Here's one that's scary precisely because it's cheap to pull off: a scammer clones a familiar voice (your boss, a supplier, a board chair) from a few seconds of public audio, then calls to push through an "urgent" payment or password reset. It used to be a big-company problem. It isn't anymore.
What's happening
The tools to fake a convincing voice became free and easy to use this year, and the FTC has been warning about voice-cloning scams as they spread. That pushes the effort per target low enough that small businesses, clinics, and nonprofits are now worth a scammer's time. The tell isn't the voice. The voice is good. The tell is the pressure: urgency, secrecy, and a change to how money or access normally moves.
The 5-minute defence
- Set one code word. Anyone authorising a payment or credential change over the phone has to say it. No word, no action. Free, and it beats the fanciest detection tool.
- Make "I'll call you back" the default. Hang up, dial the number you already have on file, never the one they give you. A real request survives a callback. A scam usually doesn't.
- Tell the newest person first. Scammers target whoever's least likely to push back. Your part-time bookkeeper needs this more than you do.
The bigger picture
You don't need to out-tech the attackers. You need one boring human habit that AI can't fake its way around. That's the theme for small orgs right now: the cheapest defence is often a rule, not a product. Spend the five minutes this week.