Back to Blog

AI-Powered Phishing and Deepfake Fraud: The New Face of Social Engineering

6 July 2026By Eiferone Security Team

Social engineering has always relied on a simple trick: making a fraudulent request look and sound legitimate. In 2026, generative AI has made that trick dramatically more convincing, and dramatically more expensive when it works.

The numbers behind the shift

Recent industry research puts the scale of the shift in stark terms. An estimated 82.6% of phishing emails now contain some form of AI-generated content, and AI-written lures are achieving click rates roughly four times higher than traditional phishing. Deepfake-related incidents grew 680% year over year, with the first quarter of 2025 alone recording more incidents than all of 2024 combined.

The financial impact tracks the sophistication. Traditional business email compromise carries an average loss of around $1.3 million per incident. When a deepfake voice or video is involved, that average jumps past $4.1 million. Voice phishing, or vishing, calls using cloned voices to extract credentials or authorize payments, increased 442% between 2023 and 2024.

Why this works

Generative AI removes the traditional tells: broken grammar, generic greetings, obviously synthetic voices. It also automates reconnaissance, scraping LinkedIn profiles, press releases, and public filings to build a convincing, personalized pretext before the first message ever lands. A deepfake voice call from a "CFO" requesting an urgent wire transfer, timed around a real trip or event on that executive's public calendar, is a fundamentally different threat than a generic phishing email.

What actually reduces this risk

  • Phishing-resistant multi-factor authentication (hardware keys or platform authenticators) rather than SMS or app-based one-time codes, which remain vulnerable to real-time relay attacks.
  • An out-of-band verification step for any payment or credential change request, a callback to a known number, not one supplied in the message itself.
  • Security awareness training that specifically covers voice and video deepfakes, not just email red flags.
  • Clear, tested financial control procedures (dual approval, defined limits) that don't bend under "urgent" pressure regardless of who appears to be asking.

None of these controls are exotic. What's changed is the cost of skipping them. If your last security awareness refresh didn't mention deepfakes, it's worth revisiting before your finance team gets a very convincing phone call.