Home / Articles / Defending Against AI-Powered Phishing and Deepfakes
Defending Against AI-Powered Phishing and Deepfakes
Cybersecurity

Defending Against AI-Powered Phishing and Deepfakes

AI has made phishing and deepfakes cheap, fast and frighteningly convincing. Here is a layered defence that actually holds up against modern social engineering.

Published 16 April 2026 11 min

## A new generation of social engineering

The phishing email used to be easy to spot. Bad grammar, generic greeting, suspicious link. In 2026 those signals are gone. Generative tools produce flawless prose in any language, mimic a colleague\u2019s tone after reading a few public posts and craft pretexts that match real internal context. Voice and video deepfakes are now realistic enough to fool a casual observer in a short call.

User awareness training alone cannot carry the load anymore. The defence has to be layered, technical and assumption-friendly: assume some users will be fooled, and design controls so that being fooled is not catastrophic.

## Identity is the new perimeter

Most successful AI-powered attacks end with a stolen session or a fraudulent transaction. Both fall back to identity. The strongest single investment a business can make right now is phishing-resistant authentication.

If you only do one thing this year, push passkeys across the workforce. The reduction in account takeover is dramatic.

## Email defences that go beyond keywords

Legacy mail filters look for known bad URLs and suspicious words. AI-generated phishing breezes past both. Modern defences add:

None of these is perfect on its own. Combined, they cut delivery of the most dangerous campaigns by an order of magnitude.

## Defending against deepfake voice and video

Vishing with a cloned voice is no longer rare. The CFO calls finance and asks for a wire transfer to a new vendor. The voice is right. The pretext is right. The pressure is right.

The answer is process, not technology heroics:

For video calls, train staff to ask the caller to perform a simple action that current deepfakes still struggle with, such as covering part of the face with a hand or turning their head sharply.

## Detection and response

Assume some campaigns will land. Make sure you can see and react quickly:

## Training that matches the new reality

Annual click-the-link training is no longer enough. Run frequent, realistic simulations that include voice and chat-based pretexts. Reward reporting, not just non-clicking. Share anonymised examples of recent attempts so staff see what current campaigns actually look like.

AI-powered social engineering is not going away. Layered defences, phishing-resistant identity and disciplined process turn it from a likely breach into a manageable risk.