Email has always been the nervous system of business communication and is trusted, immediate and universal. But that same trust has made it the most exploited vector for deception. It’s not just a tool for phishing or fraud, it is now the gateway to full-spectrum disinformation campaigns that blend text, voice and video into a single, coordinated deception.

When Sublime Security announced a $150 million funding round this October to scale its AI-powered email threat detection, it underscored an uncomfortable reality that enterprises are scrambling to protect a channel that attackers already treat as their primary weapon. At the same time, Valimail’s 2025 Disinformation and Malicious Email Report found that although more than 7.2 million domains have adopted authentication protocols like DMARC, nearly half are still configured with non-enforcing policies, leaving their brands and customers vulnerable to impersonation.

The result is a paradox: the most mature communication medium in business is also the least verified.

The Anatomy of a Modern Email Deception

A decade ago, phishing detection relied on finding grammatical errors and generic urgency. Those crude tactics have vanished. In their place, we now face highly orchestrated campaigns that blend linguistic precision with AI-generated credibility.

Generative models learn an executive’s tone and syntax from public posts, press releases and meeting transcripts. Attackers then craft messages indistinguishable from authentic correspondence. 

But the real innovation isn’t the text, it’s the choreography. A fraudulent email may serve only as the opening move. Within minutes, the target receives a confirming voice message that sounds like the executive whose name appears in the signature block. A deepfaked video may follow, asking for “final authorization.”

Email opens the door; other channels walk through it.

Sector-specific Exposure

Some industries are practically designed for exploitation.

Financial services remain a prime target. Deloitte’s Center for Financial Services projects losses from AI-assisted impersonation and deepfake-enabled wire diversion to exceed $40 billion by 2027. In these environments, an email from a senior partner or client instructing a funds transfer can trigger irreversible movement of capital within minutes.

Healthcare is equally vulnerable. The Valimail report noted that only 36% of healthcare domains have adopted any DMARC policy. Hospitals and insurers rely heavily on email for patient data exchange and vendor coordination, which makes them ripe for impersonation-based breaches that appear compliant on the surface.

Government agencies face a different risk: narrative manipulation. An attacker doesn’t need to steal money; they only need to distribute a forged announcement or policy update from a spoofed domain. When that email reaches journalists or citizens, the damage to public confidence is immediate and often irreversible.

The Cross-Channel Problem

Traditional email defenses are built on a static model that scans for malicious links, attachments or domain anomalies. That model collapses when attacks span channels.

Phishing now converges with vishing (voice impersonation) and smishing (SMS lures). In coordinated operations, one medium legitimizes the other. A phishing email primes the target to expect a call; the call delivers urgency; a follow-up text finalizes the request. It can all seem too convenient to be fake, leading many to fall for it.

A staggering 64% of businesses report facing BEC attacks in 2024, with a typical financial loss averaging $150,000 per incident. Email, in this structure, functions like reconnaissance artillery. It identifies the target, softens defenses and clears the path for a direct hit through more personal media.

The Illusion of Authenticity

Deepfake synthesis accelerates the collapse of traditional verification. A three-second audio sample can now be used to clone a human voice with 97% accuracy. Video synthesis tools replicate micro-expressions and ambient lighting in real time, making it nearly impossible for recipients to discern authenticity through instinct alone.

Consider an email that includes an embedded .mp4 message: a familiar executive’s face authorizes a change in payment routing or confirms a new vendor account. The message passes authentication checks because the email originates from a legitimate domain. The deepfaked video within becomes the payload.

Security gateways aren’t designed to question whether the face in that video is real.

Governance and Verification Gaps

The weakest link is not technology but policy.

1. Roughly 48% of Fortune 500 companies still use non-enforcing DMARC policies (“p=none”).
2. 71% of U.S. state government domains remain unauthenticated.
3. Only one in five enterprises tracks how quickly spoofed-domain attacks are remediated once identified.

These gaps exist because responsibility for email security often falls between departments. IT, compliance and marketing all claim partial ownership but rarely coordinate enforcement and attackers exploit this diffusion of accountability.

What Needs to Change

Executives must begin treating email not as an operational tool but as an identity verification layer that requires the same rigor as physical access control or payment authorization.

1. Mandate strict domain authentication. “Monitor-only” DMARC is no longer acceptable. Enforcement (“p=quarantine” or “p=reject”) should be standard practice for all corporate and subsidiary domains.
2. Correlate multi-channel signals. Email should not exist in isolation from phone, video or chat logs. Correlation engines can detect when a spoofed domain and a spoofed voice appear in the same transaction window.
3. Reframe incident response. The first suspicious email must trigger checks across all other communication systems, not just mailbox quarantines.
4. Educate for synthesis. Awareness programs must demonstrate not only textual phishing but multimedia deception. Employees should hear what a deepfaked voice sounds like and see synthetic video artifacts firsthand.
5. Measure time-to-trust. Organizations should track the time between detection and authentication to reduce the window during which misinformation can propagate internally or externally.

Beyond Containment

The question is no longer whether email will be exploited; it’s already happening. The question is whether enterprises will continue to treat each communication channel as an island. Attackers have learned to merge them; defenders must do the same.

If email remains the primary entry point, then the defense must extend beyond filters and awareness. It must fuse technical validation, behavioral correlation and executive accountability into a single framework that distinguishes communication from fabrication.

The inbox is no longer neutral territory. It’s the first front in the information war and, increasingly, the place where truth itself is tested.