AI-powered email threats evolve, creating new security challenges for businesses

Email, long considered the backbone of business communication, has become the primary vector for sophisticated cyber deception campaigns. As attackers blend email with voice and video technology to create seamless multi-channel attacks, organizations face increasing difficulty distinguishing legitimate communications from elaborate fraud.

Security firm Sublime Security’s recent $150 million funding round highlights the urgent need for advanced email threat detection. The investment comes as enterprises struggle to protect what has become attackers’ weapon of choice. According to Valimail’s 2025 Disinformation and Malicious Email Report, while over 7.2 million domains have implemented authentication protocols like DMARC, nearly half use non-enforcing policies, leaving them vulnerable to impersonation attacks.

This creates a troubling contradiction: business’s most established communication medium remains its least secure.

Modern email deception bears little resemblance to the obvious phishing attempts of the past. Gone are the days of spotting scams through grammatical errors or generic urgent requests. Today’s attacks feature linguistically precise messages crafted using generative AI models that can mimic an executive’s communication style by analyzing public statements, press releases, and meeting transcripts.

What makes current attacks particularly dangerous is their cross-channel coordination. An initial fraudulent email might be quickly followed by an AI-generated voice message that sounds identical to the supposed sender. In some cases, a deepfaked video conference call might follow, asking for “final authorization” on a transaction. The email merely initiates the attack—other communication channels complete it.

Certain industries face heightened risk due to their operational structures. Financial services remains a prime target, with Deloitte’s Center for Financial Services projecting losses from AI-assisted impersonation and deepfake-enabled wire fraud to exceed $40 billion by 2027. In financial environments, a single convincing email from a seemingly trusted source can trigger multimillion-dollar transfers within minutes.

Healthcare organizations are equally vulnerable, with Valimail noting only 36% of healthcare domains have adopted any DMARC policy. The sector’s heavy reliance on email for patient data exchange and vendor coordination creates opportunities for impersonation attacks that can compromise sensitive information.

Government agencies face a different threat: narrative manipulation. Rather than financial theft, attackers aim to distribute forged announcements or policy updates from spoofed domains. When these fraudulent communications reach journalists or the public, they can immediately damage public confidence—often irreparably.

Traditional email defenses are increasingly ineffective against attacks that span multiple communication channels. Modern campaigns seamlessly integrate phishing emails with voice impersonation (vishing) and SMS-based lures (smishing). In these coordinated operations, each medium reinforces the others: an email prepares the recipient for a phone call, the call creates urgency, and a follow-up text finalizes the request.

Business email compromise (BEC) attacks affected 64% of businesses in 2024, with average financial losses of $150,000 per incident. In these attacks, email functions as a reconnaissance tool, identifying targets and weakening defenses before the main attack through more personal channels.

Deepfake technology has exacerbated these problems. Modern voice synthesis can clone a human voice with 97% accuracy using just a three-second audio sample. Video synthesis tools can replicate facial expressions and ambient lighting in real-time, making it nearly impossible to visually determine authenticity.

The governance framework around email security remains inadequate. Approximately 48% of Fortune 500 companies still use non-enforcing DMARC policies, 71% of U.S. state government domains remain unauthenticated, and only 20% of enterprises track remediation time for spoofed-domain attacks.

These vulnerabilities persist partly because responsibility for email security is fragmented across departments. IT, compliance, and marketing may all claim partial ownership without effective coordination, creating accountability gaps that attackers readily exploit.

Security experts recommend treating email as an identity verification layer requiring the same rigor as physical access control. Organizations should enforce strict domain authentication, correlate signals across communication channels, expand incident response to check all systems when suspicious emails appear, train employees to recognize multimedia deception, and measure authentication speed to minimize misinformation spread.

As email continues to serve as attackers’ primary entry point, organizations must extend defenses beyond traditional filters and awareness training, developing integrated frameworks that fuse technical validation, behavioral analysis, and executive accountability to distinguish legitimate communications from sophisticated fabrications.