In the past year, executives have gone from curious about deepfakes to flat-out anxious about them. And for good reason. What once felt like a far-fetched problem is now a clear and present business risk.
In a recent Q&A I hosted with identity and access management expert Maya Ogranovitch Scott, we discussed what bad actors are already doing with this technology, and what companies can do to fight back.
Real-World Fraud, Not Fiction
One of the most eye-opening stories shared in our conversation was that of a corporate scam at a multinational firm in 2024. What sounds like the plot of a heist movie is an all-too-true example of what today’s fraudsters are capable of.
“An employee at a finance organization made a $25 million transfer after a phone call with his CFO and several other key executives in his company,” explains Ogranovitch Scott. “But as it turned out, he had been the only human being on the call.”
That’s right. The employee thought he’d been instructed to make the transfer by his senior leaders. They were actually deepfakes. And this is not an isolated event. “We are seeing many, many bad actors try their hand at this or similar types of attacks,” laments Ogranovitch Scott.
The reality: if a single employee believes they’re hearing a CFO or CEO give an urgent instruction, that may be all it takes.
Everyday Entry Points
Deepfakes don’t always involve multimillion-dollar transfers. Often, they exploit small but critical touchpoints inside an organization. Like the IT help desk. Ogranovitch Scott describes another scary scenario, courtesy of deepfake audio:
“You’ll have somebody calling into the IT help desk going, ‘hey, I’m about to go into a board meeting with the customer and I can’t log in. I don’t have my MFA device. You need to reset my password right now.’”
And if the demand is met with pushback, Ogranovitch Scott says the deepfaked voice ups the ante: “‘Do you want me to tell your boss that this key customer account was cancelled because of your actions?’ And so, the password gets reset.”
A quick “yes” that creates massive downstream risk.
Ogranovitch Scott is also increasingly seeing vendors and supply chain partners being impersonated.
“We’re seeing it where a vendor won’t properly vet a delivery company that is going to pick up a load. And you have somebody show up for the load, and they disappear with the entire container.”
Deepfake Tools Are Cheap and Easy
There’s one detail from our talk that’s still making me shake my head: how little material is needed to create a convincing fake.
“It takes 5-15 seconds of audio to make a really believable audio deepfake. And you don’t even need video anymore to make a video deepfake; you need a photograph,” Ogranovitch Scott explains.
“Just a little bit of work in these tools that are incredibly user friendly and do not require a high level of technical knowledge, and you can create a very believable copy of anyone you like.”
Fight Back with Verified Trust
So, what can companies do? Ogranovitch Scott says a mindset shift toward verified trust is a must. “They really need to make sure that when they’re interacting with an individual, that individual is who they say they are.”
This means full identity proofing, verifiable credentials, or systems that will detect if a deepfake is being inserted.
What Leaders Should Do Now
- Invest in identity proofing tools that go beyond passwords and MFA.
- Train frontline staff (like IT help desks) to recognize pressure tactics and validate requests.
- Scrutinize vendors and third parties as carefully as internal employees.
- Build a culture of healthy skepticism where employees feel empowered to say “no” or “wait” before acting on an urgent request.
Deepfakes are not going away. Instead, they’ve become easier, cheaper, and more convincing. The good news is that with the right mix of process, technology, and culture, organizations can significantly reduce their risk.
Fraudsters only need to get lucky once. Leaders must make sure it’s never that easy.