What makes AI-enhanced phishing harder to spot?

Generative AI removes the classic tells. Messages have correct grammar, match a target's tone and context, and can be personalised at scale using scraped data. The old advice of looking for typos no longer works, so detection must rest on process rather than spotting mistakes.

How do AI voice-cloning (vishing) scams work?

An attacker captures a few seconds of someone's voice — from a voicemail, video, or call — and clones it to leave urgent requests, often pretending to be an executive or family member asking for a transfer or credentials. The voice sounds right, which is exactly why an out-of-band call-back is the defense.

What is the single most effective defense?

Out-of-band verification. Any unusual request involving money, credentials, or sensitive data is confirmed through a separate, known channel — calling back a number you already have, not one supplied in the message. This neutralises a convincing voice, face, or email because the attacker does not control the second channel.

Are deepfake video calls a real threat?

Yes. Real-time deepfakes have been used to impersonate executives on video calls and authorise large transfers. Defenses include code words, asking the person to perform an unexpected action live, and never approving high-value actions on the strength of a video call alone.

Does this replace formal security training?

No. It is an awareness aid. Combine it with your organisation's formal training, technical controls like email authentication and MFA, and clear approval workflows for financial and access requests.

AI Social Engineering Awareness Guide

Generative AI has made social engineering dramatically more convincing. The grammar is perfect, the voice on the phone sounds like your CFO, and the spear phish references a project you really are working on. The defensive instincts that used to work — spotting typos, sensing a “off” tone — no longer hold. This interactive guide walks through the main AI-enhanced attack patterns, the signals that still give them away, and the process-based defenses that work even when the content is flawless.

How it works

Pick an attack type — AI-generated phishing, voice-cloning (vishing), or deepfake impersonation — and the guide shows the way the attack typically unfolds, the detection signals that remain reliable, and the recommended response. The through line is the same across all three: because AI can fake the content, your defense has to rest on process — out-of-band verification, code words, and approval workflows the attacker cannot reach. Nothing is sent anywhere; the guide runs entirely in your browser.

Building organisational defenses

Out-of-band verification. Confirm any money, credential, or data request through a separate known channel — never a number or link in the message.
Approval workflows. Require two-person approval for high-value transfers so no single convincing message can move funds.
Code words. Agree a shared word for sensitive voice/video requests; a clone will not know it.
Assume the content is perfect. Train people that flawless grammar and a familiar voice are no longer reassurance — process is.

AI Social Engineering Awareness Guide

AI social engineering awareness

How it works

Building organisational defenses