The email looks perfect. It comes from your managing director and asks finance to approve an urgent payment. A follow-up call confirms it, in a voice you know well. Both are fake. AI phishing attacks on UK businesses now work exactly like this. Criminals use artificial intelligence to clone voices, fake video calls, and write flawless scam emails. Old advice about spotting bad grammar no longer protects you. This guide shows how these attacks work, why spotting them fails, and the steps that stop them.
What is an AI phishing attack?
An AI phishing attack is a scam that uses artificial intelligence to impersonate someone you trust. Criminals create fake emails, cloned voices, or deepfake video to trick you into sending money or data. These messages contain no spelling errors and feel personal, which makes them very hard to spot.
Generative AI changed how these scams are made. It writes perfect English in seconds, in any language. It pulls names and details from your website and LinkedIn. The message then reads like a genuine note from a colleague.
The three main types of AI phishing
AI phishing shows up in three main forms:
- Fake emails, often called business email compromise, that impersonate a boss or supplier.
- Voice cloning, known as vishing, where a familiar voice asks for money or data.
- Deepfake video calls, where the faces and voices on screen are fully AI-generated.
Here is how the old threat compares with the new one:
| Feature | Traditional phishing | AI phishing |
| Grammar | Spelling and grammar mistakes | Flawless, professional writing |
| Personalisation | Generic greetings | Uses your real name, role, and projects |
| Channel | Mostly email | Email, phone, and video |
| How to spot it | Look for obvious errors | Errors are gone, so verify instead |
How AI voice scams target UK businesses
Voice cloning scams are real and they now target UK businesses. Criminals copy a voice from a few seconds of public audio. They lift it from voicemail greetings, webinars, YouTube, or LinkedIn videos. The cloned voice then phones your team to approve a payment.
One famous case hit the engineering firm Arup. According to news reporting, a finance worker joined a video call in 2024. Everyone on the call looked and sounded like senior colleagues. All of them were deepfakes. The worker approved 15 transfers worth around 25 million US dollars.
Your business does not need to be huge to be a target. In our work with finance and HR teams across London and the South East, the most common attempt is simpler. A supplier emails to say its bank details have changed. The request looks routine, so the payment goes out to a criminal account.
Phishing is the number one threat to UK organisations. According to the UK Government’s Cyber Security Breaches Survey, around 85% of breached businesses pointed to phishing as the cause. Smaller firms are exposed because they lack the layered checks that large companies use.

Why spotting bad grammar no longer protects you
You can no longer spot AI phishing by hunting for mistakes. The grammar is perfect and the details are accurate. Worse, research suggests people cannot reliably tell a high-quality cloned voice from a real one. Defence has to shift from spotting fakes to verifying requests.
Even the Arup worker was careful. He suspected the first email and asked for a video call to check. The fake call removed his doubts. Trusting your eyes and ears is no longer a safe test.
Warning signs of an AI phishing attack
Most AI scams still share a few red flags. Watch for these signs before you act on any request:
- Sudden urgency, with pressure to act before the end of the day.
- A demand for secrecy, such as a request to keep the matter confidential for now.
- Any request to change supplier or payee bank details.
- A push to skip your normal payment approval process.
- Odd moments on a call, like unnatural pauses or audio that lags the lips.
- Reluctance to switch to a known phone number or channel.
None of these signs proves a scam on its own. Together, they should stop you and trigger a check. The NCSC also publishes free phishing guidance for UK organisations.
How to protect your business from AI phishing attacks
Good process stops these attacks, not guesswork. Build verification into every payment and data request. These steps work for any UK business, whatever its size.
- Verify on a separate channel. Call back on a saved number, never the one in the message.
- Use a pre-agreed code word for senior staff and finance. Rotate it every quarter and never email it.
- Apply a cooling-off rule. Hold urgent or out-of-hours payments until two named people confirm them.
- Require dual sign-off for any payment above a set limit.
- Update staff training. Drop the grammar advice and teach verification instead.
- Lock down the technical layer. Turn on multi-factor authentication and email checks like SPF, DKIM, and DMARC.
That last step is hard to watch alone. Attacks often start by quietly breaking into your email system first. GR.IT provides 24/7 monitoring and proactive threat detection that catches that activity early. We stop attacks rather than clean up after them.
What to do if you think you have been scammed
Act fast if you suspect a scam. Quick steps limit the damage and improve your chance of recovery.
- Call your bank’s fraud team at once. In the UK you can dial 159 to reach your bank safely.
- Report it to Action Fraud, or to Police Scotland if you are in Scotland.
- Check whether personal data was exposed and assess your ICO duties within 72 hours.
- Look for unexpected email forwarding rules, a common sign of a hacked account.
- Reset passwords and ask your IT security provider to check the full extent.
The takeaway for UK businesses
These scams will keep getting better, so your defence cannot rely on spotting fakes. Strong verification habits and constant monitoring are what keep your money and data safe. Build the process now, before a convincing email lands in your inbox.
Want to know how exposed your business is today? Book a security review with GR.IT and we will show you where the gaps are.
If a fake email from your boss asked finance to pay today, would your team know how to check?