Evidence suggests that sophisticated AI-driven fraud is now part of the mainstream.

A 2024 Medius poll of 1,533 US and UK finance professionals suggested that just over half (53%) of corporations have been targeted with financial scams using deepfake technology, with 43% falling victim to such attacks. Another report suggested that in 2023, deepfake incidents targeting the fintech sector increased by 700%.

According to Deloitte’s Center for Financial Services, total losses from financial fraud in 2023 amounted to $12.3 billion. By 2027, generative AI is predicted to enable losses to reach $40 billion.

The most popular deepfake techniques include the following:

• Deepfake voice scams. With just a few seconds of audio, scammers use AI tools to clone a person’s voice. They then make fake phone calls or submit voicemails impersonating key company insiders
• Deepfake video scams. Based on snippets from, for example, YouTube or corporate webinars, AI can generate fake video footage of a real person. The level of sophistication in this area has now reached a point where it is possible to clone a company executive’s face and voice to conduct entire real-time video conference calls
• Fake ID and social media scams. AI can generate realistic fake profile pictures for scam accounts. These profiles can then be used as broader corporate fraud attempts
• Fake AI-generated documents. AI can create counterfeit passports, IDs and other documents. These forgeries can help scammers bypass security checks in financial fraud and identity theft scams

A big part of the problem is that deepfake technology is available to pretty much anyone – if you know where to look. A booming dark web cottage industry sells scamming software of various levels of sophistication from $20 to thousands of dollars. You do not need advanced AI skills to mount an attack; you need cash.

Good practice includes the following:

Raise awareness 

Most cyber attack techniques rely on human vulnerability, carelessness, and/or a lack of awareness on the victim’s part. This applies to all types of social engineering, including deepfakes.

As we’ve seen, there’s nothing new about phishing, so you should have awareness training in place already (if not, this is an area that needs to be addressed). This should include training on the telltale signs of phishing to look out for, such as irregular email domains or attachments, display name mismatch, or an undue sense of urgency within requests.

Update your training to cover the threats raised by advanced AI. This should include the signs of deepfake attacks, such as unnatural facial movements and expressions, slight visual distortions and imperfect lip synching in video, and slightly robotic speech patterns and inconsistent tone in audio.

Have set procedures in place 

Scammers thrive on inconsistency. If payments are routinely made in an ad-hoc way within a company, it becomes much more challenging for employees to spot a fake email, call, or Zoom session from a genuine one.

Especially for financial transactions, ensure you have set consistent protocols. Examples of this may include:

• The requirement that every request needs to be accompanied by an invoice and submitted in a set format
• Multi-factor authentication, e.g. requiring at least two levels of authentication for payment approvals
• One-time passwords for high-value transactions
• Multi-person approval systems
• A strict call-back policy for unusual requests

Ensure that the rules apply to everyone 

Threat actors also prey on the fact that a kind of “Do you know who I am?” culture exists in many organisations. It’s easy to pull rank if you’re a senior exec. So, if you need a payment to be actioned, instead of following the relevant workflow, you telephone someone in accounts and tell them to make it happen.

This is precisely why highly personalised attacks involving senior stakeholders are so popular with fraudsters. If people at the top are routinely bypassing your safeguards, they start to lose effectiveness quickly!

To understand your business, your consultant will need to see items such as your business process maps, details of internal procedures, information on existing system priorities and vulnerabilities, and more general information linked to your future and growth strategies. Once the project is underway, they may need to move or process segments of your data across multiple locations or export it for analysis or testing. Obviously, you do not want this to fall into the wrong hands.
Look for consultancies that have been independently verified as having what it takes to keep your information safe. Probably the single most valuable trust indicator here is ISO 27001. If your consultant has an up-to-date ISO 27001 certification, it shows they have an effective ISMS (information security management system) in place. This means the following:

• The consultancy has identified the risks to which its information assets – and clients – are exposed.
• It has appropriate measures (i.e., controls) to protect those assets.
• It has a clear action plan in case of an information security breach.
• It adheres to clear accountability and auditability principles: i.e. you know exactly who the individuals responsible are for each step of the information security process.

It’s easy for a business to claim that they prioritise information security. The proof is in the action they take. If a consultancy takes its responsibilities seriously, you should expect to see the following types of safeguards in place:

• The consultancy has an information security policy in place
• Regular security audits and risk assessments are carried out
• They follow a recognised information security framework (e.g. ISO 27001). They have up-to-date accreditation to demonstrate this
• There are clear measures in place to protect client data, including encryption for data at rest and in transit, access controls, and secure storage
• Special care is taken with personally identifiable information (PII) and other categories of sensitive data. This includes GDPR compliance
• If they need to do system or application testing using PII, this is anonymized or pseudonymized beforehand
• Access to client systems and data is closely managed. This includes the application of the principle of least privilege (PoLP)
• Auditability is taken seriously: they can track and log consultant access to client environments
• Care is taken to revoke access after project completion
• Appropriate DevSecOps practices are followed for software implementations
• Incident response and disaster recovery plans are both in place and verifiable. This includes clear procedures for notifying clients in the event of an information security breach