Fraudsters in the Age of AI

Lawyers make a living from signs of authenticity. We trust the letterhead, the signature block, the ongoing email thread, and the familiar voice on the phone. Our practices run, in large part, on small familiarities that form the soft machinery of trust.

And fraudsters know this.

In January 2026, the Lawyers Indemnity Fund described a Vancouver case that should stop us cold¹. A fraudster gained access to a firm’s systems and was able to “monitor and intercept emails to control the conversation.” When a civil litigator at the firm reached a $1.4 million settlement and emailed the client for transfer instructions, an email from the client to the litigator’s assistant provided those details. A subsequent email from the litigator—complete with the litigator’s electronic signature on the firm’s wire transfer form—confirmed verification of the transfer instructions. The funds were released.

The trouble was that both emails—the one providing transfer instructions and the one confirming verification—came from the fraudster.

This was not a crude email from a foreign prince. It was a quiet occupation of the firm’s nervous system. And similar stories are becoming familiar: B.C. firms hit with ransomware demands, compromised email threads, false payment instructions, and fraud disguised in ordinary practice.² The Canadian Anti-Fraud Centre recently reported that a Vancouver-area law firm was tricked into sending $2.3 million to Hong Kong in a business email compromise; the funds were recovered only because a Hong Kong bank and authorities moved quickly³.

This was not a crude email from a foreign prince. It was a quiet occupation of the firm’s nervous system. And similar stories are becoming familiar: B.C. firms hit with ransomware demands,

Synthetic authentication

Now add artificial intelligence.

In 2024, Arup, one of the world’s leading consulting engineering firms, confirmed that an employee in Hong Kong transferred about HK$200 million (approx. CAD$35 million) after attending a video call in which fraudsters used deepfakes to impersonate several senior company officers.⁴

Recent reporting on an AI Incident Database analysis describes deepfake fraud as reaching “industrial scale”: inexpensive, accessible, and increasingly tailored.⁵ It’s tempting to think that we will get better at recognizing deepfake fraud as time goes on, just as we did with fake calls and emails.

But AI changes the terrain. It does not merely help fraudsters write better emails; it helps them imitate the cues we use to decide who is real. As artificial intelligence gets better, so do the capabilities of fraudsters, who can leverage AI not only to target us through compromising the technology upon which we rely, but through social engineering as well.

The point is not that every future scam will involve a cinematic deepfake. Most will not. The point is that the old evidentiary cues—the email thread, the voice, the face, the familiar cadence—are becoming easier to manufacture. Fraud is moving from impersonating instructions to impersonating authenticity itself.

For high-risk instructions, voice and video should be treated as communication channels, not authentication methods. These should not be the key that opens the trust account, releases confidential documents, changes payment instructions, or confirms a settlement payout. In the AI era, “I heard them say it” and even “I saw them say it” is evidence to be weighed, not definitive proof.

Although the threat is becoming more sophisticated, the principled response is not necessarily more exotic: do not let the person asking for trust define how trust will be verified.

That is why the current guidance still matters. The Canadian Centre for Cyber Security tells organizations with 499 employees or fewer to do the ordinary things well: know your systems, patch software, use multi-factor authentication, train staff, protect accounts, back up essential information, have an incident response plan, etc.⁶ The Law Society reminds us that compromised practice devices can raise confidentiality and reporting issues.⁷ Law-firm guidance from the CBA and ABA points in the same direction: protect credentials, use multi-factor authentication (MFA), maintain reliable backups, and prepare to respond.⁸

These things are not optional. They are foundational. If you’re in firm leadership, LIF’s “What can you do?” guidance, in response to the story above, is worth reading against your firm’s procedures.

Judgment is not security architecture

AI changes the fraud problem because the adversary may become adaptive, with information-processing abilities no human fraudster could match and, where connected, could access a field of context vastly larger than any person could practically absorb.

Fraudsters no longer have to rely on fake emails or a lucky guess. They may be assisted by systems that can imitate voice and video, probe workflows, exploit organizational context, adjust when their attempts fail, and identify weaknesses in security protocols⁹. AI agents may not merely produce words—they may use tools, follow objectives, remember context, and act autonomously across systems¹⁰. Given enough access, context, and autonomy, the problem starts to look less like a fake message and more like an intelligent adversary. That makes the old “know the scams and avoid them” approach brittle.

We can no longer rely on everyone being well trained, alert, and suspicious every moment of the day. Human vigilance is essential, but it must sit inside systems designed to withstand manipulation: independent callback procedures, known contact channels, dual approval, limited authority, audit trails, and verification steps that do not depend on trusting the very communication being verified.

AI does not make old fraud irrelevant. It makes old fraud more scalable, convincing, and adaptive. The professional response is not panic, and not merely vigilance. It is designing systems that verify high-risk instructions, without relying on our standard signs of authenticity, those that fraudsters are learning to forge.

1. "Million-dollar funds transfer fraud twist: Fraudulent verification" January 22, 2026, Lawyers Indemnity Fund

2. "Four BC firms hit as cybercriminals ramp up attacks for summer" August 21, 2024, Lawyers Indemnity Fund

3. "International collaboration successfully intercepts and returns $2.3 million fraudulent transfer" July 24, 2025, Canadian Anti-Fraud Centre

4. "UK engineering firm Arup falls victim to £20m deepfake scam" May 17, 2024, The Guardian 

5. "Deepfake fraud taking place on an industrial scale, study finds" February 6, 2026, The Guardian

6. "Baseline cyber security controls for small and medium organizations" Government of Canada

7. "Advice Decision-Making Assistant (ADMA)" The Law Society of British Columbia

8. "Business Continuity & Disaster Recovery Planning Guide" CBA Resource | The Best Cybersecurity for Solo and Small Firms, The American Bar Association (login required)

9. "Anthropic Study Finds AI Model 'Turned Evil' After Hacking Its Own Training" November 21, 2025, Time.com

10. "Agentic Misalignment: How LLMs could be insider threats" June 20, 2025, Anthropic.com