Deepfake Era Requires Proof-Based Security Over Mere Awareness


The Growing Threat of Deepfake Attacks: A Call for Enhanced Security Measures

For years, cybercriminals have employed tactics that involve impersonating trusted contacts to extract sensitive information, funds, or credentials from unsuspecting victims. However, emerging technologies such as deepfake and voice cloning have transformed the landscape of social engineering attacks, rendering traditional security awareness training increasingly ineffective. Experts argue that organizations must evolve their strategies to counter this growing threat.

Traditional approaches to security awareness training focus heavily on pattern recognition. Employees are taught to scrutinize emails for suspicious elements and assess whether links appear legitimate. Yet, with the advent of highly convincing deepfake technology, the ability to determine the authenticity of a message based on visual or auditory cues is rapidly diminishing. “Recognition-based training breaks down when an employee believes they’re talking to an executive with an urgent request,” says Diana Rothfuss, director of global strategy for risk, fraud, and compliance solutions at SAS, a data and AI software firm. Thus, there exists an urgent need for employees to go beyond simplistic assessments like "Does this look right?"

A significant portion of fraud professionals, approximately 77%, report a marked increase in deepfake attacks. This alarming statistic comes from the 2026 Anti-Fraud Technology Benchmarking Report, co-published by SAS and the Association of Certified Fraud Examiners (ACFE). The same report revealed that a mere 7% of respondents felt their organizations were more than moderately prepared to detect or prevent deepfakes. This lack of preparedness has prompted security experts to advocate for the adoption of proof-based systems, policies, and processes that validate identities and help mitigate the risks associated with deepfake attacks.

The Principle of Separating Authority from Authentication

The essence of a proof-based approach lies in the principle that no single interaction—be it voice, video, or text—should have the authority to approve sensitive actions independently. Rothfuss describes this method as separating authority from authentication, which, while straightforward, is often counterintuitive for employees accustomed to responding promptly to executive requests.

A striking example occurred in 2024 when cybercriminals utilized deepfake technology to siphon $25 million from Arup, a global engineering firm. A finance employee, believing he was participating in a video conference with senior executives, unwittingly transferred funds at the attackers’ behest. Though such intricate deepfake video attacks remain rare, the ease of audio cloning poses a clear threat, necessitating that financial and IT teams formalize their procedures for verifying wire transfers.

Ira Winkler, field CISO at cybersecurity firm Aisle, insists that proof-based verification policies should already be standard practice. “There should be operational procedures in place, such as requiring email confirmation of financial transfers even amidst visual instructions,” he states. It’s vital for all employees to be well-versed in these policies, emphasizing that exceptions cannot be made—even when verbal instructions come from senior executives over the phone or during video calls. This necessity isn’t limited to just deepfakes; it plays a critical role in safeguarding against various types of fraud.

Essential Authentication Controls

Experts recommend implementing authentication controls that do not rely on human recognition of faces or voices:

  1. Out-of-Band, Two-Factor Verification: Sensitive requests such as fund transfers should require confirmation through two separate, pre-approved channels, like an internal app and a messaging platform. In this context, video calls and phone communications are inadequate.

  2. “How I Will Contact You” Protocols: Executives and IT leaders should define specific channels for sensitive requests, with any request made outside those channels triggering a mandatory verification process through trusted methods.

  3. Pre-Established Verification Phrases: These phrases, known only to authorized parties, serve as a secondary layer of identity confirmation during high-stakes communications.

  4. Designated Approvers: No single employee should have the authority to approve high-risk transactions. A designated approver must confirm actions before funds are transferred or access provided.
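
These controls can be enforced by the approval workflow itself rather than left to judgment in the moment. The sketch below is an added example, not part of the original article or any vendor's product; the channel names, approver roles and the evaluate function are assumptions made for illustration.

```python
from dataclasses import dataclass

# Policy values are constructed for illustration, not taken from the article.
APPROVED_CHANNELS = {"internal_app", "messaging_platform"}  # pre-approved, out-of-band
DESIGNATED_APPROVERS = {"treasury_lead", "finance_controller"}
REQUIRED_CHANNELS = 2


@dataclass(frozen=True)
class Confirmation:
    channel: str  # channel the confirmation arrived on
    actor: str    # identity authenticated by that channel


@dataclass(frozen=True)
class TransferRequest:
    requester: str
    origin_channel: str  # where the instruction was first received
    confirmations: tuple = ()


def evaluate(req):
    """Return (approved, failures). Approval rests on proof, not recognition."""
    failures = []
    # Calls and video never count as proof, however convincing they were:
    # only confirmations that arrived on a pre-approved channel are kept.
    proof = [c for c in req.confirmations if c.channel in APPROVED_CHANNELS]

    # Out-of-band verification: two separate approved channels must agree.
    channels = {c.channel for c in proof}
    if len(channels) < REQUIRED_CHANNELS:
        failures.append(f"need {REQUIRED_CHANNELS} approved channels, got {len(channels)}")

    # Designated approver: someone other than the requester must confirm.
    approvers = {c.actor for c in proof
                 if c.actor in DESIGNATED_APPROVERS and c.actor != req.requester}
    if not approvers:
        failures.append("no independent designated approver confirmed")
    return (not failures, failures)


# Constructed sample: instruction on a video call, "confirmed" by a phone call.
DEEPFAKE_CALL = TransferRequest("ceo", "video_call",
                                (Confirmation("phone_call", "ceo"),))
# Constructed sample: the same instruction verified through both approved channels.
VERIFIED = TransferRequest("ceo", "video_call",
                           (Confirmation("internal_app", "ceo"),
                            Confirmation("messaging_platform", "treasury_lead")))

if __name__ == "__main__":
    for name, req in (("deepfake_call", DEEPFAKE_CALL), ("verified", VERIFIED)):
        print(name, evaluate(req))
```

The requester's own confirmation never satisfies the approver rule, so a designated approver who initiates a transfer still needs a second person to confirm it.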

Challenges in Consistent Implementation

While designing such policies may be relatively straightforward, executing them consistently under the pressure of real-world situations poses significant challenges. Experts stress the importance of treating verification as a non-negotiable safety measure rather than a discretionary action. Rothfuss highlights that verification must never be considered optional, stressing the urgency of instituting proof-based controls that act as barriers against pressure-induced lapses.

Getting executives on record before incidents arise is crucial to encourage staff to push back against out-of-channel requests. For this reason, it’s vital for leadership to communicate that this behavior is expected and supported within the organization’s cybersecurity culture.

Continuous reinforcement is also essential. Employees who grasp the importance of verification are more likely to implement it. However, under duress, individuals often revert to ingrained habits. Thus, ongoing training and regular reinforcement become critical components of a robust defense strategy.

Cultivating a Culture of Verification

Ultimately, the successful implementation of these measures hinges on the organizational culture. Employees should feel confident that taking the time to verify requests is not only supported but expected. “Organizations need to normalize ‘see something, say something’ behavior while making the verification process as seamless as possible,” advises Mika Aalto, co-founder and CEO of Hoxhunt.

In summary, as cybercriminals become more sophisticated and employ deceptive technologies like deepfakes, organizations must adapt their security frameworks to resist these threats effectively. By embracing proof-based systems and instilling a culture of verification, companies can dramatically bolster their defenses against the rising tide of social engineering attacks.
