Deepfake fraud is the use of AI-generated audio, video or images to impersonate a real person or fabricate a synthetic one, in order to deceive a victim into transferring money, disclosing credentials or approving an identity. Unlike traditional social engineering, deepfake fraud attacks the evidence of identity itself: the face on the video call, the voice on the phone, the selfie in a KYC check. For organisations, that means the visual and auditory cues employees have relied on for decades to confirm who they are dealing with can no longer be trusted at face value.
This is no longer a theoretical risk. In early 2024, a finance employee at the Hong Kong office of British engineering firm Arup joined a video call with what appeared to be the company's chief financial officer and several colleagues. Every participant except the victim was a deepfake, assembled from publicly available footage. Over 15 transactions the employee transferred roughly US$25 million (around HK$200 million) to the fraudsters (Fortune, CNN, May 2024). We use this case throughout because it shows how convincingly the pieces now fit together.
What Is Deepfake Fraud?
Deepfake fraud combines generative media with a classic fraud objective. The generative layer produces a synthetic likeness — a cloned voice, a face-swapped video stream, a fabricated identity document or selfie. The fraud layer wraps that likeness in a plausible pretext: an urgent wire request from the CEO, a call from IT support, or a new-customer onboarding. Because the synthetic media targets the exact signals people and systems use to authenticate identity, it can defeat caller ID, voice familiarity, video presence and even automated biometric checks in a single motion. We explored the broader mechanics in our guide to how GenAI is being used in social engineering attacks; deepfake fraud is the highest-stakes variant of that trend.
How Deepfake Fraud Attacks Work
Most incidents fall into a handful of recurring patterns. Understanding the specific vectors is the first step to briefing the teams who will be targeted.
- Voice clone scams — a synthesized executive voice, buildable from as little as three seconds of public audio, calls to authorise an urgent payment or reset
- Live deepfake video calls — real-time face and voice synthesis puts a fake executive on a Teams or Zoom call, as in the US$25 million Arup case
- CEO and business email compromise hybrids — a spoofed email primes the target, then a voice or video deepfake closes the deal under manufactured urgency
- Synthetic identity fraud — an entirely fabricated persona, built from a LinkedIn profile and a couple of public clips, is used to open accounts or gain trusted access
- KYC and onboarding bypass — AI-generated faces, injected document images and real-time webcam face swaps defeat identity verification during account opening
- Deepfake extortion and impersonation — fabricated compromising media or fake executive statements used to coerce staff or manipulate markets
The economics matter. Fraudsters can now pass a KYC check with an AI-generated face that costs under US$20 and takes about 30 minutes to produce (Zyphe, 2025). Three technical vectors dominate KYC bypass: synthetic identity fraud, document injection that swaps the image inside the data stream before it reaches the verification system, and real-time face swaps streamed over a virtual webcam. Basic liveness checks that ask a user to blink, smile or turn their head no longer prove a human is present, because tools like DeepFaceLive can perform those actions on a synthetic face on demand.
Why Deepfake Fraud Is Rising So Fast
The volume growth is steep by any measure. Sumsub's Identity Fraud Report 2025-2026 recorded a 2,100% global increase in deepfake attacks, with a 94% year-over-year rise in deepfake attempts in the United Kingdom alone. Roughly one in five biometric fraud attempts observed by identity-verification vendors over the past year involved a deepfake. The FBI's 2025 Internet Crime Report logged more than 22,000 AI-related fraud complaints with losses exceeding US$893 million.
Deloitte projects that generative-AI-enabled fraud losses in the United States will climb from US$12.3 billion in 2023 to US$40 billion by 2027 — a compound annual growth rate of about 32% (Deloitte Center for Financial Services, via AI CERTs, 2024). North American deepfake-enabled fraud losses already exceeded US$200 million in the first quarter of 2025 alone.
Three forces drive the curve. First, generation quality crossed the threshold from obviously fake to plausible under time pressure. Second, the tooling commoditised: what once needed a specialist now runs from a consumer app or an open-source model. Third, the raw material is everywhere — earnings calls, conference talks, podcasts and social video give attackers all the training data they need to clone a specific executive. The result is a threat that scales like software while exploiting a very human weakness.
How to Detect Deepfake Fraud
No single detector is reliable on its own, and human perception is a poor last line of defence. Effective detection layers several complementary approaches so that a fake has to defeat all of them at once.
- Passive liveness and biometric analysis — validate the capture source and read signals like subtle blood-flow colour changes and 3D depth rather than prompted actions that a synthetic face can fake
- Multi-frame temporal analysis — examine many frames over time for inconsistencies in lighting, blinking cadence, lip-sync and edge artefacts that single-frame checks miss
- Real-time audio deepfake detection — models that score a live call second by second can flag cloned or synthetic speech while the conversation is still in progress
- Content provenance and C2PA — cryptographically signed manifests record what device captured a file and whether generative AI touched it; a broken or absent signature on media that should be authentic is a strong warning sign
- Injection and virtual-camera detection — spot document-image injection and virtual webcam feeds that indicate a manipulated capture pipeline during onboarding
- Behavioural and transaction analytics — flag requests that deviate from normal patterns, unusual payment destinations and out-of-hours activity independent of whether the media itself looks real
Provenance deserves a caveat. Missing C2PA credentials or watermarks do not prove that a file is fake, and their presence does not prove it is genuine, so provenance must be combined with watermark checks, reverse-image search, metadata forensics and human judgement. Detection technology is a tripwire, not a verdict. For security teams building this capability into the SOC, our piece on GenAI in security operations from a defender's perspective covers how to fold these signals into existing monitoring.
How Organisations Defend Against Deepfake Fraud
The good news is that the strongest controls are process controls, not products — and they work even when the deepfake is flawless. We recommend layering the following, in order of impact.
- Mandate out-of-band verification callbacks — for any request to move money, change payment details or grant access, verify through a separate trusted channel using a stored number, never a contact detail supplied in the request
- Adopt pre-agreed code words — arm executives and finance staff with confidential challenge phrases to confirm identity on calls, so a familiar voice alone is never sufficient authority
- Enforce dual authorisation and payment controls — require two independent approvers for high-value or unusual transfers, with hard limits and mandatory cooling-off checks for new payees
- Kill the urgency and secrecy loophole — treat any request that combines urgency with a demand to bypass normal approvals or keep the transaction secret as an automatic red flag requiring escalation
- Deploy layered technical detection — combine passive liveness, provenance checks and real-time audio detection so no single fake can defeat the whole stack
- Run deepfake-specific awareness training — generic security awareness does not prepare finance and executive-support staff for convincing voice and video fakes; drill the callback and code-word procedures until they are reflexive
That last point is where most programmes fall short. Deepfake defence is a behaviour, and behaviours have to be rehearsed. The same discipline that makes a phishing simulation programme work applies here: realistic, repeated exercises that build muscle memory rather than one-off briefings. Fold deepfake scenarios into the broader security awareness programme so the callback reflex is triggered automatically the moment an urgent, unusual request arrives — regardless of how real the face or voice appears.
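The process controls listed above (stored-number callback, dual authorisation, new-payee cooling-off and urgency-plus-secrecy escalation) can be enforced as a payment-release gate that never looks at the media itself. The Python below is an added example, not code from the original article; the thresholds, field names, phone number and sample data are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values for illustration; the article does not specify them.
HIGH_VALUE = 10_000                 # amount at which dual authorisation applies
COOLING_OFF = timedelta(hours=24)   # hold period for newly added payees

@dataclass
class PaymentRequest:
    requester: str                  # identity the caller claims, e.g. "cfo"
    amount: float
    payee_added: datetime           # when the payee was first registered
    callback_number: str | None     # number staff actually dialled, if any
    approvers: set[str] = field(default_factory=set)
    urgent: bool = False
    secret_or_bypass: bool = False  # asked to keep quiet or skip approvals

def evaluate(req: PaymentRequest, stored_numbers: dict[str, str], now: datetime):
    """Return (decision, reasons); decision is 'release', 'hold' or 'escalate'."""
    reasons = []
    # Out-of-band callback: only the number already on file counts, never one
    # supplied in the request, and never the inbound call itself.
    on_file = stored_numbers.get(req.requester)
    if on_file is None or req.callback_number != on_file:
        reasons.append("no callback to the stored number")
    # Dual authorisation: two approvers, neither of them the requester.
    if req.amount >= HIGH_VALUE and len(req.approvers - {req.requester}) < 2:
        reasons.append("fewer than two independent approvers")
    # Cooling-off for new payees.
    if now - req.payee_added < COOLING_OFF:
        reasons.append("payee still in cooling-off period")
    # Urgency plus secrecy/bypass is an automatic red flag, whatever else passed.
    if req.urgent and req.secret_or_bypass:
        return "escalate", reasons + ["urgency combined with secrecy or bypass"]
    return ("hold", reasons) if reasons else ("release", reasons)

# Constructed sample data (not from the article).
NOW = datetime(2025, 1, 15, 10, 0)
STORED = {"cfo": "+44 20 7946 0000"}   # constructed number held on file
```

A request made on a convincing video call, with no callback and no second approver, is held or escalated by this gate regardless of how real the face or voice appeared.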
The Arup employee had the technology working against him and no procedural backstop to catch the fake. Organisations that pair layered detection with non-negotiable verification callbacks, dual authorisation and rehearsed awareness convert deepfake fraud from a near-certain loss into a manageable risk. The attacks will keep getting better; the defences that matter most are the ones that do not depend on spotting the fake at all.