Business leaders can’t ignore the rise of deepfake attacks, says Tristan Shortland, pictured, Chief Technology Officer, Infinity Group.
Artificial intelligence has transformed the way organisations operate, accelerating decision making and automating work at a remarkable pace. But it has also created a new class of threats that feel personal, convincing and difficult to detect. Deepfake attacks once seemed like experimental technology but today they have transformed into a credible tool for fraud, allowing criminals to copy voices and faces with alarming accuracy and deploy them to exploit human judgement.
Deepfakes do not target firewalls or servers, instead they target people, trust and authority. Understanding this distinction is crucial, particularly for senior leaders, because the consequences can be severe: financial loss, operational disruption and reputational harm. These attacks have quickly moved from theoretical concern to board level priority.
What deepfake attacks really are
A deepfake attack uses AI generated or manipulated audio, video or imagery to impersonate a real person for malicious gain. The authenticity of these fakes is what makes them so dangerous. They replicate tone, pace, expressions and speech patterns well enough that most employees cannot identify them, especially when the message is framed as urgent or confidential. In the moment, instinct often overrides caution.
More dangerous than phishing
Unlike traditional phishing, deepfake attacks bypass the usual warning signs. Instead of a suspicious email, an employee may receive a phone call that sounds exactly like their CEO or a video message that looks entirely legitimate. Some attackers even join live calls using real time manipulation, responding naturally and increasing pressure until the target complies. Imperfect deepfakes can still succeed because urgency reduces scrutiny and authority reduces challenge.
Used against businesses
Deepfake-driven impersonation has already taken hold in several common attack patterns. The most widespread involves cloning a senior leader’s voice to instruct finance teams to make urgent payments or amend supplier details. Because the request sounds credible and time sensitive, employees often comply without hesitation.
Deepfakes are also being combined with Business Email Compromise attacks. A fraudulent email requesting a transfer may be followed by a voice note or call, apparently from a senior executive, confirming the instruction. This two-channel approach removes doubt and significantly increases success rates.
Attackers are also targeting multiple departments at once, blending deepfake content with stolen data or compromised accounts. The result is a highly convincing scenario that feels internally consistent, making it even harder for individual teams to question.
Executives are prime targets
Senior leaders are especially vulnerable for many reasons. Their public visibility provides ample training data, from interviews, keynotes and podcasts to internal messages which all feed AI tools with high-quality audio and video. Their authority discourages employees from challenging unusual requests. Additionally, hybrid working has normalised communication across channels like Teams, WhatsApp and voice notes, removing many cues that help detect something suspicious. Together, this creates ideal conditions for impersonation.
Controls falling short
Most security tools are not designed to counter deepfake-based social engineering. Email filtering cannot detect fraudulent voice calls. Multifactor authentication cannot stop an employee being persuaded to approve a payment. Policies that work in theory often collapse under perceived pressure from someone senior and traditional phishing training usually focuses on links and language errors, not sophisticated audio or video manipulation. Deepfakes exploit a gap that technical solutions alone cannot close.
How you can defend
Effective protection relies on three pillars: awareness, verification and preparation. Raising awareness is critical, employees need exposure to what AI-driven impersonation looks and sounds like so they can recognise the possibility. Leaders must also actively encourage a culture where verification is expected, even when the request appears to come from someone senior.
Verification measures must be built into every high-risk process. Payments, supplier changes and access requests should always require a second confirmation via a different communication channel. Consistency is essential, as urgency can never be allowed to override process.
Preparation is equally important; organisations should have clear response plans and escalation routes for moments when something doesn’t feel right. Practising these scenarios helps teams remain calm and decisive when trust is uncertain.
Leadership attention
Deepfake attacks mark a shift in how cyber risk operates. Instead of breaking into systems, now they rely on convincing an employee to open the door. These attacks are becoming easier to produce, harder to recognise and faster to deploy, which is why they now sit firmly in the realm of everyday business risk rather than hypothetical concern. Leaders must acknowledge that deepfakes are not just a technical challenge but a human, cultural and governance challenge. They expose gaps in communication habits, decision making under pressure and the assumptions we make about trust inside an organisation.
Addressing these gaps requires awareness within leadership, confidence across teams and practical measures that stand up to real world pressure. It means creating an environment encouraging verification, slowing down decision making and critical processes that cannot be overridden by urgency alone. Most importantly, it demands a shared understanding that protecting the organisation is a collective responsibility.
