For years, the advice for spotting a phishing email came down to one thing: look for the mistakes. Bad grammar, awkward phrasing, a sender name that did not quite match. That advice is finished. New research this week puts AI-generated content in 82.6% of phishing emails, which means the linguistic red flags people were trained to catch are now the exception. The time it takes to build a convincing lure has dropped from days to minutes.
The voice on the phone is the new problem
Email is only half of it. KENSAI and Ponemon report a 300% rise in deepfake-enabled business email compromise since January 2025, and synthetic voice or video now features in most BEC events above 500,000 USD. Their estimate for deepfake-assisted BEC losses in the first quarter of 2026 alone is around 2.1 billion USD worldwide.
Mimecast documented one campaign, tracked as MCTO5005, where attackers impersonate law firms, send documents through DocuSign or Adobe Sign to look legitimate, then follow up with a deepfake voice call to push a fraudulent payment instruction. The targets are banking and financial services, where a single approved wire can be the entire heist.
Why your current filters are losing ground
Content-based detection assumes the attacker leaves traces in the text. AI removes them. The message reads like your vendor wrote it, the invoice matches a real format, and the voice sounds like your CFO because it was built from a few seconds of a recorded talk. One analysis this week found that AI-assisted defenses cut per-incident handling time by about 16%, but the same technology on the offensive side raised volume, speed and evasiveness enough that net risk stayed elevated. Faster triage does not help when the attacks arrive faster still.
What actually holds up
The controls that survive this shift are the ones that do not depend on spotting a fake.
Move your high-risk users, meaning finance, executives and IT admins, to phishing-resistant MFA such as FIDO2 or WebAuthn. SMS and one-time codes do not hold up against real-time relay attacks.
Put out-of-band verification on anything that moves money or changes trust. A call back to a known number, not the one printed in the email. A second approver for new bank details. A mandatory pause on any payment change framed as urgent. These steps feel old-fashioned, and that is the point. A synthetic voice cannot pass a control it never touches.
Shift detection toward behavior rather than language. A changed payment instruction, a new mailbox forwarding rule, a login from an unusual path: none of those signals care how well the email was written. And retrain people on the real shape of the attack. The lesson is no longer "look for typos." It is "verify the request through a separate channel, every time, with no exception for urgency."
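The behavioural signals listed above, as an added example that is not part of the original article: a small detector run over constructed, normalised audit events (sign-ins, a new mailbox rule, a vendor-master edit). The user names, domains, vendor and thresholds are assumptions; none of the events is real telemetry.

```python
from collections import defaultdict

# Constructed sample events for this example (not from any real tenant):
# sign-ins, a mailbox-rule change and an ERP vendor-master edit, flattened
# into one shape the way a SIEM normalisation step would produce them.
EVENTS = [
    {"ts": "2026-04-01T08:02Z", "user": "cfo", "kind": "login", "country": "DE"},
    {"ts": "2026-04-01T17:30Z", "user": "cfo", "kind": "login", "country": "DE"},
    {"ts": "2026-04-02T09:10Z", "user": "ap-clerk", "kind": "login", "country": "DE"},
    {"ts": "2026-04-03T02:41Z", "user": "cfo", "kind": "login", "country": "NG"},
    {"ts": "2026-04-03T02:44Z", "user": "cfo", "kind": "inbox_rule",
     "forward_to": "cfo.backup@external.example"},
    {"ts": "2026-04-03T02:50Z", "user": "ap-clerk", "kind": "vendor_change",
     "vendor": "ACME GmbH", "field": "iban", "old": "DE00..01", "new": "GB00..99"},
]

INTERNAL_DOMAINS = {"corp.example"}    # assumed: the organisation's own mail domains
BANK_FIELDS = {"iban", "bic", "account_number", "routing_number"}
MIN_BASELINE_LOGINS = 2                # sign-ins needed before a country counts as unusual


def behavioural_alerts(events, internal_domains=INTERNAL_DOMAINS):
    """Return alerts that depend on what the actor did, never on how an email reads."""
    alerts = []
    seen_countries = defaultdict(list)  # user -> countries of earlier sign-ins
    for e in sorted(events, key=lambda x: x["ts"]):
        user, kind = e["user"], e["kind"]
        if kind == "login":
            prior = seen_countries[user]
            if len(prior) >= MIN_BASELINE_LOGINS and e["country"] not in prior:
                alerts.append({"rule": "unusual_login_path", "user": user,
                               "ts": e["ts"], "severity": "medium"})
            prior.append(e["country"])
        elif kind == "inbox_rule":
            # Any new forwarding rule is worth a look; forwarding off-tenant is the classic BEC foothold.
            domain = e["forward_to"].rsplit("@", 1)[-1].lower()
            external = domain not in internal_domains
            alerts.append({"rule": "new_forwarding_rule", "user": user, "ts": e["ts"],
                           "severity": "high" if external else "low"})
        elif kind == "vendor_change" and e["field"] in BANK_FIELDS:
            # Bank-detail edits always go to out-of-band confirmation, whatever the covering email said.
            alerts.append({"rule": "payment_instruction_change", "user": user,
                           "ts": e["ts"], "severity": "high",
                           "action": f"call back {e['vendor']} on the number on file"})
    return alerts


if __name__ == "__main__":
    for alert in behavioural_alerts(EVENTS):
        print(alert)
```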
Regulators are pushing the same way
The defensive bar is rising in parallel. Under NIS2, the NIS Cooperation Group adopted common incident-reporting templates, and practitioners are treating June 30, 2026 as a real milestone now that most EU member states are enforcing. On DORA, supervisors are publishing detailed reporting timelines, a sign the regime has moved from principles to mechanics. The throughline is that you will increasingly have to show, on a clock, that you can detect, contain and report.
AI did not invent social engineering. It made the cheap version as convincing as the expensive one used to be, and put it within reach of almost anyone. The organizations that hold up are not the ones with the best email filter. They are the ones that assume the message is fake and verify the request anyway. If you would rather see that posture than read about it, the product tour walks through how we turn exposure and live threat intelligence into prioritized action.