Attack is Free, Defense is Paid. Face This Structure Head-On

To get straight to the point: AI is dramatically increasing fraud while also dramatically detecting it. In 2025, the major British insurer Aviva announced that it detected 18,400 fraudulent claims totaling £233 million (approximately ¥23 billion) using AI.

The structure behind this number is the real issue. The cost for attackers to generate fake accident photos and documents using AI is effectively zero. With free image generation AI and text generation AI, they have all they need. On the other hand, the cost for companies to implement defensive AI is significant. Large corporations may spend tens of millions annually, while small and medium-sized enterprises (SMEs) may face monthly costs ranging from tens of thousands to hundreds of thousands of yen.

Cost of Attack: Nearly ¥0. Cost of Defense: From ¥30,000 per month.

This asymmetry is structurally driving the explosive increase in fraud. The most affected are SMEs, which have limited resources to allocate toward defense.

—

What’s Happening—The Reality of AI Fraud

Let’s take a closer look at Aviva’s report. The activities of fraudsters can be broadly categorized into three types.

1. Generation of Fake Accident Scene Photos
Using image generation AI, they create photos of accident scenes that never existed. Previously, crude Photoshop manipulations were common, but now generative AI can produce images that look “real” in just seconds. It has become nearly impossible for insurance adjusters to detect these fakes through visual inspection.

2. Exaggeration of Damages
They take minor accidents that actually occurred and, using AI-generated photos and documents, turn them into “major accidents.” A repair bill of ¥200,000 can be inflated to ¥2 million. AI also checks the consistency of documents, eliminating contradictions, making it difficult for human eyes to spot the fraud.

3. Completely Fake Claims
There is no actual accident. Photos generated by AI, accident reports written by AI, and estimates created by AI—all are fakes, yet all seem “plausible.”

Visa’s 2024 Cyber Threat Report also notes a surge in AI-driven fraud. Particularly, there is an increase in cases where deepfake technology is used to bypass identity verification, and sophisticated phishing emails generated by AI are targeting companies.

This is not just a problem for the insurance industry. Invoice fraud, impersonation of business partners, and fake order emails—any business relying on “documents and trust” is a target.

—

Why SMEs Are the Most Vulnerable

Now, let’s consider what large corporations are doing.

Major insurance companies like Aviva are making substantial investments in AI detection systems. The fact that they were able to “detect” ¥23 billion in fraudulent claims indicates that their defensive systems are functioning effectively. Companies that can invest hundreds of millions annually in security can counter attack AI with AI.

But what about SMEs with 10 or 50 employees?

Many companies feel that even a ¥50,000 monthly security tool is “expensive.” It is not uncommon for companies to lack dedicated IT personnel. Whether an email from a business partner is genuine or if a photo of an invoice is real is often judged by the “gut feeling” of the staff on the ground.

Attackers know the limits of that “gut feeling.”

Sophisticated fake emails generated by AI do not fall prey to traditional detection methods like “the Japanese is off” or “the sender looks suspicious.” The text is natural, and the sender’s domain is cleverly disguised.

In other words, the structure looks like this:

• Large Corporations: Attacked by AI, defended by AI. They can absorb the costs.
• SMEs: Attacked by AI, defended by human intuition. They cannot afford the costs.

This gap is set to widen further.

—

Four Actions SMEs Should Take Starting Today

Vague calls to “raise security awareness” are meaningless. Let’s be specific, including cost considerations.

1. Start with Free to Low-Cost AI Security Tools

The notion that “defensive AI is expensive” is outdated. As of 2025, basic AI tools for email filtering and anomaly detection are available for monthly fees starting from just a few thousand yen. AI-based phishing detection is included in the standard features of Google Workspace. The same goes for Microsoft 365 Defender.

Just turning on the security features of the tools you are currently using can make a difference. If you haven’t reviewed your settings, you should do it today. Cost: ¥0.

2. Establish a Rule to Confirm “Change of Bank Account Emails” by Phone

The most vulnerable target for SMEs is the “change of bank account” scam emails disguised as coming from business partners. They receive messages with perfect wording generated by AI stating, “The account has changed.”

The countermeasure is simple. Whenever you receive a request to change the bank account, always confirm by phone with the person directly. Instead of replying to the email, call the number you know. This alone can almost completely prevent such scams. Cost: ¥0. Time: 3 minutes.

3. Create a System to Not Trust “Images” of Invoices and Estimates

In an era where AI can generate fake document images, the judgment that “it’s real because there’s a photo attached” has collapsed.

Specifically, set a rule that for invoices over a certain amount (for example, over ¥100,000), you require not just images but also the original documents to be mailed or sent via a known system. It may seem cumbersome, but considering that one instance of fraud can cost hundreds of thousands of yen, it’s a cheap insurance policy.

4. Share Fraud Cases for 15 Minutes Once a Quarter

There’s no need for elaborate training. Just use 15 minutes of a quarterly meeting or morning assembly to share examples of “recent scams that are trending.”

You can gather examples from the IPA (Information-technology Promotion Agency) published “Top 10 Information Security Threats” or the National Police Agency’s cybercrime countermeasures page, which won’t take more than 30 minutes to prepare.

Many scams can be prevented just by being aware of them. People fall victim because they are unaware. Cost: ¥0.

—

The Real Problem is the Widening “Cost Asymmetry”

The costs for attackers continue to decrease. More free image generation AIs are becoming available, and their performance is continually improving. Deepfake technology for voice can now generate imitations with just a few seconds of sample audio. A phone call mimicking the CEO’s voice instructing, “Transfer the funds urgently”—such attacks are already technically feasible.

On the other hand, while the costs for defenses are also decreasing, they are not dropping at the same speed as those for attacks. This is because defense requires “accuracy.” An attack only needs to succeed once out of a hundred attempts. Defense must stop every single one of those hundred attempts. This asymmetry will not be resolved even as technology advances.

That’s why it’s essential to abandon the notion of “protecting solely with technology.”

The strength of SMEs lies in their smaller organizational structure. Everyone’s face is visible. Voices can be heard. They can ask the person next to them, “Doesn’t this invoice seem off?” In large corporations, there are departmental walls that prevent such “sharing of slight discomfort.”

Being small means that human judgment and verification can be quick. This is a structural advantage for SMEs. While implementing AI defense tools, the final line of defense should be “human verification.” This hybrid approach will be the most cost-effective defense strategy for SMEs.

—

Conclusion: You Can’t Reduce Defense Costs to Zero, But You Can Minimize Them

To summarize:

• The attack cost of AI fraud has effectively dropped to zero.
• Large corporations can counter AI with AI, but SMEs lack the resources for that.
• However, there are several countermeasures that can be implemented for ¥0.
• “Confirm changes in bank accounts by phone,” “don’t trust images alone,” and “share case studies.”
• The “smallness” of SMEs can actually be a weapon in defense.

You might think that the ¥23 billion figure is only relevant to large corporations. However, for attackers, the size of the company doesn’t matter. In fact, SMEs with weaker defenses are often seen as “juicy targets.”

The belief that “we won’t be targeted because we are small” is the biggest security hole.

Today, I want you to do just one thing. Check your company’s email security settings. Establish a confirmation rule for changes in bank accounts. Just that could prevent one instance of fraud tomorrow.