BY MICHAEL WAYNE, FULTON MAY SOLUTIONS
In my work helping clients optimize their Microsoft 365 environments and modernize operations, I often say that technology is only as strong as the people using it. We spend months designing scalable environments and refining workflows, but in 2026, the “human element” is under attack like never before.
While we often focus on technical vulnerabilities like unpatched software, research shows that the human element is involved in 74% of all data breaches, whether through phishing, stolen credentials, or simple error. But the “phishing” of today looks nothing like the poorly written emails of the past. It has evolved into a sophisticated financial weapon.
The Silent Financial Threat: Business Email Compromise (BEC)
For professional services firms, the most dangerous threat isn’t always a noisy ransomware attack; it’s the quiet, targeted deception of Business Email Compromise (BEC). This is where criminals impersonate a trusted figure—a senior partner, a client, or a known vendor—to trick an employee into redirecting a legitimate payment.
Attackers generally use one of two methods:
- Hacking: They use malware to gain unauthorized access to a legitimate email account, watching conversations to strike at the perfect moment.
- Spoofing: They create a nearly identical email address that deceives recipients who might miss a single substituted letter.
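As an added illustration of the spoofing method (example code, not part of the original post or of Fulton May's tooling), the check below flags sender domains that are look-alikes of trusted counterparties: digits swapped for letters, “rn” for “m”, or a known brand name embedded in an unfamiliar domain. The trusted domains and sample addresses are constructed placeholders.

```python
from typing import Optional, Tuple

# Constructed list of counterparties the firm actually deals with.
TRUSTED_DOMAINS = ("fultonmay.example", "acmevendor.example", "bigclientlaw.example")

# Substitutions that are easy to miss at a glance.
_PAIRS = (("rn", "m"), ("vv", "w"))          # two letters that read as one
_SINGLES = str.maketrans("0135", "oles")     # digits that resemble letters


def normalize(domain: str) -> str:
    """Collapse common look-alike tricks so 'fu1tonrnay' compares as 'fultonmay'."""
    d = domain.lower().strip()
    for pair, single in _PAIRS:
        d = d.replace(pair, single)
    return d.translate(_SINGLES)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted', domain), ('lookalike', trusted_domain) or ('unknown', None)."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # A trusted brand inside another domain (acmevendor-payments.example)
        # or a domain within two edits of a trusted one is treated as a look-alike.
        if brand in norm or levenshtein(norm, normalize(trusted)) <= 2:
            return "lookalike", trusted
    return "unknown", None


if __name__ == "__main__":
    for addr in ("partner@fultonmay.example", "partner@fu1tonmay.example",
                 "ap@acrnevendor.example", "billing@acmevendor-payments.example",
                 "someone@webmail.example"):
        print(addr, "->", classify_sender(addr))
```

A “lookalike” result is a prompt for the out-of-band verification described later in this piece, not proof of fraud on its own.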
The financial impact is severe. In Australia alone, scammers stole over $152.6 million via these attacks in 2024, a 66% increase from the previous year.
The AI Escalation: The End of “Seeing is Believing”
As if standard BEC wasn’t enough, Generative AI has dramatically lowered the barrier for entry, leading to a surge in sophisticated “vishing” (voice phishing) and deepfake attacks.
The old advice of “hopping on a call to verify” is rapidly becoming obsolete due to two emerging technologies:
- AI Voice Cloning: Attackers can now create hyper-realistic impersonations of your executives or IT staff to conduct phone scams that are nearly indistinguishable from the real thing.
- Video Deepfakes: This is the new frontier. In a prominent case from 2024, a finance worker at the multinational firm Arup was tricked into paying out $25 million after attending a video call where the CFO and other colleagues were simulated using deepfake technology.
This fundamentally erodes the “seeing is believing” principle, posing a direct threat to verification processes that rely on voice or video confirmation for high-value transactions.
The Human Firewall: Your Primary Defense
Technology and processes are critical, but because these attacks target human trust, your people remain the final defense. AI tools have made social engineering attacks harder to spot, moving beyond the traditional red flags of poor grammar or generic greetings.
So, how do we translate this awareness into practical, “white-glove” service levels for your own internal teams?
- Mandate Multi-Factor Authentication (MFA): This is non-negotiable. Immediately enable MFA on all email accounts, remote access systems, and client portals. By requiring a second form of verification, you can block the vast majority of account compromise attempts. It is the single most effective control against the account takeovers that fuel BEC.
- Update Your Incident Response Playbooks: Don’t just have a plan; test it. Develop a specific playbook for BEC attacks.
– Run a Tabletop Exercise: Ensure your finance and legal teams know exactly who calls whom if money goes to the wrong place.
– Define Roles: Clear communication channels prevent panic and reduce financial impact.
- Verify “Out-of-Band”: If you receive a request for a payment change or urgent transfer, do not reply to the email. Call the requester on a known, trusted mobile number—not the number in the email signature. If the request comes via video and feels “off,” verify it through a secondary channel immediately.
We are moving into an era where we must “never trust, always verify”. By building these checks into your daily operations, we can protect your firm’s capital without disrupting the speed of business.