
How cybercriminals are using AI to trick your team — and how to stay one step ahead
By Andy Lomasky, Senior Director, IT, PMMI
Phishing isn't just shady links and misspelled emails anymore. Today's attacks are assisted by AI, which makes them harder to detect and far more convincing than they used to be. Criminals use deepfakes, voice clones, and advanced social engineering to impersonate executives, vendors, and partners. Their goal is to trick someone, anyone, into transferring money or giving up credentials. This wave of attacks falls under a category called Business Email Compromise (BEC), which the FBI's Internet Crime Complaint Center (IC3) reports cost victims nearly $3 billion in reported losses in 2023 alone, the largest loss figure of any crime type it tracks apart from investment fraud.
What’s New in Phishing?
🎭 Deepfakes & Voice Clones - AI tools can mimic your CEO’s voice — or create a video of them asking for gift cards or a wire transfer.
📧 Thread Hijacking - Attackers reply inside real email chains with fake invoices or urgent requests, usually from a mailbox they have compromised or from a lookalike domain. The message looks legitimate because it arrives in the middle of a genuine conversation, with the real subject line and quoted history.
🔍 Hyper-Personalization - AI scrapes social media and websites to make phishing emails eerily relevant, referencing real events, employees, or recent announcements.
☎️ Voice-Based Scams (Vishing) - Some attackers skip email altogether and use cloned audio to call in fake payment requests.
Real-World Example:
An employee in Finance received an email from their CEO:
“Can you wire $24,700 to this vendor ASAP? I’m tied up, can’t talk.”
It looked real. Sounded real. It wasn’t. And the money disappeared.
Who's at Risk?
Trade show teams are especially vulnerable during busy event seasons, when urgency is high and distractions are many.
How to Stay Protected:
✅ Verify, Don't Assume - If a request involves money, bank-detail changes, or sensitive data, confirm it through a second channel: a phone call or direct message to the person using contact details from your own directory, never the number, address, or reply-to taken from the message itself. A request that says "can't talk" is the request that most needs a call.
✅ Train Staff Regularly - Simulate phishing emails, include voice/video examples, and talk about BEC openly across departments — not just IT.
✅ Use Email Protections - Publish SPF, DKIM, and DMARC for your domains, and move DMARC to an enforcing policy (p=quarantine or p=reject); a p=none record only reports spoofing, it does not block it. Tag external messages with a warning banner so they are easier to spot. Keep in mind what these controls do and do not cover: they stop exact-domain spoofing of your own mail, but a lookalike domain (exarnple.com instead of example.com) or a compromised partner mailbox passes every one of these checks, which is why the verification step above still matters.
✅ Require Multifactor Authentication (MFA) Everywhere - If someone gives up their password, MFA is what keeps the attacker out of the mailbox that a thread-hijacking attack needs. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes and push prompts, which attackers can relay or fatigue users into approving. Note that MFA protects accounts, not payments: a convincing wire request needs no credentials at all, so it must be paired with the verification step above.
✅ Tighten Public Exposure - Limit what you publish about org charts, executive travel, or personal contact details — especially before major events.
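The checks above can be turned into mail-gateway or SOC triage logic. The following is an added example, not code from the article or from PMMI: it inspects a message's Authentication-Results header (the RFC 8601 stamp a mail gateway adds after evaluating SPF, DKIM, and DMARC), looks for a lookalike of a trusted domain replying inside an existing thread, checks Reply-To against From, and scans the body for urgent-payment language. The domains example.com and acme-vendor.com, the three sample messages, and the homoglyph table are all constructed assumptions for the example.

```python
"""
BEC triage over inbound mail headers and body.
Added example; not from the article. Assumes the gateway stamps an
Authentication-Results header and that TRUSTED_DOMAINS lists the
organisation's own domain plus known partners (both assumptions).
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                      # assumption
TRUSTED_DOMAINS = {OUR_DOMAIN, "acme-vendor.com"}  # assumption

# Substitutions commonly used to build lookalike domains (rn looks like m, etc.)
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

URGENCY = re.compile(r"\b(wire|transfer|asap|urgent|can't talk|gift card)\b", re.I)
AMOUNT = re.compile(r"\$\s?\d[\d,]*(\.\d{2})?")


def normalize(domain):
    """Fold known homoglyph substitutions so exarnple.com compares as example.com."""
    d = domain.lower()
    for k, v in CONFUSABLES.items():
        d = d.replace(k, v)
    return d


def levenshtein(a, b):
    """Edit distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True when domain imitates a trusted domain without being one of them."""
    if domain in trusted:
        return False
    n = normalize(domain)
    return any(n == normalize(t) or levenshtein(n, normalize(t)) <= 2 for t in trusted)


def auth_results(msg):
    """Parse 'spf=pass ... dkim=pass ... dmarc=pass' into {'spf': 'pass', ...}."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def domain_of(header_value):
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    flags = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    auth = auth_results(msg)

    # Our own domain in From but DMARC did not pass: classic exact-domain spoof.
    if from_dom == OUR_DOMAIN and auth.get("dmarc") != "pass":
        flags.append("dmarc-fail-on-own-domain")
    # Lookalike domains authenticate fine under DMARC; they need their own check.
    if is_lookalike(from_dom):
        flags.append("lookalike-domain")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    # A lookalike replying inside an existing thread is the thread-hijack pattern.
    if msg.get("In-Reply-To") and "lookalike-domain" in flags:
        flags.append("thread-hijack")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(text) and AMOUNT.search(text):
        flags.append("urgent-payment-language")
    return flags


# Constructed sample messages (not real mail).
SPOOFED = """From: "CEO" <ceo@example.com>
To: finance@example.com
Reply-To: ceo.example@gmail.com
Subject: Urgent
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset=utf-8

Can you wire $24,700 to this vendor ASAP? I'm tied up, can't talk.
"""

HIJACK = """From: "Acme Billing" <billing@acrne-vendor.com>
To: finance@example.com
Subject: Re: Invoice 4471
In-Reply-To: <thread-4471@acme-vendor.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acrne-vendor.com; dkim=pass header.d=acrne-vendor.com; dmarc=pass header.from=acrne-vendor.com
Content-Type: text/plain; charset=utf-8

Please process the attached invoice, $12,300.00, by wire transfer to our new account before Friday.
"""

LEGIT = """From: "Pat Lee" <pat.lee@example.com>
To: finance@example.com
Subject: Re: Q3 numbers
In-Reply-To: <q3@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Thanks, the Q3 numbers look fine. Let's review them Thursday.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("hijack", HIJACK), ("legit", LEGIT)):
        print(name, bec_indicators(raw))
```

The second sample is the instructive one: the lookalike vendor domain passes SPF, DKIM, and DMARC because the attacker controls that domain, so the only signals left are the domain similarity, the in-thread reply, and the payment language. That is the gap the out-of-band verification step has to close; the triage code only decides which messages deserve the phone call.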
Make Security a Reflex
In an AI-powered threat landscape, trust needs to be earned, not assumed. Empower your team to pause, question, and escalate. That moment of doubt might save your company thousands — or protect your customers’ data. Slow is safe. Fast is phished.
Want a phishing playbook, checklist, or awareness flyer?
We’ve got resources ready — just reach out to cyberhealth@pmmi.org.