Seeing Isn’t Believing: AI Impersonation Forces a New Security Playbook

Key Points

• New research suggests AI-powered impersonation attacks are surging, with attackers using deepfake voice, video, and messaging to exploit human trust.
• 53% of organizations have been impacted by these schemes, but traditional phishing defenses are failing to keep up with AI-driven social engineering risks.
• IANS Faculty say AI removes traditional phishing signals and enables attackers to exploit identity and trust at scale, forcing a shift from awareness-based training to verification-based controls.

Seeing Isn’t Believing: AI Impersonation Forces a New Security Playbook

Security researchers say AI impersonation attacks are rapidly accelerating, opening a “second front” in cyber risk that organizations are unprepared to address.

According to a new report from Outtake, people are the “most exposed and the least protected” attack surface, with executive or employee impersonation impacting over half (53%) of organizations this year.

AI’s ability to create and scale convincing deepfake voices or videos, as well as phishing messages, has lowered the technical barrier for threat actors to impersonate executives or brands.

“Each finding traces back to the same problem: a coordinated, AI-amplified threat operating across channels and surfaces is being met by a fragmented response that no single team owns, and no single platform defends against,” the report states.

Big Picture

AI-impersonation schemes have evolved into one of the most serious threats facing organizations today. Attackers now operate with speed, scale, and precision that compress the window for detection and verification. The tells that once signaled fraud have largely disappeared, replaced by highly convincing, context-aware lures.

"AI has industrialized impersonation. The breakthrough is that attackers can now do it cheaply, at scale, and fast enough to collapse the time available for verification. Bad grammar is gone. Awkward phrasing is gone. The friction that used to expose a scam is disappearing.”  Jeff Brown, IANS Faculty.

The exposure is not limited to executives. While high-authority individuals remain prime targets, the attack surface now extends across anyone capable of executing high-impact actions -- approving payments, changing credentials, or sharing sensitive data.

"Most successful AI-enabled impersonation attacks succeed because organizations still rely on trust signals that AI can now counterfeit: a familiar voice, an executive's likeness, a known email style, or an urgent request that appears to come from a trusted source. We are rapidly approaching a world where ‘seeing is believing’ and ‘hearing is believing’ are no longer valid security assumptions.”  Dave Shackleford, IANS Faculty.

 

IANS Faculty Recommendations

• Update incident response plans: Review IR plans to account for deepfake and AI-enabled social engineering attacks. Conduct tabletop exercises that include specific response plans for AI-generated voice, video, and executive impersonation scenarios.
• Expand phishing training programs: Include voice, video, SMS, collaboration platforms, and social media impersonation threats. Train employees that a familiar voice, face, email, or video is no longer proof of identity.
• Enhance access control: Require out-of-band verification for wire transfers, vendor payment changes, MFA resets, password resets, and privileged access requests and implement stronger identity verification controls for help desks, service desks, and high-risk business processes.
• Assume AI-powered impersonation attempts will increase: Integrate fraud prevention, threat intelligence, executive protection, and cybersecurity teams to improve visibility into impersonation attacks. 

       Dave Shackleford, IANS Faculty

Authors & Contributors

Emily Dempsey, Author, IANS News

Jeff Brown, IANS Faculty

Dave Shackleford, IANS Faculty

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our News & blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.