Deepfakes have moved from novelty to a practical weapon — and Brian Long, CEO of Adaptive Security, says most organizations still aren’t built to handle what comes next. Long explains why AI-driven impersonation has become one of the fastest-growing forms of social engineering: it’s cheap, widely accessible, and increasingly convincing across channels that traditional security awareness programs don’t fully cover.

Long breaks down what he calls the “state of the art” in attacks: deepfake personas that combine voice and likeness with open-source intelligence to mimic real employees, executives, or trusted vendors. The result is an attacker who doesn’t just sound right — they can reference real details about roles, locations, coworkers, and family, making the request feel legitimate in the moment.

That’s why he argues awareness alone isn’t enough. As tells in deepfake audio and video fade, teams need updated controls and processes that don’t rely on spotting imperfections. Long points to familiar social-engineering pressure tactics — urgency, secrecy, and requests that break established workflows — as the signals that still matter most. If the message demands an exception, it should trigger verification, not compliance.

Adaptive Security’s approach blends AI with training by “thinking like the attacker.” Long describes how the company analyzes publicly available information about an organization, uses the same kinds of models adversaries would use, and then runs safe simulations to identify where people and processes break down. Those findings can drive targeted training as well as changes to policy and controls.

A key takeaway: the attack surface is widening beyond email. Long warns that voice and SMS are increasingly common paths for impersonation — even in BYOD environments where security teams may assume it’s “not their problem.” In the deepfake era, that assumption can become an open door.