Deepfake Fraud in Business – Can You Trust What You See?

Razorthorn has worked with wide range of technically savvy clients who are confident they would spot a fake, but confidence is exactly what makes deepfake fraud so effective. In 2024, a finance manager at engineering firm Arup transferred $25 million to fraudsters after taking part in a video call with what appeared to be his CFO and several colleagues. Every person on that call was fabricated. None of it was real. The technology that made it possible is now widely accessible and the attacks are becoming more frequent and deepfake fraud in business is becoming more frequent and more costly.

Deepfakes are AI-generated audio, video or images that convincingly replicate a real person’s appearance, voice or both. What started as an internet curiosity, poorly rendered face-swaps that were obvious to anyone paying attention, has matured into something far harder to dismiss. Today’s deepfakes are good enough to deceive professionals in real time, pass identity checks and manipulate people into making decisions that cost their organisations significant money, data or reputation. For businesses, this is no longer a just a theoretical risk.

What is a deepfake and why does it matter to your business?

The term deepfake comes from the combination of deep learning and fake, a reference to the machine learning techniques used to generate synthetic media. Simply put, it is content that has been fabricated or manipulated by AI to make someone appear to say or do something they didn’t.

Early deepfakes required substantial computing power and technical skill to produce. The results were unconvincing, with unnatural blinking, distorted edges and audio that didn’t quite match lip movements. Those limitations no longer apply in the same way. Tools that generate realistic synthetic video and voice content are now accessible to people with no technical background, and the output quality has improved to the point where even experienced professionals struggle to detect manipulation in real time.

For businesses, the risk is not abstract. Deepfakes are being used to impersonate executives, fabricate identities, create fraudulent documents and manipulate employees into taking actions they would not otherwise take. The threat spans finance, HR, legal, compliance and operations – anywhere that decisions are made based on who someone appears to be or what they appear to have said.

The reason this matters now, and not at some point in the future, is that the barrier to entry has collapsed. Criminals do not need sophisticated infrastructure or specialist knowledge. They just need a sample of someone’s voice or a handful of images, both of which are readily available for most senior figures in any organisation. The attack is cheap to execute and the potential return is significant.

How deepfakes are being used to attack organisations right now

The Arup case is the most cited example of deepfake fraud in business, but it is far from the only one. Deepfake attacks are occurring across industries and the methods are becoming more varied as the technology improves.

Video call impersonation is currently one of the most damaging attack types. Criminals use AI to replicate the appearance and voice of a senior figure, typically a CFO, CEO or legal counsel, and use that fabricated identity to instruct employees to transfer funds, share credentials or approve sensitive decisions. The victim has no reason to question what they are seeing. The call looks and sounds exactly as expected.

Voice cloning is following a similar pattern. A short audio sample, often taken from a public video, interview or voicemail, is enough to generate a convincing replica of someone’s voice. That replica can then be used in phone-based fraud, directing employees or suppliers to act on instructions that appear to come from someone they trust.

Hiring fraud is another growing area. There have been documented cases of candidates using deepfaked video identities to pass remote job interviews and gain employment at technology companies. In some instances, those individuals have been linked to North Korean state-sponsored operations, using the access gained through employment to extract funds or sensitive data.

Document fraud has also expanded significantly. AI tools can now generate convincing payslips, invoices and receipts that pass a basic visual check. This has been exploited externally, for example in mortgage and loan applications using fabricated proof of income, and internally, with employees submitting AI-generated expense receipts. One organisation that audited its internal expense claims found fraud running at three times the level it had anticipated.

Identity document fraud is moving in the same direction. Deepfaked passports and identity documents have been used to pass KYC checks at financial institutions, raising serious questions about the reliability of document verification processes that depend on visual inspection alone.

Deepfakes and social engineering: a dangerous combination

Social engineering has always relied on exploiting trust. Deepfakes make that exploitation significantly easier because they remove one of the most reliable defences people have, which is recognising who they are talking to.

Traditional phishing and impersonation attacks have weaknesses that people have learned to spot. The email address is slightly wrong, the tone is off, the request feels unusual. People have become reasonably good at spotting those signals, and security awareness training has reinforced that instinct. Deepfakes undercut it entirely. When the person making a request appears to be your CEO, sounds exactly like your CEO and is looking directly at you on a video call, the psychological barriers that would normally trigger scepticism are bypassed.

This is particularly dangerous in high-pressure situations. Fraudsters using deepfakes tend to manufacture urgency, a sensitive acquisition, a regulatory deadline, a payment that needs to clear today. The combination of a trusted face, a familiar voice and a time-sensitive request is extremely effective at overriding normal caution.

Live video calls present a specific challenge because there is no time to pause and verify. A phishing email can be forwarded to a colleague or checked against a known address. A video call demands an immediate response and most people are not conditioned to question the reality of what they are seeing in real time.

Board meetings and high-level executive communications carry additional risk. In some jurisdictions, decisions made in board meetings carry legal weight. If those meetings can be fabricated convincingly enough, the implications extend well beyond financial fraud into governance, legal liability and regulatory exposure.

The lesson here is not that technology alone will solve this. It is that awareness needs to catch up with what is now technically possible. Employees at every level need to understand that seeing someone on a screen is no longer sufficient proof of who they are.

Less obvious deepfake risks

Most of the coverage around deepfake fraud focuses on large-scale financial attacks, and understandably so. But the same technology is being used in ways that receive less attention and carry their own serious consequences for organisations and individuals.

Blackmail and reputational damage using fabricated content is an established and growing problem. Criminals generate compromising images or video of real people using AI tools, then use that material to extort money or compliance. The victim does not need to have done anything wrong. The content is entirely synthetic, but the threat it carries is real. For senior figures in an organisation, the reputational risk alone can be enough to make payment feel like the only option.

Age and access verification is another area where deepfakes are being actively exploited. Digital identity checks that rely on a selfie or a scanned document are increasingly vulnerable to synthetic media. There are documented cases of people, including minors, using AI-generated images to bypass age verification on platforms where access is restricted. The same principle applies to any system that uses visual identity confirmation as a security control.

Internal expense fraud has emerged as a quieter but significant risk. Tools like ChatGPT and other image generation models make it straightforward to produce a convincing receipt or invoice with minimal effort. Employees with access to expense systems can generate fake documentation that passes a basic review. As mentioned in the previous section, one organisation that took a close look at its expense claims found the problem was considerably worse than expected. This is not a niche risk. It is one that most finance teams are not currently equipped to detect at scale.

Insurance fraud follows a similar pattern. Fabricated evidence of damage, injury or circumstances that never occurred can be produced quickly and cheaply, and standard claims processes were not designed with synthetic media in mind.

What connects all of these is that the barrier to execution is now very low. These are not attacks that require technical sophistication or significant resources. They require access to widely available tools and a willingness to use them.

How deepfake detection technology works

Detection technology has developed rapidly alongside the threat, and for organisations serious about managing deepfake risk, it is increasingly a frontline tool.

Forensic AI approaches the problem at the pixel level. Deepfake generation processes leave traces in the image data that are not visible to the human eye but can be identified through algorithmic analysis. Inconsistencies in lighting, unnatural patterns in skin texture, subtle asymmetries in facial movement and artefacts introduced during the generation process all provide signals that something has been manipulated. Audio analysis works on a similar principle, looking for irregularities in speech patterns, breathing and background noise that synthetic generation tends to produce.

When the source material is high quality and the content has not been further processed, detection tools perform reasonably well. As with any security control, attackers look for ways around it, and certain conditions make detection harder..

Screenshots and screen recordings introduce compression artefacts that obscure the original manipulation signals, making it harder for forensic tools to reach a confident conclusion. Overlaying text or graphics on a deepfake has a similar effect. Low-resolution captures degrade the pixel-level data that detection relies on. In a live video call scenario, where the content is being streamed and compressed in real time, detection becomes considerably more difficult.

Despite the limitations, detection technology remains a worthwhile investment. Even imperfect detection provides real value, functioning as both a genuine filter and a deterrent. Organisations that implement detection tooling and are transparent about doing so change the risk calculation for potential attackers. If an attacker knows that deepfake content is being screened, the risk of exposure increases and some attacks will not be attempted as a result.

The more important point is that detection technology should be treated as one layer of a broader response, not a complete solution on its own. No tool will catch everything and the technology on both sides of this problem is continuing to develop.

What your organisation can do about it

The starting point is accepting that visual and audio confirmation is no longer a reliable identity check on its own. That shift in mindset needs to happen at every level of an organisation, not just in the security team.

Zero trust as a principle is well established in network security. It needs to be applied with the same rigour to identity verification in day-to-day operations. Trusting someone because they look and sound like the person you expect is precisely the assumption that deepfake attacks exploit. Verification needs to be built into processes, not left to individual judgement in the moment.

For high-risk communications, pre-agreed challenge questions or code words provide a practical layer of protection that does not depend on technology. If your organisation has a process for verifying payment instructions or sensitive decisions, a shared secret that only the real person would know adds meaningful friction for an attacker. Duress codes, words or phrases that indicate a communication is taking place under pressure, are worth considering for senior figures who may be impersonated or coerced.

Process controls around payments and sensitive approvals should not rely solely on who appears to be making the request. Dual authorisation, call-backs to verified numbers and time delays on large transfers are all straightforward measures that reduce exposure. If a request comes through an unusual channel or carries unusual urgency, that should trigger additional verification rather than speed.

Staff awareness training needs to be updated to reflect the current threat. Most security awareness programmes cover phishing and social engineering in their traditional forms. Fewer address synthetic media explicitly. Employees who understand that a convincing video call is no longer proof of identity are better placed to pause, question and verify before acting.

For organisations handling high-value transactions or sensitive data at scale, deepfake detection tooling should be a serious consideration rather than an optional extra. It strengthens a layered defence, acts as a deterrent and, when communicated openly, changes behaviour on both sides of the threat. No single control eliminates risk entirely, but detection technology is one of the more practical and deployable options available right now, and the case for it is only getting stronger as the attacks become more sophisticated.

Finally, governance matters. Organisations should review which processes currently rely on visual or voice confirmation as a primary control and assess whether that reliance is still appropriate. In some cases the answer will be that existing controls are sufficient. In others, it will become clear that the process was designed for a world where synthetic media did not exist and needs updating accordingly.

The technology is already good enough to deceive professionals. The question is whether your processes are good enough to catch it.

Frequently Asked Questions

What is a deepfake attack in cybersecurity?

A deepfake attack uses AI-generated audio, video or images to impersonate a real person, typically to manipulate employees, bypass security controls or commit fraud. The content is fabricated but convincing enough to deceive people who have no reason to be suspicious.

How are deepfakes used in fraud?

Deepfakes are used across a range of fraud types including executive impersonation on video calls, voice cloning for telephone fraud, fabricated identity documents for KYC bypass, fake invoices and receipts for expense or insurance fraud and synthetic identities used in hiring scams.

Can deepfake detection software stop all attacks?

Detection technology is an effective and actively improving defence, though no single tool eliminates risk entirely. It analyses content for signs of AI manipulation and performs well on high-quality source material. Compressed video, screenshots and overlaid graphics create challenges, which is why detection works best as part of a layered security approach rather than a standalone control.

How can businesses protect themselves from deepfake scams?

The most effective approach combines process controls, staff awareness and technology. Pre-agreed verification codes for sensitive communications, dual authorisation on high-value transactions, updated awareness training and detection tooling all contribute. The underlying principle is that visual and audio confirmation alone should no longer be treated as sufficient proof of identity.

What is the biggest deepfake fraud case so far?

The most widely reported case involves Arup, the engineering firm, where a finance employee was deceived into transferring $25 million following a video call in which every participant, including the apparent CFO, was a deepfake.

Are deepfake identity documents a real threat?

Yes. AI-generated passports and identity documents have been used to pass KYC checks at financial institutions. Standard document verification processes that rely on visual inspection are increasingly vulnerable to synthetic media.

How do I know if I am talking to a real person on a video call?

You cannot rely on appearance or voice alone. Use a pre-agreed challenge question or code word for any communication involving sensitive decisions or financial instructions. If in doubt, end the call and reconnect via a verified number or channel before proceeding.