Traditional email spoofing attacks are technical attacks on protocol vulnerabilities. AI-based messaging is a perceptual exploit against humans. In 2026, they're both in play and the detection systems for one are ineffective against the other. In October 2025, a mid-sized logistics firm reported a business email compromise attack that its security team originally assumed to be a spoofing attack. The CEO's email account was used to request that the CFO initiate a wire transfer. It met the company's DMARC policy. It passed SPF alignment. The DKIM key matched the sending domain's key. After obtaining the complete email headers, they found what the authentication suite wasn't built to detect: it wasn't a spoofed email. The domain was a new lookalike, with legitimate authentication records the SPF, DKIM, and DMARC passing with flying colors.…