Deepfake CEO fraud is the fastest-growing financial crime category according to the FBI. In January 2024, engineering firm Arup lost $25.6 million after a finance employee was deceived by a video call where every participant, including the apparent CFO and several colleagues, was AI-generated. In January 2026, a Swiss businessman transferred several million Swiss francs after a series of calls with what he believed was a trusted business partner, later confirmed to be a voice clone. The FBI's 2025 Internet Crime Report logged 24,768 Business Email Compromise complaints totaling $3.05 billion in losses, with AI-assisted deepfake involvement in BEC growing from under 5% of incidents in 2023 to 40% of incidents by Q1 2026.
This playbook focuses on the specific attack pattern that causes the most enterprise financial loss: deepfake voice and video used to impersonate executives and authorize fraudulent wire transfers. It covers why detection technology fails as a primary control, what procedural defenses actually stop these attacks, how to train employees without creating operational friction, and what to do in the first 60 minutes after a suspected incident. For coverage of deepfake KYC bypass, injection attacks, and contact center fraud, see our deepfake fraud enterprise security guide.
Key Takeaways
- Arup lost $25.6M in a single incident driven by a fully synthetic video call (January 2024); a Swiss businessman lost millions to a voice-cloned business partner (January 2026)
- AI-assisted deepfake involvement in BEC attacks grew from under 5% in 2023 to 40% of incidents by Q1 2026, per FBI data
- Human detection accuracy for high-quality deepfakes is only 24.5%; automated detection tools drop 45-50% in accuracy from lab to real-world conditions
- The most reliable controls are procedural: out-of-band callbacks on pre-registered numbers, pre-agreed code words, and dual authorization for wire transfers above threshold
- Technical detection tools (Pindrop, Reality Defender) provide a useful signal layer but must be deployed alongside procedural controls, not instead of them
- Any AI security assessment that includes social engineering scope should test deepfake resistance, not just phishing email defenses
- NIST SP 800-63B-4 explicitly prohibits systems from relying solely on voice for authentication
The Current Threat: Why Deepfake CEO Fraud Has Escalated
The Arup attack in early 2024 was a turning point. An employee in the Hong Kong office received what appeared to be a video conference invitation from the UK CFO, discussing a confidential acquisition. Every face on the call was synthesized from publicly available video footage. The employee authorized 15 wire transfers across five accounts, totaling 200 million Hong Kong dollars ($25.6M USD), all in a single day. None of the funds have been recovered.
What makes this attack type particularly damaging is the combination of social trust signals. Voice and video carry far more authority than email. Humans are biologically conditioned to trust faces and voices. An attacker who can reproduce both in real time has effectively broken the primary authentication signal most employees rely on when receiving unusual requests from leadership.
The economic access to this capability has collapsed. Voice cloning APIs now require as little as 3 seconds of reference audio to produce a clone with 85% accuracy. Executive voices are often publicly available from earnings calls, investor presentations, conference keynotes, and media interviews. For a publicly traded company or any organization with video-recorded leadership, the raw material for a voice clone is not difficult to obtain.
By Q1 2026, deepfakes were involved in approximately 40% of all BEC incidents according to industry data. The FBI's 2025 Internet Crime Report separately logged more than 22,000 AI-related fraud complaints with $893 million in verified losses, a figure that almost certainly undercounts actual activity given significant underreporting.
Why Technical Detection Fails as a Primary Control
Security teams instinctively reach for detection technology when facing a new threat. For deepfake CEO fraud, that instinct is understandable but dangerous if detection becomes the primary line of defense.
The fundamental problem is generalization. Detection models are trained on specific deepfake synthesis pipelines. When attackers use synthesis tools the detector was not trained on, performance collapses. A CSIRO study found that leading commercial detection tools dropped below 50% accuracy, the same as random guessing, when tested against deepfakes produced by pipelines not represented in their training data. The DeepFake-Eval-2024 study found that AUC scores dropped by 50% for video models, 48% for audio models, and 45% for image models when evaluated against in-the-wild content versus curated academic benchmarks.
Human detection is similarly unreliable. Meta-analysis across 56 studies found humans detected deepfakes at approximately 55.54% overall, barely better than chance. For high-quality, professionally produced deepfakes, the detection rate drops to approximately 24.5%. Employees are not and cannot be trained to reliably identify deepfakes in real-time conversation.
Technical tools like Pindrop Pulse and Reality Defender provide genuine value as a detection layer. Pindrop Pulse can flag a synthetic voice participant within 2 seconds of speech in Zoom, Webex, and Microsoft Teams calls. Reality Defender offers a multimodal detection API across video, audio, image, and text. NIST's evaluation program provides independent benchmarking of detection platforms. These tools belong in your security stack, but they are a supplementary signal, not a gate. An attacker who knows you run detection tooling can calibrate their synthesis approach to avoid the specific artifacts those tools look for.
The implication is direct: any defense architecture that relies on detection-first thinking is incomplete. Procedural controls that do not depend on the accuracy of detection technology must be the foundation.
Procedural Defenses That Actually Work
Procedural defenses succeed where detection fails because they do not depend on recognizing a deepfake. They require a second, independent authentication step that a synthetic voice or video cannot provide.
Out-of-Band Verification Callbacks
Any unusual financial request received via phone or video call, regardless of how confident the employee feels about the caller's identity, must trigger an out-of-band callback. The callback must go to a number from the company's internal directory or a pre-registered contact list, never a number provided by the caller or present only in the call metadata.
The mechanics matter. Telling employees to "verify via a separate channel" is not sufficient. The policy must specify:
- Which transactions require out-of-band verification (all wire transfers above a defined threshold, all urgent requests that bypass standard approval workflows)
- Exactly which numbers to call (internal directory, not caller-provided)
- Who has authority to approve after verification (named individuals in a documented approval chain)
- What to do if the callback is not answered (no transfer is executed until verification completes)
Pre-Agreed Code Words
For organizations with high executive targeting risk, a code word or challenge phrase pre-agreed between executives and their finance or operations teams provides an additional authentication layer that a deepfake cannot replicate.
The code word is never communicated through the same channel used for sensitive requests. It is established in person or through a secure channel and refreshed on a set schedule. In a suspected deepfake call, the employee asks for the code word before proceeding. A genuine executive provides it; a voice clone cannot.
Code words are simple, low-friction, and effective against real-time synthesis attacks. They do not require technology, vendor contracts, or complex integration work.
Dual Authorization for Wire Transfers
No wire transfer above a defined threshold should be authorized by a single person based on a voice or video request alone. The dual authorization requirement means a second approving authority, contacted independently, must confirm before funds move.
Define the threshold explicitly. Many organizations use tiered controls: small transfers may require a single approver, medium transfers require manager sign-off, and large transfers require both a manager and a finance controller, each contacted via separate channels. Document the threshold values in your financial controls policy and verify that your financial systems enforce them technically, not just procedurally.
Communication Policy: When Voice and Video Are Not Enough
Establish explicit policy that voice or video calls alone are insufficient authorization for financial transactions. All transfer requests must be accompanied by a documented paper trail (email from a verified corporate email address, ticket in your financial system, or a signed transfer instruction form) in addition to any verbal confirmation.
This policy creates friction that is deliberate and appropriate. It directly conflicts with the urgency framing attackers use ("this is confidential, time-sensitive, cannot go through the usual channels"). That friction is a feature, not a bug.
Technical Detection Tools: What to Deploy and How
While procedural controls are primary, detection technology adds a useful layer for organizations with high call volume, active phishing exposure, or regulated environments.
Pindrop Pulse for Meetings integrates with Zoom, Webex, and Microsoft Teams to analyze audio streams in real time. It provides a risk signal within 2 seconds of voice activity, flagging participants whose audio has synthetic characteristics. For organizations that conduct regular executive calls with finance teams, this provides a passive monitoring layer that does not require employee action.
Pindrop Pulse for Calls targets contact center environments, analyzing inbound calls at scale for voice clone and synthetic voice characteristics. NIST's Multimedia Integrity (MIM) evaluation program has independently benchmarked Pindrop's detection performance, providing external validation of vendor claims.
Reality Defender provides a multimodal detection API covering audio, video, image, and text. For organizations that conduct regulated video identity verification or KYC workflows, integrating reality defender as a pre-processing step on incoming video calls provides coverage beyond audio-only detection.
C2PA Content Provenance is an emerging technical standard (Coalition for Content Provenance and Authenticity) that embeds cryptographic metadata in media indicating where and when it was created. Enterprise conferencing platforms are beginning to integrate C2PA attestation. Where available, C2PA provenance provides a tamper-evident signal that content was captured from a real camera rather than synthesized.
For evaluation guidance, NIST AI 100-4, published in November 2024, provides the U.S. federal framework for reducing risks from synthetic content, including technical guidance on detection, watermarking, and content authenticity. The NSA, FBI, and CISA joint publication on deepfake threats provides additional operational guidance for enterprise environments.
Employee Training: Building Skepticism Without Operational Paralysis
Training employees to resist deepfake CEO fraud is not primarily about teaching them to spot deepfakes. It is about conditioning healthy skepticism around urgent, unusual, out-of-channel requests, regardless of who appears to be making them.
Effective training programs cover:
The "Too Urgent" signal. Legitimate wire transfer requests almost never require bypassing normal approval processes. An executive who says "this is extremely time-sensitive, cannot go through normal channels, do not tell anyone" is describing a textbook social engineering script. Train employees that this language should trigger more scrutiny, not less.
Verification process as standard practice. Out-of-band callbacks should be normalized, not exceptional. If employees are trained to always call back for sensitive requests, they will not feel they are being impolite or accusatory when following procedure. Frame callbacks as standard compliance practice rather than suspicious behavior.
What deepfake audio sounds like. Modern voice clones are convincing, but imperfect. Common indicators include flat prosody (missing the natural rhythm of spontaneous speech), slight latency artifacts in conversational response timing, unexpected vocabulary mismatches, and failures to respond naturally to unexpected questions. Employees should know to ask an unusual follow-up question ("What did we discuss at the all-hands last week?") to probe for scripted-response limitations.
Simulated deepfake exercises. Tabletop exercises where employees receive a simulated voice-cloned request and must follow verification procedures build muscle memory before a real attack occurs. These exercises should be included in AI security red team scope, which we cover in the next section.
Deepfake Red Teaming: Testing Your Own Defenses
Any AI penetration testing engagement that includes social engineering scope should test deepfake resistance. Most phishing red team programs still focus exclusively on email. Voice and video attack vectors are consistently undertested, which means organizations often discover gaps in their procedural controls only after a real incident.
A deepfake social engineering red team exercise should test:
Results from these exercises directly inform training priorities, policy updates, and threshold decisions for dual authorization controls. Organizations that include this scope in their AI penetration testing program before experiencing a real incident avoid the far higher cost of discovering gaps through fraud loss.
For a full picture of AI-specific attack vectors your security team should be testing, see our AI penetration testing methodology guide.
Incident Response: The First 60 Minutes
When a suspected deepfake wire fraud is identified, time determines whether transferred funds can be recovered. Banks participating in SWIFT's global payments innovation (gpi) service can initiate a recall request, but speed is essential: most domestic and international wire recalls succeed only when initiated within hours of the original transfer.
Minutes 0-10: Freeze the transfer. Contact your financial institution immediately. Provide the transfer details: amount, destination account, timestamp. Request a hold or recall. If the transfer is recent and destination accounts are still reachable within the banking system, a hold may be possible. Do not wait to gather more information before making this call; information-gathering happens in parallel.
Minutes 10-30: Preserve all artifacts. Before anything is deleted or overwritten, preserve every piece of evidence: call recordings if your conferencing platform retains them, emails, instant messages, screen recordings, voicemail, and call metadata. Initiate a legal hold on all communications related to the event. Do not allow any parties to delete relevant communications while investigation is underway.
Minutes 30-60: Notify and escalate. Alert your CISO, legal counsel, and senior leadership. Do not issue any public statement before legal counsel reviews it. File a complaint with FBI IC3 (ic3.gov), which coordinates with FinCEN and banking regulators on wire fraud recovery. If your organization is a regulated entity (financial services, healthcare, defense contractor), notify your regulator based on applicable breach disclosure timelines.
Engage a forensic team to determine the attack vector, which source audio or video was used to construct the deepfake, and whether the attacker had prior access to your systems. The attack pattern may reveal additional exposed employees or open investigation threads.
Connecting Deepfake Defense to Your AI Security Program
Deepfake CEO fraud is not a standalone threat. It is part of a broader pattern: AI capabilities are being used to attack the human layer of enterprise security because technical controls have matured faster than human authentication defenses. The same AI risk posture program that governs your LLM deployments, your AI vendor assessments, and your AI model inventory should explicitly include social engineering via synthetic media as a covered threat category.
Organizations that have completed an AI security assessment typically find that their AI governance policies cover internal AI deployments in detail while leaving the inbound threat surface, attacks that use AI against your people, either uncovered or addressed only by general security awareness programs that were never designed for this threat class.
Closing that gap requires updating your threat model, your vendor security questionnaires (does your conferencing vendor offer synthetic media detection?), your financial controls policy, and your red team scope. These are not large projects. Most of the procedural controls described in this guide can be implemented in a policy update and a training session. The technical detection integrations take longer but do not need to block the procedural controls from going live immediately.
The Arup incident was not the result of a technical control failure. It was the result of a finance employee applying normal human trust to a situation that looked and sounded genuine. The defense is making that situation require a second, independent authentication step that no deepfake can provide.
Conclusion
Deepfake CEO fraud and voice cloning attacks will not stop getting more convincing. Detection technology provides a useful signal layer, but its accuracy in real-world conditions is insufficient to rely on alone. The controls that stop these attacks are procedural: mandatory out-of-band callbacks on pre-registered numbers, pre-agreed code words for sensitive requests, and dual authorization requirements for wire transfers above defined thresholds.
These controls are not technologically complex. They require policy, training, and enforcement. Organizations that implement them before experiencing an incident spend far less than the average BEC loss of $123,000 per event (FBI IC3 2025), and far less than the $25.6 million Arup spent learning the same lesson.
To assess your organization's current exposure to deepfake social engineering and AI-assisted fraud, run a free Securetom scan or contact us to scope an AI security assessment that includes deepfake red team testing.
Additional resources: NSA, FBI, and CISA joint publication on deepfake threats | NIST AI 100-4: Reducing Risks Posed by Synthetic Content | FBI IC3 Internet Crime Report 2025
AI Security Audit Checklist
A 30-point checklist covering LLM vulnerabilities, model supply chain risks, data pipeline security, and compliance gaps. Used by our team during actual client engagements.
We will send it to your inbox. No spam.
BeyondScale Team
AI Security Team, BeyondScale Technologies
Security researcher and engineer at BeyondScale Technologies, an ISO 27001 certified AI cybersecurity firm.
Want to know your AI security posture? Run a free Securetom scan in 60 seconds.
Start Free Scan
