By Ben Jacob
Synthetic audio and video generation technologies, known as deepfakes, have reached a critical threshold. Once mostly limited to social media entertainment or occasional political manipulation, they are now fully integrated tools in cyberattack tactics.
This shift represents more than a technological evolution; it marks a transformation where human perception itself has become an attack surface. Recognizing a familiar voice or face is no longer a guarantee of authenticity.
In this context, businesses face a threat that relies less on raw technical skill and more on subtle manipulation of human behavior.
Fraud campaigns now exploit cloned voices and manipulated videos to simulate authentic communications, deceiving even the most vigilant employees. In February 2024, an employee at a Hong Kong multinational transferred €24 million after being duped by a deepfake.
The scam succeeded because everything appeared authentic: accent, rhythm, tone… The widespread availability of these tools, thanks to their low cost and accessibility, accelerates the industrialization of such attacks.
A technological threat turned human
Attack simulations conducted with international organizations show that deepfakes are no longer a futuristic hypothesis but an established reality.
A 2024 Anozr Way report projected deepfakes could increase from 500,000 in 2023 to 8 million in 2025.
Deepfakes exploit a rarely anticipated cybersecurity vulnerability: our instinctive trust in human interactions.
Cloned voices impersonate executives; videos generated from public content are embedded in credible scenarios to deceive experienced staff. Beyond technical sophistication, the industrialization of these practices is what should raise alarm.
Voice cloning now requires only a few seconds of publicly available audio, often available via public media such as YouTube or TikTok, allows artificial voices to be generated within minutes at low cost.
These voices are then used in automated campaigns, including mass phone calls conducted by conversational agents simulating convincing human interaction.
This paradigm shift moves the attack vector from IT systems to human behavior, exploiting trust, urgency, and voice recognition.
Identity: the new attack surface
Across recent breaches, including those impacting M&S and JLR, we are witnessing a clear shift in attacker behavior. Adversaries no longer “hack in”, they simply “log in”. They obtain valid credentials through phishing, vishing, and social engineering campaigns, then use them to operate under the radar of traditional defenses.
Deepfakes now extend this pattern by enabling the theft and imitation of identity itself. A cloned voice or AI-generated face can bypass skepticism, convincing employees they are interacting with a trusted colleague or executive.
Identity has become the primary currency of access. As organizations strengthen their technical controls, attackers increasingly exploit human trust as the easiest route inside. This convergence of social engineering and AI-driven impersonation means the next wave of attacks won’t just target vulnerabilities in IT systems, they’ll target people.
Awareness, doubt, and verification: the new pillars of cybersecurity
Most companies have focused cybersecurity efforts on protecting systems and data. However, with deepfakes, humans become the entry point. These attacks exploit a major gap in current cybersecurity: the lack of verification reflexes in voice and video communications. While most organizations run phishing awareness campaigns via email, awareness of deepfakes remains minimal.
Unlike phishing, now well understood, falsified calls or video conferences remain largely underestimated. The realism of deepfakes, especially under stress or urgency, obscures subtle cues that could raise alarms.
Detection depends on noticing small inconsistencies such as timing delays or slightly robotic speech, signs that are easy to miss during a busy day. Organizations need to establish verification practices that go beyond technical controls.
This includes contextual questions that only legitimate colleagues would know, answers that change regularly (e.g., “When did we last meet?”), or confirmation through secondary channels. “Trust but verify” has long been a motto in cybersecurity, but identity-based attacks such as deepfakes make it more relevant than ever.
“Robocalls,” already widely used to target individuals with daily AI-driven calls, can also be exploited by adversaries for illegitimate purposes. Here too, slight timing delays and intonation are key indicators to identify.
Therefore, team awareness can no longer be limited to email. It must include these new scenarios, train employees to recognize manipulations, and foster a culture of systematic verification. Trust must no longer be implicit, even when it seems natural.
The threat of deepfakes can no longer be seen as a technological curiosity or niche risk. It fundamentally challenges how companies manage trust, decision traceability, and communication security.
Organizations must integrate these concerns into governance: crisis simulations, verification protocols, redundant information channels, and continuous training. More than a technological response, this requires an organizational, cognitive, and cultural approach. Against a digital illusion that relies on familiarity, only active vigilance can prevent the next attack from coming… through the CEO’s voice.
***Ben Jacob is Tech Lead EMEA, Sophos Red Team at Sophos
