A phone rings. It’s your daughter. She’s crying. She’s been in an accident. She needs you to send money right now, and please don’t tell anyone - she’s embarrassed.
The voice is hers. The cadence is hers. The little catch in her throat when she’s upset - that’s hers too.
It isn’t her.
This is not science fiction. It happened thousands of times in 2025. According to the FBI’s 2025 Internet Crime Report, Americans reported nearly $893 million in losses tied to AI-related scams last year - and that’s only the cases where victims recognized AI was involved. The actual number is almost certainly higher.
I’ve spent the last few weeks reading a new academic book - Cognitive Cyber Crimes in the Era of Artificial Intelligence (Wiley-Scrivener, 2026, ISBN 9781394386574). It’s a serious, dense, 544-page research volume aimed for researchers and forensic analysts. Most people will never read it. They probably shouldn’t have to. But the central message in those pages is one that everyone needs to understand right now, and that’s what this article is - a plain-language translation for the rest of us.
The shift: from your machine to your mind
For thirty years, the cybercrime business was about hacking machines. Find a vulnerability, exploit it, steal the data, encrypt the disk, ransom it back. The defenders got better - firewalls, multi-factor authentication, endpoint protection, zero trust. The technical attack surface got harder.
So the attackers moved.
The easiest path to your money, your accounts, and your company’s wire transfers has never been your firewall. It’s always been you. Artificial intelligence has now turned that path into a highway.
The book frames it without softening: cognitive manipulation is now the primary attack surface. Not your laptop. You.
What actually changed
Three things, all at once, all in the last 24 months.
Cloning got cheap. A usable voice clone can now start with only a few seconds of audio. A passable visual fake can start from very little public material. The barrier is no longer technical. It is almost zero.
Personalization got instant. A phishing message tailored to your role, your boss, your last vacation, your child’s school - generated in the time it takes to read this sentence. By a machine that doesn’t sleep.
Volume got infinite. Attackers no longer pick targets carefully. They spray personalized attacks at everyone. Even a 0.1% success rate against ten million people is ten thousand victims.
The new attack vectors, in plain language
The cloned voice
A “family member” in distress. A “CEO” requesting an urgent wire. A “bank” asking you to confirm a transaction. The voice feels real, because they built it from your LinkedIn video, your podcast appearance, your YouTube channel, your TikTok.
One of the first widely reported cases happened in 2019, when criminals used a deepfaked CEO voice to steal $243,000 from a UK energy firm. In 2024, deepfake fraud at the British engineering firm Arup reached about $25 million in a single video call. The technology has gotten dramatically better and cheaper since.
The perfect message
You used to spot phishing by typos and broken grammar. That era is over. AI writes flawless English, flawless Spanish, flawless anything - and tailors the message to you specifically: your job, your context, your last meeting. There is no reliable language tell anymore.
The face that isn’t there
A Teams call. A Zoom meeting. A LinkedIn video. A job interview. The person on screen looks real, sounds real, and isn’t. As I wrote in When Your Friend Isn’t Your Friend, the question isn’t who appears to be talking to you - it’s how do you verify it’s actually them.
The synthetic stranger
A “person” who doesn’t exist - but has a five-year LinkedIn history, an AI-generated face, a fake network of mutual connections, and an offer that’s actually a phishing pretext. Whole careers, fabricated.
The deep profiler
Attackers feed your public footprint - social media, conference talks, podcast appearances, professional networks - into an AI that builds a profile of your habits, fears, and psychological triggers. Then they craft an attack designed for you. The book calls this Cognitive Persuasion Indexing. Attackers just call it the playbook.
How to spot them - the three awareness habits
You don’t need to be a security expert. You need three reflexes - three small habits that, once installed, change everything.
Habit 1 - The Urgency Reflex
Almost every cognitive attack has the same structure: something is wrong right now and you must act immediately. Real emergencies sometimes feel urgent. So does almost every scam. Treat urgency as the smell of smoke - not proof of fire, but a reason to slow down and look around.
Habit 2 - The Channel Check
Attackers want you off your normal verification rails. “Don’t email me, call this number.” “Don’t use the company chat, use my WhatsApp.” “Don’t tell anyone, this is sensitive.” If someone is pushing you out of your usual channels, that pressure is the attack.
Habit 3 - The Emotional Pause
Authority (“the CEO needs this now”). Fear (“your account will be closed”). Compassion (“your daughter is in trouble”). Greed (“limited investment opportunity, today only”). Cognitive attacks work because they hit your emotions before your reasoning has a chance to engage. When strong emotion arrives with a request, pause.
Three habits. Urgency, channel, emotion. Build them in once, use them for life.
How to defend yourself - six practical moves
This isn’t about installing more software. It’s about installing better habits.
1. Verify through a channel you already trust. If a “family member” calls asking for help, hang up and call them back on the number you already have. If a “boss” asks for an unusual transfer, walk to their desk or call their actual extension. The thirty seconds it costs you is nothing. It costs the attacker everything.
2. Set up a family safe word. Pick a word only your immediate family knows. If anyone calls claiming to be one of them in distress, ask for the word. Voice clones can’t bluff a code they’ve never heard.
3. Reduce your profiling surface. The more public audio, video, and personal data you have online, the easier you are to clone and target. You don’t need to disappear - be intentional. Lock down social media privacy settings. Think twice before long video appearances. Older relatives especially often have far more exposed than they realize.
4. Slow down on emotional money decisions. Almost no legitimate situation requires you to wire money or share a password in the next five minutes. Almost every scam does. Friction is your friend.
5. Move to passkeys wherever you can. Password phishing remains one of the most common ways in. If you don’t have a password to steal, the attacker loses their primary weapon. Most major services now support passkeys - use them.
6. Have the conversation with older relatives. Scams against grandparents using cloned voices are rising fast - the FBI specifically calls out voice cloning of loved ones as part of the 2025 AI fraud picture. The people most at risk are often the least informed. Have the talk now, not after.
The bigger picture
The technical layer of cybersecurity still matters. Firewalls, multi-factor authentication, patching, endpoint protection - none of it goes away. But the new frontier is human, and the attackers have already moved there. The book that prompted this piece names it clearly: cognitive manipulation as the primary attack surface. That’s what it is now.
The good news is that the defenses are also human. Skepticism. Slow thinking. Verification habits. Family safe words. Less digital exposure. None of them need a budget. All of them reduce risk.
The attackers have AI. You have intuition, friction, and the ability to pause.
Use them.
Source: Chakrawarti, R.K., Rawat, R., Singh, K.B., Raj, A.S.A., Singh, A., Rawat, H., Rawat, A. (eds.) (2026). Cognitive Cyber Crimes in the Era of Artificial Intelligence. Wiley-Scrivener. ISBN 9781394386574 (online) / 9781394386543 (print).
By: Cesar Rosa Polanco - Written from a real experience, with artificial intelligence used as an editorial support tool.