The voice on the phone told an Ontario grandmother that her grandson had been arrested and needed bail money fast. It was his voice, down to the cadence, and it was a clone, stitched by artificial intelligence from a few seconds of audio scraped off the internet.
She nearly sent the money. Swap the grandson for a son still living overseas, or for an officer who claims to be from the Canada Revenue Agency (CRA), and the same trick lands on someone four months into a new country who has no way to know what the real call is supposed to sound like.
A SecureWorld article earlier this year traced why Canadian fraud-prevention infrastructure keeps missing newcomers and named three vectors that land hardest on them: authority impersonation, settlement-workflow scams, and long-rapport investment fraud. Each of those used to require a human on the other end, working one mark at a time. A follow-up argued the gap was an engineering problem for banks to build their way out of. The newer development is who is doing the engineering, and it is no longer only the defense.
The economics of the attack collapsed. Cloning a voice convincingly once took a studio; now it takes three seconds of recorded speech, which is why the U.S. Federal Trade Commission warned that scammers are using AI to sharpen family-emergency schemes. Reported AI voice-scam activity climbed 1,210 percent over the past year by one count. The script did not change; the unit cost of running it a thousand times did.
That is the shift worth tracking. AI did not invent a fourth fraud vector. It industrialized the first three, and an industrialized attack finds the softest segment first.
A 20-year resident has heard a real CRA call, or knows someone who has, and can feel when the cadence is wrong. A person in month four has no such baseline. The reference points that let a long-time resident dismiss a fake are exactly the ones still being assembled in the early months of settling into a new country.
The agencies themselves see this. Immigration, Refugees and Citizenship Canada (IRCC) now warns that some scammers use AI to generate fake content that appears to come from the department, including messages with fake interview links demanding immediate action. The CRA, for its part, publishes a standing reminder on how to verify a real call, because the impersonation of its officers is constant and the agency knows newcomers are among the least equipped to tell the difference.
The exposure attached to the voice channel is not abstract. The segment most at risk is the one that has not yet learned what each institution sounds like, which is precisely the cohort an AI clone targets when it impersonates a relative or an official. An attacker who can spin up a fake son, a fake immigration officer, and a fake bank fraud-line in the same afternoon does not need a high hit rate; the cohort supplies the volume.
Authority impersonation works because it borrows real procedure. A newcomer often does owe the CRA a filing, does have an open file with IRCC, and does expect their bank to call about a flagged transaction. The fraudster does not have to invent a pretext; the legitimate institution has already supplied one. AI removes the last tell that used to give the script away—the stilted accent or the off-key phrasing—and replaces it with a clone trained on the exact voice the victim is primed to trust. The result is a call that matches a real obligation, in a real-sounding voice, arriving at a moment when the customer has the least context to doubt it.
Here is where most onboarding stacks break. A four-month-old account already strains document-and-selfie verification, because the customer is new to every system at once. Feed a deepfake into that same flow and the check fails in a way the old playbook never anticipated.
Fraudsters now defeat identity verification not by forging a better document but by injecting a synthetic human. iProov logged a 2,665 percent surge in native virtual-camera attacks and a 300 percent rise in face-swap attempts, where an AI-generated face is piped through legitimate camera software to fool a liveness check. The same research found that only 0.1 percent of people could reliably spot a deepfake on their own, which is the entire case against leaving the call to human judgment. Veriff reported that deepfakes now drive one in 20 identity-verification failures. Sumsub's annual data shows the "complex multi-step" attack category—the kind that chains a deepfake with stolen data—jumped 180 percent year over year as simpler tactics stopped working.
The cost of getting this wrong is specific. A deepfake that clears onboarding does not produce one fraudulent transaction; it produces a fully verified account that passed every gate, then drains for months before anyone flags it. The question the stack now has to answer is no longer "is this document real?" It is "is this a live human, present right now, and the person they claim to be?"
Liveness and injection detection as the baseline
Two failure modes hide inside that question. A presentation attack holds a photo or replays a video to the camera; an injection attack skips the camera entirely and feeds synthetic video straight into the verification pipeline. Sumsub recorded a 300 percent rise in identity-document fraud as those techniques matured, and injection is the harder of the two to catch because nothing physical is ever presented.
The metric a fraud operations team can pull today is the deepfake-and-injection catch rate on the first-90-day cohort, measured separately from the general population. Run it as its own line. A newcomer segment that quietly underperforms the general detection rate is the blind spot, sized in basis points.
Provenance for the voice channel
The voice channel needs its own answer, because voiceprint authentication is now a liability rather than a control. A system that trusts a matching voiceprint will trust a good clone. The defense is out-of-band: a callback to a number the institution already holds, or verification through a channel the caller did not choose. The CRA's own guidance points the same direction, telling people to hang up and call back on a published line rather than trust the voice in front of them.
For a newcomer cohort, that control has to exist in a language the customer actually speaks, or it does not exist at all. A verification step that only works in English or French excludes the very segment it is meant to protect.
The attacker's marginal cost is near zero. A defense built analyst-by-analyst cannot match a defense that has to clear a thousand synthetic faces an hour, which is the structural reason AI-driven fraud has outpaced single-institution response. SecureWorld's reporting on AI-driven financial crime frames the same arithmetic: tools that scale the attack force the defense to scale or surrender ground.
The prior installment's argument for shared intelligence carries straight into the AI era, with one twist. It is not enough to share a confirmed synthetic identity after the fact. The signal worth propagating at machine speed is the typology itself: a cloned-voice script targeting a specific diaspora, a face-swap pattern hitting one onboarding flow, a fake-IRCC template circulating this week. A typology that surfaces in one institution on Monday should not take until Friday to reach the other five seeing the same campaign.
The latency is where the loss lives. A campaign that runs four days unshared is a campaign that clears four days of onboarding before the second institution recognizes the pattern, and AI lets the same template hit every institution in the country inside that window. The technical posture has to match the threat: automated liveness and injection checks at the point of verification, voiceprint demoted from proof to a single weak signal, and a typology feed that updates in hours rather than at the speed of a quarterly fraud trends report. None of that is exotic. The detection tools exist; what most programs lack is the instruction to point them at the newcomer cohort as a named segment with its own scorecard.
A program is only as honest as the metrics it will commit to in writing. Three map cleanly onto the AI vector.
First, the deepfake-and-injection catch rate inside the first-90-day cohort, held against the general-population rate. Second, the share of high-risk authority-impersonation reports that reached an out-of-band verification step before money moved, broken out by the customer's preferred language. Third, the median latency from the first sighting of a synthetic-voice or synthetic-video typology to a cohort-wide alert across the institutions that share signal. None of the three requires a vendor to define it.
The clone costs three seconds of audio and a few dollars. The callback that defeats it costs a few minutes. That asymmetry—attacker-cheap against defender-cheap—is the entire program brief, and the team that measures the gap is the one that closes it.