Deepfake
Synthetic media that impersonates real people. The CFO-fraud variant cost a Hong Kong firm $25M in 2024. Verification protocols are now an operational requirement.
The Technical Definition
A deepfake is synthetic audio, image, or video produced by a machine learning model to impersonate a real person. The underlying techniques include generative adversarial networks (GANs), diffusion models, and increasingly, real-time avatar systems built on multimodal foundation models. Modern deepfakes can produce live video of a person speaking on a video call — not just pre-rendered clips — using a few minutes of reference footage and audio. Voice clones now require less than thirty seconds of source audio to produce convincing speech in the target’s voice.
The technology is not theoretical. It is widely available, runs on consumer hardware, and is improving on a quarterly cadence.
What This Actually Means for Your Business
In February 2024, an employee at the Hong Kong office of the engineering firm Arup transferred approximately $25 million to fraudsters after joining a video call where multiple deepfaked colleagues — including the CFO — instructed the transfer. The employee had been initially suspicious of an email request. The video call was what convinced them. Every other person on the call was synthetic.
That case is the one CEOs cite, but it isn’t the only one. CEO voice clones authorizing wires, deepfaked board members approving deals, synthetic candidates passing initial video screens, fake recordings used in extortion attempts. The pattern is consistent: an attacker uses the audio or video of a senior person to social-engineer someone with the authority to move money or data.
For a small-cap or mid-cap company, the exposure is operational, not technical. You probably do not have a CISO who runs deepfake red-team exercises. You probably do have a CFO who can authorize wires by phone, an HR team that hires through video interviews, and an executive assistant who would not feel comfortable refusing a video call from the CEO. Those are the surfaces a deepfake attack hits.
Reality Check
What the vendor says: “Our deepfake detection platform identifies synthetic media with 98% accuracy.”
What that means in practice: That accuracy is on the vendor’s test set, against deepfake techniques that existed when the detector was trained. The defense is in a permanent arms race with the offense, and the offense is a foundation model improving every month. Detection is one signal. Verification protocols are the actual control.
What Operators Actually Do
The companies that have already absorbed this lesson — usually because they had a near-miss — change the wire and authorization process, not the detection stack. The pattern is straightforward: any out-of-band financial instruction, regardless of who appears to be giving it, gets verified through an independent channel before it executes. The CFO video-calls the controller and asks for a $5M wire? Fine. The controller hangs up, calls the CFO back on a known number, and confirms. If the CFO is unreachable on a known number, the wire does not move.
The same pattern applies to any high-trust workflow that depends on identity. New vendor banking details verified by callback to a known contact, never the contact provided in the request. Executive recordings of policy directives checked against meeting calendars and pre-existing communication patterns. Hiring video interviews supplemented by an in-person or pre-arranged-channel verification before offer.
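The callback rule from the two paragraphs above, written as a fail-closed approval gate. This is an added example, not code from any company's process; the directory, the phone numbers, and the names Instruction, Callback and decide are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    EXECUTE = "execute"
    HOLD = "hold"


# Constructed directory of record. It is maintained out of band and is never
# updated from anything that arrives inside a request.
KNOWN_NUMBERS = {"cfo": "+1-555-0100", "vendor-acme": "+1-555-0142"}


@dataclass(frozen=True)
class Instruction:
    claimed_requester: str        # who the caller appears to be
    channel: str                  # "video", "phone", "email"; recorded for audit only
    action: str                   # e.g. "wire", "change_bank_details"
    contact_in_request: str = ""  # callback number offered by the requester


@dataclass(frozen=True)
class Callback:
    dialed_number: str  # the number the verifier actually called
    answered: bool
    confirmed: bool


def decide(instr, callback=None, directory=KNOWN_NUMBERS):
    """Return (Decision, reason). Every path except full confirmation holds.

    Neither the channel nor the seniority of the claimed requester is
    consulted, and contact_in_request is never used as a callback target.
    """
    known = directory.get(instr.claimed_requester)
    if known is None:
        return Decision.HOLD, "no number of record for claimed requester"
    if callback is None:
        return Decision.HOLD, "callback not yet performed"
    if callback.dialed_number != known:
        return Decision.HOLD, "callback did not use the number of record"
    if not callback.answered:
        return Decision.HOLD, "requester unreachable on known number"
    if not callback.confirmed:
        return Decision.HOLD, "requester did not confirm the instruction"
    return Decision.EXECUTE, "confirmed on independent channel"
```

A callback placed to the number supplied in the request holds the instruction even if the person who answers confirms it, which is the failure the vendor-banking rule is meant to prevent.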
The non-negotiable cultural change: the most junior person in the chain has to feel safe refusing a request from the most senior person until the callback completes. If your culture punishes that, your verification protocol does not actually exist. It is decorative.
For board and executive communications, some companies are starting to issue private verification phrases — a passphrase known only to the executive team, used to confirm identity on any urgent call. It feels theatrical until the day it stops a fraud.
The Questions to Ask
- What’s the verification protocol for an out-of-band request to move money or data, and have we tested it? Tested means a tabletop exercise where someone pretended to be the CEO. If you have never run that exercise, you do not know whether your protocol survives contact with reality.
- Who in our organization is empowered to refuse a senior executive on the basis of “this needs to be verified first”? If the answer is “no one wants to,” you have a controls gap that no detection tool will fix.
- What’s our incident response if a deepfake of one of our executives appears publicly? Customers see a fake video of your CEO endorsing a product or making a controversial statement. Who responds, on what timeline, through what channel? The first time this happens is the wrong time to figure that out.