Picture this: one day, you walk into work and find three envelopes on your desk. Each envelope contains a negative outcome. You must select one. Here are your options:
- Your company loses $2 million in a payment fraud scheme.
- An unknown amount of sensitive data belonging to your employees and customers is sold anonymously on the dark web.
- Your customers see a deepfake video of the company CEO speaking negatively about them, causing customer attrition rates to skyrocket.
Trick question, you don’t get to choose. All of the options listed above are possible outcomes of deepfake fraud. While it’s unlikely that you’d come into work to find a game of envelope roulette on your desk, the odds of you coming in after a deepfake fraud attempt are only increasing.
Deepfake risks are endless and damaging. Fraudsters aren’t always after money; they may be trying to ruin your brand’s reputation or negatively impact those closest to your organization.
At Eftsure, we know that it can feel like an impossible challenge to understand all of the ways in which deepfake fraud can negatively impact your business, but when you know what to watch out for, you’re better able to protect company interests.
The rising tide of deepfakes
Deepfakes have been around since 2017, but back then, their reach stopped at half‑decent AI‑generated videos and audio recordings of prominent public figures like celebrities and politicians.
While artificial intelligence (AI) — and generative AI more specifically — were growing in sophistication, fake videos were easy to spot, often having tell‑tale signs that alerted viewers of the inauthenticity.
Since then, deepfake technology has improved so much that it’s nearly impossible for untrained eyes to spot them. As the technology evolved, the risks evolved, too.
Now, instead of inconveniencing celebrities and entertaining social media users, deepfake videos, audio recordings and even fabricated documents are wreaking havoc in business settings. In 2023 alone, the number of deepfake fraud attempts surged by 3000%.
Quantifying the impact: deepfake‑related losses are expected to reach $40 billion by 2027.
For business leaders — especially finance professionals — deepfake fraud should be top of mind at all times. Whether it’s sending a vendor payment, making a corporate investment decision or securing financial data, considering the risks associated with deepfake fraud is a never‑ending journey.
The human dimension: why good people get targeted
One of the reasons the risks can be so detrimental is because at the center of these schemes are well‑intentioned and unsuspecting people. Fraudsters will take advantage of a busy accounting team during month‑end close, prey on a new hire who is eager to make a good first impression and make even the most seasoned CFOs second‑guess themselves.
We call this the human dimension of deepfake fraud.
No matter what cybersecurity protections a business has in place, there is still a person behind every financial transaction. Payment approvals, vendor information updates and even instructions from company leadership are prime targets for deepfake scammers.
Case in point: vigilance stops a CEO voice deepfake
In one instance, an employee of a cybersecurity firm received an urgent voice message from the company’s CEO. Even though the message sounded like it was directly from the CEO, the employee noticed a couple of things:
- the message arrived via WhatsApp, which is not a normal business communication channel
- there was an unusual sense of urgency in the request
Instead of taking action, the employee ignored the messages and reported them to the internal cybersecurity team. Despite a well‑crafted attempt, the scam was unsuccessful only because of a vigilant employee.
This serves as an important reminder that, even though the human dimension is the root cause of many risks, it is often the first line of defense in preventing deepfake fraud.
Financial risks: the cost goes beyond the first loss
While scammers aren’t always aiming for financial gain, it’s a major goal in many cases. On average, deepfake fraud ends up costing businesses $500,000. No matter the size of the enterprise, a half‑million‑dollar hit is difficult to recover from.
But the costs don’t stop there. Even if the initial loss is only $200,000, recovering from a deepfake attack often requires additional investment, such as:
- training: more than 50% of business leaders say employees lack proper deepfake training; closing that gap takes time and budget
- cyber insurance: coverage is typically contingent on having proper controls in place, and claims can be denied if controls are missing
- liquidity recovery: a sudden cash hit affects reserves, spending and near‑term investments
Deepfake risks are extensive and often compounding; one issue makes it harder to solve the next. Unfortunately, the damages can go further and last longer than expected.
Real‑world example
A London‑based engineering firm was caught in an elaborate deepfake scam in which a finance employee was video‑called by the CFO and other leaders. The people on the screen looked and sounded real, but they were AI‑generated deepfakes instructing the employee to wire $25 million to external accounts.
In a situation like this one, losing $25 million is just the beginning. In this case, the firm was able to prevent operational disruptions or data breaches, allowing it to move forward more quickly.
Operational interruptions can snowball
Any time cash flow is interrupted, cash‑dependent operations can come to a halt. From payroll delays to warehouse bottlenecks, the operational impact can exceed the original financial hit.
Hypothetical scenario
The accounts team receives a request via email to adjust a vendor’s payment details. The email includes updated contracts and fabricated documents to prove authenticity, and the team obliges. For two months, payments are wired to a new account. The problem isn’t uncovered until the actual vendor inquires about two overdue payments.
- two payments of $50,000 are gone
- there is a supply issue for raw materials because the vendor won’t ship orders without payment
- the relationship with the vendor is strained
- finding another $100,000 on short notice proves challenging
- the CFO pushes back a strategic digital transformation project to cover the gap
This example shows how quickly deepfake risks can cascade across operations.
From legal exposure to reputational damage
Some leaders are convinced a deepfake attack won’t happen to their organization, but that mentality is dangerous and costly. If an attack succeeds and leadership failed to protect the organization from cyber threats, fines, legal penalties and regulatory action may follow.
Any time a breach exposes sensitive information, the business at the center is held accountable. Accountability may include:
- reporting the breach to the relevant regulatory body
- regulatory investigation
- legal action from affected individuals
- personal accountability for executives if internal controls are lacking
Lawsuits and investigations are tedious and damaging. In retail, for example, a survey found that 60% of customers will stop shopping with a retailer after a data breach. While statistics vary by industry, the bottom line is the same: people want to do business with companies that take data security seriously. A breach can erode trust among shareholders, customers and investors for years.
Why fighting back is hard
Deepfake risks are bringing a new era of cybersecurity considerations to boardrooms. As CFOs, CEOs and risk leaders work to protect their firms, they’ll need to get more creative than ever.
Humans are poor AI detectors
The average social media user has likely encountered AI‑generated content. But identifying it is difficult. In one study that tested 2,000 adults on their ability to spot AI‑generated images and videos, participants believed they would be correct 60% of the time on average, yet only 0.1% could accurately determine whether all items were real or fake.
Fraud‑as‑a‑service lowers the bar
Even as people get better at spotting AI‑generated content, the accessibility of deepfake generators and other tools is making it easier for scammers. Bad actors don’t need programming expertise to pull off these stunts; they can purchase content on the dark web or use tools readily available online.
Cybersecurity tools are lagging
AI has exploded in availability and usability over the last few years, and many security tools have struggled to keep pace. Anti‑virus software and firewalls are no longer sufficient; deepfake risks require a multi‑pronged approach that adapts people, processes and technology. Without a robust strategy, it’s only a matter of time before your business becomes a headline.
Focus on strategic, cross‑functional solutions
Deepfakes aren’t just another cybersecurity topic; they’re reshaping how leaders think about enterprise risk. Because the impact is far‑reaching — affecting financial health, operations and reputation — deepfake risks need to be taken seriously.
Defending against deepfake‑enabled fraud requires more than a capable IT team. A cross‑functional strategy that aligns people, processes and technology is the new norm, and finance leaders should drive the conversation.
It should be clear how detrimental it can be to leave the door open for deepfake scammers. With the risks in front of you, the next step is action.
In Eftsure’s comprehensive guide to deepfake‑enabled cyberfraud, we break down deepfake technology, help leaders understand the risks and provide actionable ways to mitigate them. Together, we can reduce fraud attempts and prevent lasting damage.
Download the guide to learn how to defend your business against deepfake‑enabled cybercrime.
