Concept illustration of an AI-driven deepfake call targeting a business during tax season. Cybersecurity experts warn that voice cloning attacks are expected to rise significantly in 2026.

For twenty years, I have told CEOs that cybersecurity is a “people problem,” not a “tech problem.” Usually, they nod politely and then go hire another firewall consultant.

But as we enter the 2026 tax season, the bill for that misunderstanding is coming due.

A new report from Thomson Reuters warns that this filing season will be the first “AI-native” fraud event. Criminals are no longer just hacking servers; they are hacking identities. Using readily available AI tools, they can clone a CEO’s voice from a 30-second YouTube clip and use it to call a finance controller, demanding an urgent wire transfer for “tax liabilities.”

The scary part? It works. In a widely publicized case, a finance worker at a multinational firm recently paid $25 million to fraudsters after a video call where the CFO—and everyone else on the call—was a deepfake simulation.

If a global finance team can be fooled, what chance does a small business owner on a cell phone have?

The answer is: None, if they rely on technology alone.

We have reached a tipping point where our senses—our ability to recognize a familiar voice or face—are now vulnerabilities. The traditional advice of “call to verify” is dangerous when the voice on the other end might be a synthetic clone.

This is the “Cyber Poverty Line” in action. Fortune 500 companies have “Zero Trust” architectures and expensive identity verification tools. Main Street businesses have… antivirus software and a hope that their receptionist doesn’t click the wrong link.

As I wrote in Cybersecurity for CEOs, we cannot buy our way out of this. We have to lead our way out.

The solution for the 2026 tax season isn’t a new software patch. It is a “Human Operating System” patch. It requires CEOs to implement non-technical protocols that cost zero dollars but save millions:

1. The “Code Word” Protocol: Never authorize a payment over $5,000 based on voice or video alone. Establish a “challenge-response” phrase (like a specific sports team or childhood street) that must be spoken to validate the request. AI can fake a voice; it cannot guess a secret shared offline.

2. The “Slow Down” Rule: AI-driven fraud relies on urgency (“The IRS will fine us if you don’t wire this now!”). As a leader, you must explicitly give your staff permission to say “No” to you. Tell them: “If I ever call you in a panic demanding money, hang up. It’s not me.”

3. The “Out-of-Band” Verification: If you get an email request, verify it via text. If you get a text, verify it via an internal chat tool. Never reply in the same channel the request came from.

Technologists will tell you we need more AI to fight AI. They aren’t wrong. But for the average business owner trying to survive 2026, the best defense is not artificial intelligence. It is human skepticism.

Your firewall can stop a virus. Only your culture can stop a deepfake.

Sean P. Conroy is the founder of InventiveHQ and author of “Cybersecurity for CEOs: What Every Business Leader Needs to Know” (2025).

Media Contact
Company Name: Inventive HQ
Contact Person: Sean Conroy
Email: Send Email
Phone: (866) 903-2097
Address:2305 Historic Decautr Rd Suite 100
City: San Diego
State: CA
Country: United States
Website: https://inventivehq.com