Mario Paez
Executive Vice President & National Cyber Risk Leader
Artificial intelligence (AI) is capable of impressive advancements, particularly in healthcare. However, it can also produce concerning results.
Cybercriminals are using AI to attack American businesses—extracting money, planting malware, and damaging corporate reputations. These attacks are becoming more common and sophisticated each year.
According to the Wall Street Journal, over 105,000 deepfake attacks on American companies were reported in 2025. This number may understate the issue, as many organizations do not disclose attacks to avoid reputational damage.
Types of deepfakes used in attacks
AI-generated phone messages/calls
Cybercriminals forge or steal identity documents or create entirely computer-generated identities to bypass verification processes. They use manipulation and impersonation tactics to convince victims to share sensitive data or transfer funds.
Creating and promoting malicious links
AI can imitate the writing style and tone of a trusted colleague or executive, mention real projects, or refer to recent transactions, making the link appear legitimate and increasing the likelihood of a user clicking on it.
AI-generated emails and phone messages
According to the VIPRE Security Group, AI-generated emails may account for 40% of email threats against employees at U.S. corporations. These emails, phone calls, or messages can sound like they’re coming from the CEO, CFO, or other managers, vendors, bankers, and more.
Hackers may use AI to analyze CRM data to access relevant details about employees, making social engineering attempts harder to recognize. AI can create highly sophisticated, professional, and grammatically correct text that avoids the mistakes of traditional scams. It can even access past email conversations to make deepfakes appear more authentic.
AI-generated email campaigns may be successful 54% of the time, according to a Cornell University study, and Egress.com reports that 94% of organizations fell victim to phishing attacks in 2024.
AI can even create realistic voice impersonations that can trick employees into believing someone from the C-suite or other managers is requesting a money transfer to an account owned by the hackers. This tactic is known as “vishing,” and it’s on the rise. Keepnet Labs, a risk management platform, found that 70% of organizations have been attacked using vishing, and 77% of AI-powered voice phishing victims lost money as a result of the attack, according to McAfee.
In a landmark case, an employee of a UK engineering firm made a routine transfer of millions of company dollars after a video call with senior management. It turned out the employee hadn’t been talking to company managers at all, but to deepfakes created by AI. The employee was tricked into sending $25 million to criminals.
Deepfake videos on social media
These can be difficult to detect and potentially dangerous. What makes social media attacks different can be the purpose of the attack.
Deepfake videos of high-profile figures promoting fake cryptocurrency schemes are resulting in significant financial losses for victims. In June 2024, a YouTube Live broadcast ran for five hours using a deepfake of Elon Musk that appeared to be from a Tesla event. The livestream successfully instructed over 30,000 viewers to send Bitcoin, Ethereum, or Dogecoin to a fraudulent website.
Other harms from deepfake videos can also be damaging:
- Deepfakes can spread false information to manipulate a company's stock price.
- Malicious deepfakes can spread defamatory content about executives or company practices, damaging a company’s reputation.
- Scammers create deepfake ads using a company's branding to promote fake products or investment opportunities on social media, designed to steal customers’ personal information.
How to protect against deepfake attacks
- Establish strict verification procedures.
- Provide employees with ongoing education and training.
- Rehearse your protocols.
- Require at least two people for approvals.
- Use AI-based detection solutions.
- Be careful with your digital footprint.
Traditional phishing training may help reduce deepfake scams, as any preparation is better than none. However, traditional cybersecurity training doesn’t adequately prepare employees to identify and combat modern deepfake technology. That’s why using AI to combat AI-generated scams may be effective. Simulation training specifically designed to replicate deepfake scams creates more awareness and helps with prevention.
How Marsh McLennan Agency can help
Marsh McLennan Agency (MMA) offers tools and expertise to help ensure your organization is equipped to prevent and respond to potential deepfake cyberattacks. It’s important to work with an insurance partner who understands your needs. MMA can help customize coverage to fit your unique exposures.
We can also provide you with our Cyber Resiliency Network (CRN), a vetted partner resource focused on three key areas of cyber risk management:
- Proactive information security
- Privacy law compliance and risk management
- Employee cybersecurity training and education
At MMA, we aim to provide clients with timely and actionable information so you are prepared to confidently address cyber risk threats and navigate risk transfer solutions and the cyber insurance marketplace.
Contact your local MMA risk specialist to discuss potential vulnerabilities that may be impacting your cybersecurity.
For more on cybersecurity, join MMA’s webinar, AI Compliance & Cybersecurity: Reducing Risk Across Your Organization, with Mario Paez, EVP, National Cyber Risk Practice leader.
