Deepfake phishing is a social engineering attack that uses AI-generated voice, video, or images to impersonate a trusted person and pressure someone into taking action.
Deepfake phishing uses AI-generated voice, video, or images to make an impersonation feel real. Instead of relying only on a fake email or login page, the attacker may sound or appear to be someone the victim trusts.
In Wizer’s deepfake simulations, the most common mistake was acting on urgency before confirming the request through another channel.
What are the main types of deepfake phishing?
| Type | What it looks like | What the attacker wants |
|---|---|---|
| Voice cloning | A call or voice note from a leader or relative | Transfer money or share a code |
| Video impersonation | A fake person on a video call | Approve a payment or disclose data |
| Image impersonation | A fake profile or altered screenshot | Build trust or support a false story |
How Does Deepfake Phishing Work?
Attackers use sophisticated generative AI tools to harvest public synthetic media and exploit human trust. These high-tech scams generally take two primary forms:
Audio Cloning (Voice Phishing)
Using a short, publicly available audio clip (such as an executive's interview, keynote, or podcast episode), an attacker can clone a leader's voice. They then call an employee in finance or HR, sounding identical to the boss, to authorize an urgent, last-minute fund transfer or credential change.
Video Deepfakes
In more advanced scenarios, scammers create synthetic video streams to impersonate entire leadership teams or vendor representatives on live virtual meetings (like Zoom or Teams), tricking organizations out of millions of dollars during real-time discussions.
What Are the Warning Signs of Deepfake Phishing?
Deepfake phishing can be convincing, but there are often warning signs.
The request is unusually urgent
The caller or sender may insist that money, passwords, codes, or sensitive files are needed immediately. Urgency is designed to stop people from pausing and checking.
You are told not to involve anyone else
Be cautious if someone asks you to keep the request private, skip the normal approval process, or avoid contacting another team member.
The request does not match normal behavior
The voice or video may seem real, but the request feels unusual. For example, a leader may suddenly ask for gift cards, a wire transfer, login details, or a change to a vendor’s payment information.
The voice sounds slightly unnatural
Listen for:
- Strange pauses
- Flat or uneven emotion
- Unusual pacing
- Mispronounced names
- Background noise that does not match the setting
These signs are not always present, but they can be clues.
The video looks off
Watch for:
- Poor lip-syncing
- Blurry edges around the face
- Unnatural blinking
- Strange lighting
- Facial movements that do not match the voice
- A person avoiding turning their head
Deepfakes are improving, so visual glitches should not be the only thing employees rely on.
The person avoids verification
A real colleague should understand a quick security check. Be suspicious if they refuse to call back on a known number, answer a personal question, or confirm the request through another channel.
The request bypasses normal process
Any request involving money, account access, sensitive data, or payment changes should follow the usual approval process. A familiar face or voice should never replace verification.
How to confirm a suspicious request
Before acting on an unusual request:
- Pause.
- End the call or leave the meeting.
- Contact the person using a number or account you already trust.
- Confirm the request with another team member.
- Follow the normal approval process.
- Report anything suspicious.
A useful rule: Trust the process, not the voice.
Can MFA stop deepfake phishing?
MFA can help protect an account if an attacker steals a password. It cannot stop a person from being manipulated into approving a payment, sharing sensitive data, or revealing an authentication code.
That is why organizations need both technical controls and clear identity check processes.
Why Our Brains Fall for AI Impersonation
Scammers aren't trying to exploit software vulnerabilities; they are exploiting human nature, trust, and compliance:
- The Trust Trap: Our brains are hardwired to recognize and trust familiar faces and voices.
- The Panic Trigger: By combining a familiar voice with an intense "crisis" scenario, attackers create emotional panic that overrides logical thinking.
Example of a Deepfake Phishing Attack:
An employee receives a voice message that sounds like the CFO. The caller says a confidential payment must be approved before the end of the day and asks the employee not to involve anyone else.
The voice sounds familiar, but the request bypasses the normal approval process.
The safest response is to stop, contact the CFO using a known phone number, and confirm the request with another authorized person.
How to protect your organization from payment fraud
- Require approval from two people
- Confirm changes using a known phone number
- Never approve a new payment method inside the original message thread
- Set a threshold that triggers verbal confirmation
Deepfake FAQ:
Not always. Detection tools can help identify suspicious content, but no single tool will catch every deepfake. Accuracy can drop when a detector encounters content made with methods it was not trained to recognize.
Do not rely only on visual glitches or an unusual-sounding voice. Double-check unexpected requests through a separate, trusted channel.
MFA can help stop an attacker from accessing an account with a stolen password. It cannot stop someone from being manipulated into approving a payment, sharing sensitive information, or resetting another person’s access.
CISA has documented attacks where social engineering was used to convince help desk staff to reset passwords or MFA tokens.
MFA works best alongside clear approval processes and a separate confirmation step for unusual requests.
Voice cloning is the technology used to copy or imitate someone’s voice. It becomes voice phishing, also known as vishing, when a scammer uses that cloned voice to impersonate someone and pressure the target into taking an unsafe action.
The FBI has warned that criminals use AI-generated voice and video messages in fraud attempts targeting both individuals and businesses.
Pause and do not act on the request during the call.
End the call, then contact the person using a phone number, email address, or messaging account you already trust. Confirm the request with another authorized team member and report the incident to your IT or security team.
Do not use contact details provided during the suspicious call. A familiar face or voice should never replace the normal approval process.
Any organization can be targeted, but the risk is higher for teams that regularly handle money, sensitive information, account access, or urgent requests from senior leaders.
Common targets include:
- Financial services and accounting
- Healthcare
- Technology and IT support
- Legal services
- Government
- Education
- Retail and e-commerce
Finance teams, help desks, executives, and employees who can approve payments or access changes are especially attractive targets. The FBI warns that AI-generated voice, video, and email messages can be used to commit fraud against individuals and businesses.
