Deepfakes in Cyber Security

How deepfakes are used in cyber attacks

Deepfakes amplify existing attack techniques by making social engineering more convincing:

  • Business email compromise (BEC) with voice – attackers clone a CEO or CFO’s voice from publicly available recordings (earnings calls, conference talks, podcast appearances) and call finance teams with urgent transfer requests. The voice matches, the authority is familiar, and the request bypasses email-based verification
  • Video impersonation – real-time deepfake video during a video call, impersonating a known executive or partner. Several confirmed cases involve fraudsters joining Teams or Zoom calls as a senior leader to authorise transactions
  • Identity verification bypass – synthetic face images or video used to pass KYC (Know Your Customer) checks at financial institutions, creating fraudulent accounts with fabricated identities
  • Spear phishing enhancement – deepfake audio or video attached to phishing emails, adding a layer of credibility that text alone cannot achieve

The common thread is trust exploitation. Deepfakes attack the human assumption that “if it looks and sounds like them, it is them.”

Defence strategies

No single control stops deepfakes. Effective defence combines technical controls, process changes, and awareness training:

  • Multi-factor verification – never authenticate a high-risk action (fund transfer, credential reset, data access) on voice or video alone. Require a second channel: callback to a known number, approval via authenticated app, or in-person confirmation
  • Zero trust principles – reject single-factor authentication entirely. No entity – voice, video, email, or device – is trusted based on one factor alone. [What is zero trust? →](/glossary/zero-trust/)
  • Behavioural biometrics – analyse typing patterns, mouse movements, and interaction styles that are harder to replicate than face or voice
  • Media authentication – digital watermarking and content provenance standards (C2PA) that verify whether media has been generated or altered by AI
  • Awareness training – employees trained to recognise deepfake indicators: lip-sync mismatches, unusual speech cadence, unnatural eye movements, responses that don’t adapt to unexpected questions

Five steps to identify a deepfake

When something feels off during a call or video interaction:
  1. Check the request – does this action align with organisational policies and the person’s typical behaviour?
  2. Listen for speech patterns – are they using their usual phrases, greetings, and naming conventions?
  3. Watch for visual anomalies – lip sync issues, unnatural blinking, odd lighting, hair that doesn’t move naturally
  4. Ask an unexpected question – a genuine person corrects errors and responds naturally; a deepfake script continues regardless
  5. Verify through a known channel – if steps 1-4 leave any doubt, contact the person directly using a trusted phone number or in person
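
The second-channel rule from the defence strategies and step 5 above can be enforced as a policy gate in an approval workflow. This is an added example, not Cyberfort's code; the action names, channel labels and directory entry are constructed assumptions.

```python
from dataclasses import dataclass, field

# High-risk actions named on the page (labels are assumptions).
HIGH_RISK = {"fund_transfer", "credential_reset", "data_access"}
# Confirmation channels the page accepts as a second factor.
TRUSTED_CONFIRM = {"callback_known_number", "authenticated_app", "in_person"}
# Constructed directory: contact details held by the organisation,
# never taken from the person making the request.
DIRECTORY = {"cfo@example.test": "+44 0000 000001"}

@dataclass
class Confirmation:
    channel: str
    contact_used: str = ""  # number dialled, for callbacks

@dataclass
class Request:
    action: str
    claimed_identity: str
    origin_channel: str  # where the request arrived, e.g. "voice_call"
    confirmations: list = field(default_factory=list)

def decide(req):
    """Return (allowed, reason) for a request under the second-channel rule."""
    if req.action not in HIGH_RISK:
        return True, "not high-risk"
    for c in req.confirmations:
        # Voice or video that "looked and sounded right" is not a confirmation.
        if c.channel not in TRUSTED_CONFIRM:
            continue
        # A second channel must differ from the one the request came in on.
        if c.channel == req.origin_channel:
            continue
        if c.channel == "callback_known_number":
            known = DIRECTORY.get(req.claimed_identity)
            # Reject callbacks to a number the requester supplied.
            if known is None or c.contact_used != known:
                continue
        return True, "confirmed via " + c.channel
    return False, "hold: no out-of-band confirmation on a trusted channel"
```
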

Deepfakes as a defensive tool

Deepfakes are not only a threat. Security teams use synthetic media in controlled environments to test organisational resilience:

  • Simulated vishing attacks using cloned executive voices to test employee response
  • Spear phishing simulations with synthetic video attachments
  • Crisis simulation exercises that include deepfake scenarios to train incident response teams

These exercises identify gaps in verification processes before real attackers exploit them.

Cyberfort and deepfakes

We help organisations prepare for and respond to deepfake-enabled attacks. Our crisis simulation exercises include deepfake scenarios – testing whether your team can distinguish a synthetic voice from the real thing when revenue is on the line. Our penetration testing includes social engineering assessments, and our cyber resilience audit evaluates whether your verification processes would withstand a deepfake attack.

Related glossary terms

  • Zero Trust – the security architecture that rejects single-factor authentication, directly countering deepfake impersonation
  • CREST Certification – accreditation for the penetration testing and social engineering assessments that test deepfake resilience
  • Cyber Crisis Simulation – exercises that include deepfake attack scenarios
  • MITRE ATT&CK – the adversary tactics framework that maps social engineering techniques including deepfake-enabled attacks

Frequently asked questions

How are deepfakes used in cyber attacks?

Deepfakes are primarily used to enhance social engineering. Attackers clone executive voices to authorise fraudulent fund transfers (BEC/phishing), use synthetic video to impersonate leaders on video calls, and create fake identities to bypass KYC verification. 

Can deepfakes be detected?

Yes, but no single method is reliable in isolation. Technical detection includes analysing facial micro-movements, audio spectral patterns, and metadata inconsistencies. Behavioural detection – noticing unnatural speech cadence, failure to respond to unexpected questions, or requests that break normal protocols – remains effective. The strongest defence is process-based: requiring multi-factor verification for any high-risk action, regardless of how convincing the request appears.

What should I do if I suspect a deepfake during a call?

Do not act on the request. End the interaction and verify the person’s identity through a separate, trusted channel. Call their known phone number, message them on an authenticated platform, or confirm in person. Report the incident to your security team immediately. Even if it turns out to be genuine, the verification step costs minutes while a successful deepfake attack can cost a company revenue, relationships and its reputation. 
