Deepfake fraud in business – when a video call becomes a multi-million-dollar risk
When a video call costs millions
In 2024, a finance employee at a company in Hong Kong transferred US$25.6 million to fraudsters. The payment was made after a video call with what appeared to be the CFO and several other senior executives. Only later did the company discover that every one of those executives had been an AI-generated deepfake. The employee was the only real person in the meeting and approved the transfer in good faith.
When Hong Kong police confirmed the incident, it attracted international attention. More importantly, it highlighted how real the threat of deepfake fraud has become.
According to the Entrust Cybersecurity Institute, attempted deepfake scams increased by more than 3,000% between 2023 and 2024. The financial consequences can be significant. A study conducted by Regula and Sapio Research found that 92% of affected organisations suffered losses, with the average loss amounting to approximately US$450,000 per incident.
The growing number of cases shows that deepfake fraud has become a relevant risk for many organisations. The challenge lies in preventing a convincing deception from turning into a costly incident. In many cases, the damage is not caused by deception alone, but by weaknesses in controls and verification procedures that allow the attack to succeed.
What is deepfake fraud in a business context?
Deepfake fraud refers to the deliberate use of AI-generated voices, images, or videos to imitate real people with striking realism. The aim is to persuade employees to take actions they would not normally carry out.
Deepfake scam scenarios involving video calls are particularly dangerous, since attackers pose as trusted executives, business partners, or colleagues. In many cases, familiar forms of fraud such as Business Email Compromise are combined with deepfake technology. The result is a highly credible attack that can deceive even experienced employees.
This shows that deepfake fraud is about far more than cybersecurity. In many cases, the real weaknesses lie in missing verification procedures, insufficient controls, and limited risk awareness. These are precisely the areas addressed by governance, risk, and compliance.
Why deepfake fraud is not just an IT issue
Cases like this often lead companies to focus on technical solutions first. These may include detection software or additional authentication steps. While such measures can reduce risk, they are not enough on their own if the organisational framework is weak. Deepfake attacks exploit human trust and existing process weaknesses.
In the widely cited Hong Kong case, the core issue was not merely that an employee was deceived by a deepfake. More importantly, the organisation lacked adequate safeguards to independently validate a transaction of that magnitude. The video call effectively became the sole basis for authorisation, with no mandatory callback procedure, no consistently enforced four-eyes review, and no multi-layer approval process.
This highlights the broader challenge: deepfake-enabled fraud is most effective when sophisticated deception exploits weaknesses in organisational controls. The primary vulnerability therefore lies not in the technology itself, but in the absence of clear, well-enforced verification procedures. As a result, preventing deepfake fraud is as much a governance and process issue as it is a technological one.
Deepfake risks are still largely absent from internal control frameworks
Despite the rapid rise in deepfake-enabled fraud, many organisations have yet to recognise it as a distinct risk category within their internal control and risk management framework.
This often manifests itself in several ways:
- Unclear accountability for managing deepfake-related risks
- A lack of structured risk assessments
- Weak or non-existent links between identified risks and corresponding controls
- Insufficiently documented awareness and training initiatives
- Limited evidence that existing safeguards are effective against deepfake-enabled attacks
These shortcomings are not surprising. Deepfake fraud has emerged as a significant threat in a relatively short period of time, while many governance and control frameworks were developed before such risks became a realistic concern. As a result, deepfake-related risks are frequently addressed only indirectly, if at all, and are often not systematically incorporated into risk registers, control activities, or operational processes.
Effective mitigation requires more than isolated security measures. Organisations are far better positioned to limit the impact of deepfake attacks when risks are formally identified, linked to appropriate controls, and embedded within existing governance and business processes.
Mapping deepfake risks: three steps to greater security
Step 1: identify and assess deepfake risks
The starting point is to recognise deepfake fraud as a distinct operational risk within the organisation’s risk management framework. Once identified, the risk should be assessed in terms of both its likelihood and its potential impact. Relevant business processes, risk owners, and areas of responsibility should also be clearly documented. Functions with elevated exposure typically include finance, treasury, procurement, human resources, and IT support teams.
A key consideration at this stage is the level of specificity applied to the risk assessment. Rather than treating deepfake fraud as a broad AI-related risk, organisations should examine realistic attack scenarios and the harm they could cause. This allows for a more accurate assessment of financial and operational exposure and provides a solid foundation for designing effective control measures.
Step 2: map risks to controls
Once the risks have been identified, the next step is to determine which controls can reduce the likelihood and impact of a deepfake attack. The objective is to ensure that a successful deception attempt does not automatically lead to financial loss or other significant consequences.
Common governance controls include:
- Mandatory callback procedures for payment instructions
- Multi-stage approval workflows for transactions above defined thresholds
- Four-eyes reviews for critical decisions
- Independent verification of requests to change master data
- Documented approval procedures for sensitive transactions
Controls are most effective when they are embedded in everyday business processes and applied consistently. Even if an attacker succeeds in creating a convincing deepfake, well-designed controls can prevent the attack from progressing to actual harm.
Step 3: monitor controls and verify their effectiveness
Controls are only effective if they continue to work as intended over time. Regular reviews help organisations determine whether existing safeguards remain fit for purpose as threats evolve. Clear ownership, consistent monitoring, and documented evidence of control performance all contribute to this assessment. The same applies to training and awareness activities, which should be evaluated regularly to determine whether employees can recognise and respond to deepfake attacks more effectively.
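As an added illustration that is not part of the article or of the BIC products it mentions, the following Python sketch encodes the Step 2 controls (threshold-based callback, four-eyes review, multi-stage approval) as a payment-approval check and produces the per-instruction evidence records that Step 3 monitoring relies on. The thresholds, approver names and instruction references are constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed policy values (assumptions, not figures from the article).
POLICY = {
    "callback_required_above": 10_000,  # independent callback needed above this
    "approval_tiers": [(0, 1), (50_000, 2), (1_000_000, 3)],  # (threshold, approvers)
}

@dataclass
class PaymentInstruction:
    reference: str
    amount: float
    requested_by: str        # identity claimed by whoever issued the instruction
    channel: str             # how it arrived: "video_call", "email", "erp_workflow"
    callback_verified: bool  # confirmed via a directory number, not one given on the call
    approvers: set = field(default_factory=set)

def required_approvals(amount, tiers):
    """Independent approvers needed for the highest tier the amount reaches."""
    return max(n for threshold, n in tiers if amount >= threshold)

def evaluate(instr, policy=POLICY):
    """Apply the governance controls; the channel is recorded but never trusted."""
    failed = []
    if instr.amount > policy["callback_required_above"] and not instr.callback_verified:
        failed.append("callback")
    if instr.requested_by in instr.approvers:  # four-eyes: no self-approval
        failed.append("four_eyes")
    independent = instr.approvers - {instr.requested_by}
    need = required_approvals(instr.amount, policy["approval_tiers"])
    if len(independent) < need:
        failed.append(f"approvals:{len(independent)}/{need}")
    return (not failed, failed)

def evidence(instr, policy=POLICY):
    """Audit record for Step 3: which controls fired on each instruction."""
    approved, failed = evaluate(instr, policy)
    return {"reference": instr.reference, "amount": instr.amount,
            "channel": instr.channel, "approved": approved, "failed": failed}

def failure_rate(records, control):
    """Share of evaluated instructions on which a control blocked the payment."""
    hits = sum(1 for r in records if any(f.startswith(control) for f in r["failed"]))
    return hits / len(records) if records else 0.0

# Constructed scenarios: a lone clerk acting on a video call, then the same
# transfer with a callback and independent approvals in place.
unverified = PaymentInstruction("PAY-1", 25_600_000, "cfo", "video_call", False, {"clerk"})
verified = PaymentInstruction("PAY-2", 25_600_000, "cfo", "video_call", True,
                              {"clerk", "treasury_lead", "controller"})
```

Run `evidence(unverified)` and `evidence(verified)` to see the first instruction blocked on the callback and approval controls and the second pass; aggregating the records with `failure_rate` gives the kind of control-performance evidence Step 3 asks for.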
With BIC Enterprise Risk and BIC Internal Control, organisations can manage risks, controls, and mitigation measures on an integrated GRC platform. This creates a clear link between identified risks and the controls designed to address them, while providing transparent and auditable documentation of all relevant safeguards.
Conclusion
Deepfake fraud is no longer solely an IT or cybersecurity concern. Whether an attack results in significant harm depends largely on the strength of an organisation’s governance, controls, and decision-making processes.
Technology plays an important role in prevention, but it is only one part of the solution. Effective protection requires a combination of well-designed processes, robust controls, and ongoing employee awareness. Together, these measures help companies detect fraudulent requests, prevent unauthorised actions, and reduce the impact of successful attacks.
Organisations that address deepfake risks proactively and integrate them into their existing risk and control frameworks will be better prepared for both current and future threats.
Frequently asked questions
How does deepfake fraud work in a video call?
Attackers use artificial intelligence to generate convincing real-time video and audio impersonations of executives or other trusted individuals. During a video call, they may request payments, changes to master data, or other sensitive actions, relying on the perceived legitimacy of the interaction.
How can organisations prevent deepfake attacks?
The strongest defence combines clear approval procedures, independent verification, effective governance controls, and regular employee training. While technical detection tools can provide additional support, they do not replace these measures.
Which processes are most vulnerable to deepfake fraud?
Processes that involve financial transactions, identity verification, or changes to sensitive information are particularly vulnerable. Common examples include payment approvals, procurement activities, IT helpdesk requests, and master data maintenance.
Which governance controls help prevent deepfake fraud?
Effective controls include callback procedures, the four-eyes principle, multi-stage approval workflows, independent identity verification, and clearly defined escalation procedures.
How dangerous are deepfake video calls for organisations?
Deepfake video calls are among the most convincing forms of AI-enabled fraud because they combine visual and audio manipulation with social engineering techniques. In the absence of effective controls, they can lead to significant financial and operational losses.
How should organisations assess deepfake fraud as a risk?
Deepfake fraud should be treated as a distinct operational risk. The assessment should consider the likelihood of an attack, the potential impact, the affected business processes, and the controls in place to mitigate the risk.
Why is deepfake fraud not just an IT issue?
Deepfake fraud relies on advanced technology, but its success is usually determined by human and organisational factors. Weak verification procedures, inadequate controls, and unclear responsibilities can all make an organisation more vulnerable to attack.
How does the four-eyes principle protect against deepfake attacks?
The four-eyes principle ensures that critical decisions are reviewed by a second person before action is taken. By introducing an independent check, it reduces the likelihood that a fraudulent request will be accepted on the basis of a single call or video meeting.