Is Email the Entry Point to a Well-Rounded Disinformation Attack?

Email has long been the nervous system of corporate communication, prized for its immediacy and universality. Yet that trust makes it the most attractive attack surface, especially as generative AI lowers the cost of crafting believable messages. While 7.2 million domains now publish DMARC records, the Valimail 2025 report shows nearly 50 % still run in monitor‑only mode, leaving brands exposed to sophisticated impersonation. The paradox is clear: the most mature channel is also the least verified.

Modern BEC campaigns no longer rely on generic urgency; they choreograph email, voice and video into a single deception. Attackers train generative models on an executive’s public statements, then deliver a phishing email that triggers a deep‑faked voice call and an embedded video confirming the request. Financial services anticipate $40 billion in AI‑assisted wire fraud losses by 2027, while only 36 % of healthcare domains enforce DMARC, and 71 % of U.S. state government sites remain unauthenticated. The result is a multi‑modal attack surface where a single inbox breach can cascade into monetary theft or narrative manipulation.

Defenders must treat email as an identity‑verification layer rather than a simple transport mechanism. Enforcing DMARC with quarantine or reject policies, correlating signals across voice, video and SMS, and measuring time‑to‑trust are essential first steps. Organizations should deploy AI‑driven orchestration platforms that flag concurrent spoofed domains and synthetic media, while continuous training exposes employees to deepfake cues. By aligning IT, compliance and communications under a unified governance model, enterprises can close the policy gaps that attackers exploit and restore confidence in the inbox as a secure front line.