Your quick wins.

30 minutes. No tech knowledge needed. $149.


The threats are real. So is the answer. Stay protected, my friends.
— The Most Secure Man Alive




Frequently Asked Questions

Is AI being used to attack small businesses in Australia?

Yes. AI is being used to generate convincing phishing emails at scale, clone voices for phone scams, and automatically research targets using publicly available information. These are not theoretical threats — they are documented and occurring now. Small businesses are targeted because they often have fewer verification processes than large organisations.

What is a deepfake voice scam and how does it work?

A deepfake voice scam uses AI to clone a person's voice from a short audio sample — as little as 30 seconds from a public video, voicemail, or social media clip. The cloned voice is then used to make phone calls impersonating that person. In documented cases this has been used to instruct staff to transfer funds or change payment details. The tell is always urgency — legitimate requests rarely demand immediate action without a paper trail.

How can I tell if a phishing email was written by AI?

The old tells — broken English, generic greetings, obvious urgency — are largely gone. AI-written phishing emails are fluent, personalised, and contextually accurate. The more reliable signal is no longer the writing quality but the nature of the request itself. Any email asking you to take an unusual financial action, click an unexpected link, or bypass a normal process warrants a second verification through a separate channel.

Is it safe to use AI tools like ChatGPT in my business?

AI tools are useful and widely used — the risk is not in using them but in what information goes into them. Client names, financial data, internal documents, and confidential correspondence should not be pasted into free AI tools. A simple one-sentence rule shared with your team covers most of this exposure. The tools themselves are not the problem. Knowing what they know about you is.

How does the Essential 8 protect against AI-powered attacks?

AI doesn't usually create new vulnerabilities — it exploits existing ones faster and at greater scale. The Essential 8 covers the basics that AI-powered attacks rely on: patching known vulnerabilities before they're exploited, controlling application access, maintaining backups that survive ransomware, and implementing multi-factor authentication that can't be bypassed by a convincing voice call. With the Essential 8 in place, AI-powered attacks become significantly harder to execute.
