At Cyber
How to Protect Against Deepfake Phishing Scams

Quick Answer: Protect yourself from deepfake phishing scams by always verifying urgent financial or access requests through a separate, pre-confirmed channel – never the one the request arrived on. Combine FIDO2-resistant MFA, identity protection monitoring, and phishing-aware email security to build a layered defense that AI-generated impersonations can’t easily bypass.

A finance worker in Hong Kong joined what looked like a routine video call with company executives in early 2024. His CFO was on screen. Colleagues nodded along. He had initial doubts – then shrugged them off. By the end of the call, he had authorized 15 wire transfers totaling $25.6 million. Every person on that call was an AI-generated deepfake.

That wasn’t a fluke. It was a preview. Deepfake phishing – where attackers use AI to clone voices, faces, and even real-time video to impersonate trusted people – has graduated from a theoretical threat to a documented, growing category of financial fraud. The FBI’s 2025 Internet Crime Report recorded over $893 million in AI-driven fraud losses, and Deloitte projects generative AI could fuel $40 billion in US fraud losses by 2027.

The problem isn’t just that these attacks are convincing. It’s that they target the very instincts we’ve trained ourselves to rely on: trust a familiar voice, believe what you see on a video call, comply when a senior executive makes an urgent request. Deepfake phishing weaponizes human psychology in ways that traditional phishing never could.

According to a Gartner survey of 302 organizations, 62% reported experiencing a deepfake attack involving social engineering in the 12 months prior to mid-2025. Deepfake fraud attempts have increased 2,137% over three years, per Signicat data.

This guide covers what deepfake phishing actually looks like, how to spot the warning signs, and the specific steps – both behavioral and technical – that will protect you, your family, and your business from AI-generated impersonation scams in 2026.

Key Takeaways

  • The most effective protection against deepfake phishing is out-of-band verification: always confirm wire transfers, credential resets, or access requests through a separate, pre-established channel – never the one the request came from.
  • Financial losses from deepfake-enabled fraud exceeded $200 million in Q1 2025 alone in North America, with the average per-incident loss now near $500,000 for businesses.
  • Voice cloning tools can generate convincing audio from as little as 3 seconds of public audio – LinkedIn videos, conference recordings, and earnings calls are all training data for attackers.
  • FIDO2-resistant hardware security keys (like YubiKey) block over 99% of credential-based attacks and are the single highest-impact technical upgrade most households and small businesses can make.
  • Protect your family and accounts from deepfake-enabled identity theft with Batten’s expert-vetted identity protection tools – built for real-world AI fraud threats.

How to Protect Against Deepfake Phishing Scams

What Is Deepfake Phishing – and How Do Deepfake Scams Work?

Deepfake phishing is a form of AI-powered social engineering where attackers use synthetic media – cloned voices, manipulated video, or AI-generated faces – to impersonate a person the target trusts. Unlike traditional phishing, which relies on spoofed email addresses or generic urgency, deepfake phishing bypasses visual and auditory verification entirely.

The mechanics are more accessible than most people realize. Modern voice cloning tools need three to five seconds of someone’s voice to generate convincing audio. Real-time face-swap software can run during a live video call. Attackers harvest source material from public posts, YouTube videos, LinkedIn profiles, recorded webinars, and company conference calls – content executives and professionals post openly every day.

The Five Stages of a Deepfake Phishing Attack

  • Reconnaissance: Attackers scrape LinkedIn, corporate websites, YouTube, and podcast archives to identify a target’s role, their boss’s voice, and the communication norms of the organization.
  • Synthetic Media Creation: Using freely available AI tools, the attacker builds a voice clone capturing intonation, accent, and breathing patterns. For high-value targets, a real-time face-swap filter is built for live video calls.
  • Initial Contact (Spear Phishing): A spoofed email impersonating a trusted executive or colleague establishes urgency – a “confidential transaction,” emergency credential reset, or sensitive vendor payment.
  • Deepfake Confirmation: When the target expresses doubt, attackers escalate to a voice or video call featuring the deepfaked executive. This “social proof” step is what defeats skepticism in the majority of successful attacks.
  • Extraction and Disappearance: Funds are wired, credentials handed over, or access granted. Money is quickly moved through cryptocurrency or cross-border accounts. The average window between transfer and detection is 18 hours – typically after banking hours.
IDShield – Identity Theft Protection
IDShield – Identity Theft Protection
$14.95
Batten.shop

Real-World Case Study: The $25 Million Arup Deepfake Fraud (2024)

In January 2024, a finance employee at global engineering firm Arup was invited to a video conference featuring deepfake likenesses of the CFO and multiple colleagues. The deepfakes were built entirely from publicly available conference recordings and LinkedIn video. The employee – who had initially suspected the original email was phishing – was reassured by the familiar faces on the call and authorized 15 wire transfers totaling $25.6 million to five Hong Kong bank accounts.

Arup’s CIO Rob Greig later described it to the World Economic Forum as “technology-enhanced social engineering” – no systems were breached, no data was exfiltrated. Just psychology, backed by AI. The funds remain unrecovered as of mid-2026. The story was confirmed and reported by Fortune.

AI Voice Phishing, CEO Fraud, and Other Deepfake Attack Types

Deepfake phishing is not a single attack type – it’s a family of related threats. Understanding which type you’re most likely to face helps prioritize your defenses.

AI Voice Cloning Scams (Deepfake Vishing)

Voice cloning attacks generate audio that sounds like a real person, then deliver it via phone call or voice message. These are the most common deepfake attack format because they require less technical setup than video. Vishing surged 442% in 2025, according to multiple cybersecurity firms. Scammers have used this method to impersonate executives for wire transfer fraud, and to run “grandparent scams” targeting seniors by faking the voice of a distressed family member.

Deepfake CEO Fraud and Executive Impersonation Attacks

Business Email Compromise (BEC) attacks layered with deepfake audio or video are the highest-cost variant. Average per-incident losses from AI-augmented BEC now exceed $4.1 million, compared to $1.3 million for traditional phishing. Finance teams, HR departments, and IT help desks are primary targets, since they have authority or access to execute the financial requests attackers demand.

Deepfake Video Call Scams (Zoom/Teams Fraud)

Real-time video deepfakes run during live calls on Zoom, Teams, or Google Meet. As the Arup case proved, multi-person fake video conferences are now operationally viable for large-scale fraud. The NSA, FBI, and CISA’s joint advisory on deepfake threats specifically identifies synthetic media in video calls as a growing organizational risk.

Synthetic Voice Scams Targeting Families

Consumers face “family emergency” voice clones – attackers clone a child’s or parent’s voice and call grandparents claiming to be in immediate danger and needing emergency funds. The FBI reported $893 million in AI-related scam losses in 2025, with older adults accounting for $352 million of that total, per the AARP’s analysis of the 2025 IC3 data. These attacks are fast, emotionally overwhelming, and devastating for families unprepared for them.

⚠️ Warning Sign: Any communication – email, call, or video – that creates urgency around a financial transfer, credential reset, or confidential action should trigger immediate out-of-band verification. Urgency is the most reliable red flag in deepfake phishing attacks, because legitimate requests rarely require bypassing standard security procedures.

Identity Guard – Premium Identity + Credit Protection
Identity Guard – Premium Identity + Credit Protection
$7.99
Batten.shop

How to Spot a Deepfake Scam: Visual and Behavioral Red Flags

Detection technology is improving, but it’s not infallible – current deepfake detection tools achieve at most 85% accuracy against state-of-the-art synthetic media. Human judgment, trained to look for specific anomalies, remains a meaningful first-line defense.

Visual and Audio Tells in Deepfake Video

The FBI and CISA guidance on deepfake identification highlights several artifacts that AI generation still struggles to eliminate consistently:

  • Unnatural blinking patterns or reduced eye movement
  • Lip-sync mismatches where mouth movement doesn’t quite match audio
  • Blurry or inconsistent edges around hair, ears, and jawline
  • Lighting that doesn’t match the claimed environment
  • Skin texture that looks unnaturally smooth or plastic-like
  • Audio that sounds slightly robotic or flattened in emotional range
  • Background elements that shift or distort during head movement

Critically: the absence of these tells does not confirm authenticity. High-quality deepfakes increasingly eliminate them. Detection based on visual inspection alone is a shrinking defense. Process-based verification must be the primary safeguard.

Behavioral Red Flags That Signal Deepfake Social Engineering

  • Manufactured Urgency: “This needs to happen today, before the announcement.” Legitimate financial requests have documented approval chains that tolerate verification delays.
  • Secrecy Demands: “Don’t mention this to anyone else.” Real executives operating within normal business processes rarely ask employees to bypass oversight.
  • Pressure to Skip Verification: “There’s no time for the usual process.” This is almost always a social engineering tactic.
  • Unusual Communication Channels: A CFO who normally emails suddenly calls via WhatsApp or personal phone number.
  • Requests Just Under Approval Thresholds: Attackers often split transfers to avoid triggering automatic review flags.

Explore Batten’s identity protection tools to add a layer of dark web monitoring that alerts you before attackers can build a convincing impersonation profile using your personal data.

Keeper Password Manager
Keeper Password Manager
$3.33
Batten.shop

How to Protect Against Deepfake Phishing: 7 Proven Defenses

No single tool or habit defeats deepfake phishing alone. The defenses that work are layered – combining process controls, authentication technology, and trained skepticism. Each layer addresses a different part of the attack chain.

1. Out-of-Band Verification for All Financial and Access Requests

This is the single most effective defense against deepfake phishing, and the one that would have stopped the Arup fraud outright. Out-of-band verification means confirming any unusual request through a different communication channel than the one it arrived on – using a contact method you established independently, not one provided in the suspicious message itself.

A practical rule: if a wire transfer request arrives by email, verify it by calling the executive directly on their known office number. If a voice call requests a credential reset, verify it through your organization’s internal ticketing system. If a video call makes an unusual financial request, send a separate message through your company’s internal chat system to confirm it’s real.

The FBI’s 2025 advisory on AI-generated voice messages impersonating senior officials independently recommends independently verifying any phone number before responding, as the primary procedural defense against synthetic media attacks.

2. FIDO2-Resistant Hardware Security Keys

SMS-based two-factor authentication and app-based authenticators can be defeated by real-time phishing kits. Hardware security keys based on FIDO2/WebAuthn cryptographically bind authentication to the legitimate website or service – a deepfake phishing site cannot intercept or replay the authentication challenge.

Microsoft has reported that MFA blocks over 99% of opportunistic credential attacks. CISA’s Mobile Communications Best Practice Guidance (2025) specifically recommends FIDO-resistant authentication as the strongest defense for high-value accounts.

Featured Product: YubiKey by Yubico

The YubiKey is a physical security key that requires a touch to authenticate, making it impossible for attackers to use stolen credentials without physical possession of the device. It works across email, password managers, VPNs, and thousands of applications. Even if a deepfake phishing attack captures your username and password, a hardware key stops unauthorized access cold. Read the full YubiKey review on Batten Cyber for setup guidance and use cases.

3. Identity Theft Protection and Dark Web Monitoring

Deepfake attackers need raw material: your voice, your face, your organizational context. They also rely on data breaches to learn your personal details, making impersonation emails more convincing. Identity protection services monitor for your personal information on the dark web, alert you to credential exposures before attackers can act on them, and provide recovery assistance if fraud does occur.

Explore Batten’s identity protection collection for monitored services with real-time breach alerts and fraud recovery support. Our fraud protection services guide walks through the top services and what each covers.

4. All-in-One Security Suites with AI Scam Detection

Modern security suites have begun integrating AI-powered scam detection that flags suspicious emails, phishing links, and unusual attachment behavior before a user interacts with them. Products like Bitdefender Premium Security now include email monitoring and AI scam detection as standard features, while Aura‘s all-in-one platform combines antivirus, VPN, and identity monitoring in a single subscription.

Browse Batten’s all-in-one digital security collection for expert-vetted bundles. The Batten Cyber guide to all-in-one security suites compares Aura, Bitdefender, and Norton for different household needs.

1Password – Password Manager
1Password – Password Manager
$2.99
Batten.shop

5. A Pre-Arranged Family or Team Code Word

One of the most practical defenses against AI voice cloning scams is agreeing in advance on a verification code word with family members and trusted colleagues. The University of Florida IT Security department recommends this specifically for family deepfake scenarios: any unexpected “emergency” call from a family member that doesn’t include the pre-agreed word should be treated as suspicious and verified through a second contact method.

For businesses, this translates to internal verification phrases for high-value transactions – a short, agreed-upon code that executives include when making legitimate unusual requests, which an AI cannot know to replicate.

6. Reduce Your Public Audio and Video Footprint

Attackers build deepfakes from publicly available material. Executives and professionals with extensive public video content – recorded conference talks, podcast appearances, YouTube interviews – provide the richest training data. Being thoughtful about what’s published and reviewing privacy settings on professional profiles can limit an attacker’s material.

For a broader strategy on reducing your digital footprint, see our guide to cloud account security and our overview of spoofing attacks in cybersecurity.

7. Phishing Awareness Training That Includes Deepfake Simulations

Standard phishing training was designed for email-based attacks. It does not prepare anyone for a face they recognize on a video call giving a direct financial order. Adaptive Security’s research found that after approximately a dozen deepfake simulation rounds, employee detection success surged from 34% to 74%.

Effective deepfake awareness training includes simulated voice clone calls, fake Zoom meeting scenarios, and role-based exercises that replicate the exact pressure finance and HR teams face. 

NordVPN
NordVPN
$12.99
Batten.shop

Deepfake Phishing Defense: Key Controls Compared

Different defenses address different stages of a deepfake phishing attack. This table maps each control to what it protects against and who it’s most relevant for.

Defense What It Stops Best For Difficulty Cost
Out-of-Band Verification Wire fraud, credential theft from voice/video calls Everyone Low (process habit) Free
FIDO2 Hardware Keys (YubiKey) Credential phishing, account takeover after data breach Families, remote workers Low (plug and play) $25–$65
Identity Theft Protection Dark web credential exposure, identity fraud recovery Individuals, families Low (monitored) $10–$35/mo
All-in-One Security Suite Email-based AI phishing, malicious links, device compromise Families, home offices Low (single install) $4–$15/mo
Pre-Arranged Code Words Voice clone emergency scams targeting family members Families with elderly relatives Very Low Free
Deepfake Awareness Training Social engineering over video calls; reduces click rates Businesses, remote teams Medium (training program) $15–$50/user/yr
Deepfake Detection Software Real-time synthetic media in video calls (enterprise) Enterprise finance/HR teams High (integration required) Enterprise pricing

For most households and small businesses, the highest return on investment comes from pairing out-of-band verification habits with FIDO2 hardware keys and an identity protection service. This combination costs under $100 upfront and addresses the most common attack vectors without requiring technical expertise.

Browse Batten’s cybersecurity tools – including identity protection, all-in-one security suites, VPNs, and hardware keys – for expert-vetted options.

Deepfake Phishing vs Traditional Phishing: Key Differences

Understanding how deepfake attacks differ from conventional phishing explains why standard security training and tools often fail against them.

Factor Traditional Phishing Deepfake Phishing
Primary Vector Spoofed email, fake login page AI voice call, fake video meeting, cloned audio message
Detection Method Check sender address, hover links, look for typos Behavioral red flags, out-of-band verification – visual checks unreliable
Setup Cost for Attacker Near-zero (automated toolkits) Low and falling: voice clones from 3 secs of audio; face-swap tools widely available
Average Financial Impact ~$1.3M per BEC incident (FBI 2024) ~$4.1M per AI-augmented BEC incident
Bypasses Standard MFA? Sometimes (SIM swap, real-time phishing kits) Yes, when target is manipulated into approving actions verbally
Most Effective Defense Email filtering, phishing-resistant MFA Out-of-band verification, process controls, phishing-resistant hardware keys
Primary Target Types Broad; any credential or payment High-value: finance teams, C-suite, HR, IT help desk, elderly individuals

Traditional phishing relies on deception at the message level. Deepfake phishing attacks happen at the trust level – a convincing-sounding or convincing-looking person you believe you know. That’s a fundamentally harder problem to solve with technology alone, which is why procedural defenses are non-negotiable.

ExpressVPN
ExpressVPN
$4.99
Batten.shop

Protecting Families, Remote Workers, and Businesses from AI Phishing Attacks

AI phishing attacks affect different people in different ways, so the right defence depends on whether you are protecting a household, a remote workstation, or a business payment process. 

Families and Older Adults: Stopping Voice Clone Emergency Scams

Grandparent scams powered by AI voice cloning are among the fastest-growing fraud categories. The FBI’s 2025 IC3 Report found adults 60 and older reported $7.7 billion in fraud losses – a 60% increase from 2024 – with voice cloning scams representing a significant share. The scam works because hearing a grandchild’s panicked voice is deeply disorienting, and attackers exploit that window before the target thinks to verify.

Practical family defenses: establish a code word, discuss these scams openly with older family members, and consider family-plan identity protection that monitors for the entire household. Our hack-proof computer guide covers foundational digital hygiene steps that reduce vulnerability to social engineering across all scam types.

Remote Workers and Home Office Professionals

Remote workers face a compounded risk: no IT team to escalate to, more reliance on digital-only communication, and home networks that may lack enterprise-grade filtering. AI-generated phishing emails have achieved 54% click-through rates versus 12% for manually crafted emails – meaning remote workers encounter more convincing attacks with less institutional support.

Key steps for remote workers: use a business-grade VPN when accessing work systems from public networks, enable phishing-resistant MFA on all work accounts, and never process financial requests received only through a single communication channel. Browse Batten’s VPN collection for privacy tools purpose-built for remote work security.

Finance Teams and Small Businesses: Multi-Person Authorization Controls

Finance teams handling wire transfers and vendor payments are the highest-value targets for deepfake CEO fraud. The most effective organizational control is simple but requires commitment: any wire transfer or vendor payment change above a defined threshold must be approved by two independently verifying individuals, each using an out-of-band channel. This two-person authorization rule would have prevented the Arup fraud – and would prevent the majority of deepfake business payment fraud occurring today.

Small businesses can also benefit from comprehensive fraud protection services that monitor for business identity threats alongside personal identity exposure.

Deepfake Detection Tools and AI Phishing Protection Software

Enterprise-grade deepfake detection tools are now commercially available, though they remain most practical for organizations rather than individual consumers. Understanding what exists helps frame realistic expectations.

Consumer-Accessible Tools and Approaches

  • Email security with AI phishing detection: Products like Bitdefender Premium Security and Norton 360 include real-time scanning of incoming messages for AI-generated phishing content, malicious links, and suspicious attachments.
  • Password managers with phishing protection: Reputable password managers (available in Batten’s password manager collection) won’t autofill credentials on fake lookalike sites – a quiet but powerful defense when a deepfake phishing campaign drives you to a spoofed login page.
  • Identity theft protection with breach monitoring: Services that monitor the dark web for your credentials catch data exposures before attackers can use them to build convincing impersonation profiles.
  • VPN services: Encrypting your connection prevents attackers from intercepting traffic or poisoning DNS to redirect you to fake sites.

Enterprise Deepfake Detection Platforms

Organizations with high-value targets – finance teams, executive communications, HR departments – should evaluate enterprise platforms. Reality Defender and Pindrop Pulse for Meetings analyze voice and video streams in real time during calls, flagging synthetic media before a decision is made. 

Sensity AI offers forensic-grade analysis for legal and compliance use cases. These tools are not infallible – current best-in-class accuracy tops out around 85–98% depending on the attack type – but they add a meaningful layer of automated detection alongside procedural controls.

The critical guidance from Gartner’s 2026 assessment: pair media inspection tools with process controls. No detection tool should be the sole or final verification gate for high-value transactions.

Defending Your Family and Business Against the Deepfake Threat

Deepfake phishing is not a distant, enterprise-only threat. It’s already costing individuals and organizations hundreds of millions of dollars, and the tools to execute these attacks are increasingly cheap, accessible, and effective. The Arup case, the Ferrari near-miss, the WPP WhatsApp impersonation attempt, and the millions of grandparent voice-clone scams hitting ordinary families every year are all the same threat at different scales.

The most important shift is accepting that visual and auditory verification alone is no longer sufficient. Seeing a face or hearing a voice you recognize is no longer proof of identity. Out-of-band verification, hardware-backed authentication, and trained skepticism around urgency are the defenses that stop these attacks – and they’re available to everyone, not just enterprise security teams.

Start with the basics: establish a family code word, enable phishing-resistant MFA on your most sensitive accounts, activate dark web monitoring on your email addresses, and bring everyone in your household up to speed on what voice clone scams sound like. Then layer in a comprehensive identity protection service and security suite for automated monitoring that works while you’re not thinking about it.

Browse Batten’s cybersecurity tools – including identity protection, all-in-one security suites, VPNs, and hardware keys – for expert-vetted options that protect against today’s AI-powered fraud landscape.

Ready to protect your family and home office from deepfake phishing and AI voice scams? Explore Batten’s all-in-one digital security collection – expert-curated tools combining identity monitoring, phishing protection, and device security designed for today’s AI fraud threats.

Frequently Asked Questions

What Is a Deepfake Phishing Scam?

A deepfake phishing scam uses AI-generated audio, video, or real-time face-swap technology to impersonate a trusted person – an executive, family member, or colleague – and manipulate the target into transferring funds, handing over credentials, or revealing sensitive information. Unlike email phishing, these attacks bypass visual and auditory verification by creating convincing synthetic impersonations that feel real in the moment.

How Can You Tell If a Video Call Is a Deepfake?

Watch for unnatural blinking, lip-sync mismatches where mouth movement slightly lags audio, inconsistent lighting, blurry edges around hair or ears, and skin that appears too smooth. Behavioral red flags – manufactured urgency, secrecy demands, requests to skip normal verification – are often more reliable indicators than visual artifacts alone. When in doubt, end the call and verify through a separate, pre-established channel.

Can Scammers Clone Someone’s Voice for AI Voice Phishing?

Yes. Modern voice cloning tools can generate convincing audio from as little as three seconds of recorded speech. Public sources – LinkedIn videos, podcast appearances, earnings call recordings, conference talks – provide more than enough material. Pindrop recorded a 680% year-over-year increase in voice deepfake attempts in 2024. The resulting audio can be nearly indistinguishable from the real person to an untrained ear.

Does Multi-Factor Authentication Stop Deepfake Phishing Attacks?

Standard SMS and app-based MFA does not stop deepfake attacks – an attacker who tricks you into verbally approving an action has already bypassed authentication. FIDO2-resistant hardware keys (like YubiKey) provide much stronger protection by cryptographically binding authentication to the legitimate site or service. MFA blocks credential attacks but cannot substitute for out-of-band verification when social engineering is the primary vector.

What Should Employees Do If They Suspect a Deepfake Scam?

Do not comply with the request. End the call or communication and verify through a separate, independently known contact – call the executive directly on their known office number, or confirm the request through your organization’s internal ticketing system. Report the attempt immediately to your IT or security team. Organizations should have a documented incident response plan that specifically covers deepfake social engineering attempts.

How Can Small Businesses Prevent Deepfake Fraud?

Implement two-person authorization for any wire transfer or vendor payment change above a defined dollar threshold. Require out-of-band verification for all unusual financial requests. Train finance and HR teams with simulated deepfake scenarios – not just standard email phishing exercises. Use email security software with AI-powered phishing detection, and consider identity protection services that monitor for executive credential exposure on the dark web.

What Are the Warning Signs of an AI Voice Clone Scam Targeting Families?

Key warning signs include: an unexpected call from a family member claiming to be in emergency distress; pressure to send money immediately via wire transfer, gift cards, or cryptocurrency; requests to keep the situation secret from other family members; and slight vocal quality differences or unusual phrasing. Establish a family code word in advance – any emergency call that doesn’t include it should be verified before any money moves.

Sources

  • “Why CIOs Can’t Ignore the Rising Tide of Deepfake Attacks”, 2025, Gartner, https://www.gartner.com/en/newsroom/press-releases/2025-09-02-why-cios-cannot-ignore-the-rising-tide-of-deepfake-attacks
  • “2025 Internet Crime Report,” 2026, FBI Internet Crime Complaint Center (IC3), https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf
  • “Cryptocurrency and AI Scams Bilk Americans of Billions,” 2026, FBI, https://www.fbi.gov/news/press-releases/cryptocurrency-and-ai-scams-bilk-americans-of-billions
  • “FBI Report: Internet Crime Losses Hit $20.9 Billion,” 2026, AARP, https://www.aarp.org/money/scams-fraud/fbi-ftc-report-2025-losses/
  • “NSA, FBI, and CISA Release Cybersecurity Information Sheet on Deepfake Threats,” 2023, CISA, https://www.cisa.gov/news-events/alerts/2023/09/12/nsa-fbi-and-cisa-release-cybersecurity-information-sheet-deepfake-threats
  • “Senior U.S. Officials Continue To Be Impersonated in Malicious Messaging Campaign,” 2026, FBI, https://www.fbi.gov/investigate/cyber/alerts/2025/senior-us-officials-continue-to-be-impersonated-in-malicious-messaging-campaign
  • “Cybercrime: Lessons Learned from a $25m Deepfake Attack,” 2025, World Economic Forum, https://www.weforum.org/stories/2025/02/deepfake-ai-cybercrime-arup/
  • “A Deepfake ‘CFO’ Tricked British Design Firm Arup in $25 Million Fraud,” 2024, Fortune, https://fortune.com/europe/2024/05/17/arup-deepfake-fraud-scam-victim-hong-kong-25-million-cfo/
  • “How to Protect Your Company from Deepfake Phishing Attacks,” 2025, Adaptive Security, https://www.adaptivesecurity.com/blog/deepfake-phishing
  • “Deepfake Phishing,” University of Florida IT Security, https://it.ufl.edu/security/learn-security/deepfakes/deepfake-phishing/
  • “Deepfake Statistics 2026: Verified Benchmarks and Risks,” 2026, Keepnet Labs, https://keepnetlabs.com/blog/deepfake-statistics-and-trends
  • “150+ Deepfake Statistics (March 2026),” 2026, Bright Defense, https://www.brightdefense.com/resources/deepfake-statistics/
  • “Vishing Statistics 2025: AI Deepfakes Drive $40B in Losses,” 2025, Deepstrike, https://deepstrike.io/blog/vishing-statistics-2025