
Quick Guide: Deepfake Phishing

Last updated: 2026-05-27 · 4 min read

Deepfake phishing uses AI-cloned voices and video to impersonate executives. Learn how it works and the verification habits that stop it.

Deepfake phishing is social engineering carried out with AI-generated voice or video that impersonates a real person — usually a senior figure the target already knows. The attacker uses the cloned voice on a phone call, or the synthesised face on a video meeting, to issue an instruction the target would normally trust. For the full incident analysis, attack stages, and training programme guidance, see our deep-dive on deepfake phishing and employee training.

The reference incident remains the 2024 Arup case, in which a finance employee transferred approximately 25 million US dollars after attending a video meeting where every senior participant except themselves was a deepfake. The case is the highest-value documented example, but the pattern is now mature enough that security teams should treat it as an operational risk rather than a future one.


How Deepfake Phishing Works

Two channels matter. Voice cloning attacks impersonate a known voice on a phone call, typically targeting finance, accounts payable, or executive support staff with an urgent transfer or credential request. Producing a credible clone now requires less than a minute of public audio — a podcast, a conference talk, a customer testimonial — so the source material exists for almost any senior figure with a public presence.

Video deepfake attacks impersonate the face and voice of a known figure inside a live video meeting. The pattern observed in the Arup incident involves multiple deepfaked participants reinforcing the legitimacy of the request collectively. The target's mental category of "I would never authorise this from a single email" does not engage, because what they are seeing is not a single email.


Why Red-Flag Training Does Not Stop It

Awareness training built around inspecting sender domains, hovering over URLs, and watching for spelling errors does not apply when the attack arrives on a phone call or a video meeting. The visual artefacts earlier deepfakes produced — unnatural eye movement, audio-video drift — have largely been engineered out of current-generation tooling. Training employees to spot the deepfake itself is training them for a defence that does not survive the next quality improvement.

The deeper problem is psychological. Hearing a familiar voice or seeing a familiar face activates trust circuits that text does not. The same employee who would scrutinise a suspicious email often complies reflexively with a deepfaked voice call from someone who sounds like their boss.


The Verification Habits That Work

The durable defence is not better detection — it is verification norms that operate independently of audio or video.

Out-of-band callbacks. Any high-stakes request is verified by contacting the requester through a channel known in advance, not by responding on the channel the request arrived on. The deepfaked figure cannot answer a callback to their real phone.

Code-word challenges. Executive teams and finance teams agree a phrase or challenge question that only the real person would know, established in advance and rotated periodically. The attacker who has cloned the voice does not know the phrase.

Mandatory cooling-off for unscheduled high-value actions. Wire transfers above a threshold, privileged credential resets, and off-cycle vendor changes require a documented confirmation step that cannot be compressed by urgency claims. The deepfake's primary weapon is real-time pressure; cooling-off removes it.

These three habits are organisational policy decisions as much as training topics. Awareness training teaches employees to apply them; the underlying policy is what makes them defensible against pushback in the moment. The full training programme guidance covers role-specific scenarios for finance, executive assistants, and IT teams in detail.
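The three habits can also be enforced by the approval workflow itself, so that the hold does not depend on judgement under pressure. The following is an added example, not code from this guide or from PhishSkill; the threshold, cooling-off length, field names and channel labels are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values; the article names the controls but sets no numbers.
WIRE_THRESHOLD_USD = 10_000
COOLING_OFF = timedelta(hours=4)
ALWAYS_GATED = {"privileged_credential_reset", "off_cycle_vendor_change"}

@dataclass
class Request:
    action: str
    amount_usd: int
    received_at: datetime
    arrival_channel: str                    # where the instruction came in
    marked_urgent: bool = False             # recorded, never used to relax a check
    callback_channel: Optional[str] = None  # channel used to reach the requester
    callback_contact_on_file: bool = False  # contact came from the directory, not the request
    code_word_ok: bool = False

def is_gated(r: Request) -> bool:
    if r.action == "wire_transfer":
        return r.amount_usd > WIRE_THRESHOLD_USD
    return r.action in ALWAYS_GATED

def evaluate(r: Request, now: datetime) -> tuple[str, list[str]]:
    """Return ("release" | "hold", reasons). Urgency is deliberately not an input."""
    if not is_gated(r):
        return "release", []
    reasons = []
    if (r.callback_channel is None or r.callback_channel == r.arrival_channel
            or not r.callback_contact_on_file):
        reasons.append("no out-of-band callback via a contact on file")
    if not r.code_word_ok:
        reasons.append("code-word challenge not passed")
    if now - r.received_at < COOLING_OFF:
        reasons.append("cooling-off period not elapsed")
    return ("hold" if reasons else "release"), reasons

# Constructed sample: urgent transfer instructed on an unscheduled video call.
t0 = datetime(2025, 1, 6, 9, 0)
req = Request("wire_transfer", 250_000, t0, "video_meeting", marked_urgent=True)
```

A callback placed on the same channel the request arrived on is treated as no callback at all, which is the case a live deepfaked meeting would otherwise pass.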


High-Risk Populations

Three groups face elevated risk: finance and accounts payable teams (because they move money), executive assistants and chiefs of staff (because they act on senior figures' behalf), and anyone with privileged access (because their credentials unlock larger downstream compromises). Role-specific training scenarios for each of these populations are more effective than generic deepfake awareness applied uniformly across the workforce.

