Not long ago, deepfakes were dismissed as online curiosities — digitally altered celebrity videos circulating on platforms like Instagram and X. Today, they’ve become a serious corporate security threat. According to
recent surveys, 53% of businesses have reported encounters with deepfake incidents, signaling an urgent shift in how organizations must defend themselves.
From entertainment to exploitation
Deepfakes — AI-generated synthetic audio and video — are no longer confined to embarrassing internet memes. They are now powerful tools for cybercriminals seeking financial gain, corporate access, or reputational damage.
[Editor's Note: This is part SC Media's partnership to unpack OWASP's Top 10 for LLM Applications.] High-profile celebrities and political figures have already felt the sting. When pop star
Taylor Swift became the subject of a viral deepfake attack, headlines highlighted the growing ability of bad actors to tarnish reputations instantly. Increasingly, however, the technology is being weaponized against business leaders — and the costs are staggering.
Millions lost to synthetic voices
One of the most notorious cases involved a multinational company
swindled out of $25.6 million after fraudsters used deepfake video conferencing to impersonate executives and authorize wire transfers. In May 2024, scammers targeted the world’s largest advertising firm, WPP, by
impersonating CEO Mark Read through a fake WhatsApp account, cloned voice recordings, and doctored YouTube footage. Their goal: to trick employees into releasing funds. Although WPP thwarted the attempt, the incident underscored just how advanced and convincing these scams have become.
Even thwarted attacks reveal the sophistication of the threat. In April 2024, password manager
LastPass reported a foiled attempt to infiltrate its systems using cloned voice technology. The case showed that even security companies are not immune, and that enterprises of any size can become targets.
A trojan that steals faces
Beyond financial fraud, researchers warn of new dangers that push deepfake misuse further into biometric exploitation. In early 2024, cybersecurity firm
Group-IB exposed a novel iOS trojan, GoldPickaxe.iOS, developed by a Chinese-speaking group dubbed GoldFactory. The malware harvested facial recognition data, identity documents, and SMS codes to generate deepfakes capable of bypassing bank security systems. Victims in Vietnam and Thailand were targeted, but experts warn it’s only a matter of time before such attacks spread globally.
“This is a scary development, but it’s not surprising,” said Jason Soroko, senior vice president of product at Sectigo. “Deepfakes are very effective in social engineering. Your face, your fingerprints, and your voice are not secrets — and that makes them vulnerable.”
Remote work: A new attack surface
The rise of hybrid and remote work has only amplified the risk. Employees can no longer verify suspicious calls or meeting requests with a quick walk to the executive suite. A single video call, cloaked in deepfake trickery, can upend trust within digital workplaces. Experts caution that this erosion of confidence can paralyze decision-making and fracture team cohesion.
Fighting AI with AI
Cybersecurity professionals argue that traditional “spot the fake” training is insufficient. Research shows even trained observers cannot reliably detect manipulated media. Instead, companies are turning to AI-powered defenses such as biometric authentication, liveness detection, and layered identity verification.
These technologies, which analyze anomalies invisible to the human eye, can prevent fraudsters from onboarding with fake accounts or injecting prerecorded media into live camera streams. Risk-based authentication — evaluating device trustworthiness, PII consistency, and biometric signals in real time — is also becoming critical.
Still, experts caution against overreliance on biometrics alone. “Biometric authentication should rarely be used as a sole form of authentication,” said Soroko. “It’s a handy PIN replacement, but once your biometric data is stolen, it can’t be changed.”
Staying vigilant
While technology plays a central role, culture remains just as important. Training employees to question unusual requests, implementing strict approval workflows for high-value transactions, and updating response plans are all essential steps.
As Andy Ellis of YL Ventures put it, “Our financial systems are built on a lot of assumed — but not verified — trust. Deepfakes exploit those gaps. Until identity verification catches up, attackers will keep finding ways in.”
For now, businesses must prepare for a reality where seeing — and hearing — are no longer believing.
This article is part of SC Media’s 10-part editorial series on the OWASP Top 10 for LLM Applications 2025. Produced in partnership with the OWASP Generative AI Security Project, the series highlights actionable steps for secure, transparent GenAI application development.