Resources

Lorem ipsum

Why Process Controls Alone Won’t Protect IT Service Desks Against Social Engineering and Deepfakes

Securing the Human Capital Supply Chain

Guest Blog: Securing the Human Layer – Social Engineering and Identity-Based Impersonation

North Korea’s IT Worker Campaigns Keep Working

Deepfakes Now Have Motion Control

Analyst Report: TAG Top Five Deepfake / Disinformation Detection Vendors (2026)

Deepfake Social Engineering and AI Impersonation Attacks Expose a Critical Gap in Cyber Threat Intelligence

10 minute read

Author

Sam Bakken

Director of Product Marketing

Date

2/19/2026

Blog

When most people think about cyber threat intelligence (CTI), they think of malware hashes, suspicious IP addresses, or malicious domains. Those indicators created the foundation for detecting and responding to adversaries for decades.

Today’s threat landscape has evolved, and the scope of threat intelligence must evolve along with it. Gartner reports that in the past 12 months alone, more than a third of cybersecurity leaders experienced deepfake-powered social engineering attacks against their employees during a video (36%) or audio call (44%).

The increasing prevalence of deepfake social engineering, voice cloning, synthetic personas, and other AI-powered impersonation highlights a new cybersecurity blind spot. Attackers don’t need to rely on zero-day exploits. Instead, they can exploit the lack of zero-trust security applied to business workflows occurring over phone calls and videoconferences. Voice cloning, face swaps, and synthetic personas exploit employee trust in what they see and hear.

A new frontier of threat actor tactics, techniques, and procedures (TTPs), and tooling remains largely invisible to traditional CTI programs. With visibility into those adversarial methods, information security teams can collect related intel to identify and stop these attacks before they cause harm.

What is the Current State of Cyber Threat Intelligence?

Cyber threat intelligence is the practice of understanding how adversaries operate and using that knowledge to proactively defend against them. For decades, CTI programs centered on technical telemetry such as file hashes, IP addresses, domains, email accounts, and exploit kits.

Frameworks like MITRE ATT&CK formalized this approach by mapping adversary “Groups” to the tactics and techniques they use such as Initial Access, Privilege Escalation, and Credential Access.

A recent example is Scattered Spider (G1015), which leverages the Impersonation technique (T1656) under the Defense Evasion tactic (TA0005) to pose as employees and persuade IT service desks to reset passwords or transfer multi-factor authentication (MFA) mechanisms to attacker-controlled devices.

In its current state, this intelligence focuses primarily on system-level attack signals such as:

What infrastructure (e.g., email domains) is the group using?
What systems is the group targeting?
What malware or tools is the group deploying?

Answering these questions remains essential to proactive defenses. However, attackers have increasingly pivoted to manipulating humans in real time over communication channels that remain largely out of sight of today’s security controls.

This gap is not a failure of CTI, but a limitation of its original scope.

A New, Largely Invisible Attack Surface

Threat intelligence starts with visibility. Cybersecurity teams can’t analyze what they can’t see or aren’t collecting and traditional CTI was not designed to monitor:

Video interviews
Voicemails/voice memos
Executive calls
IT service desk conversations
Customer support interactions

Channels such as these make up what we at GetReal Security call the human layer. The human layer is the attack surface created by digital interactions where identity is presented, interpreted, and manipulated in remote human interaction through voice, video, and images.

Every business day consists of countless real-time, remote interactions across these channels. Candidates interview with recruiters. Staff meet with vendors or partners. Customers contact support.

Increasingly, each of these interactions represents a potential initial access vector. There’s rarely any meaningful verification of the identities of participants in these conversations. Adversaries can blend into these remote business processes but, unlike network traffic or endpoint events, they’re not treated as telemetry, which creates an intelligence gap.

Expanding the Scope of Cyber Threat Intel: Real-Time Identity Telemetry

Traditional models tend to view code as the payload. In the human layer, however, identity is the payload. Instead of delivering an exploit or malware, the adversary delivers a voice or video likeness. And if default trust is successfully exploited, the threat actor achieves their objective without deploying malicious code.

As a result, enterprise threat intelligence programs need to expand to include the collection and analysis of these identity-layer artifacts alongside traditional signals.

Examples of Traditional CTI versus Human/Identity-Layer CTI

Traditional CTI Artifacts	Human/Identity-Layer CTI Artifacts
File hashes / malware signatures IP addresses and domains Geolocation E-mail addresses and infrastructure Indicators of compromise tied to system events	Adversary faces and voices Deepfake artifacts and synthetic voice signatures Behavioral anomalies in live interactions Environmental inconsistencies in video calls Impersonated faces and voices Caller/meeting participant IP, geolocation, e-mail

‍

This new form of CTI doesn’t replace existing indicators. Phone numbers, IP addresses, and email addresses remain relevant. But most organizations lack visibility into real-time voice and video platforms meaning even traditional indicators aren’t collected from or applied to these vectors.

Real-time identity-based attacks introduce additional signals that traditional controls do not capture. And both types of indicators can only be leveraged once artifacts from the human layer are also collected and treated as telemetry.

When an attacker calls the IT service desk posing as an executive, the incident shouldn’t be treated in isolation. Security teams need to know whether the executive has been impersonated previously, where those attempts occurred, and what stakeholders may have been exposed. Those signals provide human-layer threat intelligence.

By collecting and analyzing such human-layer identity signals – face consistency, voice characteristics, behavior patterns across interactions – security teams can transform digital communications into actionable intelligence.

Central to this approach is answering these questions in real time in digital interactions:

Is this content real or fake?
Is the presented identity who or what I think it is?
Given those assessments, what action should be taken?
Who’s behind it?

Multimodal identity defense, including platforms such as the GetReal Security Digital Trust and Authenticity Platform (DTAP), can then operationalize that intelligence by correlating and enforcing policy in real time to disrupt repeat and future attacks.

From Blind Spot to Control Plane

When adversaries target your organization at the human layer, they eventually need to connect with a person, typically over phone, videoconference, or other real-time channels. By doing so, they reveal information about themselves.

Whether they present their own face or voice in these communications or synthetic ones, those artifacts can be collected, tracked, and correlated. All of that done to flag it if it reappears, whether within the same or across peer organizations.

Enterprises’s historical lack of visibility into real-time digital interactions creates an intelligence gap that gives adversaries an advantage. By gathering, applying, and sharing indicators from these communication channels:

Impersonation attempts in progress can be disrupted
Adversary faces and voices can be identified and blocked
Attack patterns can be correlated across incidents and organizations

Expanding cyber threat intelligence to include human-layer signals does not replace traditional CTI. It completes it for today’s identity attack surface. Organizations that recognize this can transform what was a blind spot into a control plane, forcing adversaries into the open and leaving them fewer paths to exploit.

Ready to extend your threat intelligence to the human layer? Discover what next-generation CTI looks like in the GetReal Security platform. Schedule a demo to see it in action.

Frequently Asked Questions

What is the human layer in cybersecurity?

The human layer in cybersecurity refers to the attack surface created by remote digital interactions – video calls, voice calls, voice memos, and images – where identity can be manipulated or faked. Unlike traditional network-based attack surfaces, the human layer is exploited through social engineering, deepfakes, and AI-generated voice or video impersonation.

What is human-layer threat intelligence?

Human-layer threat intelligence is the practice of detecting and analyzing identity-based attacks that occur through digital voice, video, and image channels. It tracks signals like adversary voices, deepfake artifacts, and behavioral anomalies in live interactions. This extends traditional cyber threat intelligence beyond file hashes and IP addresses to cover AI-powered impersonation threats.

What are examples of traditional threat intel artifacts versus human-layer threat intel artifacts?

Traditional cyber threat intelligence artifacts typically include file hashes, malware signatures, IP addresses, domains, and email infrastructure. Human-layer threat intelligence artifacts include adversary faces and voices, synthetic voice patterns, deepfake tool signatures, behavioral anomalies in live interactions, and environmental inconsistencies in video calls. Comprehensive threat detection requires both.

‍