How Deepfakes Affect Financial Security

AI PR Nightmares Part  3- Deep Fakes Will  Strike Deeper (start planning now): Cyber tools that clone voices and faces arent social media scroll novelties, they’re now mainstream weapons causing millions or billions in financial and reputational harm. If you haven’t scenario‑planned for them yet, you have some work to do right Video, audio, and documents so convincing they could collapse reputations and finances overnight. This isn’t distant Sci‑Fi or fear mongering: Over 40% of financial firms reported deep‑fake threat incidents in 2024 and it escalated 2,137% in just three years. 😱 ⚠️ Real-world fraud: The CFO deep‑fake heist: In early 2024, a British engineering firm (Arup) fell victim to a video‑call deepfake featuring their CFO. Scammers walked an employee through 15 urgent transactions, ultimately siphoning off over $25 million. This wasn’t social media fakery, it was a brazen boardroom attack, executed in real time, with Cold War KGB‑level human believability. 🎭 What synthetic mischief will look like tomorrow: 😱 Imagine a deep‑fake video appearing of a Fortune 500 CEO allegedly accepting a bribe, or footage showing them in inappropriate behavior. 😱 And then within minutes it’s gone viral on social and in the mainstream press, before the real person or company one can even issue a statement. The 2025 version of Twain’s “a lie can travel halfway around the world before the truth puts on its shoes”, except a 1000X faster. At that point, the reputational damage is done even if the clip is later revealed as AI‑generated. 🛡️ What companies must be doing now: Audience Action: Internal (Staff): - Run mandatory deepfake awareness training. - Tell teams: “Yes, you might get a video call from your boss, but if it’s not scheduled, don’t act, and verify via text, email or call. Investors & Regulators: - Include a standard disclaimer in all earnings and executive communications: - “Any video/audio statements are verified via [secure portal/email confirmation]. If you didn’t receive a confirmation, assume it’s fake.” Customers & Partners: - Publish your deep‑fake response plan publicly; kind of like a vulnerability disclosure for your reputation. - Say: “We will never announce layoffs or major program changes via a single email/video.” Media & Public: - Pre‑train spokespeople to respond rapidly: - “That video is fraudulent. We’re initiating forensic authentication and investigating now.” Digital Defense: - Invest in deep‑fake detection tools. Sign monitoring agreements with platforms and regulators. Track your senior execs’ likenesses online. 👇 Has your company run deep‑fake drills? Or do you have a near‑miss story to share? Let’s all collaborate on AI crisis readiness.

The Identity Theft Resource Center recently reported a 312% spike in victim notices, now reaching 1.7 billion for 2024. AI is transforming identity theft from something attackers did manually to full-scale industrialized operations. Look at what happened in Hong Kong: a clerk wired HK$200M to threat actors during a video call where every participant but one was an AI-generated deepfake. Only the victim was real. Here’s what you need to know 👇 1. Traditional authentication won’t stop these attacks. Get MFA on everything, prioritize high-value accounts. 2. Static identity checks aren't enough—switch to continuous validation. Ongoing monitoring of access patterns is essential after users log in. 3. Incident response plans have to address synthetic identity threats. Focus your response on critical assets. 4. Some organizations are using agentic AI to analyze identity settings in real time, catching out-of-place activity that basic rules miss. Passing a compliance audit doesn’t mean you’re protected against these attacks. The old “authenticate once” mindset needs to move to a model where verification is continuous and context-aware. If your organization is seeing similar threats, how are you adapting to push back against AI-driven identity attacks? #Cybersecurity #InfoSec #ThreatIntelligence

The adoption of Real Time Payments will feel slow then sudden, especially in B2B payments. $18.9 trillion is a conservative estimate for RTP volume. The ROI calculation of the criminals improved dramatically since the dawn of GenAI and RTP compounds this problem. GenAI reduces the cost of creating convincing phishing emails, scams, and deep fakes. The payoff for a B2B payment can be in the low six to mid seven figures for a single transaction. We’ve already seen a spike in stolen business credentials from data leaks and hacks that lead to: 👉 Sophisticated business email compromise. Believable emails from what appears to be a company’s tech support staff. 👉 Remote access attacks. The “tech support team” taking over a screen and sending a transaction to the wrong recipient while “fixing the employee’s computer” 👉 Targeted deep fakes. Where finance ops teams are now directly attacked with fakes of internal staff, CFOs and leadership. Our clients tell us they regularly see generated documents, and deep fake attacks during their onboarding process. The volume has exploded in the past 12 months. Gen AI + Faster Payments makes B2B payments a critical potential vulnerability that gets ignored because it was once a sleepy backwater and not as high risk. That’s why it's critical to 🐟 Watch for device and behavior usage before, during and after every single customer interaction. If you can monitor their device and behavior, you can detect deep fakes and prevent a transaction from happening if the risk appears high enough. 🐟 Implement real-time transaction monitoring. If you only review transactions for fraud during cut-off windows and on batch, you’ll be vulnerable to RTP fraud and AML schemes.

A recent case involving an imposter posing as Secretary of State Marco Rubio using AI-generated voice and Signal messaging targeted high-level officials. The implications for corporate America are profound. If executive voices can be convincingly replicated, any urgent request—whether for wire transfers, credentials, or strategic information—can be faked. Messaging apps, even encrypted ones, offer no protection if authentication relies solely on voice or display name. Every organization must revisit its verification protocols. Sensitive requests should always be confirmed through known, trusted channels—not just voice or text. Employees need to be trained to spot signs of AI-driven deception, and leadership should establish a clear process for escalating suspected impersonation attempts. This isn’t just about security—it’s about protecting your people, your reputation, and your business continuity. In today’s threat landscape, trust must be earned through rigor—not assumed based on what we hear. #DeepfakeThreat #DataIntegrity #ExecutiveProtection https://lnkd.in/gKJHUfkv

One phone call could have prevented a multinational firm from losing $25.6M. Here's the story – it involves an AI tool anybody with an internet connection and a few bucks can use⤵ An employee of the business got an email, supposedly from the organization's CFO, asking him to pay out $25.6M. They were initially suspicious that it was a phishing email… but sent the money after confirming on a Zoom call with the CFO and other colleagues he knew. The twist: Every other person on the Zoom was a Deepfake generated by scammers. It might sound like a crazy story. But it's one we're going to hear more – As long as cybersecurity practices lag behind publicly available AI. A premium subscription to Deepfakes Web costs $19/month. And the material scammers use to pull hoaxes like this is free – 62% of the world's population uses social media, which is full of: ✔️ Your voice ✔️ Your image ✔️ Videos of you But if that sounds apocalyptically scary, there's no need to panic – Two straightforward cybersecurity practices could have prevented this easily: 1. Monthly training Anyone who can control the movement of money in or out of accounts needs to be trained *monthly* on how to follow your security process. Don't just have them review the policy and sign off. Have them physically go through it in front of you. They need to be able to follow it in their sleep. 2. Identity Verification Integrate as many third-party forms of identity verification as you can stand – then double-check them before *and* during money transfers. A couple of ways to do this: → One-time passcode notifications Send an OTP code to the person asking for a money transfer and have them read it to you from their email or authenticator live on the call. → Push notifications Have a security administrator ask them to verify their identity via push notification. I can't guarantee that these 2 steps would've sunk this scam… But the scammers would have needed: - Access to the work phone of whoever they were impersonating (so the phone *and* its passcode) - The password to that person's authenticator or access to their email - At their fingertips the moment the push notification was sent In short: it's possible, but not probable. It's overwhelming to think we can't trust what's in front of our eyes anymore. But my hope is that stories like this will empower people to level up their cybersecurity game. The best practices that will keep us safe are the same as ever – Educated people and simple, secure processes. But the scams are getting more sophisticated. Make sure you're ready. P.S. Maybe you're wondering: "Is my company too small for me to worry about this stuff?" Answer: If more than one person is involved in receiving and sending funds to anyone for any reason at your company… it’s good to start implementing these security practices now.

Imagine this: You're on a multi-person video conference call, but everyone you see on your screen is fake! We're all familiar with #deepfake technology from the film industry, where it's often used to show younger versions of our favorite actors. While deepfakes and #AI aren't new concepts, the launch of ChatGPT has made AI accessible to the masses. This has sparked an arms race with nearly every corporation marketing some magical AI-related product or service. The article below describes how a multinational company based in Hong Kong learned firsthand how AI can be exploited. During a video conference call, an unsuspecting employee was tricked into transferring $25.5M after receiving instructions from what appeared to be the company's CFO. The employee, greeted by voices and appearances matching colleagues, completed 15 transactions to 5 local bank accounts. It wasn't until later, after speaking with the company's actual head, that the employee realized the call was entirely fake—all the participants, except for him.. While such elaborate schemes are rare, deepfakes present a significant risk to the financial industry. For example, AI has been used to impersonate relatives, such as grandchildren, requesting money from elderly grandparents. Would your elderly family members that struggle with our modern world know the difference? As the US approaches its first presidential election with readily available AI tools, my crystal ball says we will see a surge in AI-generated misinformation. Here are three recommendations on how to detect deepfakes or at least the signs to watch out for: 1/ Anomalies in Facial Expressions and Movements: Pay close attention to inconsistencies or unnatural movements in facial expressions and eye movements. 2/ Inconsistent Audio-Visual Synchronization: Deepfake videos may exhibit discrepancies between audio and video elements. Watch for instances where the lip movements don't sync accurately with spoken words. 3/ Check for Contextual Clues and Verification: Consider the likelihood and plausibility of the video's content within its broader context. Deepfakes are often used to spread misinformation or manipulate public opinion, so remain skeptical and consult reputable sources for confirmation when in doubt. #cybersecurity #ria https://lnkd.in/eQz5QUdZ

Last week, 2 major announcements seemed to rock the identity world: The first one: A finance worker was tricked into paying $26M after a video call with deepfake creations of his CFO an other management team members. The second one: An underground website claims to use neural networks to generate realistic photos of fake IDs for $15. That these happened should not be a surprise to anyone. In fact, as iProov revealed in a recent report, deepfake face swap attacks on ID verification systems were up 704% in 2023 and I am sure that the numbers in 2024 so far are only getting worse. Deepfakes, injection attacks, fake IDs, it is all happening. Someone asked me if identity industry is now worthless because of these developments and the answer is absolutely not. There is no reason to be alarmist. Thinking through these cases, it becomes obvious that the problem is with poor system design and authentication methodologies: - Storing personal data in central honeypots that are impossible to protect - Enabling the use of the data for creating synthetic identities and bypassing security controls - Using passwords, one time codes and knowledge questions for authentication - Not having proper controls for high risk, high value, privileged access transactions Layering capabilities like: - Decentralized biometrics can help an enterprise maintain a secure repository of identities that can be checked against every time someone registers an account. (For example, for duplicates, synthetic identities and blocked identities.) If you just check a document for validity and don't run a selfie comparison on the document, or check the selfie against an existing repository, you could be exposing yourself to downstream fraud. - Liveness detection and injection detection can eliminate the risk of presentation attacks and deepfakes at onboarding and at any point in the authentication journey. - Biometrics should be used to validate a transaction and 2 or more people should be required to approve a transaction above a certain amount and/or to a new payee. In fact, adding a new payee or changing account details can also require strong authentication. And by strong authentication, I mean biometrics, not one time codes, knowledge questions or other factors that can be phished out of you. It goes back to why we designed the Anonybit solution the way we did. (See my blog from July on the topic.) Essentially, if you agree that: - Personal data should not be stored in centralized honeypots - Biometrics augmented with liveness and injection detection should be the primary form of authentication - The same biometric that is collected in the onboarding process is what should be used across the user journey Then Anonybit will make sense to you. Let's talk. #digitalidentity #scams #deepfakes #generativeai #fraudprevention #identitymanagement #biometricsecurity #privacymatters #innovation #privacyenhancingtechnologies

There’s more to the $25 million deepfake story than what you see in the headlines. I pulled the original story to get the full scoop. Here are the steps the scammer took: 1. The scammers sent a phishing email to up to three finance employees in mid-January, saying a “secret transaction” had to be done. 2. One of the finance employees fell for the phishing email. This led to the scammers inviting the finance employee to a video conference. The video conference included what appeared to be the company CFO, other staff, and some unknown outsiders. This was the deep fake technology at work, mimicking employees' faces and voices. 3. On the group video conference, the scammers asked the finance employee to do a self-introduction but never interacted with them. This limited the likelihood of getting caught. Instead, the scammers just gave orders from a script and moved on to the next phase of the attack. 4. The scammers followed up with the victim via instant messaging, emails, and one-on-one video calls using deep fakes. 5. The finance employee then made 15 transfers totaling $25.6 million USD. As you can see, deep fakes were a key tool for the attacker, but persistence was critical here too. The scammers did not let up and did all that they could to apply pressure on the individual to transfer the funds. So, what do businesses do about mitigating this type of attack in the age of deep fakes? - Always report suspicious phishing emails to your security team. In this context, the other phished employees could have been an early warning that something weird was happening. - Trust your gut. The finance employee reported a “moment of doubt” but ultimately went forward with the transfer after the video call and persistence. If something doesn’t feel right, slow down and verify. - Lean into out-of-band authentication for verification. Use a known good method of contact with the individual to verify the legitimacy of a transaction. - Explore technology driven identify verification platforms for high dollar wire transfers. This can help reduce the chance of human error. And one of the best pieces of advice I saw was from Nate Lee yesterday, who called out building a culture where your employees are empowered to verify transaction requests. Nate said the following “The CEO/CFO and everyone with power to transfer money needs to be aligned on and communicate the above. You want to ensure the person doing the transfer doesn't feel that by asking for additional validation that they're pushing back against or acting in a way that signals they don't trust the leader.” Stay safe (and real) out there. ------------------------------ 📝 Interested in leveling up your security knowledge? Sign up for my weekly newsletter using the blog link at the top of this post.

“Sorry, Benedetto, but I need to identify you,” the executive said. He posed a question: What was the title of the book Vigna had just recommended to him a few days earlier. Recently, a Ferrari executive was nearly deceived by a convincing deepfake impersonating CEO Benedetto Vigna but listened to his gut and stopped to verify that he was speaking with the real Vigna. This incident highlights the escalating risk of AI-driven fraud, where sophisticated deepfake tools are used to mimic voices and manipulate employees. Perhaps more importantly, how awareness of these threats can save your organization from fraud. The executive received WhatsApp messages and a call from someone posing as Vigna, using a different number and profile picture. The imposter's voice was a near-perfect imitation, discussing a confidential deal and asking for assistance. Suspicious, the executive asked a verification question about a book Vigna recently recommended, causing the call to abruptly end. Key Takeaways: Verify Identity: Always confirm the identity of the person you're communicating with, especially if the request is unusual. Ask questions only the real person would know. (Teach this to your family as well, this applies to real world- not just business) Be Alert to Red Flags: Differences in phone numbers, profile pictures, and slight mechanical intonations in the voice can signal a deepfake. Continuous Training: Regularly train employees on the latest deepfake threats and how to spot them. Robust Security Protocols: Implement multi-factor authentication and strict verification processes for sensitive communications and transactions. As deepfake technology advances, it's crucial to stay vigilant and proactive. By fostering a culture of security awareness and implementing strong verification methods, we can protect our organizations from these sophisticated scams. Awareness matters. #cybersecurity #insiderthreat #Deepfake #AI #Fraudprevention #Employeetraining #Ferrari #Securityawareness #humanrisk