Evidence suggests that sophisticated AI-driven fraud is now part of the mainstream.

A 2024 Medius poll of 1,533 US and UK finance professionals suggested that just over half (53%) of corporations have been targeted with financial scams using deepfake technology, with 43% falling victim to such attacks. Another report suggested that in 2023, deepfake incidents targeting the fintech sector increased by 700%.

According to Deloitte’s Center for Financial Services, total losses from financial fraud in 2023 amounted to $12.3 billion. By 2027, generative AI is predicted to enable losses to reach $40 billion.

The most popular deepfake techniques include the following:

• Deepfake voice scams. With just a few seconds of audio, scammers use AI tools to clone a person’s voice. They then make fake phone calls or submit voicemails impersonating key company insiders
• Deepfake video scams. Based on snippets from, for example, YouTube or corporate webinars, AI can generate fake video footage of a real person. The level of sophistication in this area has now reached a point where it is possible to clone a company executive’s face and voice to conduct entire real-time video conference calls
• Fake ID and social media scams. AI can generate realistic fake profile pictures for scam accounts. These profiles can then be used as broader corporate fraud attempts
• Fake AI-generated documents. AI can create counterfeit passports, IDs and other documents. These forgeries can help scammers bypass security checks in financial fraud and identity theft scams

A big part of the problem is that deepfake technology is available to pretty much anyone – if you know where to look. A booming dark web cottage industry sells scamming software of various levels of sophistication from $20 to thousands of dollars. You do not need advanced AI skills to mount an attack; you need cash.

Good practice includes the following:

Raise awareness 

Most cyber attack techniques rely on human vulnerability, carelessness, and/or a lack of awareness on the victim’s part. This applies to all types of social engineering, including deepfakes.

As we’ve seen, there’s nothing new about phishing, so you should have awareness training in place already (if not, this is an area that needs to be addressed). This should include training on the telltale signs of phishing to look out for, such as irregular email domains or attachments, display name mismatch, or an undue sense of urgency within requests.

Update your training to cover the threats raised by advanced AI. This should include the signs of deepfake attacks, such as unnatural facial movements and expressions, slight visual distortions and imperfect lip synching in video, and slightly robotic speech patterns and inconsistent tone in audio.

Have set procedures in place 

Scammers thrive on inconsistency. If payments are routinely made in an ad-hoc way within a company, it becomes much more challenging for employees to spot a fake email, call, or Zoom session from a genuine one.

Especially for financial transactions, ensure you have set consistent protocols. Examples of this may include:

• The requirement that every request needs to be accompanied by an invoice and submitted in a set format
• Multi-factor authentication, e.g. requiring at least two levels of authentication for payment approvals
• One-time passwords for high-value transactions
• Multi-person approval systems
• A strict call-back policy for unusual requests

Ensure that the rules apply to everyone 

Threat actors also prey on the fact that a kind of “Do you know who I am?” culture exists in many organisations. It’s easy to pull rank if you’re a senior exec. So, if you need a payment to be actioned, instead of following the relevant workflow, you telephone someone in accounts and tell them to make it happen.

This is precisely why highly personalised attacks involving senior stakeholders are so popular with fraudsters. If people at the top are routinely bypassing your safeguards, they start to lose effectiveness quickly!