Phishing emails written by LLMs, deepfake voice scams, and AI-automated vulnerability scanning have changed the threat landscape — your defences need to change too.
The same generative AI tools powering business productivity are powering a new generation of attacks. Phishing emails are no longer riddled with typos — they're grammatically perfect, contextually personalised, and generated in bulk in seconds. Voice deepfakes can clone a CEO's voice from a 30-second public clip. The threat model has genuinely shifted, and "spot the bad grammar" is no longer a viable defence.
How Attacks Have Changed
- AI-generated phishing — personalised, well-written, scraped from public LinkedIn/company data for context
- Voice and video deepfakes — used in "urgent wire transfer" social engineering scams impersonating executives
- Automated vulnerability scanning — AI tools probe codebases and exposed endpoints at a scale humans can't match
- AI-assisted malware variation — generating thousands of slightly different malware signatures to evade detection
In documented 2025–2026 incidents, AI voice cloning has been used to authorise fraudulent wire transfers worth millions — using nothing more than a public earnings call or YouTube interview as training audio.
Fighting AI With AI: Modern Defensive Stack
- 1Behavioural anomaly detection — flags unusual login patterns, data access, or transaction requests regardless of how convincing the request looks
- 2AI-powered email security — analyses writing style and intent patterns, not just keyword/spam-filter rules
- 3Out-of-band verification policies — any financial request above a threshold requires a second channel confirmation, no exceptions, even for the "CEO"
- 4Continuous AI-assisted code scanning — matching attacker speed with defender speed in vulnerability detection
The Human Layer Still Matters Most
Technology alone won't solve this. The highest-ROI investment for most businesses in 2026 is updated security awareness training that specifically covers deepfake voice/video scams and AI-personalised phishing — most existing training material still teaches people to spot 2018-era attacks.
Practical Steps for SMBs and Mid-Market Companies
- Establish a mandatory callback verification process for any payment or credential change request
- Deploy AI-aware email/endpoint security rather than relying solely on legacy spam filters
- Run quarterly phishing simulations using AI-generated (not template) phishing content to test real readiness
- Limit how much executive voice/video content is publicly available where feasible, and brief leadership on deepfake risk
