The urgent call from your "CEO" asking you to move money might be a voice clone. The polished invoice email might be written by a machine. AI has turned fraud into a volume business, and Canadian companies are the ones paying for it.
A new survey from KPMG Canada puts numbers to what a lot of owners are sensing, and they're not reassuring. The takeaway for a small business isn't to panic; it's that the cheap, boring habits that stop this kind of fraud are now non-negotiable.
What the numbers say
KPMG surveyed 251 Canadian business leaders. Among companies that were hit by fraud, 81% said the fraud was AI-enabled. The specific tactics they saw: AI-generated phishing (60%), deepfake documents (39%), and voice-clone impersonation of executives (24%). And the gap that should worry every owner: 94% said they're concerned about AI-powered attacks in the year ahead, but only 26% have a tested response plan that actually accounts for them.
Zoom out and the trend is the same. The Canadian Anti-Fraud Centre says Canadians reported a record $704 million in fraud losses in 2025, and because fewer than one in ten frauds are ever reported, the real figure is far higher. The agency's own commissioner put it plainly: AI has handed fraudsters powerful tools to create convincing impersonations at scale.
Why small businesses are squarely in the blast radius
It's easy to assume deepfakes are a problem for big corporations. They aren't:
- The costliest single hit a small business takes is usually a wire redirected by a fake "boss" (business email compromise), and a cloned voice makes that scam far more convincing than a typo-ridden email ever did.
- Small teams are easier to fool. Fewer approval steps, more trust, and a culture of "just help the owner out fast" are exactly what these scams exploit.
- Most don't have a plan. As the KPMG numbers show, the majority of organizations have no tested process for the moment a convincing fake lands, so the decision gets made under pressure, which is how the money leaves.
How to defend (mostly without buying anything)
The good news: the defences that work against AI fraud are process, not product. They're cheap and they're boring, which is why they work:
- Verify money moves out-of-band. Any payment, or any change to banking details, gets confirmed by calling the person back on a known number. A simple callback rule defeats a voice clone every time.
- Require two people for transfers. Dual approval on wires and vendor-banking changes removes the single panicked click.
- Tell your team the rules changed. Make it normal to question an "urgent and secret" request from the boss; urgency plus secrecy is the red flag, not the politeness of the email.
- Cut off the phishing that starts it with MFA and email filtering, and keep a short, tested plan for what to do when something slips through.
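
One way to encode the callback and dual-approval rules above as a pre-payment check. This is an added example, not part of the original article: the contact list, field names and sample requests are constructed, and holding a request that is both urgent and secret is an assumption about how a team would act on that red flag.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed contact list: numbers recorded before any request arrived.
NUMBERS_ON_FILE = {"ceo": "+1-555-0199", "acme-supplies": "+1-555-0100"}

@dataclass
class TransferRequest:
    requester: str                       # who the message claims to be from
    purpose: str                         # e.g. "wire" or "vendor banking change"
    urgent: bool = False
    secret: bool = False
    number_dialed: Optional[str] = None  # number staff actually called back
    confirmed_on_call: bool = False
    approvers: set = field(default_factory=set)

def holds(req: TransferRequest) -> list:
    """Return reasons to hold the transfer; an empty list means release."""
    reasons = []
    on_file = NUMBERS_ON_FILE.get(req.requester)
    # A callback counts only if it went to the number on file, not one
    # supplied in the request itself (email signature, voicemail, caller ID).
    if on_file is None:
        reasons.append("no number on file for requester")
    elif req.number_dialed != on_file:
        reasons.append("callback not made to number on file")
    elif not req.confirmed_on_call:
        reasons.append("requester did not confirm on callback")
    # Dual approval: two people, neither of them the requester.
    if len(req.approvers - {req.requester}) < 2:
        reasons.append("fewer than two independent approvers")
    # Urgency plus secrecy is the red flag (assumed here to force a hold).
    if req.urgent and req.secret:
        reasons.append("urgent and secret: escalate before paying")
    return reasons

# Constructed sample: a cloned-voice "CEO" call that leaves its own callback number.
spoofed = TransferRequest("ceo", "wire", urgent=True, secret=True,
                          number_dialed="+1-555-0142", confirmed_on_call=True,
                          approvers={"ceo", "bookkeeper"})
# Constructed sample: vendor banking change confirmed on the number on file.
verified = TransferRequest("acme-supplies", "vendor banking change",
                           number_dialed="+1-555-0100", confirmed_on_call=True,
                           approvers={"owner", "bookkeeper"})

if __name__ == "__main__":
    for name, req in (("spoofed", spoofed), ("verified", verified)):
        print(name, holds(req) or "release")
```

The spoofed request fails even though someone "confirmed" it, because the confirmation came from a number the caller supplied and one of the two approvers was the requester.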