That’s Not Your CEO: How Deepfakes Power the Next Generation of Scams

Deepfakes in Social Engineering

by Matrix219

Attackers are using deepfakes in social engineering attacks primarily through voice cloning for fraudulent requests (vishing), creating fake videos to impersonate executives (CEO fraud), and generating synthetic media to spread disinformation or blackmail individuals. This technology allows them to bypass human skepticism by making their fraudulent communications appear incredibly authentic.

What Are Deepfakes?

Deepfakes are synthetic media created using artificial intelligence. By training an AI model on a person’s video and audio, an attacker can generate a new, highly realistic video or audio clip of that person saying or doing things they never actually said or did. What once required Hollywood-level CGI can now be done with increasingly accessible software.

How Deepfakes Are Used in Attacks

CEO Fraud and Business Email Compromise (BEC)

This is one of the most common and financially damaging uses. An attacker can use just a few seconds of a CEO’s voice from a public interview or video to create a deepfake audio clone. They then use this cloned voice to call an employee in the finance department, creating a sense of urgency and instructing them to make an immediate wire transfer to a fraudulent account. Because the voice sounds exactly like their boss, the employee is much more likely to comply.

Vishing (Voice Phishing) on a Personal Level

The same voice cloning technology is used to target individuals. Scammers can clone the voice of a loved one (like a child or grandchild) and call a person, claiming to be in trouble and in desperate need of money. The emotional manipulation, combined with the convincing audio, makes this type of scam brutally effective.

Spreading Disinformation and Damaging Reputations

Deepfakes can be used to create fake videos of public figures, politicians, or business leaders saying or doing something damaging. This can be used to manipulate public opinion, influence stock prices, or simply destroy a person’s reputation. While less direct than financial fraud, this is a powerful form of social engineering.

Bypassing Biometric Verification

Some security systems use voice or face recognition for authentication, often paired with a “liveness” check meant to confirm that a real person is present. Attackers are exploring the use of deepfakes to fool these checks, potentially allowing them to gain unauthorized access to sensitive accounts or systems.

How to Protect Yourself and Your Company

1. Verify Through a Different Channel

This is the golden rule. If you receive an urgent and unusual request via a phone call or voicemail—even if it sounds legitimate—hang up. Then, contact the person using a known, trusted phone number (not the one that called you) to verify the request.

2. Implement Multi-Person Approval Protocols

For financial transactions, especially large or unusual ones, require approval from at least two people. This “four-eyes principle” makes it much harder for a single employee to be tricked by a deepfake scam.

3. Train and Raise Awareness

Educate your employees and family members about the existence and capabilities of deepfake technology. Knowing that such scams are possible is the first step in being able to recognize and question them.
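
The first two protections above (verify through a different channel, require multi-person approval) can be enforced as a release gate in a payment workflow. The sketch below is an added example, not code from the original article; the `WireRequest` fields, the `release_blockers` function, and the directory names and numbers are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory of known, trusted numbers, maintained independently
# of any inbound call (names and numbers are made up for this example).
TRUSTED_DIRECTORY = {"ceo": "+1-555-0100", "cfo": "+1-555-0101"}

@dataclass
class WireRequest:
    requester: str                  # who the caller claimed to be
    inbound_number: str             # audit trail only; caller ID is never proof
    amount: float
    callback_number: Optional[str] = None   # number staff dialled to verify
    callback_confirmed: bool = False        # requester confirmed on that call
    approvers: set = field(default_factory=set)

def release_blockers(req: WireRequest, min_approvers: int = 2) -> list:
    """Return the reasons a transfer must be held; an empty list means release."""
    blockers = []
    known = TRUSTED_DIRECTORY.get(req.requester)
    if known is None:
        blockers.append("requester not in trusted directory")
    elif req.callback_number != known:
        # A familiar voice or a matching inbound number does not count:
        # staff must have dialled the directory number themselves.
        blockers.append("no callback placed to the directory number")
    elif not req.callback_confirmed:
        blockers.append("requester did not confirm the request on callback")
    # Four-eyes rule: the requester cannot approve their own request.
    independent = req.approvers - {req.requester}
    if len(independent) < min_approvers:
        blockers.append(
            f"needs {min_approvers} independent approvers, has {len(independent)}")
    return blockers

if __name__ == "__main__":
    # Constructed case: urgent call, caller ID spoofed to the CEO's real number.
    urgent = WireRequest("ceo", "+1-555-0100", 250_000.0, approvers={"alice"})
    print(release_blockers(urgent))
    # Same request after a callback to the directory number and a second approver.
    checked = WireRequest("ceo", "+1-555-0100", 250_000.0,
                          callback_number="+1-555-0100", callback_confirmed=True,
                          approvers={"alice", "bob"})
    print(release_blockers(checked))
```

The inbound number is stored but never consulted, so a request that arrives from a number matching the directory entry is still held until staff place their own callback.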
