A single deepfake voice message can now trigger a five-figure loss—and for small business owners, the risks are growing faster than most realize.
AI-generated deepfakes are turning familiar voices into tools of deception, creating a fast-growing cybersecurity crisis. In 2023 alone, scams and fraud made up 50% of all cyber incidents in Canada, according to Statistics Canada—a six-point increase from just two years prior. But for many small businesses, this has yet to feel tangible, which leaves them dangerously exposed.
“This is a hot topic right now,” said Michael Malfa (pictured), a broker at Boardwalk Insurance, who works closely with small businesses on cyber liability. With over a decade of experience in risk management, Malfa has watched threats evolve rapidly—none more chilling than deepfake scams.
He said that the most alarming cases involve audio deepfakes of executives instructing staff to transfer funds.
“The sophistication of these scams is outpacing most companies’ ability to prepare. And without proper coverage or government-backed prevention support, many are just one fake voice message away from collapse.”
The voice of a CEO, cloned from a public speech or company video, can now be weaponized to defraud staff into wiring money. And the consequences aren’t just financial—they can be reputational, operational, and existential for smaller firms.
“A lot of the small businesses definitely don't have the awareness of cyber risk,” Malfa said. “They're so consumed with the day-to-day operations, leaving little time and bandwidth for them to do any kind of proactive cybersecurity measures or research.”
A 2023 report from the Insurance Bureau of Canada found that more than 60% of small businesses believe they’re too small to be targeted by cybercriminals. That false sense of security can lead to catastrophic oversights, including the assumption that general liability insurance will offer cyber protections. It doesn’t.
“A lot of times they don't even understand what cyber insurance is,” Malfa said. “They think that cyber insurance is just covered under their general liability policy.”
Even when businesses are aware of cyber coverage, they're not always looking at the full picture. Many think only of direct losses, not the ripple effects.
“They’re just thinking first-party… that it just covers them for any first party losses,” Michael said. “They're not thinking about how it can also cover third-party cyber liability losses,” such as customers or vendors impacted by a breach.
And the gap between evolving threats and business readiness is widening. Only 22% of Canadian businesses reported having cyber risk insurance in 2023 —a shockingly low figure given how often fraud now bypasses traditional phishing routes.
“They got the employees’ cell phone numbers, and they were texting the employees, acting as the owner,” Malfa said. “They would give them detailed instructions and very personalized text messages. So, they're getting very creative with how they're coming in.”
In response, some insurers are incorporating AI into their own risk assessment models, using it for monitoring and threat intelligence. But as Malfa noted, even advanced analytics struggle to stay ahead of cybercriminal creativity.
The result is a high-stakes dilemma: a business without strong digital controls might become uninsurable—or only eligible for policies with steep premiums.
“It makes it even [more] difficult for them to acquire that insurance,” Malfa said. “[It’s] very pricey.”
Despite the risks, many businesses still treat cyber coverage as optional.
“They're going to see this as an unnecessary expense,” he said, especially “when they don't understand the risk exposures and what the product covers.”
Malfa said that both insurers and the government have a role to play in closing that gap.
“Subsidizing some kind of knowledge or training,” he said. “Another thing could be, like, potential tax credits or government-funded programs for implementing some at least preventative cybersecurity measures such as MFA, endpoint security or cyber training.”
He also said the insurance industry must do more to ensure brokers and their clients understand what they’re buying.
“They need to educate brokers, so brokers can educate their clients,” he said. “And I think there needs to be more proactive communication around this. Right now, it's a bit of a gap.”
Beyond simply having coverage, the details of a cyber policy matter more than ever.
“They need to make sure they have ransom payments on the policy,” Malfa said. “Incident response costs… regulatory fines and penalties… those are all sort of the things you need to look at.”
And the threat landscape is still evolving. While deepfake video hasn’t become mainstream yet, it may not be far off.
“The video is still early days,” he said. “But the voice, they're starting to really nail down.”
QUICK FACTS
