Phishing Doesn’t Look Like Phishing Anymore, It Sounds Like Your Boss on a Video Call

Advertisements

Deepfakes now account for 11% of global fraudulent activity, according to 2026 fraud trend data. That number would have sounded like science fiction five years ago. Today it’s a documented, growing slice of a fraud category that used to mean poorly-written emails asking you to click a suspicious link.

Advertisements

The Old Advice Doesn’t Cover the New Attack

For years, the standard phishing advice was: watch for bad grammar, mismatched sender addresses, and urgent language. That advice still applies to basic email phishing, but it does nothing against a video call where the person on screen looks and sounds exactly like your actual manager, because deepfake video call attacks have moved from theoretical to a full production fraud operation in under two years.

Voice Cloning Made CEO Fraud Trivial

Deepfake vishing (voice phishing) now allows attackers to clone a real executive’s voice from public audio, earnings calls, interviews, conference talks, and use it to call an employee with an urgent, off-the-books wire transfer request. This isn’t a hypothetical: it’s become common enough that J.P. Morgan and other major financial institutions have published specific guidance for treasury teams on detecting synthetic voice fraud in payment requests.

Why This Got Cheap and Common So Fast

What used to require real technical skill and expensive tools has been commoditized into complete AI scam toolchains, voice cloning, deepfake video, and unrestricted “dark” language models bundled into services that reportedly cost less than a monthly streaming subscription. That price drop is the actual reason this went from rare to common: the barrier to running a sophisticated scam collapsed at the same time the output quality improved.

What Actually Still Works as a Defense

  • A pre-agreed verification phrase or callback number for any request involving money or credentials, especially urgent ones, something a deepfake can’t know or replicate
  • Treating urgency itself as a red flag, the emotional pressure to act immediately is one of the few things AI-generated scams still can’t remove without weakening the attack
  • A callback to a known number, never one provided in the suspicious call or message itself, this single habit defeats most voice and video impersonation attempts regardless of how convincing the fake sounds

The Uncomfortable Reality

“Does this look or sound legitimate” stopped being a reliable question in 2026. The more useful question is “would this specific request happen through this specific channel, unprompted, right now”, and that’s a habit worth building regardless of how convincing the voice or face on the other end appears.