If you received a FaceTime call from your business partner right now: her face, her voice, her mannerisms all perfectly clear: asking you to wire $15,000 to a new vendor for an “urgent closing,” would you do it? Incidents like this show why cybersecurity solutions for small business are more important than ever.
Most of us would. We trust our eyes and ears. But in the world of modern business fraud, those are the two things you can no longer rely on. Deepfake technology has moved out of Hollywood and into the inbox of small business owners, medical practices, and CPA firms. It’s no longer about a Nigerian Prince sending a broken English email; it’s about a high-definition video of your CEO telling you to change a routing number.
At Keystone IT Connect, we see this evolution every day through our network security monitoring services. The tech has changed, but the goal remains the same: to catch you off guard.
Here is a practical, five-step playbook to protect your cash flow and ensure that your team never falls for an AI-generated impersonation.
1. Formalize Your “Money Roles” in Writing
Most small businesses operate on trust. In a small CPA firm or a local medical clinic, the person who handles the books is often the same person who answers the phone. This lack of “separation of duties” is exactly what fraudsters look for.
The first step isn’t technical; it’s administrative. You need to define exactly who has the authority to request, approve, and execute a payment.
- Authorized Roles: Create a simple list. Only these three people can request a payment change. Period.
- The Four-Eyes Principle: For any payment over a certain threshold: say $2,500: require two different people to sign off. One person requests, a second person verifies.
- The “Urgency” Red Flag: Deepfake scams rely on urgency. Make it a policy that no “emergency” or “confidential” request is exempt from the standard approval process. If a request is truly urgent, it can wait the three minutes it takes to follow the protocol.
By tightening who can move money, you reduce the “attack surface” of your business. If a fraudster manages to trick one person, they still have to get past the second.
2. Implement the Mandatory 2-Channel Verification Rule

This is the single most important rule you can implement. We call it the “Golden Rule” of payment security.
Never approve a payment or a bank detail change based on a single communication channel.
If a vendor sends an email saying they’ve changed their bank, you don’t just update the file. You call them. But: and this is the crucial part: you don’t call the number listed in the email. You call the number you have in your pre-verified records.
For healthcare technology solutions, where patient data and vendor payments are constant, this rule saves firms from devastating losses.
- Channel 1: The request (Email, SMS, or Video Call).
- Channel 2: The verification (A phone call to a known number or a secure message through a client portal).
If the request comes via a video call (even if it looks like your boss), the verification must happen via a separate, trusted channel like a phone call or a face-to-face confirmation.
3. Create a Verbal Passphrase for High-Stakes Requests
Deepfakes are getting scary good at imitating voices. We’ve moved past the “robotic” sounding AI; today’s voice cloning can mimic tone, pitch, and even regional accents after listening to just 30 seconds of a person’s real voice (easily found on LinkedIn or YouTube).
Because we provide 24/7 IT support, we often advise our clients to go “old school” to beat high-tech fraud.
Establish a “Business Safe Word” or a challenge protocol. This is a private passphrase known only to your owners and the finance team.
- The Challenge: If an owner calls and asks for an unusual transfer, the employee says, “I’ll get right on that, but I need to confirm the safety code first.”
- The Response: The owner provides the code. If they hesitate, make excuses, or get angry, the employee is trained to hang up and call the owner back on their personal mobile.
It might feel a little “James Bond” at first, but for a CPA firm in Pennsylvania handling millions in client funds, a simple passphrase is a $0 security solution that works every single time.
4. Run “Sanity Check” Training for Your Staff

Cybersecurity is 10% software and 90% human behavior. You can have the best cybersecurity solutions for small business, but if a tired employee clicks “approve” on a Friday afternoon, the tech can only do so much.
Train your team to look for the “Deepfake Trifecta”:
- Unexpectedness: Did this request come out of the blue?
- Urgency: Is the caller pushing you to “skip the usual steps” or “do this before the bank closes”?
- Anomalies: Does the person on the video call seem to have a glitchy background? Is their voice slightly out of sync with their lips? (These are common deepfake artifacts).
Encourage a culture where it is safe to question the boss. If an employee is afraid to challenge a suspicious request from the CEO, they are a liability. Reward employees who stop and verify. It’s much better to have a slightly annoyed CEO than a bank account with a $50,000 hole in it.
5. Deploy Technical Safeguards and Network Monitoring
While the human element is key, you need a safety net. Modern network security monitoring can identify if a malicious actor is inside your system, observing your payment patterns to prepare for a deepfake attack.
Here are three technical “must-haves”:
- Multi-Factor Authentication (MFA): This isn’t optional anymore. MFA should be on every email account, every banking portal, and every accounting software. If a hacker gets into your email, they can “stage” a deepfake by sending follow-up emails that make the fake video look legitimate.
- ACH Filters and Positive Pay: Talk to your bank. Most offer “Positive Pay” services where the bank will only honor checks or ACH transfers that match a list you’ve pre-uploaded. It adds an extra layer of defense at the point of the transaction.
- Email Guardrails: Set up your email system to flag any message coming from outside the organization with a big red “EXTERNAL” banner. This prevents “cousin domain” spoofing (e.g., @keystoneitconnect.co instead of .com).

Keeping Your Business Resilient
Deepfakes are a sophisticated tool, but they rely on an old-fashioned weakness: the human desire to be helpful and fast. By slowing down, implementing a two-step verification process, and using the right technical monitoring, you can make your business an impossible target for AI-driven fraud.
If you’re unsure if your current network can handle these emerging threats, we’re here to help. Whether you need a full cybersecurity guidebook or a team to watch your back 24/7, Keystone IT Connect treats your business like family.
Don’t wait for a suspicious FaceTime call to realize your defenses are down. Let’s get your protocols in place today.