in the age of ai-driven fraud, trust is no longer enough

in a recent accounttech webinar, “internal controls in an era of artificial intelligence,” cpa and former auditor cheryl wellman delivered a stark warning:

“trust alone is no longer sufficient. in today’s ai environment, schemes are designed specifically to exploit that trust.”

as ai-powered scams become more convincing, businesses — especially those handling high-volume transactions like real estate brokerages — must rethink how they protect themselves.

the rise of “stolen trust”

fraud is no longer just about stolen passwords or phishing emails. today’s attackers are researching companies, studying leadership behavior, and exploiting human psychology. ai tools can now replicate voices, faces, and communication styles with stunning accuracy. one increasingly common scenario discussed in the webinar:

an employee receives a video call from a distressed executive requesting an urgent wire transfer.
the voice matches. the face matches. the urgency feels real.

but it’s not the executive. it’s a deep fake — an ai-generated impersonation. because these scams mimic authority figures so convincingly, employees often bypass normal procedures to “help” leadership quickly. that’s exactly what fraudsters are counting on.

why traditional fraud detection is failing

for decades, many organizations have relied heavily on detective controls — processes designed to catch mistakes after they happen. in an ai-driven world, that approach is no longer sufficient. by the time fraud is detected:

• the wire transfer is complete
• the funds are gone
• recovery is unlikely

wellman emphasized that companies must shift toward preventative controls — systems designed to stop fraud before it can occur. the key question is no longer:

“did we catch the mistake?” it must become: “did we prevent the system from allowing the mistake to happen?”

4 practical strategies to protect your organization

during the session, wellman outlined actionable safeguards businesses can implement immediately:

1. the “secret phrase” defense - to combat deep fakes, organizations can establish a non-digital safe phrase — something never written down or stored electronically.

for example: “it’s snowing in the jungle.”

if a request feels suspicious, the employee asks for the phrase. an ai clone won’t know it. this simple step creates a powerful human checkpoint.

2. tone at the top

internal controls fail when leadership makes exceptions. if executives prioritize speed over security, employees will follow that example. a culture that allows “just this once” overrides creates instability in the control system. leadership must clearly communicate: integrity and security always supersede urgency.

3. segregation of duties

no single person should:

• create a payment
• approve the payment
• release the payment

separating responsibilities creates natural friction in the system — and friction is what stops fraud. in fast-growing companies, convenience often leads to consolidation of roles. that convenience now carries significantly higher risk.

4. centralized and verified onboarding

“fake vendor” schemes are rising rapidly. before entering a new vendor or agent into your accounting system, businesses should implement:

• irs tin matching
• bank account validation
• independent verification of business identity

fraud prevention begins before the first transaction is ever processed.

the human element is still the ultimate firewall

ironically, while ai is driving the threat, it also reinforces the importance of human judgment. automated attacks are becoming more adaptive. bots can now modify tactics between attempts, learning from failed interactions. but machines still exploit one thing best:

human trust.

“speed is currency in business,” wellman concluded, “but judgment is your protection.”

the organizations that thrive in this new environment will not be the fastest — they will be the most disciplined.

the bottom line

ai-driven fraud is not a future risk. it is a present reality. trust remains important — but trust without verification is now a vulnerability. companies must move beyond reactive detection and build proactive, preventative systems that assume sophisticated impersonation is possible. because in the era of ai-driven fraud, internal controls are no longer optional safeguards. they are business survival mechanisms.