bowers.law and alinea would like to keep in touch with you and to keep you informed of developments in the law and the ways in which we can help, advise and share risk with you.

To do this, we need your agreement and we need to make certain commitments to you about how we will use your personal data:

  • We will only use your personal data to send you relevant news and updates, announcements and invitations to events, and information about the firm.
  • We will not pass your personal data to any marketing agencies or other third parties, except for the purpose of us communicating with you, or as required by law.
  • You will be able to access the personal data that we hold about you and to correct it by contacting our data manager at enquiries@bowers.law.
  • You can withdraw your agreement at any time.

If you would like us to keep in touch and keep you informed, please do click the submit button.

We look forward to keeping you interested in what we have to say, and to working with you !

ARTIFICIAL vs. INTELLIGENT

Million Dollar Corporate AI Scams That Can Bring The Walls Down!

July, 2026

For this edition of the bowers.law Room 228 Newsletter, we want to talk about corporate fraud which has entered a highly sophisticated and terrifying era.

Rather than hacking into secure infrastructure, cybercriminals are increasingly exploiting human trust through multi-layered social engineering, real-time video impersonation, and hyper-realistic voice cloning.

AI has made the game bigger than ever, constantly evolving and it’s costing organisations millions! 

If the sting works, the money is almost impossible to recover. So how do companies safeguard against this? Knowledge is your primary weapon – knowing what’s possible, what worked, and what was foiled. We’ll keep you abreast of the latest scams, so you know what to look out for.

Here’s what we know so far…

 

ARUP (US $25 Million Loss)
In one of the most infamous and widely cited AI heists, the UK-based multinational engineering firm Arup was defrauded of HKD 200 million through its Hong Kong branch.  (see our post July 2024 )

  • The Tactic:
    A finance employee received an email supposedly from the company’s London-based Chief Financial Officer regarding a confidential transaction. Though initially suspicious, the employee was entirely convinced after joining a video conference call.
  • The AI Play:
    Every other participant on the video call—including the CFO and several colleagues—was actually a real-time video and audio deepfake generated from publicly available footage. The employee was directed to make 15 separate transfers. The fraud was only realized later, after checking with headquarters.

 

UNNAMED EUROPEAN AUTOMAKER (est. $5-15 Million Loss)
According to cybersecurity data tracked by financial institutions like J.P. Morgan, a prominent European automaker fell victim to an AI voice cloning scheme.

  • The Tactic:
    Fraudsters used an AI-cloned voice of the company’s CEO to orchestrate a “secret acquisition deal.”
  • The AI Play:
    The scammers manipulated payment processes via phone calls and forged documentation. While some parts of the scheme were caught, multiple payment rails executed transfers before traditional verification systems flagged the anomaly, costing the company millions.

 

TORONTO FINANCIAL INSTITUTIONS (US $ 2.8 Million Loss)
Known as ‘Project Déjà Vu’ this multi-player scam had a two-year run before the Financial Crimes Unit closed them down.

  • The Tactic:
    A sophisticated fraud ring created hundreds of entirely fictional “synthetic identities” to open bank accounts, lines of credit, and credit cards across Ontario. Once approved, they maxed out the credit limits through cash withdrawals and online shopping before abandoning the fake personas entirely.
  • The AI Play:
    To bypass modern digital banking verification (KYC) gates, the scammers used generative AI and face-swapping software to alter digital templates of government-issued IDs. They manufactured over 680 unique synthetic identities—all featuring the exact same fraudster’s face, but digitally tweaked with altered biometrics and different fake names to trick automated security algorithms over and over again.

 

Finally this scam is currently in play targeting active invoices, so be vigilant:
4. THE GLOBAL CRYPTO & BANKING VENDOR NETWORK (Escalating Losses)

  • The Tactic:
    Cybercriminals intercept active corporate email threads and cloud-based invoices during high-value payment windows, such as crypto settlements or supply-chain transactions. They subtly alter the routing numbers or digital wallet addresses on real invoices, causing companies to unwittingly wire funds to the hackers.
  • The AI Play:
    The entire scam is automated using weaponized dark-web tools like WormGPT and Agent Zero. Autonomous AI agents scrape LinkedIn and corporate press releases to draft flawless, context-aware emails that perfectly mimic internal company culture and ongoing projects. Simultaneously, machine learning “Invoice Swappers” instantly swap payment data while keeping corporate logos, formatting, and signatures 100% intact.

And here are a couple of scams that were unsuccessful… but only just!
Learn how these were played and saved.

FERRARI  (Narrow Escape $0 Loss)
In July 2024, a high-ranking executive at Ferrari received a barrage of WhatsApp messages seemingly from CEO Benedetto Vigna, complete with his profile picture. The message urged discretion regarding a “confidential acquisition tied to China” that required a rapid currency-hedge transaction.

  • The AI Play: The executive then received a live phone call from the “CEO.” The voice clone was incredibly convincing, but the executive noticed a slightly mechanical, unnatural undertone.
  • The Save: The executive asked a spontaneous security question: “What was the title of the book you recommended to me last week?” The scammer abruptly hung up, saving Ferrari from a massive financial hit.

 

WPP  (Narrow Escape $0 Loss)
Mark Read, the CEO of WPP (the world’s largest advertising group), was targeted in a highly calculated virtual setup.

  • The Tactic: Fraudsters set up a Microsoft Teams meeting using Read’s identity to target an agency leader, trying to trick them into disclosing financial details and setting up a shadow business entity.
  • The AI Play: The scammers used an AI-cloned voice of Read combined with pre-recorded public YouTube footage of him to bypass visual validation. When the “CEO” was off-camera, they used the Teams chat box to give commands.
  • The Save: The targeted executive noticed inconsistencies in the request’s logic and behavioural patterns, terminating the meeting before any funds or sensitive credentials were compromised.

 

Our advice remains:
1. Stay Informedwe’ll endeavour to keep you appraised of the latest tactics, getting the most up-to-date knowledge is your best weapon.

2. Stay ScepticalApproach all unexpected or unsolicited offers with extreme caution. If it seems too good to be true, it probably is.

3. Scrutinise Every Payment – Be hyper vigilant when verifying initial payment details, and be wary of any emails that ask you to deviate from that payment mechanism. Today’s scammers are AI smooth – no spelling errors, perfect grammar, flawless copied logos. Use human checks, highly personal (and frequently changed) identification questions and for big sums; travel, fly, meet, shake hands IRL for the most secure verification.

4. Regularly update internal payment policies / procedures: Ensure they are as foolproof as they can be with multiple layers of verification checks using different approval processes, and increased layers depending on the value of the payments.

5. Be Less Open Publicly – Out of Office auto replies, and social media posts can be too revealing about our personal details and whereabouts. Safe guard your minute-by-minute activities and delay posts until you return so only people who genuinely know you, know where you are, and where you are not.

Join our newsletter

By clicking submit you agree to our
Data collection and use terms