For most of the history of cybercrime, social engineering meant a convincing email or a plausible phone call. What's changed is the addition of AI-generated voice and video — tools that can replicate a person's voice from a few minutes of audio, or produce a video call where the face and speech of a trusted contact appear entirely real. Deepfake incidents increased by 880% in 2025. The technology is no longer experimental. It is being used against businesses right now.

This is not a distant threat that requires sophisticated, targeted attackers. Voice cloning tools are freely available. A brief clip from a CEO's LinkedIn video, a recorded webinar, or a company podcast is enough to generate convincing synthetic speech. For small businesses, where a single finance team member might process payments with minimal oversight, the consequences of a successful attack can be severe. This post explains what these attacks look like, where they are working, and what practical steps reduce your risk.

How Deepfake Attacks Work in Practice

The mechanics are less complex than most people assume. Attackers don't need to build their own AI tools — they use commercially available voice synthesis and video generation services, many of which are accessible for a few pounds a month. The attack chain typically works as follows: identify a target business, find publicly available audio or video of a senior executive (LinkedIn, YouTube, company website, podcast), generate synthetic speech, and use it to place a phone call or send a voice message to a member of staff with payment authority.

In 2024, a finance employee at a multinational firm was manipulated into transferring £20 million after a video call in which every participant — including the CFO — was a deepfake. The employee only realised the fraud after contacting head office directly. This case, widely reported, is now cited as the reference point for what the technology can achieve.

That example involved a large enterprise, but the same techniques are increasingly being used against small businesses, where financial controls are often less formal, staff are more likely to personally recognise and trust an executive's voice, and there is less infrastructure for verifying unusual requests.

Real-World Attack Scenarios

Scenario 1 — CEO Voice Call

A member of your finance team receives a phone call from what sounds like your CEO or MD — same voice, same speech patterns. The caller explains there's an urgent, confidential acquisition deal that requires an immediate bank transfer before close of business. Don't discuss it with anyone else. Just action it.

The call lasts under two minutes. The employee, not wanting to obstruct a senior leader, transfers the funds. The CEO knows nothing about it.

Scenario 2 — Supplier Video Call

You receive a WhatsApp video message from what appears to be your account manager at a key supplier. Their face is familiar from previous calls. They explain that their bank details have changed and ask you to update your records before the next payment run. They provide the new details in the message.

The account manager's face and voice were generated from video call recordings. The bank account belongs to the attacker.

Scenario 3 — IT Support Impersonation

A staff member receives a call from someone claiming to be from IT support, with a voice that sounds like a colleague they've spoken to before. There's an urgent security issue with their account — they need to provide their login credentials or install a remote access tool immediately.

The voice was cloned from internal recordings. The "colleague" does not exist in this form.

Why Traditional Verification Doesn't Work Anymore

The standard advice for social engineering attacks has always been: if something seems unusual, call back on a known number to verify. That advice remains correct — but it no longer provides complete protection, because attackers have adapted to it.

Callback verification assumes the caller's voice is a reliable signal. If the voice itself can be synthesised, a callback to a spoofed number from a caller using a cloned voice meets the "sounds right" test. Similarly, email follow-up from a convincing lookalike domain satisfies the "got it in writing" instinct.

Verification cannot rely on voice, video, or email alone. Any request involving money, credentials, or sensitive data needs an independent verification step — a separate channel, a pre-agreed code word, or a direct in-person confirmation where the risk warrants it.

This is not about training staff to be suspicious of everyone — it's about establishing simple, consistent procedures so that unusual requests have a clear process to follow, and staff are empowered to pause and verify without feeling they're obstructing a legitimate request.

Practical Defences for Small Businesses

Large enterprises can deploy AI-based deepfake detection tools and sophisticated identity verification infrastructure. Most of these are not practical or proportionate for small businesses. The good news is that the most effective defences are procedural, not technical — and they cost very little to implement.

The Intelligence Layer

Deepfake attacks don't arrive without warning. Attackers research targets before they act — they look for publicly available information about your business structure, your executives, your suppliers, and your financial processes. The more publicly accessible that information is, the easier the attack becomes to prepare.

Understanding what information about your business is visible online — what a threat actor can learn about you before they pick up the phone — is a meaningful part of managing this risk. Attackers who know your CEO's name, your finance manager's name, your key suppliers, and your recent business activity are better equipped to construct a convincing scenario. Awareness of your own exposure is the first step to reducing it.

Research from Sumsub found that deepfake fraud attempts increased 880% between 2023 and 2025, with financial services, professional services, and small-to-medium businesses representing the fastest-growing target categories. The attacks are not slowing down.

The Practical Takeaway

Deepfake technology has made the human element of security harder to rely on. A voice that sounds like your CEO probably is your CEO — except when it isn't, and there is now no reliable way to tell the difference by ear alone.

The response is not paranoia. It is procedure. Clear, simple, consistently applied processes for verifying unusual requests — independent of the channel the request arrives on — are the most effective defence available. A two-minute verification call to a known, pre-existing number, or a dual-authorisation requirement for payments, costs almost nothing and stops the vast majority of these attacks.

The businesses that will be caught out are the ones that trust the voice on the phone because it sounds right. The ones that won't be are the ones that have decided, in advance, that sounding right is not enough.


Know What Threats Are Targeting Your Sector

Faradome Dash monitors the live threat landscape for your industry — including active social engineering campaigns, newly registered lookalike domains, and intelligence relevant to your business.

Open Threat Dashboard → Talk to Us