Back to ResourcesSecurity Guide
Defending Against AI Phishing and Deepfake Fraud
Practical controls and employee training steps to counter AI-generated phishing and deepfake-enabled wire fraud, the fastest-growing category of social engineering risk in 2026.
Technical controls
- Adopt phishing-resistant multi-factor authentication (hardware security keys or platform authenticators) for all privileged and finance-adjacent accounts.
- Implement email authentication standards (SPF, DKIM, DMARC) to reduce domain spoofing.
- Deploy anomaly-based email filtering that flags unusual sender behavior, not just known-bad indicators.
Process controls
- Require out-of-band verification, a callback to a known, pre-verified number, for any payment, wire transfer, or account change request.
- Set clear dual-approval thresholds for financial transactions that cannot be overridden by claimed urgency.
- Establish a documented process for employees to report suspected deepfake or AI-generated content without fear of slowing down legitimate business.
Awareness and training
- Update security awareness training to specifically cover voice and video deepfakes, not just traditional email phishing indicators.
- Run simulated exercises that include a realistic voice-phishing scenario, not only simulated phishing emails.
- Brief executives and finance staff directly, they are the most frequently targeted roles in AI-assisted BEC attempts.
