AI has erased the typos, grammar errors, and sloppy design that used to reveal a scam. The four most common 2026 attacks are AI phishing, ClickFix popups, voice clone calls, and MFA fatigue prompts, and each one requires a new defense: evaluating what a message is asking you to do, not how polished it looks.
For a long time, the best way to spot a scam was to look for a mistake.
You looked for the misspelled word in the subject line, the blurry logo, or the "Dear Customer" greeting that felt a little too generic. It was a game of spot the difference. If the email looked sloppy, you knew it was a fake.
That strategy worked because scammers were limited by their own reach. They were casting wide nets, hoping to catch the few people who wouldn't notice a typo.
In 2026, the typos are gone.
AI doesn't misspell words. It doesn't get your name wrong. It has likely scanned your social media profile and knows where you went to school and which conference you attended last Tuesday. The spot-the-difference era is over.
The question has to change: instead of asking whether a message looks real, we have to start asking what it is trying to get us to do.
We run IT for Alberta businesses, and attacks like the ones below land in client inboxes every week.
The Perfect Email: AI-Generated Phishing
Imagine an email lands in your inbox on a Tuesday morning. It is from a lawyer you don't know, but the firm is real and the signature block is clean. The subject line reads, "Quick question on the Edmonton office lease." The email congratulates you on the expansion, mentions the LinkedIn post you wrote last week, and explains that their legal team flagged a conflict in standard lease language that usually costs tenants money at signing. There is a redline attached. They would like your thoughts before your Thursday meeting.
Every detail checks out. The expansion is real. The Thursday meeting is on your calendar. The LinkedIn post is three days old. You might not even remember writing it.
The message is an AI-generated fake, assembled from public information in about five minutes. The attacker has never met you, has never been to your city, and knows nothing about lease law. What they have is a scraper, a language model, and your name.
The only part of the email worth trusting or doubting is the request at the end: open this attachment. The flattery, the specificity, the perfect grammar, none of it is evidence of legitimacy. It is decoration around an ask.
The Helpful Popup: ClickFix Attacks
The same pattern shows up on websites. You are trying to open a document a supplier sent you. The page flickers, a window slides in over the document, and a message tells you something went wrong: the file failed to load, or your browser needs an update, or you need to verify you are human. The branding is correct. The design is clean. But instead of a download button, the page gives you a line of code and asks you to copy it, open your computer's command terminal, and paste it in.
This is called ClickFix, and it is the fastest-growing attack of the last two years. It works because the scammer knows that if they send you a virus, your security software will probably catch it. If they can get you to run the command yourself, you are opening the door and inviting them in. Security software cannot protect you from you.
A page you did not go looking for should never ask you to paste a command into a terminal. That is not how legitimate software fixes itself. Any page that does is the problem, not the fix.
The Familiar Voice: AI Voice Cloning Scams
Text is one thing. Voice is another.
AI can now clone a recognizable version of a human voice from less than five seconds of audio. A podcast clip, a video on social media, or a voicemail greeting. Any of those is enough. If your voice has ever been online, a usable copy of it is available to anyone who wants one.
Your phone rings on a Saturday afternoon. The caller is your daughter. She is crying. There has been a car accident, she has been taken in by police, and she needs bail money sent right now. She sounds exactly like herself. She asks you not to tell her mother yet, because she is ashamed.
The sophistication is not really the point. The emotional shortcut is. When you are scared for someone you love, you do not pause to look for red flags. You act.
The pattern to watch for is three things together: urgency, secrecy, and an untraceable payment method. Any one of them on its own is just life. All three at once is a machine talking to you. A real relative in a real emergency will accept, "I am going to call you back on the regular number I have saved." A scammer will not.
The Late-Night Buzz: MFA Fatigue Attacks
It is 11:43 on a Tuesday night. Your phone buzzes on the nightstand. It is a login approval prompt, the kind most important accounts now send when someone tries to sign in. You tap deny and roll over. It buzzes again. Deny. Again. And again. By the tenth one you are half-awake and irritated, and you approve just to make the buzzing stop. Then you fall asleep.
The login you just approved was real. Somebody had your password. The prompt on your phone was the last thing standing between them and your account, and you waved it through. That second step, the one you bypassed, is called multi-factor authentication, and it is the single strongest defense most people have. MFA fatigue is an attack on the person holding the phone.
Every MFA prompt is asking a question: did you just try to sign in? If the answer is no, the only correct answer is deny, no matter how many times it buzzes. Noise you did not cause is not a reason to approve something. It is a reason to change your password.
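On the IT side, the same pattern can be watched for in the sign-in log. The sketch below is an added example, not part of the original article or any vendor's tooling: it scans a constructed list of push-prompt results for a burst of denials and reports whether an approval followed. The log format, the function name `find_mfa_fatigue`, the verdict labels, and the thresholds (three denials within ten minutes) are all assumptions to adapt to whatever your identity provider exports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log: (ISO timestamp, user, result). Not real data.
SAMPLE_EVENTS = [
    ("2026-03-03T09:02:10", "alice", "approved"),   # normal morning sign-in
    ("2026-03-03T23:43:05", "bob", "denied"),
    ("2026-03-03T23:43:40", "bob", "denied"),
    ("2026-03-03T23:44:15", "bob", "denied"),
    ("2026-03-03T23:45:02", "bob", "denied"),
    ("2026-03-03T23:46:30", "bob", "approved"),     # gave in after repeated prompts
    ("2026-03-04T02:10:00", "carol", "denied"),
    ("2026-03-04T02:10:45", "carol", "denied"),
    ("2026-03-04T02:11:20", "carol", "denied"),     # held firm, never approved
    ("2026-03-04T08:30:00", "dave", "denied"),      # single mis-tap
    ("2026-03-04T08:30:20", "dave", "approved"),
]

def find_mfa_fatigue(events, window_minutes=10, min_denials=3):
    """Return {user: verdict} for users showing a burst of denied prompts.

    'approved_after_burst' -> treat the account as taken over
    'denied_burst'         -> password is likely known; reset it
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> timestamps of recent denials
    verdicts = {}
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        denials = recent[user]
        while denials and ts - denials[0] > window:
            denials.popleft()     # forget denials older than the window
        if result == "denied":
            denials.append(ts)
            if len(denials) >= min_denials:
                verdicts.setdefault(user, "denied_burst")
        elif result == "approved":
            if len(denials) >= min_denials:
                verdicts[user] = "approved_after_burst"
            denials.clear()       # a completed sign-in resets the streak
    return verdicts

if __name__ == "__main__":
    for user, verdict in find_mfa_fatigue(SAMPLE_EVENTS).items():
        print(f"{user}: {verdict}")
```

Both verdicts mean somebody has the password; the difference is whether the account itself also needs to be treated as breached.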
The bottom line
The four attacks above are not a separate list from the scams that take small businesses down. They are how those scams start. Wire fraud, ransomware, payroll diversion, and account takeover all begin with a moment that looked small at the time: an attachment opened, a command pasted, a voice believed, a prompt approved. The money loss comes later, sometimes weeks later, long after the opening move has been forgotten.
Common questions about modern scams
The questions that come up most often when small businesses start looking at how AI has changed phishing, fraud calls, and account attacks.
What should we do if a staff member already clicked, pasted, or approved something?
The first priority is getting that device off the network: unplug the network cable or turn off Wi-Fi until someone can look at it. Change the person's passwords on email, banking, payroll, and anything that holds money or customer data, and have them signed out of every other device that may still be logged in. Call the IT provider right away, and call the bank or payroll company if those accounts were involved, so they can see what happened on their side and lock the account down. It is tempting to wait and see whether anything bad happens, or to clean up by rebuilding the device, but both instincts make the situation worse for the people who will have to investigate it.
If we already use multi-factor authentication, are we safe from these attacks?
Multi-factor authentication is the strongest defence most people have against account attacks, but it does not stop every attack on this page. MFA fatigue, as the article describes, is itself an attack on MFA, and a well-built fake login page can collect the MFA code the same way it collects the password and use both within seconds. The protection that holds up against both is a stronger form of MFA that uses the phone itself or a small physical key to confirm the sign-in directly, instead of asking the person to type in or tap a code. Microsoft 365 and Google Workspace both support this stronger version, and an IT provider can turn it on as part of the existing licensing, alongside rules that flag sign-ins from unexpected locations or devices.
Aren't email filters and security software supposed to catch most of this?
Email filtering catches a large volume of generic, mass-mailed scams before they reach anyone, but it does not reliably catch AI-written phishing or business email compromise, because the modern attacks are designed to read like the legitimate messages a business already receives. Browser security and modern endpoint software interrupt many ClickFix pages and known-bad scripts, but the entire ClickFix attack pattern exists because the victim runs the command themselves, which bypasses those defences. The protection that holds up against AI-written phishing is not detection at the inbox; it is verifying the request itself through a known channel before any money, credentials, or banking details change hands. The right configuration of email, browser, and sign-in protections still matters and an IT provider should be asked whether they are current, but those layers do not change the answer when a well-crafted message does land, which is to verify the requested action before acting on it.
Are small businesses more or less at risk than larger companies for these attacks?
Small businesses are at higher risk for these specific attacks than they used to be, because making a convincing fake email, page, or voice clone now costs the attacker almost nothing. Attackers used to choose between sending the same generic scam to millions of people and hand-crafting one attack for a large company; AI removes that trade-off, so a 30-person business can now be the target of an attack that would once have only been worth running against a much larger organization. Where SMBs are most exposed is what happens after something goes wrong: a large company has a security team and a contract with an outside firm ready to step in, while a small business has the owner and the IT provider working from whatever process happens to be written down. The result is that each successful attack costs a small business more relative to its size, which is why having a short, written response plan ready before something happens is more useful at this scale than the size of the business might suggest.
How do you spot a modern scam if there are no more typos?
Spotting a modern scam requires evaluating the request inside the message instead of the polish around it. Most scams still combine urgency, secrecy, and a payment method that cannot be reversed, so any message with those signals together is a reason to pause and verify through a different channel.
Read the full guide
How to Spot a Scam Before You Click covers the rest of the chain: the email, page, call, QR code, and text patterns worth recognizing, and what to do if you have already clicked.