Understanding Deepfake Risks

There’s a pretty good chance that the shocking rate at which AI is advancing is out-pacing your cyber security training, policies and maybe even technologies. Have you addressed the use of AI and deep fakes in your cyber security policies? In a recent and alarming development that seems to have leapt straight from the pages of a science fiction novel, a Hong Kong based finance worker at a multinational firm was defrauded of $25 million, falling victim to an elaborate scam that employed deepfake technology to impersonate the company's CFO. This incident, which unfolded during a video conference call, marks a disturbing milestone in the intersection of cybercrime and AI, underscoring the urgent imperative for companies to bolster their cybersecurity frameworks, particularly against the backdrop of deepfake technology. The mechanics of the scam were deceptively simple yet devastatingly effective. The finance employee was lured into a video call with several participants, believed to be colleagues and the CFO, only to discover later that each participant was a digital fabrication. The deepfake avatars, mirroring the appearance and voice of real company personnel, instructed the employee to initiate a "secret transaction", leading to the unauthorised transfer of $25.6 million. This incident is not an isolated event but rather a harbinger of the potential threats posed by AI-driven disinformation and fraud. The use of deepfake technology to bypass facial recognition software, impersonate individuals for fraudulent purposes, and undermine the integrity of personal and corporate identities presents a clear and present danger. The case in Hong Kong, where fraudsters successfully manipulated digital identities to orchestrate financial theft, exemplifies the sophistication of contemporary cybercrime. The implications of this event extend far beyond the immediate financial loss. It serves as a stark reminder of the vulnerabilities inherent in digital communication platforms and the necessity for robust verification processes. The reliance on video conferencing and digital communication, accelerated by the global pandemic, has exposed systemic weaknesses ripe for exploitation. In response to this escalating threat, it is incumbent upon companies to adopt comprehensive cybersecurity strategies that address the unique challenges posed by deepfake technology. This includes implementing advanced authentication protocols, raising awareness and training employees on the potential risks of deepfakes, and deploying AI-driven security measures capable of detecting and neutralising synthetic media. As AI output become increasingly indistinguishable from reality, the line between authentic and artificial communication will blur, challenging individuals and organisations to navigate a new frontier of digital authenticity. It compels a reevaluation of the assumptions underpinning digital trust and identity verification, urging a proactive approach to cyber defence.

The New Corporate Threat: Deepfakes That Even Experts Can't Detect Welcome to the new reality where AI doesn’t just generate content, it manufactures convincing lies. You’ve probably seen it: - A CEO announces a fake acquisition. - A politician "says" something they never did. - A voice note "from your boss" requests a fund transfer. It all looks real. But it’s not. It’s a deepfake AI-generated audio, video, or images designed to deceive. Why it matters: Deepfakes are no longer just internet tricks or entertainment. They’re now: - Financial fraud enablers (voice clones used to scam employees) - Corporate risk vectors (fake news impacting stock prices) - Political weapons (manipulated clips used to sway public opinion) - Personal threats (identity misuse, blackmail, defamation) How to spot a deepfake  Look for: - Unnatural blinking or awkward lip sync - Plastic skin or weird lighting - Robotic tone or emotionless speech - Out-of-character statements - No credible source backing the video If it feels off, it probably is. What you can do: - Pause before sharing - Use tools like Deep ware, Microsoft Video Authenticator, or Adobe Verify - Train your teams especially PR, legal, and finance - Push for content provenance in your organization In the GenAI era, trust is currency. Don’t spend it on content you didn’t verify. #artificialintelligence

BSE has now warned investors about a deepfake of their own CEO 4 times in 4 months. The 4th warning came 3 weeks ago. Each time, a fabricated video of BSE MD & CEO Sundararaman Ramamurthy circulates on social media and WhatsApp, supposedly offering stock tips and promising extraordinary returns. Each time, BSE has to put out a public clarification, file complaints, and ask platforms to take the content down. Four times. Four months. The same man's face. The same institution's credibility. Used as a weapon, repeatedly, to steal money from ordinary investors who trusted what they saw. I want to explain what this actually is, because calling it "deepfake fraud" undersells the problem. Because BSE has spent decades building credibility as the institution Indian retail investors rely on. So every deepfake of Ramamurthy isn't just a fraud, it is a direct assault on the reputation of the oldest stock exchange in Asia, weaponised against the very people it exists to protect. In 3 decades of cybersecurity, I've watched every kind of digital attack evolve from technical exploits into social engineering. But right now, the attacker no longer needs to break through your firewall. They just need to make their content look legitimate enough that a retired schoolteacher in Nagpur believes the CEO of BSE is personally recommending a stock to her. That's the attack surface that's wide open right now. And not just BSE. Every recognisable face in Indian finance, business, and government is a potential weapon in someone's fraud campaign. The Pi-Labs data puts it plainly: 550% rise in deepfake-related banking and financial fraud cases since 2019. The platforms that host this content are moving slowly. The legal process is moving slowly. But the technology generating the fakes is moving fast. Which is why cybersecurity can no longer remain limited to protecting systems inside the organisation. Institutions now need visibility into how their brand, executives, and public trust are being exploited outside their own perimeter across social platforms, fake domains, messaging apps, and the dark web. At Seqrite, we are seeing this shift accelerate rapidly. What is your experience around these challenges? #SeqriteDRPS #CyberSecurity #Deepfake #DigitalTrust #AI #FraudPrevention #BrandProtection #Seqrite

There’s more to the $25 million deepfake story than what you see in the headlines. I pulled the original story to get the full scoop. Here are the steps the scammer took: 1. The scammers sent a phishing email to up to three finance employees in mid-January, saying a “secret transaction” had to be done. 2. One of the finance employees fell for the phishing email. This led to the scammers inviting the finance employee to a video conference. The video conference included what appeared to be the company CFO, other staff, and some unknown outsiders. This was the deep fake technology at work, mimicking employees' faces and voices. 3. On the group video conference, the scammers asked the finance employee to do a self-introduction but never interacted with them. This limited the likelihood of getting caught. Instead, the scammers just gave orders from a script and moved on to the next phase of the attack. 4. The scammers followed up with the victim via instant messaging, emails, and one-on-one video calls using deep fakes. 5. The finance employee then made 15 transfers totaling $25.6 million USD. As you can see, deep fakes were a key tool for the attacker, but persistence was critical here too. The scammers did not let up and did all that they could to apply pressure on the individual to transfer the funds. So, what do businesses do about mitigating this type of attack in the age of deep fakes? - Always report suspicious phishing emails to your security team. In this context, the other phished employees could have been an early warning that something weird was happening. - Trust your gut. The finance employee reported a “moment of doubt” but ultimately went forward with the transfer after the video call and persistence. If something doesn’t feel right, slow down and verify. - Lean into out-of-band authentication for verification. Use a known good method of contact with the individual to verify the legitimacy of a transaction. - Explore technology driven identify verification platforms for high dollar wire transfers. This can help reduce the chance of human error. And one of the best pieces of advice I saw was from Nate Lee yesterday, who called out building a culture where your employees are empowered to verify transaction requests. Nate said the following “The CEO/CFO and everyone with power to transfer money needs to be aligned on and communicate the above. You want to ensure the person doing the transfer doesn't feel that by asking for additional validation that they're pushing back against or acting in a way that signals they don't trust the leader.” Stay safe (and real) out there. ------------------------------ 📝 Interested in leveling up your security knowledge? Sign up for my weekly newsletter using the blog link at the top of this post.

Everyone’s talking about Muck Rack’s 2025 State of Journalism report. It’s a doozy. But too many takeaways stop at the surface. “Don’t be overly promotional.” “Pitch within the reporter’s beat.” “Keep it short.” All true. All timeless. But if you work in crisis communications or anywhere near the intersection of trust, media, and AI, those are just table stakes. The real story is what the report says about disinformation and AI’s double-edged role in modern journalism. Here’s where every in-house and agency team should be paying the closest attention: 🧨 The Risk Landscape: What Journalists Are Actually Worried About: 🚨 Disinformation is the #1 concern Over 1 in 3 journalists named it their top professional challenge—more than funding, job security, or online harassment. 🤖 AI is everywhere and largely unregulated 77% of journalists use tools like ChatGPT and AI transcription; but most work in newsrooms with no AI policies or editorial guidelines. 🤔 Audience trust is cracking Journalists are keenly aware of public skepticism, especially when it comes to AI-generated content on complex topics like public safety, politics, or science. 🤖 ‼️ Deepfakes and manipulated media are on the rise As I discussed yesterday in the AI PR Nightmares series, the tools to fabricate reality are here. And most organizations aren’t ready. 🛡️ What Smart Comms Teams Should Do Next 1. Label AI content before someone else exposes it: → Add “AI-assisted” disclosures to public-facing materials—even if it’s just for internal drafts. Transparency builds resilience. 2. Don’t outsource final judgment to a tool: → Use AI to draft or summarize, but ensure every high-stakes message—especially in a crisis—is reviewed by a human with context and authority. 3. Get serious about deepfake detection: → If your org handles audio or video from public figures, execs, or customers, implement deepfake scanning. Better to screen than go viral for the wrong reasons. 4. Set up disinfo early warning systems: → Combine AI-powered media monitoring with human review to track false narratives before they go wide. 5. Build your AI & disinfo playbook now: → Don’t wait for legal or IT to set policy. Comms should lead here. A one-pager with do’s, don’ts, and red flag escalation rules goes a long way. 6. Train everyone who touches messaging: → Even if you have a great media team, everyone in your org needs a baseline understanding of how disinfo spreads and how AI can help or hurt your credibility. TL/DR: AI and misinformation aren’t future threats. They’re already shaping how journalists vet sources, evaluate pitches, and report stories. If your communications team isn’t prepared to manage that reality (during a crisis or otherwise), you’re operating with a blind spot. If you’re working on these challenges—or trying to, drop me a line if I can help.

What happens when deepfake technology becomes a service anyone can buy? I've been tracking the Deepfakes-as-a-Service market, and the numbers are alarming. Deepfake fraud attempts jumped 1,300% in 2024. From one attack per month to seven per day. Here's what keeps me up at night: The February 2024 Arup case. A finance employee joined a video call with the CFO and several colleagues. Everyone looked real. Everyone sounded real. The employee authorized $25.6 million in wire transfers. Every single person on that call was AI-generated. This wasn't some nation-state operation. Underground marketplaces now offer deepfake creation as a point-and-click service. No technical skills required. Just cryptocurrency and malicious intent. The psychology is what makes it work. We're wired to trust what we see and hear, especially when it matches our expectations. A realistic video of your CFO making a familiar request triggers immediate credibility. By the time you think to question it, the money's gone. Traditional defenses aren't enough anymore: → Voice verification systems can be defeated → Video calls don't guarantee authenticity → Even following verification procedures can fail Organizations need multi-channel verification protocols. If someone requests a wire transfer on video, verify through a completely separate channel. Code words. Challenge-response systems. Procedural friction on high-risk transactions. But here's the problem: 99% of security leaders say they're confident in their deepfake defenses. Only 8.4% actually scored above 80% in detection tests. We think we're protected when we're actually vulnerable. Have you updated your verification procedures for the deepfake era? #Cybersecurity #AISecurity #DeepfakeFraud #DigitalRisk #FraudPrevention

Just ten seconds of speech and your voice is now mine. I spoke to CNN's Clare Duffy about surging deepfake voice fraud and how we can protect ourselves. The feeling of hearing a familiar voice at the end of the phone can reflexively comfort or put us at ease, but in 2026, that reflex is being hijacked at an industrial scale. The same dynamics apply to deepfake voice cloning or 'vishing' attacks as many other forms of AI weaponisation. Increasing access, output realism, and efficiency of voice cloning models has led to criminals rapidly adopting them to execute on well established fraud tactics, in this case fraud and impersonation. The reason they're doing it, as always, is that it works. As Clare reports, Americans lost over $893m last year to AI powered fraud, including voice cloning attacks. With decreasing latency for generating voices and improvements in more sophisticated voice cloning tools for voice skinning (being able to speak in near real time with someone else's voice), I cannot see this number going anywhere but up. So what can we do about it? As I stressed to Clare, advising people how to protect themselves can be a difficult balance to strike. The research is clear that when it comes to distinguishing AI generated voices from authentic ones, we're only marginally better than a coin flip, and that's in experimental conditions when participants are actively looking for them. Increased awareness and vigilance is of course important, but we absolutely cannot rely on a future where our ears alone are the ultimate guide. As I say in the piece, “For the everyday person, it is just not fair to expect them to be able to spot this stuff,”. So what can we do? One often provided solution (which I believe I was one of the first to suggest back in 2019 in the Financial Times) is what I called at the time a 'semantic passphrase'. A pre-agreed phrase or word with close colleagues, friends, or loved ones that only they could know. There's value in this approach (which several banks have actively endorsed to their customers), but the reality is the number of these semantic passwords you'd need to remember could be challenging! Another is to remember the basics. AI powered or not, deepfake fraud is still social engineering. If you're receiving calls from unrecognised numbers, being rushed or harried into sending money, or just get the feeling something isn't right from how someone appears to be speaking, either verify through a secure channel or use a pass phrase/ask for information only they could know. Ultimately, as I put it to Clare: “If you suspect that something might not be right, it is much better to have your mum or your brother or your friend laugh at you for thinking that they’re a robot,” Ajder said, “than it is to potentially be running to an ATM.” (In hindsight, maybe "running to your crypto wallet" may have been the more appropriate scenario for the deepfake age!)

🚨 𝗗𝗲𝗲𝗽𝗳𝗮𝗸𝗲 𝗮𝗻𝗱 𝗩𝗼𝗶𝗰𝗲 𝗖𝗹𝗼𝗻𝗲 𝗖𝘆𝗯𝗲𝗿 𝗙𝗿𝗮𝘂𝗱𝘀: 𝙒𝙝𝙖𝙩 𝙔𝙤𝙪 𝙉𝙚𝙚𝙙 𝙩𝙤 𝙆𝙣𝙤𝙬 𝙖𝙣𝙙 𝙃𝙤𝙬 𝙩𝙤 𝙋𝙧𝙤𝙩𝙚𝙘𝙩 𝙔𝙤𝙪𝙧𝙨𝙚𝙡𝙛 🚨 In Conversation with a #CyberSecurity expert with vast experience in analyzing and cracking recent cyber frauds, I've observed a troubling rise in scams involving deepfake and voice cloning technologies. These sophisticated tools are not just the domain of movie studios and tech enthusiasts anymore—they’re being used by cybercriminals to perpetrate increasingly convincing frauds. 𝗨𝗻𝗱𝗲𝗿𝘀𝘁𝗮𝗻𝗱𝗶𝗻𝗴 𝘁𝗵𝗲 𝗧𝗵𝗿𝗲𝗮𝘁 𝘿𝙚𝙚𝙥𝙛𝙖𝙠𝙚 𝙏𝙚𝙘𝙝𝙣𝙤𝙡𝙤𝙜𝙮: Using AI, deepfakes superimpose someone’s likeness onto another's body or digitally alter footage, creating hyper-realistic but entirely fake videos. Fraudsters can impersonate individuals in highly believable ways, leading to potential identity theft and misinformation. 𝙑𝙤𝙞𝙘𝙚 𝘾𝙡𝙤𝙣𝙞𝙣𝙜: Advanced AI can now replicate voices with uncanny accuracy. By capturing a few minutes of someone’s speech, cybercriminals can create convincing audio of the person saying things they never actually said. This is particularly dangerous in business settings, where voice-verified transactions are common. 𝗧𝗵𝗲 𝗠𝗼𝗱𝘂𝘀 𝗢𝗽𝗲𝗿𝗮𝗻𝗱𝗶 1️⃣ 𝙋𝙝𝙞𝙨𝙝𝙞𝙣𝙜 𝙛𝙤𝙧 𝙑𝙤𝙞𝙘𝙚𝙨: Attackers often start by gathering audio samples from social media, interviews, or public speaking events. 2️⃣ 𝘾𝙧𝙚𝙖𝙩𝙞𝙤𝙣 𝙤𝙛 𝘿𝙚𝙚𝙥𝙛𝙖𝙠𝙚𝙨/𝙑𝙤𝙞𝙘𝙚 𝘾𝙡𝙤𝙣𝙚𝙨: Using sophisticated software, they create deepfake videos or clone voices. 3️⃣ 𝘿𝙚𝙘𝙚𝙥𝙩𝙞𝙤𝙣 𝙖𝙣𝙙 𝙁𝙧𝙖𝙪𝙙: These fakes are used to deceive individuals or organizations. Examples include fraudulent financial transactions, fake emergency calls from ‘family members,’ or spoofed communications from company executives. 𝗛𝗼𝘄 𝘁𝗼 𝗣𝗿𝗼𝘁𝗲𝗰𝘁 𝗬𝗼𝘂𝗿𝘀𝗲𝗹𝗳 💡 𝙎𝙩𝙖𝙮 𝙄𝙣𝙛𝙤𝙧𝙢𝙚𝙙: Awareness is your first line of defense. Understand the potential and capabilities of these technologies. 💡 𝙑𝙚𝙧𝙞𝙛𝙮 𝘾𝙤𝙢𝙢𝙪𝙣𝙞𝙘𝙖𝙩𝙞𝙤𝙣𝙨: Always double-check the authenticity of unexpected communications. If you receive a suspicious call from a known person, verify it using an alternate method. 💡 𝙐𝙨𝙚 𝙎𝙚𝙘𝙪𝙧𝙚 𝘾𝙝𝙖𝙣𝙣𝙚𝙡𝙨: Prefer secure and verified channels for sensitive communications. Multi-factor authentication can add an extra layer of security. 💡 𝙀𝙙𝙪𝙘𝙖𝙩𝙚 𝙔𝙤𝙪𝙧 𝘾𝙞𝙧𝙘𝙡𝙚: Ensure that your family, friends, and colleagues are also aware of these threats and know how to protect themselves. 💡 𝙇𝙚𝙫𝙚𝙧𝙖𝙜𝙚 𝙏𝙚𝙘𝙝𝙣𝙤𝙡𝙤𝙜𝙮: Use tools and software that can detect and flag deepfake content. Let’s stay vigilant and proactive in the face of evolving cyber threats. Share this post to spread awareness and help your network stay safe. 🌐🔒 Enjoy this? ♻️ #Repost it to your network for Awareness Purpose and #Follow SOHAIL #CyberSecurity #Deepfakes #VoiceCloning #FraudPrevention #StaySafe #mentorsohail #LinkedInTopVoice

When a patient hears from a “doctor,” they shouldn’t have to wonder if it’s real. AI deepfakes are already blurring that line - impersonating physicians, promoting unproven treatments, and putting patients at risk. When a physician’s identity is hijacked, it doesn’t just harm one clinician. It undermines the credibility of care itself. That’s why the AMA is calling for clear, enforceable protections against AI-driven impersonation. We’ve outlined a framework grounded in a simple idea: a physician’s identity is not a public utility. It’s a protected right. What does that mean in practice? • No use of a physician’s name, likeness, or voice without explicit, informed, and revocable consent. • Clear labeling and transparency for any AI-generated clinical content. • Shared accountability across platforms, vendors, and institutions. • Real enforcement mechanisms to stop impersonation and protect patients. This isn’t simply about stopping bad actors. It’s about defining the rules of trust in a digital health system. If identity can be manufactured today, what anchors trust in health care tomorrow? #AI #DigitalHealth #PatientSafety #Deepfakes

Fraud no longer hides in the shadows. It might show up disguised as someone you know. Like when the CEO calls and her voice on the phone sounds exactly right. Her urgency feels real, and the wire transfer request to a new bank account seems legitimate, so accounting releases the funds. And just like that, the company loses $20k to a fraudster who weaponized AI. This isn't science fiction. It's happening right now to individuals and organizations alike. Fraudsters are creating disturbingly real AI deepfakes that can fool even the most cautious people. And companies need strategies to combat them. Because those audio and visual cues we've relied on for decades are no longer reliable indicators of authenticity when it comes to AI deepfakes. Organizations can fight back with these defense strategies: ✔ Stay cautious and be wary of anyone requesting money or personal information, even if they look or sound like someone you trust. ✔ Don’t send money or share sensitive data in response to a single phone or video call. Phone numbers can be spoofed, so always verify a person’s identity by contacting them separately at a number you trust. ✔ Use small action requests, like asking a person to turn their head, blink repeatedly, or hum a song while on a video or phone call. If they decline, freeze up, or go silent, it could be a fraudster. ✔ Establish a safe word that only your inner circle knows to confirm the identity of someone claiming to be a colleague, family member, or friend.   ✔ Use strong passwords. Enable multifactor authentication (MFA) on all company devices and accounts whenever possible. And don’t forget to report AI deepfakes to law enforcement and any relevant social media channels, websites, and other platforms where the encounter took place. All of these tips ALSO work for individuals too because hackers like causing havoc with anyone they can. The question isn't whether AI deepfakes will target your organization. It's whether your organization will be ready when it does.   Food for thought as we kick off Cybersecurity Awareness Month.   ♻ Share our infographic to help companies combat AI deepfakes.