Arizona businesses—especially small, owner-operated firms and senior-owned businesses—are increasingly targeted by scams that exploit marketing workflows (invoices, ads, reviews, listings, lead forms, and phone outreach) and trust signals (brand names, “Google”/platform authority, celebrity endorsements, and familiar voices). State and federal data show the fraud environment is large and growing: FTC Consumer Sentinel data for 2024 reports Arizona fraud losses of $336.7M (from reports with losses $1–$999,999), with 54,367 fraud reports, 41% of reports indicating a loss, and a median loss of $600. [1] Nationally, the FBI’s Internet Crime Complaint Center (IC3) reports phishing/spoofing as the top complaint category and shows major losses from investment fraud and business email compromise (BEC). [2] Seniors are disproportionately harmed: IC3 reports individuals 60+ filed 147,127 complaints in 2024 with $4.885B in losses and an $83,000 average loss figure in that section of the annual report. [3]
AI changes the scam calculus in three practical ways: it lowers cost, raises realism, and increases scale. Arizona’s Attorney General has explicitly warned Arizonans about AI voice cloning scams (often framed as emergency requests for money) and has partnered with BBB on scam-education PSAs, including a PSA focused on fraudulent celebrity advertisements. [4] These “celebrity-ad” scams map directly onto the rise of deepfakes: Arizona media has documented cases where consumers were deceived by ads using manipulated celebrity likenesses. [5]
For Phoenix-area ad agencies advising senior clients, the highest-leverage protection is to treat marketing operations like finance operations: implement verification gates (identity verification, payment verification, access control), reduce “single-person” approval power, and rehearse a simple, scripted incident response. Arizona regulators are also tightening business-identity protections: the Arizona Corporation Commission (ACC) has moved to require two forms of ID for in-person filings and plans similar identity verification for online filings, explicitly citing “modern tactics and techniques” used to commit fraud. [6]
Scam types most relevant to marketing operations and how AI amplifies each
Marketing-related scams often target (a) the business’s money (fake invoices, subscription traps, ad fraud), (b) the business’s identities and channels (Google Business Profile takeover, social accounts, domains), or (c) the business’s customers via impersonation (spoofed emails/ads/calls that appear to come from the business). BBB’s 2025 business scam study groups business scams into stolen data, impersonation, and fake services, reflecting how most marketing-facing frauds actually work in practice. [7]
Below is an analytical mapping of these scam categories, emphasizing what changes “in the age of AI.”
Phishing and spoofing targeting marketing access (email, ad accounts, listings)
IC3 lists phishing/spoofing as the most common reported crime type by complaint count (193,407 complaints in 2024). [8] For marketing teams, the highest-impact phishes are those that steal access to Google Business Profile, Meta Business Manager, Google Ads, or the email account used as the “owner” on those platforms.
AI amplification: generative AI helps attackers write convincing, brand-specific messages and adapt them to the recipient’s role, eliminating the classic grammar “tells.” National security authorities have publicly warned that AI is being used in “smishing” and “vishing” campaigns (texts + AI-generated voice messages) to build trust and drive clicks or credential capture. [9]
Typical vectors: “Your listing is suspended,” “You must verify your ad account,” “Invoice attached,” “You violated policy—appeal here,” “Ownership request requires approval.”
Deepfake ads and fraudulent celebrity endorsements
Arizona’s AG/BBB campaign launched with a first PSA “focus[ing] on fraudulent celebrity advertisements.” [10] Arizona reporting has documented victims encountering social-media ads using celebrities’ likenesses in misleading ways—illustrating how persuasive “famous face” ads can be even when the advertiser is not legitimate. [5]
AI amplification: deepfake tools lower the barrier to generating plausible video/audio endorsements; AI also helps rapidly generate hundreds of ad variants and landing pages, enabling fast A/B tests to find which message converts best (a classic marketing tactic repurposed for fraud).
Typical vectors: paid social ads (Meta/TikTok/YouTube), “sponsored” posts, fake landing pages with rush/limited inventory hooks, “official partner” claims.
Fake reviews, review hijacking, and fake social-proof
The FTC finalized a rule (effective Oct. 21, 2024) that prohibits, among other practices, selling or purchasing fake reviews/testimonials and explicitly covers reviews that misrepresent they are written by someone who does not exist (including AI-generated fake reviews) or who did not have real experience. [11]
AI amplification: LLMs can mass-produce plausible review text at scale, with varied tone and detail; attackers can also generate large volumes of “customer service replies” to make a fake or hijacked business profile appear legitimate.
Typical vectors: Google reviews, Yelp, Facebook, industry directories; competitor sabotage via fake negative reviews; “review gating” and suppression tactics (now subject to FTC scrutiny under the rule). [12]
Lead-generation fraud and “lead lists” that are poisoned, duplicated, or sold
Lead-gen scams come in two main forms: (1) business-as-buyer fraud (you pay for leads that are bot traffic, recycled data, or fake form fills), and (2) consumer-as-victim lead capture (fake comparison-shopping sites collect consumer info then sell it broadly, leading to downstream robocalls and spam).
Policy reality check: The FCC adopted a “one-to-one consent” approach intended to curb the “lead generator loophole,” but the Eleventh Circuit vacated the relevant part of the FCC’s 2023 order (Part III.D), finding it conflicted with the ordinary statutory meaning of “prior express consent.” [13] The FCC later issued an order conforming its rules to the court mandate, explicitly reinstating the prior definition in 47 C.F.R. § 64.1200(f)(9). [14]
AI amplification: bots can submit highly realistic lead forms; AI agents can hold “conversations” that look like real prospects; cheap voice cloning and synthetic call-center agents can qualify leads with minimal human labor.
Typical vectors: web lead forms, chat widgets, call tracking numbers, affiliate networks, “comparison” sites, and “free quote” funnels.
AI-generated robocalls and conversational “robotexting” that impersonates brands
The FCC has clarified that AI-generated voices are “artificial” under the TCPA; calls using such voices generally require prior express consent absent an exception. [15] Arizona’s AG has joined multi-state enforcement efforts against illegal robocalls (Operation Robocall Roundup) and warned Arizonans about scam robocalls routed through noncompliant providers. [16]
AI amplification: interactive voice bots can respond in real time, gather info, and tailor pressure tactics; voice cloning raises the emotional stakes (e.g., “grandchild in trouble”), which Arizona’s AG/BBB PSA explicitly warns about. [17]
Typical vectors: inbound “support” calls spoofing Google/platforms; outbound “billing issue” calls; mixed-mode flows where a call is followed by an SMS link.
Business identity theft affecting corporate filings, listings, and reputation
Arizona’s ACC states business identity theft is rising and that their system historically lacked identity verification for filings; it has implemented steps like requiring two IDs for in-person filings and moving toward similar verification online. [18] KJZZ reporting explains the mechanism: bad actors add themselves to a business via filings, then exploit the business’s credit/reputation and “act poorly” under the stolen identity. [19]
AI amplification: AI can generate realistic supporting documents, emails, and scripts; it can also automate monitoring of newly formed entities and target dormant LLCs at scale.
Typical vectors: state business filing systems, data broker records, “new business” public filings (which scammers monitor), dormant entities.
Fake marketing agencies, “platform impersonators,” and paid-service extortion
Google explicitly warns businesses to beware of calls/emails/texts from people offering paid help with Business Profiles, stating Google doesn’t charge for this service and will never ask for OTP/PIN. [20] BBB also documents Google Business Profile theft: scammers click “Own this business?” and rely on someone inside the company approving an access request, then they lock out the legitimate business and misuse its reviews to lure consumers. [21]
BBB’s business scam study includes examples of businesses approached for advertising fees they never agreed to, and it highlights “fake services” as a major category. [7]
AI amplification: scammers can operate “agency fronts” with AI-written websites, portfolios, proposals, and even deepfake sales calls, reducing the cost to appear legitimate.
Typical vectors: cold calls claiming platform affiliation, LinkedIn outreach, email proposals with fake case studies, “urgent suspension” threats.
Subscription traps and dark patterns embedded in marketing offers
Arizona’s AG sued Amazon alleging unfair and deceptive practices; reporting highlighted claims that the Prime cancellation process was intentionally confusing (“Project Iliad”), using manipulative interface design to reduce cancellations. [22] (Regardless of the case outcome, the allegations illustrate the “dark patterns” mechanism businesses should watch for when buying SaaS/marketing tools.)
AI amplification: personalized retention flows, dynamic offers, and auto-generated “support chats” can increase friction to cancel; AI can also scale targeted upsells and “trial-to-paid” conversion manipulation.
Typical vectors: “free trial” martech tools, listing-management subscriptions, contract auto-renewals, payment method “update” prompts.
Ad fraud, click fraud, and traffic laundering
IC3 shows that cryptocurrency-related fraud is enormous nationally, with a “cryptocurrency” descriptor loss of $9.32B in 2024. [23] While not all ad fraud is crypto-related, the same “scale economics” apply: automation creates fake impressions, clicks, installs, and conversions that burn budgets.
Industry estimates vary, but Juniper Research has estimated that 22% of online ad spend was lost to ad fraud in 2023, with projections rising over time. [24]
AI amplification: AI-generated bots look more human (mouse movement, browsing paths), evade fraud filters, and can optimize for “conversion-like” behavior to pass basic analytics checks.
Typical vectors: programmatic display, paid search click fraud, affiliate traffic laundering, fake influencer engagement.
SEO poisoning and malvertising that infects marketing workflows
Government and security guidance describe SEO poisoning as a technique that manipulates search results to make malicious sites appear legitimate—leveraging the human tendency to trust top-ranked results. [25] For marketers, SEO poisoning can lead to downloading fake tools (trojanized “analytics,” “Teams,” “PDF converters”), or logging into spoofed ad/admin portals.
AI amplification: AI can generate large volumes of SEO-optimized spam pages, localized to Phoenix neighborhoods or industries; it can also generate “help center” articles that mirror legitimate support content.
Typical vectors: search ads + SEO spam, fake “download” pages, typo-squatted domains, compromised WordPress sites.
How scams reach Phoenix-area businesses and seniors: attack vectors and lifecycle
Marketing scams are best understood as a repeatable operational lifecycle: discover a target, establish credibility, trigger urgency, capture access/payment, monetize, and then erase or shift identities. BBB’s business scam study emphasizes that scams reach “every aspect of a business,” from spam nuisances to full-scale disruption and ransom, which aligns with this lifecycle model. [7]
A. Target discovery
• Public filings
• Google listings
• Social media
• Data brokers
• Vendor invoices
↓
B. Pretext & credibility
• “Google/Meta support”
• Fake agency
• Celebrity endorsement
• Spoofed vendor
↓
C. Delivery channel
• Email (phish/invoice)
• SMS (smishing)
• Phone (vishing/AI voice)
• Paid ads
• Search results / SEO poisoning
• Physical mail
↓
D. Pressure + compliance trigger
• “Urgent suspension”
• “Final notice”
• “Refund / overcharge”
• “Grandchild emergency”
• “Invoice past due”
↓
E. Capture
• Credentials / OTP
• Ownership transfer
• Bank / wire / gift cards
• Card-on-file
• Lead data harvesting
↓
F. Monetize
• Ad spend theft
• Account takeover
• Lead resale
• Fraudulent charges
• Reputation hijack
↓
G. Cover & repeat
• Rotate domains / numbers
• New generative content
• Move funds quickly
• Hit next business
Key Arizona-relevant channels include: robocalls (Arizona AG enforcement focus), [16] business filings (ACC modernization focus), [6] and celebrity-ad style deepfakes (AZ AG/BBB PSA focus and AZ media reporting). [26]
Arizona-focused case studies and recent incidents
Arizona has multiple, well-documented touchpoints that illustrate how “marketing scams” are evolving locally.
Timeline of notable Arizona-related developments
2024-05 : Arizona AG sued Amazon alleging deceptive practices; reporting highlighted “Project Iliad” in Prime cancellation UX (subscription-trap / dark-pattern pattern) [22]
2024-12 : KJZZ: ACC adopted new rules to combat business identity theft; cited lack of ID requirements as a vulnerability [19]
2024-12 : BBB issued alert on Google Business Profile takeover scams (listing hijack + review theft) [21]
2025-01 : ACC news release: steps to prevent business fraud; 2 forms of ID for in-person filings; plans for online identity verification [18]
2025-06 : Arizona AG + BBB launched education campaign; first PSA focused on fraudulent celebrity advertisements [10]
2025-07 : Arizona AG + BBB PSA focused on AI voice cloning scams and verification tips [17]
2025-08 : Operation Robocall Roundup: Arizona joined multistate crackdown; warning letters to noncompliant voice providers [27]
2025-12 : Arizona AG sued Temu alleging Arizona Consumer Fraud Act violations incl. faking reviews and deceptive advertising practices [28]
What these incidents teach Phoenix ad agencies and senior-owned businesses
Arizona’s AG/BBB PSAs highlight two practical “AI-era” pivots: fraudulent celebrity ads and voice cloning. [4] For agencies, those map onto two real risks: (1) seniors being targeted as consumers/investors, and (2) businesses being impersonated or pressured into “urgent payment” flows.
The ACC identity-theft work shows that business identity theft is not just a cyber issue—it’s a business governance / registry issue. ACC emphasizes its historic lack of enforcement authority and the need to update “outdated statutes and administrative code” to match modern fraud tactics. [18] Agencies should treat corporate identity (who can file, who can sign) as part of reputational safety, because reputation is a marketing asset.
The BBB Google Business Profile takeover alert shows “marketing channel identity theft” is real: if someone inside the business approves an ownership request, attackers can control the profile and exploit accumulated reviews to deceive customers—especially in urgent-need categories (e.g., locksmith scams). [21]
Legal and regulatory landscape relevant to Arizona marketing scams
Arizona state law and regulators
Arizona’s Consumer Fraud Act broadly prohibits deceptive or unfair acts and misrepresentations in connection with the sale or advertisement of merchandise, declaring them unlawful practices. [29] Civil penalties can be sought for willful violations, up to statutory limits per violation. [30]
For identity misuse, Arizona criminal law prohibits taking the identity of another person or entity, including use of “entity identifying information” without consent and with unlawful intent. [31] Arizona also criminalizes computer tampering (unauthorized access/alteration with intent to defraud), which can apply to compromised marketing/admin systems. [32]
Arizona’s Attorney General has an active consumer protection posture and a public-facing scams portal for reporting and education. [33] The ACC is also implementing administrative controls to deter fraudulent business filings. [18]
Federal consumer protection and communications regulation
The FTC’s Consumer Sentinel Network tracks fraud nationwide; FTC press data notes consumers reported $12.5B lost to fraud in 2024, with investment scams the highest loss category and imposter scams next. [34] Arizona-specific fraud totals and median losses appear in FTC’s Data Book appendix. [1]
For reviews and social proof, the FTC’s rule on consumer reviews/testimonials prohibits multiple review-manipulation tactics and explicitly addresses AI-generated fake reviews. [11]
For robocalls, the FCC’s declaratory ruling confirms AI-generated voices are “artificial” under the TCPA, bringing AI-voice robocalls under familiar consent rules. [15] Lead-generation consent policy has shifted: the Eleventh Circuit vacated the FCC’s 2023 “one-to-one consent” restrictions (Part III.D), and the FCC later conformed its rules accordingly. [35]
Senior-focused support and resources
AARP’s Fraud Watch Network is positioned as a free resource for scam education and guidance, including helpline support. [36] AARP research also indicates older adults are concerned about criminals using AI for deepfakes and voice cloning. [37] In Arizona specifically, the AG/BBB PSA provides voice-cloning safety tips (don’t answer unknown calls; verify via trusted numbers), which are especially relevant to senior-owned businesses where the owner’s personal phone is often the business phone. [17]
Economic impact and Phoenix-area risk profiles
What the numbers say for Arizona
FTC Consumer Sentinel fraud reporting shows Arizona recorded $336.7M in reported fraud losses for 2024 (in the appendix’s definition range), with a median loss of $600 and 41% of reports indicating a loss. [1] Separately, IC3’s 2024 annual report shows Arizona ranked high in cryptocurrency complaints and losses: 4,145 crypto complaints and $177.6M in crypto losses in the “overall state statistics” crypto tables. [38] This matters because many deepfake “investment opportunity” ads route victims into crypto-payment rails, consistent with broader FTC observations that bank transfer and crypto channels are heavily used by scammers. [34]
Why small Phoenix-area and senior-owned businesses have elevated exposure
From a practical operations standpoint (not a moral one), small and senior-owned businesses tend to have four structural risk factors:
• They have fewer staff, so a single person may control email, ad accounts, listings, and payments—making approval and verification weaker by default. BBB notes business scam reports range from “nuisance” to “complete disruption,” and it highlights the broad reach of impersonation and fake services. [7]
• They rely heavily on reputation channels (Google reviews, Maps listing) that can be hijacked. [21]
• They face high scam volume via phone and SMS, with Arizona AG actively targeting robocalls, implying a significant local burden. [27]
• They are in an ecosystem where seniors are heavily targeted: IC3 shows extremely large dollar losses among 60+ complainants nationally. [3]
Comparative risk table for Phoenix-area businesses
The matrix below is a practical, Phoenix-ad-agency-oriented assessment. “Likelihood” reflects how often Phoenix SMBs typically encounter the scam channel; “Impact” reflects potential financial + reputational harm; “AI involvement” reflects how much AI is currently used to scale/convince; “Detection difficulty” reflects how hard it is for typical staff to identify quickly.
| Scam type | Likelihood (PHX SMB) | Potential impact | AI involvement | Detection difficulty | Best-first mitigation |
| --- | --- | --- | --- | --- | --- |
| Phishing / spoofing for marketing/admin credentials | High | High (account takeover, billing fraud) | High (personalized lures) [39] | Medium–High | Phishing-resistant MFA + “no-OTP-ever” policy; separate admin accounts; DMARC/SPF/DKIM |
| Deepfake ads / fraudulent celebrity endorsements | Medium (as consumers) | Medium–High (financial loss; trust harm) | High [26] | High | “Stop–verify–research” script; avoid impulse purchases/investments from social ads |
| Fake reviews / fake social proof | High | High (reputation + revenue) | High [11] | Medium | Review monitoring + evidence capture; use FTC rule awareness; platform dispute process |
| Lead-gen fraud (fake leads, consent abuse, lead resale blowback) | Medium–High | Medium–High | Medium–High [40] | High | Contract-hardening; lead validation sampling; consent language audits; call recording rules |
| AI robocalls / vishing + smishing | High | Medium–High | High [41] | Medium | “Known-number callback” rule; carrier filtering; staff scripts; report to AZ AG/FCC |
| Business identity theft (corporate filings) | Medium | High (credit/reputation/legal) | Medium | High | ACC monitoring + authorized-filer controls; rapid response to notices [6] |
| Listing/account hijack (Google Business Profile) | High | High | Medium | Medium | Strict access control + 2SV; never approve unknown owner requests [42] |
| Fake marketing agencies / “Google partner” impersonators | High | Medium–High | High (AI websites/proposals) [43] | Medium | Vendor vetting checklist; written SOW; no upfront wire; references |
| Subscription traps / dark patterns | Medium | Medium | Medium | Medium | Contract review; cancellation calendar; single-use virtual cards; dispute process [22] |
| Ad fraud / click fraud | Medium (higher with programmatic) | Medium–High (budget burn) | High | High | Bot filtering, placement exclusions, conversion QA; conservative attribution; anomaly alerts [24] |
| SEO poisoning / malvertising | Medium | High (malware, credential theft) | Medium–High [44] | High | “No search-to-download” rule; allowlisted installers; endpoint protection; browser isolation |
Detection, prevention, and crisis response playbook for Phoenix ad agencies and senior clients
Prioritized checklist for Phoenix ad agencies advising senior clients
This checklist assumes mixed tech literacy and minimal IT staff; it focuses on controls that are realistic in small-business settings.
Start with the identity and access “non-negotiables.” Lock down the channels that, if compromised, let scammers rewrite reality: email, listings, ad accounts, and phones. Google explicitly advises limiting Business Profile access, keeping owner access, and watching for ownership requests; it also warns Google doesn’t charge for Business Profile services and will never ask for OTP/PIN. [20]
Priority actions (highest ROI first):
1. Establish a Known-Number Callback Rule: any urgent call (billing, listing suspension, bank, “platform support”) triggers hang-up and callback via a number from a saved contact list or official site—never the number provided in the call/SMS. This aligns with Arizona AG/BBB voice-cloning guidance to verify through trusted numbers. [17]
2. Turn on phishing-resistant MFA for: email, Google account(s), Meta/IG, Google Ads, and the registrar/domain host. (Do not rely on SMS-only where avoidable; treat SMS as a weak factor.)
3. Create two separate roles: Marketing Operator (day-to-day) and Marketing Owner (admin/ownership). Only the owner can approve: new admins, ad spend increases, payout changes, Business Profile ownership requests. (BBB shows that approving an ownership request can enable profile takeover.) [21]
4. Implement a Two-Person Payment Rule for wires, gift cards, ACH changes, and “urgent” invoices. IC3 shows BEC and investment scams drive huge losses; payment verification is where most blue-collar scams become real-dollar losses. [23]
5. Add “vendor realism” gates: require a written SOW, physical address, references, and live screen-share demonstrations for any new marketing vendor. BBB business scam research explicitly documents fake services and vendor impersonation patterns. [7]
6. Harden Google Business Profile: restrict access; remove ex-employees; monitor access requests; enable 2-Step Verification. [20]
7. Build an “incident binder” (paper + digital) with: platform recovery links, registrar login recovery steps, bank fraud hotline, and reporting links (AZ AG, FTC, IC3, BBB, FCC). [45]
Practical detection indicators by scam channel
Email and invoice scams: unexpected “renewal,” vague service descriptions, pressure language, last-minute bank detail changes, payment via gift cards/wire. The FTC specifically warns small businesses about directory listing scams that start with “it’s free” or “just a renewal” and result in a bill. [46]
Google/Maps impersonation calls: requests for payment, threats of suspension, requests for OTP/PIN, demands for immediate action. Google’s own guidance warns against paying for Business Profile maintenance and stresses that Google won’t request OTP/PIN. [20] Google also explains that legitimate automated calls won’t ask you to sign up for a service, pay money, or give personal info. [47]
Voice cloning / AI robocalls: emotional urgency (“emergency”), insistence on secrecy, request for gift cards or immediate transfer. Arizona’s AG/BBB PSA gives exactly these warning markers and advises not answering unknown numbers and verifying through trusted callbacks. [17] FCC notes AI voice cloning has been used to extort family members and impersonate celebrities and officials—reinforcing the legitimacy of adopting “voice is not proof” as a policy. [48]
Review and listing hijack: sudden “ownership request” emails; profile name/address/phone changes; spike in calls complaining about services you don’t offer. BBB explains that approving an ownership request can lock you out and allow scammers to exploit your reviews. [21]
Ad fraud / lead fraud: rising spend with flat revenue, geographic anomalies, suspiciously high CTR with low-quality sessions, conversion events that don’t match sales reality. Industry estimates suggest meaningful portions of spend can be lost to fraud, so anomaly detection is budget protection. [24]
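The ad-fraud indicators above can be checked mechanically from a weekly export. The following is an added example, not part of the original report; the thresholds, the service-area list, the placement names and the sample rows are all constructed assumptions to tune per account.

```python
"""Flag ad placements whose metrics match the ad/lead-fraud indicators above."""
from collections import defaultdict
from typing import NamedTuple

# Assumptions: illustrative thresholds, not figures from the report.
SERVICE_AREA = {"AZ"}            # regions the business actually serves
MAX_CTR = 0.05                   # click-through rate considered suspicious
MIN_SESSION_SECONDS = 10         # shorter sessions count as low quality
MAX_OUT_OF_AREA_SHARE = 0.30     # share of clicks from outside SERVICE_AREA
MIN_VERIFIED_RATIO = 0.50        # verified sales / tracked conversions


class Row(NamedTuple):
    week: int
    placement: str
    region: str
    impressions: int
    clicks: int
    spend_usd: float
    avg_session_seconds: float
    tracked_conversions: int
    verified_sales: int


# Constructed sample data ("ZZ" is a placeholder for an out-of-area region).
ROWS = [
    Row(1, "search-brand", "AZ", 4000, 160, 320.0, 95, 12, 10),
    Row(2, "search-brand", "AZ", 4200, 170, 340.0, 90, 13, 11),
    Row(1, "display-network-x", "AZ", 20000, 300, 150.0, 40, 4, 3),
    Row(2, "display-network-x", "AZ", 21000, 900, 450.0, 4, 30, 1),
    Row(2, "display-network-x", "ZZ", 30000, 2400, 1200.0, 3, 60, 0),
]


def placement_report(rows, week):
    """Return {placement: [flags]} for one week, aggregated across regions."""
    agg = defaultdict(lambda: defaultdict(float))
    for r in rows:
        if r.week != week:
            continue
        a = agg[r.placement]
        a["impressions"] += r.impressions
        a["clicks"] += r.clicks
        a["session_seconds"] += r.avg_session_seconds * r.clicks  # click-weighted
        a["conversions"] += r.tracked_conversions
        a["sales"] += r.verified_sales
        if r.region not in SERVICE_AREA:
            a["out_of_area_clicks"] += r.clicks

    report = {}
    for placement, a in agg.items():
        clicks = a["clicks"]
        ctr = clicks / a["impressions"] if a["impressions"] else 0.0
        avg_session = a["session_seconds"] / clicks if clicks else 0.0
        flags = []
        if ctr > MAX_CTR and avg_session < MIN_SESSION_SECONDS:
            flags.append("high_ctr_low_quality_sessions")
        if clicks and a["out_of_area_clicks"] / clicks > MAX_OUT_OF_AREA_SHARE:
            flags.append("geographic_anomaly")
        if a["conversions"] and a["sales"] / a["conversions"] < MIN_VERIFIED_RATIO:
            flags.append("conversions_do_not_match_sales")
        report[placement] = flags
    return report


def spend_up_sales_flat(rows, prev_week, week,
                        min_spend_growth=0.5, max_sales_growth=0.1):
    """True when total spend rose sharply while verified sales did not."""
    def totals(wk):
        picked = [r for r in rows if r.week == wk]
        return sum(r.spend_usd for r in picked), sum(r.verified_sales for r in picked)

    spend0, sales0 = totals(prev_week)
    spend1, sales1 = totals(week)
    if spend0 == 0:
        return False  # no baseline to compare against
    spend_growth = (spend1 - spend0) / spend0
    if sales0:
        sales_growth = (sales1 - sales0) / sales0
    else:
        sales_growth = float("inf") if sales1 else 0.0
    return spend_growth >= min_spend_growth and sales_growth <= max_sales_growth


if __name__ == "__main__":
    for name, flags in placement_report(ROWS, week=2).items():
        print(name, flags or "ok")
    print("spend up, sales flat:", spend_up_sales_flat(ROWS, 1, 2))
```

The `verified_sales` column has to come from the business's own records (booked jobs, invoices, answered calls), not from the ad platform, or the comparison checks the platform against itself.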
SEO poisoning: users searching for “download” tools and landing on lookalike sites; unexpected browser redirects; fake support tools. Government/security guidance describes SEO poisoning as manipulating search prominence to make malicious sites look authentic. [44]
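The message-borne warning signs above (code/PIN requests, gift-card or wire payment, bank-detail changes, suspension threats, secrecy, ownership requests, lookalike links) can be turned into a first-pass triage for forwarded emails, texts and call notes. This is an added example, not part of the original report; the phrase patterns, the official-host allowlist, the action names and the sample messages are constructed assumptions.

```python
"""Triage inbound messages against the warning signs listed in this section."""
import re
from urllib.parse import urlsplit

# Assumption: hosts this business treats as official. Maintain your own list.
OFFICIAL_HOSTS = {"google.com", "facebook.com", "azag.gov"}

# Indicator name -> pattern; wording is illustrative, taken from the red flags above.
INDICATORS = {
    "code_or_password_request":
        r"\b(otp|pin|verification code|one[- ]time (code|password)|password)\b",
    "untraceable_payment": r"\b(gift cards?|wire transfer|wire|crypto|bitcoin)\b",
    "bank_detail_change":
        r"\b(new|updated|changed) (bank|account|routing|payment) (details|information|number)\b",
    "suspension_threat": r"\b(suspend(ed|sion)?|disabled|deactivat\w+|final notice|past due)\b",
    "urgency": r"\b(immediately|urgent(ly)?|right now|within \d+ (hours?|minutes?)|today only)\b",
    "secrecy": r"\b(don'?t tell|do not tell|keep this (secret|between us)|tell no one)\b",
    "ownership_request":
        r"\b(ownership request|request(ed|ing)? (access|ownership)|approve (the )?(request|access))\b",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in INDICATORS.items()}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Indicators that end the conversation on their own, and lures that matter
# most when paired with a link to a host that is not on the allowlist.
HARD_STOPS = {"code_or_password_request", "untraceable_payment"}
LURES = {"suspension_threat", "urgency", "ownership_request"}


def is_official(host):
    """True only for an allowlisted host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


def link_hosts(text):
    """Hostnames of every link in the text; a user@ prefix is not the host."""
    hosts = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:          # malformed URL, e.g. broken IPv6 literal
            host = None
        if host:
            hosts.append(host.rstrip("."))
    return hosts


def triage(text):
    """Return matched indicators, non-allowlisted link hosts and an action."""
    found = sorted(name for name, rx in COMPILED.items() if rx.search(text))
    bad_links = [h for h in link_hosts(text) if not is_official(h)]
    if HARD_STOPS & set(found) or (bad_links and LURES & set(found)):
        action = "do-not-act-report"
    elif found or bad_links:
        action = "verify-by-known-number"
    else:
        action = "routine"
    return {"indicators": found, "unofficial_links": bad_links, "action": action}


# Constructed sample messages (not real traffic).
SAMPLES = [
    "Google Business Support: your listing is suspended. Verify immediately at "
    "https://google.com.verify-listing.example/appeal and read us the PIN we text you.",
    "Grandma, it's me. I need $2,000 in gift cards right now. Please don't tell Mom.",
    "Invoice 1043: please note our updated bank details for this month's payment.",
    "Your monthly performance report is ready at https://business.google.com/ for review.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg)["action"], "<-", msg[:60])
```

The first sample shows why the host check compares the end of the hostname: `google.com.verify-listing.example` starts with a trusted name but belongs to a different domain.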
Crisis-response templates for agencies and businesses
These templates are designed for speed and clarity. Replace bracketed fields.
Internal “stop the bleeding” message (staff Slack/email)
Subject: ACTION REQUIRED: Possible scam / account compromise – pause changes now
Team — We may be dealing with a scam or account compromise affecting [platform/account]. Effective immediately:
1) Do NOT approve any ownership/admin requests.
2) Do NOT click new links from emails/texts about “verification,” “billing,” or “suspension.”
3) Pause outbound payments to any marketing vendor until verified.
4) Forward suspicious messages to [security@ / point person] and take a screenshot.
If you already clicked or entered credentials, call [internal point person] now.
Rationale: These steps directly address the takeover mechanisms described by BBB (ownership requests) and Google (OTP/PIN protection). [49]
Phone script for seniors/staff receiving a “Google listing / ads” call
Thanks. I can’t take action from an inbound call.
I will call back using the official number we have on file.
What is your name, company, and a case/reference number?
(Do not provide any codes or passwords.)
Goodbye.
This matches the AG/BBB emphasis on trusted-number verification and recognizes voice spoofing risk. [17]
Client-facing notice if a listing/profile appears hijacked
Subject: Notice: We are investigating unauthorized changes to [Business Name] online profile(s)
We detected unauthorized changes to one or more online profiles used to display our business information.
We are working with the platform(s) to restore accurate information.
Until further notice:
• Please rely on our official website and published phone numbers for contact.
• If you received a request for payment or personal information claiming to be from us, do not comply.
If you believe you provided information to an impersonator, contact your financial institution immediately.
Grounding: listing hijack and review misuse are explicitly described in BBB guidance. [21]
Recommended policy and industry actions for Arizona’s marketing ecosystem
Because scam losses are too large for self-defense alone, policy and industry coordination matters. Arizona’s AG has emphasized broad scam enforcement and reports high complaint volumes and consumer recovery efforts, while also partnering with BBB on education—suggesting a multi-pronged strategy of enforcement + awareness. [4]
Recommended actions (agency + industry + public sector):
• Ad platforms and listing platforms should expand “KYC for advertisers” and stronger controls for high-risk categories (e.g., urgent services) where impersonation is common. BBB notes locksmith scams often leverage Business Profile theft. [21]
• Telecom and VoIP providers should be pressured to comply with traceback and robocall mitigation requirements; Arizona is already participating through Operation Robocall Roundup. [16]
• Business-identity systems should continue moving toward verified filers and authorized-signer lists; ACC is explicitly taking steps in this direction. [18]
• Agencies can professionalize “anti-scam controls” as part of standard marketing ops (vendor vetting, access governance, and proof-of-consent audits), mirroring the categories BBB identifies (stolen data, impersonation, fake services). [7]
Sources prioritized for Phoenix agencies and Arizona small businesses
Primary sources and official guidance
Federal Trade Commission — Consumer Sentinel Network Data Book 2024 (includes Arizona fraud totals and losses). [1]
Federal Trade Commission — Press release: New FTC Data Show a Big Jump in Reported Losses to Fraud to $12.5 Billion in 2024. [34]
FBI IC3 — 2024 IC3 Annual Report (crime types, losses, 60+ impacts). [50]
Federal Communications Commission — Declaratory ruling: AI-generated voices are “artificial” under TCPA (FCC 24-17) + FCC press release. [15]
Arizona Attorney General — Campaign launch (fraudulent celebrity advertisements focus) and AI voice-cloning PSA. [4]
Arizona Attorney General — Operation Robocall Roundup (Phase 1 and Phase 2). [16]
Arizona Corporation Commission — Steps to prevent business fraud and business identity theft (ID verification, authorized filers). [18]
Arizona Legislature — Arizona Consumer Fraud Act unlawful practices statute (A.R.S. § 44-1522) and related provisions. [51]
Arizona Legislature — Identity theft statute including “entity identifying information” (A.R.S. § 13-2008). [31]
Google — Business Profile security and scam warnings (OTP/PIN, paid-service scams, ownership requests, legitimate automated calls). [52]
FTC — Final rule banning fake reviews and testimonials + Federal Register final rule text. [11]
Eleventh Circuit — Insurance Marketing Coalition Limited v. FCC opinion (lead-gen consent rule vacatur) + FCC conforming order. [35]
Arizona news and investigative context
KJZZ — ACC rules to combat business identity theft (mechanism and policy changes). [19]
ABC15 — Arizona deepfake/celebrity-ad scam victim reporting. [5]
ABC15 — Arizona AG lawsuit reporting on “Project Iliad” (subscription trap / dark pattern allegations). [22]
Industry and research context used for impact framing
BBB — 2025 Business Scam Study (business scam categories and examples). [7]
Juniper Research (via press coverage) — estimates of online ad spend lost to ad fraud and projections. [24]
SEO poisoning definitions and risk framing (government/security guidance). [25]
[1] https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf
[2] [3] [8] [23] [38] [50] https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
[4] [10] [26] https://www.azag.gov/press-release/attorney-general-mayes-partners-bbb-protect-arizonans-scams-new-consumer-educational
[5] https://www.abc15.com/news/let-joe-know/arizona-woman-falls-victim-to-deep-fake-scam-using-celebrities-on-social-media
[6] [18] https://azcc.gov/news/home/2025/01/28/acc-corporations-division-taking-steps-to-prevent-business-fraud
[7] https://www.bbb.org/all/scamstudies/Business_scam_study/full-scam-study
[9] [39] https://www.fbi.gov/investigate/cyber/alerts/2025/senior-us-officials-impersonated-in-malicious-messaging-campaign
[11] https://www.ftc.gov/news-events/news/press-releases/2024/08/federal-trade-commission-announces-final-rule-banning-fake-reviews-testimonials
[12] https://www.federalregister.gov/documents/2024/08/22/2024-18519/trade-regulation-rule-on-the-use-of-consumer-reviews-and-testimonials
[13] [35] [40] https://media.ca11.uscourts.gov/opinions/pub/files/202410277.pdf
[14] https://docs.fcc.gov/public/attachments/DA-25-621A1_Rcd.pdf
[15] https://docs.fcc.gov/public/attachments/FCC-24-17A1.pdf
[16] [27] https://www.azag.gov/press-release/attorney-general-mayes-launches-operation-robocall-roundup-issues-warning-letters-37
[17] https://www.azag.gov/press-release/attorney-general-mayes-and-better-business-bureau-fight-ai-scams
[19] https://www.kjzz.org/business/2024-12-23/arizona-regulators-adopt-new-rules-to-combat-business-identity-theft
[20] [42] [43] [52] https://support.google.com/business/answer/14509283?hl=en
[21] [49] https://www.bbb.org/article/scams/26465-bbb-scam-alert-dont-let-scammers-steal-your-google-business-profile
[22] https://www.abc15.com/news/state/ag-kris-mayes-files-lawsuit-against-amazon-claiming-unfair-and-deceptive-business-practices
[24] https://www.prnewswire.com/news-releases/new-ad-fraud-study-22-of-online-ad-spend-is-wasted-due-to-ad-fraud-in-2023-according-to-juniper-research-301938050.html
[25] [44] https://www.hhs.gov/sites/default/files/june-2023-seo-poisoning-analyst-note-tlpclear.pdf
[28] https://www.azag.gov/press-release/attorney-general-mayes-sues-online-shopping-platform-temu-stealing-arizonans-data-and
[29] [51] https://azleg.gov/ars/44/01522.htm
[30] https://www.azleg.gov/ars/44/01531.htm
[31] https://azleg.gov/ars/13/02008.htm
[32] https://azleg.gov/ars/13/02316.htm
[33] https://www.azag.gov/consumer
[34] https://www.ftc.gov/news-events/news/press-releases/2025/03/new-ftc-data-show-big-jump-reported-losses-fraud-125-billion-2024
[36] https://www.aarp.org/money/scams-fraud/about-fraud-watch-network/
[37] https://www.aarp.org/pri/topics/work-finances-retirement/fraud-consumer-protection/ai-fraud-concerns-older-adults/
[41] [48] https://docs.fcc.gov/public/attachments/DOC-400393A1.pdf
[45] https://reportfraud.ftc.gov/
[46] https://consumer.ftc.gov/media/79947
[47] https://support.google.com/business/answer/6212928?hl=en





