There's a new kind of threat making its way into nonprofit inboxes, phone lines, and video calls, and it doesn't look anything like the phishing emails your team learned to spot in last year's training. It sounds like your executive director, it looks like your board chair is on a video call, but it's neither of those people. And that's exactly the problem.
This isn’t meant to scare anyone, but staying informed about how these scams work is one of the best ways organizations can build resilience and protect themselves moving forward.
What Is an AI Deepfake?
The term “deepfake” originally referred to manipulated video content, but in 2026, the technology has evolved into a broader and more accessible tool for scammers, including real-time voice cloning, AI-generated video calls, and highly convincing written impersonation capable of fooling even people who know the target personally.
The technology works by training AI on existing audio, video, or text from a real person. The system can generate new content that convincingly mimics a person from a few minutes of podcast audio, a video from a recorded board meeting, or emails pulled from a data breach. What once required a Hollywood budget now takes a laptop and a free afternoon.
How It Shows Up in Practice
The Urgent Wire Transfer Call. A staff member gets a voicemail from someone who sounds exactly like the executive director. There's an urgent situation, a vendor needs to be paid, and suddenly you’re asked to wire funds? By the time anyone verifies the request, the money is gone.
The Fake Video Confirmation. Your organization asks for video verification before taking sensitive action. Scammers respond with AI-generated video calls appearing to show a trusted board member giving approval. You’d be surprised how realistic these video calls can be, especially if you’re not being vigilant. Under time pressure, details like the lighting being off or strange movements can be overlooked.
The Donor Impersonation. A message arrives written exactly like one of your longtime major donors, with the same warmth and references to past conversations. The message appeared to come from the donor and requested sensitive information before making a gift, including account details, staff contacts, and access credentials. The donor later confirmed they hadn’t sent it.
The reality is that your strongest defense against AI deepfakes isn’t just technology, it’s people and processes. Training your staff to recognize red flags and building clear verification steps into your workflows can make all the difference. AI detection tools can help, but consistent verification practices are what truly protect your organization and finances.
Create a callback protocol. For any request involving money or sensitive data, require confirmation through a different channel. Call back on a number you already have on file. Never use the contact information provided in the suspicious message itself.
Slow down urgent requests. Urgency is a manipulation tactic. Build a culture where "let me verify this first" is expected, not apologetic. Legitimate requests survive a verification step, while fraudulent ones depend on you skipping it.
Require dual authorization for financial transactions. No single person should initiate and approve a significant payment. If that's already your policy, make sure it's actually being followed.
Be intentional about your public presence. Recorded videos, published audio, detailed staff directories — all of it becomes raw material for impersonation. You don't need to disappear online, but it's worth being thoughtful about what you put out and in what format.
Deepfake technology doesn't just circumvent familiar trust cues; instead, it weaponizes them. The organizations that navigate this well won't necessarily have the most advanced security software. They'll be the ones who have built verification into their culture, where confirming a request through a second channel is simply how things work.
The technology behind AI scams will continue to evolve, and it’s only becoming more convincing. Over time, it will get harder for any of us to tell the difference between what’s real and what’s generated. That’s why the goal shouldn’t be to rely solely on spotting a fake; it should be creating processes that keep your organization safe even when something looks or sounds believable.
The most effective protection starts with clear protocols, regular staff training, and a culture where verification is encouraged. A quick follow-up call, a second approval step, or taking a moment to pause before acting on an urgent request can prevent a costly mistake. Sometimes, those extra two minutes make all the difference.
For teams that want to go deeper, our Weathering the Storm: Protecting Your Nonprofit and Yourself in Uncertain Times 2026, Part 2 webinar focuses on organizational risk management, baseline protections, internal policies, shared accountability, and incident response planning. It’s a helpful next step for nonprofits looking to strengthen the exact kinds of processes that make deepfake scams and impersonation attempts harder to act on.
Still Have Questions?
You don’t have to navigate evolving cyber threats alone. We’re here to help you strengthen your verification processes, train your team, and reduce the risk of AI impersonation scams.
Schedule a free discovery call today and get the guidance your organization needs to stay cyber safe.