
Your CFO receives a call from you—your voice, your cadence, a reference to yesterday’s board discussion. The request is urgent but reasonable: authorize a wire transfer before a competitor moves. The call is a fake, built from a few seconds of audio scraped from an earnings call and context pulled from a LinkedIn post your IR team published that morning. AI social engineering works this way because it exploits something no technology can address: trust. And as the tools get cheaper and the fakes get better, the gap that determines whether your organization falls for it is cultural, not technical.
The economics of deception have changed
Social engineering has always worked. Phishing emails, pretexting calls, impersonation schemes—these predate generative AI by decades. What’s different now is the cost curve. Attacks that once required research, language skill, and careful targeting can now be produced at scale, in any language, with personalization that would have been impractical even two years ago.
The numbers reflect the shift. According to SoSafe’s 2025 survey, 87% of security leaders reported an increase in AI-based social engineering attacks over the prior 24 months. Deepfake files grew from roughly 500,000 in 2023 to more than eight million in 2025. Voice cloning tools need as little as three seconds of source audio to produce a convincing match—audio easily pulled from a podcast appearance, a conference keynote, or a company webinar. Resilience has explored what a live deepfake actually looks like in practice, and the results are sobering even for security professionals.
For executives, the exposure is personal. Seventy-one percent of business leaders in that same survey discovered fake profiles of themselves online. Gartner reports that 62% of organizations experienced at least one deepfake attempt in the past 12 months. In one of the most widely reported cases, a finance employee at a multinational firm authorized $25.6 million in transfers after joining a video call where every other participant was an AI-generated deepfake. The employee saw familiar faces, heard familiar voices, and followed what appeared to be a routine instruction.
Why traditional detection methods are failing
For years, security awareness training taught employees to look for signals: misspelled words, suspicious sender domains, unusual formatting. Those heuristics assumed a baseline level of attacker sloppiness. Generative AI has eliminated that assumption. When a third of phishing emails show signs of AI generation—polished grammar, contextually appropriate language, no telltale formatting errors—the old playbook stops working.
The attack surface has also expanded well beyond email. Threat actors are using AI to impersonate executives on WhatsApp, clone voices for callback scams, and create convincing video presences in live meetings. A third of business leaders reported increases in attempts to imitate internal business processes, including workflow approvals and payroll changes. One email spoof was so accurate that the executive whose identity was used initially believed he had written it himself.
The implication for leadership teams is straightforward: if your defense strategy depends on employees catching something that looks wrong, you are relying on a control that is degrading faster than you can improve it.
Security culture determines who gets caught
Culture is the control that separates organizations that catch these attacks from those that don’t. It comes down to whether your people default to verification over speed, and whether leadership has made that behavior safe and expected.
Resilience’s analysis of security maturity across its portfolio reveals sharp differences in how organizations handle this kind of risk. The maturity levels that define how organizations approach security map directly to social engineering resilience. Organizations with a punitive culture—where the response to a clicked phishing link is to blame—train their people to hide mistakes rather than report them. Organizations where security is treated as a procedural checkbox produce employees who complete the annual training and promptly forget it. Neither posture prepares anyone for a deepfake call from the CEO.
The organizations that perform best share a set of cultural traits. They treat verification as standard operating procedure. They empower employees at every level to slow down a transaction, challenge an instruction, or escalate a suspicion without fear of looking foolish. And critically, that behavior is modeled from the top. When the CEO says “I expect you to verify any unusual request, even if it comes from me,” the organization’s threat surface shrinks. Getting security buy-in across the organization starts with leadership making verification a norm, not an exception.
This is what moves an organization from asking “Why did they click that link?” to asking “What is the likely business impact, and are we structured to contain it?”
What executives should do now
For executives, the action items are cultural, and they are tied directly to the values that leadership models. The single most important step executives can take is to embrace the mindset that cyber threats are business threats, not “IT problems.” Framed that way, the need for executives themselves to become vocal security champions across the entire organization quickly becomes self-evident. They need not be experts in cybersecurity or technology; they need only be strong and vocal supporters of security initiatives, efforts, and investments.
They should seek to establish out-of-band verification as policy for any high-value transaction—meaning confirmation through a separate, pre-agreed channel that cannot be spoofed in the same attack. Make it clear across the organization that slowing down to verify is expected and supported behavior. They should also invest in training for scenario-based exercises that go beyond email phishing simulations to include voice and video impersonation, encouraging employees to practice skepticism in the channels where AI social engineering actually lands.
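The out-of-band rule described above can be written down as an approval gate, so that what counts as “a separate, pre-agreed channel” is explicit rather than left to judgement under pressure. The following is an added illustration, not code from the article or from Resilience; the threshold, the directory of record, the contact values and the three scenarios are all constructed for the example. The gate approves a high-value transfer only when the verifier initiated the confirmation (a reply inside the same call or thread does not count) and reached the contact held on file for the claimed requester, never a contact offered in the request itself.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example data: contacts are recorded in advance, never taken from a request.
DIRECTORY_OF_RECORD: Dict[str, str] = {
    "cfo@example.com": "+1-555-0100",
}

HIGH_VALUE_THRESHOLD = 10_000.00  # assumed policy threshold, not a figure from the article


@dataclass
class TransferRequest:
    requester: str                        # identity the request claims to come from
    amount: float
    channel: str                          # where the instruction arrived: "voice", "email", "video"
    callback_hint: Optional[str] = None   # a contact the requester offered ("call me back on ...")


@dataclass
class Verification:
    outbound: bool   # True if the verifier initiated the contact; a reply inside the
                     # original call or thread is not out-of-band
    contact: str     # the contact the verifier actually reached
    confirmed: bool  # whether the person reached confirmed the request


@dataclass
class Decision:
    approved: bool
    reason: str


def decide(request: TransferRequest, verification: Optional[Verification]) -> Decision:
    """Apply the out-of-band rule: above the threshold, approve only on an outbound
    confirmation to the contact on record for the claimed requester."""
    if request.amount < HIGH_VALUE_THRESHOLD:
        return Decision(True, "below high-value threshold; standard approval applies")
    if verification is None:
        return Decision(False, "high-value transfer requires out-of-band verification")
    on_record = DIRECTORY_OF_RECORD.get(request.requester)
    if on_record is None:
        return Decision(False, f"no contact on record for {request.requester}; cannot verify")
    if not verification.outbound:
        return Decision(False, f"confirmation came back inside the same {request.channel} conversation as the request")
    if verification.contact != on_record:
        if verification.contact == request.callback_hint:
            return Decision(False, "callback contact was supplied in the request, not taken from the directory")
        return Decision(False, "verification reached a contact that is not on record")
    if not verification.confirmed:
        return Decision(False, "requester did not confirm when reached on the contact on record")
    return Decision(True, "confirmed out of band on the contact of record")


def deepfake_callback_scenario() -> Decision:
    """A cloned voice asks for a wire and offers a number to 'confirm' on;
    the verifier calls that number instead of the one on file."""
    request = TransferRequest("cfo@example.com", 250_000.00, "voice", callback_hint="+1-555-0199")
    return decide(request, Verification(outbound=True, contact="+1-555-0199", confirmed=True))


def same_thread_scenario() -> Decision:
    """The verifier asks 'are you sure?' on the same video call and gets a yes."""
    request = TransferRequest("cfo@example.com", 250_000.00, "video")
    return decide(request, Verification(outbound=False, contact="video-call", confirmed=True))


def compliant_scenario() -> Decision:
    """The verifier ends the call and dials the CFO's number on record, who confirms."""
    request = TransferRequest("cfo@example.com", 250_000.00, "voice")
    return decide(request, Verification(outbound=True, contact="+1-555-0100", confirmed=True))


if __name__ == "__main__":
    for name, fn in [("deepfake callback", deepfake_callback_scenario),
                     ("same thread", same_thread_scenario),
                     ("compliant", compliant_scenario)]:
        d = fn()
        print(f"{name}: {'APPROVED' if d.approved else 'REJECTED'} ({d.reason})")
```

The two rejections are the point: a confirmation is only as good as where its contact details came from, and a “yes” obtained on the channel the attacker already controls verifies nothing. Running the scenarios also makes a useful tabletop exercise, since each rejection reason is a sentence a finance analyst can be expected to say out loud.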
Ask your organizational leadership one question: if someone deepfaked my voice on a call to our finance department today, what would happen? If the honest answer is that the transfer would go through, the problem is not your technology stack; it is your culture. AI has made deception nearly free, and the organizations that withstand it are the ones where skepticism is a habit, not an afterthought.