Between 2024 and 2025, several real-world cases emerged where Artificial Intelligence was leveraged to orchestrate large-scale financial fraud. In one international case, an employee authorized a $25 million transfer after a video call with what appeared to be an executive — in reality, a deepfake.
Deepfake Attack Tactics
The attack chain typically follows a predictable structure. In the initial phase, cybercriminals harvest multimedia content of executives (interviews, webinars, podcasts), which is then used to train voice- and face-cloning models.
Next, they construct a high-pressure narrative: confidential M&A operations, extraordinary audits, legal or sanctions-related urgencies, often accompanied by demands for strict confidentiality. To reinforce credibility, attackers may even organize group calls featuring fake “colleagues” or “legal advisors.”
Finally, the financial request is executed via transfers to mule accounts, followed by rapid international laundering.
Warning signs, although subtle, are detectable: urgent payment requests to never-before-used accounts, explicit pressure to bypass accounting, contact initiated through non-official channels, and — during video calls — micro-asynchronies between audio and lip movements, or unnatural lighting and facial rigidity.
Focus: Threat Intelligence
Threat Intelligence is the key enabler in defending against these attacks. The outside-in approach enables monitoring of clone domains and infrastructures, suspicious phone numbers, mule accounts, and even underground marketplaces offering voice/video impersonation-as-a-service.
At the same time, executive footprint management becomes a preventive control: reducing the online availability of reusable audio-video material, or applying watermarks and background noise to public content.
On the inside-out front, it is critical to integrate detection into enterprise processes: automatically routing out-of-process payment requests into SOC/Finance workflows, applying risk scoring to tickets (new IBAN, high amounts, unusual jurisdictions, urgent timelines), and archiving technical artifacts for future correlation and enrichment.
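An illustrative risk scorer for that routing step, added here as an example and not CYBEROO's tooling: it scores a payment request on the signals the text names (new IBAN, high amount, unusual jurisdiction, urgent timeline, non-official channel, pressure to bypass accounting) and decides whether to block it or route it to SOC/Finance review. The reference sets, weights and thresholds are constructed assumptions.

```python
# Added example: risk-score an out-of-process payment request and choose a route.
from dataclasses import dataclass, field

# Constructed reference data; a real deployment reads these from the ERP / vendor master.
KNOWN_BENEFICIARY_IBANS = {"DE89370400440532013000", "IT60X0542811101000000123456"}
USUAL_JURISDICTIONS = {"DE", "IT", "FR"}
OFFICIAL_CHANNELS = {"erp_ticket", "corporate_email"}
HIGH_AMOUNT_THRESHOLD = 100_000   # constructed, in the reporting currency
ATYPICAL_URGENCY_HOURS = 4        # constructed definition of "atypical urgency"

@dataclass
class PaymentRequest:
    amount: float
    beneficiary_iban: str
    deadline_hours: float            # hours until the requester says it "must" go out
    channel: str                     # how the request reached Finance
    bypass_accounting: bool = False  # explicit ask to skip the normal approval chain

@dataclass
class RiskAssessment:
    score: int = 0
    reasons: list = field(default_factory=list)
    action: str = "normal"           # normal | soc_finance_review | block_and_escalate

def assess(req: PaymentRequest) -> RiskAssessment:
    """Weight each signal; a never-seen IBAN plus atypical urgency blocks outright."""
    r = RiskAssessment()
    iban = req.beneficiary_iban.replace(" ", "").upper()
    new_iban = iban not in KNOWN_BENEFICIARY_IBANS
    urgent = req.deadline_hours <= ATYPICAL_URGENCY_HOURS
    checks = [
        (new_iban, 40, "beneficiary IBAN never used before"),
        (req.amount >= HIGH_AMOUNT_THRESHOLD, 20, "high amount"),
        (iban[:2] not in USUAL_JURISDICTIONS, 15, "unusual jurisdiction"),
        (urgent, 25, "urgent timeline"),
        (req.channel not in OFFICIAL_CHANNELS, 15, "contact via non-official channel"),
        (req.bypass_accounting, 25, "pressure to bypass accounting"),
    ]
    for hit, weight, reason in checks:
        if hit:
            r.score += weight
            r.reasons.append(reason)
    # Immediate block when the two strongest signals coincide; otherwise route by score.
    if new_iban and urgent:
        r.action = "block_and_escalate"
    elif r.score >= 40:
        r.action = "soc_finance_review"
    return r

if __name__ == "__main__":
    demo = PaymentRequest(250_000, "HK12 0000 0000 0000 0000 00", 2, "whatsapp", True)
    print(assess(demo))
```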
Concrete Countermeasures
Resilience cannot rely solely on detection tools. Strong, shared processes are essential:
- Out-of-band verification through trusted internal contacts, never the numbers provided in the suspicious message.
- Four-eyes principle, requiring dual approval for new beneficiaries or IBAN changes.
- Verification codes for urgent C-level requests.
- Awareness training with real cases, proven to be more effective than theory-only sessions.
From a technical perspective, organizations may deploy liveness challenges during calls (unexpected gestures, code reading, showing physical objects), along with anti-spoofing tools for voice and video analysis. These, however, must be seen as supplementary layers, not replacements for strong business processes.
Operational Playbook
The ideal workflow involves:
- Immediate payment block in case of unusual IBAN or atypical urgency.
- Out-of-band verification of the requester.
- Collection of digital artifacts (meeting invites, email headers, call IDs, phone numbers).
- Threat Intelligence enrichment on technical indicators.
- Escalation to Finance/Legal and, if required, initiation of a bank recall.
Finally, lessons learned must be incorporated into the knowledge base and awareness programs.
Two Key Phrases
- When pressured on urgency: “Per policy, I must confirm through internal contact and second approval. I’ll proceed right away.”
- When asked to change an IBAN: “Payment details can only be modified through the standard process and verification. Without that, the transfer will not go through.”
Prevention over Cure
Deepfake phishing does not exploit technological vulnerabilities — it manipulates processes and people. The combination of targeted Threat Intelligence, simple but enforced policies, and operational discipline is currently the most effective way to significantly reduce financial fraud risk, even when the CEO’s “face” or “voice” appears on the other side of the screen.
Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO