
Deepfake CFO Fraud: When the Face on the Call Is an AI Fake
“Seeing is believing” has been a reliable rule for most of human history. Artificial intelligence has just broken it. In a growing category of business email compromise, the person urgently requesting a payment is not merely impersonated in an email; they appear, live, on a video call, with a convincing face and voice. And they are entirely fake.
The short version: attackers harvest public audio and video of an executive, use AI to clone their voice and likeness, then join a call as “the CFO” to order an urgent, confidential payment. A pressured employee authorises the transfer to the attacker. The defence is process, not perception: verify money movements out-of-band, because you can no longer trust your eyes and ears alone.
How deepfake fraud works
The raw material is often freely available: recorded earnings calls, conference talks, interviews and social videos give attackers plenty of an executive’s voice and face. Modern tools can clone a recognisable voice from only seconds of audio, and real-time video avatars are improving fast. Armed with these, the attacker stages a call that carries the full weight of executive authority and urgency, and asks for a confidential transfer that bypasses the usual process.
Why it is so effective
Deepfake fraud weaponises hierarchy and trust. When the chief financial officer appears on screen and says the deal is time-sensitive and hush-hush, junior staff are under real pressure to comply. In one widely reported case, an employee approved a multi-million transfer after a video meeting in which every other participant was an AI deepfake.
How to defend against a perfect fake
Verify money out-of-band
Mandate that any payment or change of bank details is confirmed through a separate, known channel, such as a call-back on a saved number, regardless of how convincing the request appears. A live deepfake cannot pass a call-back to the real person.
Require dual authorisation
No single employee should be able to move significant funds alone. Two-person approval breaks the pressure of a lone urgent instruction.
Use an agreed code word
A simple pre-shared verification phrase for sensitive financial requests is cheap, effective, and impossible for an outsider to fake.
Train for the new reality
Teach staff that video and voice are no longer proof of identity. Run realistic simulations that rehearse pressured payment requests, and give people an easy way to report a suspicious request without fear.
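The three controls above can be enforced by the payment system rather than left to a pressured employee's judgement. The following is an added illustration, not code from Phishing Tackle or from the original post; the directory number, code word and approval threshold are constructed placeholders.

```python
import hmac
from dataclasses import dataclass, field

# Constructed reference data: the call-back number and code word come from
# records the finance team already holds, never from the request itself.
CONTACT_DIRECTORY = {"cfo@example.com": "+44 20 7946 0000"}   # placeholder number
AGREED_CODE_WORD = "bluebell-42"                                # placeholder phrase
DUAL_AUTH_THRESHOLD = 10_000.0                                  # assumed policy value

@dataclass
class PaymentRequest:
    requester: str                      # identity claimed on the call
    amount: float
    beneficiary_is_new: bool            # new or changed bank details
    callback_number_dialled: str = ""   # number the verifier actually called
    callback_confirmed: bool = False    # real person confirmed on that call
    code_word_given: str = ""           # phrase stated by the requester
    approvers: set = field(default_factory=set)

def release_decision(req: PaymentRequest) -> tuple[bool, list[str]]:
    """Apply the three controls; any failure blocks release and is reported."""
    failures = []
    # 1. Out-of-band verification: the call-back must go to the saved
    #    directory number, so a number offered during the call is ignored.
    saved = CONTACT_DIRECTORY.get(req.requester)
    if saved is None or not req.callback_confirmed or req.callback_number_dialled != saved:
        failures.append("out-of-band call-back to saved number not completed")
    # 2. Dual authorisation for large amounts or changed bank details;
    #    the requester cannot count as one of the approvers.
    if req.amount >= DUAL_AUTH_THRESHOLD or req.beneficiary_is_new:
        independent = {a for a in req.approvers if a != req.requester}
        if len(independent) < 2:
            failures.append("two independent approvers required")
    # 3. Agreed code word, compared in constant time.
    if not hmac.compare_digest(req.code_word_given.encode(), AGREED_CODE_WORD.encode()):
        failures.append("verification code word missing or wrong")
    return (not failures, failures)

if __name__ == "__main__":
    # An urgent request where the "CFO" supplied their own call-back number.
    urgent = PaymentRequest("cfo@example.com", 250_000.0, True,
                            callback_number_dialled="+44 20 7946 9999",
                            callback_confirmed=True,
                            approvers={"clerk@example.com"})
    print(release_decision(urgent))
```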
The bottom line
Deepfakes remove the reassurance of a familiar face and voice, so authority and urgency can no longer be trusted on their own. Out-of-band verification, dual authorisation and a shared code word make the process, not the employee’s eyes, the thing an attacker has to defeat, and that is a barrier a deepfake cannot cross.
Phishing Tackle offers the tools businesses need to strengthen their human risk strategies, with multi-platform testing, real-time behavioural insights, and actionable data to keep your organisation ahead of modern cyber threats.
Contact us today to learn how Phishing Tackle can help safeguard your organisation from the growing array of cyber risks.
