Synthetic audio and video generation technologies, widely known as deepfakes, have crossed a critical threshold. Long confined to social-media entertainment or targeted political manipulation, they are now emerging as full-fledged instruments within cyberattack playbooks.
This shift goes beyond the purely technical realm and marks a structural transformation. Human perception—whether it concerns a familiar voice or a recognized face—is becoming a new surface for attack.
In this context, enterprises confront a threat that leans less on raw technical prowess and more on subtle manipulation of human behavior. Fraud campaigns today exploit cloned voices and doctored videos to simulate genuine communications and to mislead even the most vigilant colleagues.
In February 2024, an employee at a Hong Kong–based multinational was duped by a deepfake and transferred 24 million euros. The scam succeeded because everything appeared authentic: the accent, the cadence, the tone… The ubiquity of these tools, made possible by affordable economics and accessible technology, accelerates the industrialization of these attacks.
A Technological Threat That Has Become Human
Simulation exercises conducted with international organizations show that the use of deepfakes is no longer a speculative scenario but a well-established reality. A 2024 report from Anoizr Way indicated that the number of deepfakes could rise from 500,000 in 2023 to 8 million by 2025.
Deepfakes exploit a vulnerability rarely anticipated by cybersecurity defenses: our instinctive trust in human interactions. Clone voices are used to personify leaders; videos drawn from public content are embedded into credible, scripted scenarios designed to deceive even seasoned employees. More than technical sophistication, it is the industrialization of these practices that should sound the alarm.
The ease of voice cloning, requiring only a few tens of seconds of recording often obtainable from public media such as YouTube or TikTok, enables the creation of artificial voices in minutes at a low cost. These voices are then deployed in automated campaigns, including mass telephonic outreach conducted by conversational agents that mimic convincing human interaction.
This paradigm shift relocates the entry point of attacks from the information system to human behavior, exploiting trust, urgency, and voice recognition.
Awareness, Doubt and Verification: The New Pillars of Cybersecurity
Most companies have focused their cybersecurity efforts on protecting systems and data. Yet in the face of deepfakes, the human becomes the entry point. These attacks exploit a fundamental weakness in current cybersecurity frameworks: the absence of reflexive verification in voice and video communications.
While most organizations have implemented phishing-awareness campaigns via email, awareness of deepfakes remains almost nonexistent. Unlike phishing, which is now well understood, falsified calls or video conferences are still largely underestimated. The realism of deepfakes—particularly in stressful or urgent contexts—blurs the subtle signals that could otherwise raise alarms.
Detection relies on subtle cues, such as a mismatch in responses or robotic intonation, but these signs are often overlooked under pressure. Establishing routine verification practices—through contextual questions known only to legitimate participants and whose answers can change over time (for example, “When was our last in-person meeting?”)—or via secondary confirmation channels becomes essential. Skepticism thus evolves into a strategic competence.
“Robocalls,” now widely used against private individuals who receive multiple AI-driven automated calls daily, can also be repurposed by adversaries for illicit ends. Here too, the small timing discrepancies in responses and intonation remain telltale indicators to identify.
Consequently, awareness training for teams cannot be limited to email security. It must incorporate these new scenarios, train staff to recognize manipulation, and foster a culture of systematic verification. Trust should no longer be assumed, even when it feels natural.
The threat posed by deepfakes cannot be dismissed as a curiosity or a niche risk. It compels a profound rethinking of how organizations manage trust, traceability of decisions, and the security of communications. It is essential to embed these concerns within governance frameworks: crisis simulations, verification protocols, redundancy of information channels, and ongoing training.
More than a technological fix, this requires an organizational, cognitive, and cultural response. Because in the face of a digital illusion that rests on familiarity, only active vigilance can prevent the next attack from passing… through the voice of the CEO.
