What are deepfake email threats?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Picture this: your CFO receives an urgent email from the CEO asking for an immediate wire transfer. The sender address looks right. The writing sounds exactly like the boss. The request feels legitimate because it is from someone with authority, just through a deepfake voice message attached to the email. That's the threat.

Deepfakes are AI-generated synthetic media that look or sound real. They're not new technology, but they're getting fast and cheap. For email attacks, there are three main types happening now.

First, deepfake audio messages. Someone sends an email with an MP3 of the CEO's voice asking for payment or data access. The voice was generated from a few seconds of audio samples (a company earnings call, a YouTube video, whatever is public). The message sounds convincing. Most people don't verify audio they receive. They just act on it.

Second, personalized text deepfakes created by language models. These look like phishing emails but they're so tailored to your company, your role, and recent events that they feel impossible to be fake. They reference projects you're actually working on. They mention people you know. They don't have the generic typos of spam.

Third, deepfake video follow-ups. The email arrives. Then a video call request comes in. On the call, you see the executive's face (deepfaked in real-time). They're asking for sensitive info or authorization. By that point you're several steps deep in what feels like a real interaction.

Why this matters for email specifically: email is the attack vector. It's the first touch. It's what makes the victim willing to engage further through voice calls, video, or wire transfers. An email alone might not be enough to fool someone. But an email plus a convincing deepfake audio or video? That's where the real danger is.

The traditional phishing defense is "call the person back using a number you know is real." Deepfakes make that harder because by the time you're calling back, you've already engaged with the fake media, which makes the scammer more credible in your mind. You're trying to verify something that felt legitimate.

What actually stops deepfake attacks: proper email authentication (DMARC, SPF, DKIM) will catch spoofed sender addresses from the start. If the email claims to be from your CEO but fails authentication, it never reaches your inbox. That's not perfect (a compromised internal account bypasses this), but it eliminates the easiest attacks. After that: never send credentials, payment authorizations, or wire requests through email in the first place. That one policy stops most BEC attacks, deepfake or not. Verify requests using a communication channel that's separate from email. When your CFO asks for a wire transfer via email with audio attached, you make a phone call to his office using the main company phone line. That simple out-of-band verification is your strongest defense.

Next step: audit your company's email policies. Do you allow wire requests through email? Do you have a verification protocol for unusual requests? That's where you focus before worrying about deepfake tech specifically.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Understand deepfake attacks through real scenarios.

I'm hearing about deepfake email attacks and it's unsettling. Walk me through a realistic deepfake BEC scenario from the victim's perspective. What would actually happen? What might give it away?

Edit the yellow boxes, then send to the AI of your choice.