Deepfake Attacks on Businesses: When You Can No Longer Trust What You See and Hear
In January 2024, a finance employee at a multinational in Hong Kong transferred $25 million to fraudsters. Not after a phishing email. Not after a suspicious phone call. But after a video conference with his CFO and three other colleagues — who all looked and sounded like the real people. They weren't. They were deepfakes.
This incident is no longer science fiction. It's the reality of cybercrime in 2026. And it poses a fundamental question to every organisation: when you can no longer trust what you see and hear, how do you protect yourself?
What exactly are deepfakes?
Deepfakes are artificially generated or manipulated video and audio fragments so realistic they're nearly indistinguishable from authentic material. The technology uses neural networks — specifically Generative Adversarial Networks (GANs) — to replicate faces, voices, and body movements.
What required hours of computing time and specialist expertise five years ago is now available as an off-the-shelf service. For less than a hundred euros, you can commission a convincing voice clone based on just a few minutes of audio. Real-time video deepfakes that work during live video calls are now commercially available.
The business threat is growing exponentially
According to research by Sumsub, deepfake-related fraud cases increased by 700% globally in 2023, and that trend shows no signs of slowing. The most common business attacks include:
CEO Fraud 2.0
Classic CEO fraud — where criminals impersonate an executive to authorise payments — becomes exponentially more dangerous with deepfake technology. While a suspicious email might trigger alarm bells, a video call with someone who looks and sounds like your director is an entirely different proposition.
Recruitment manipulation
There are documented cases of job applicants using deepfake video during online interviews to conceal their true identity. The goal: gaining access to sensitive systems and data from the inside.
Stock price manipulation
Fake videos of CEOs making false announcements can influence share prices before the fraud is discovered. In a world of algorithmic trading, seconds can make the difference.
Social engineering on steroids
Deepfake audio is being used to call help desks, request password resets, and gain access to accounts. The employee on the other end of the line hears a colleague's voice — why would they doubt it?
Why technical detection isn't enough
Deepfake detection tools exist, and they're getting better. But there's a fundamental problem: it's an arms race that the defender structurally loses. Every improvement in detection is used to train better deepfakes. Moreover:
- Real-time detection is limited: most tools work on recorded material, not during a live video call
- Quality varies: what works on amateur deepfakes fails against professional productions
- Implementation is complex: not every organisation has the infrastructure to integrate detection tools into their communication channels
This doesn't mean technical measures are pointless — far from it. But it does mean they can only be one layer of the defence.
The human factor: where the real vulnerability lies
The reason deepfake attacks are so effective isn't primarily the technology. It's human behaviour. Specifically, three psychological mechanisms:
1. Authority compliance
When a request comes from someone in a position of power — a CEO, CFO, or director — people tend to comply without thinking critically. This is the Milgram effect, and it's precisely what deepfake attackers exploit.
2. Time pressure and urgency
Deepfake attacks are almost always combined with urgency: "This needs to happen now," "There's no time to go through normal procedures." Under time pressure, critical thinking shuts down.
3. Visual confirmation bias
When we see and hear someone, we automatically trust that the interaction is real. Video adds a layer of credibility that text and even audio don't have. Our brains evolved to trust faces — and that's now being weaponised against us.
How behavioural analysis makes the difference
At Nexus-7, we believe effective protection against deepfake attacks starts with understanding human behaviour. Our Q-Method behavioural analysis maps how employees respond to precisely the psychological triggers deployed in deepfake attacks:
- Who is especially susceptible to authority pressure? These employees need additional verification protocols
- Who acts impulsively under time pressure? These employees benefit from structured escalation procedures
- Which departments have a culture of 'don't question'? Cultural change is needed there, not just training
This isn't standard awareness training with an annual multiple-choice test. It's a scientifically grounded analysis of behavioural patterns that determines where your organisation is vulnerable — and what specifically needs to change.
Practical measures for today
Beyond behavioural analysis, there are concrete steps every organisation can take right now:
Verification protocols
- Implement a "callback" policy for all financial transactions above a certain threshold: call back on a pre-established number
- Use code words or verification questions that can't be derived from public sources
- Never allow security procedures to be bypassed due to urgency — urgency itself is a red flag
Technical measures
- Implement multi-factor authentication for all critical actions, including internal ones
- Consider digital signatures for video meetings with sensitive content
- Monitor for unusual communication patterns (a CFO suddenly calling outside business hours, a director reaching out via an unknown platform)
Culture and awareness
- Make it acceptable — even encouraged — to verify requests from senior leadership
- Train employees specifically on the combination of authority + urgency as a warning signal
- Conduct regular simulations, including deepfake scenarios
The future is now
Deepfake technology becomes more accessible and convincing every month. The question isn't whether your organisation will encounter it, but when. Organisations that invest now in understanding their human vulnerabilities — not just their technical ones — will be significantly better positioned.
The defence against deepfakes is ultimately not a technical problem. It's a people problem. And people problems require people-centred solutions.
Want to know how vulnerable your organisation is to deepfake attacks and other forms of social engineering? Nexus-7 uses Q-Method behavioural analysis to map your human risk factors and help you take targeted action.
