Deepfake fraud has moved from novelty to boardroom concern. What started as viral entertainment has become a tool for financial crime. In 2025, attackers are using AI-generated voices and videos to impersonate executives, trick employees, and bypass identity checks. The results? Nearly $900 million in losses and a growing crisis of trust.
This report explains how the threat is evolving, why financial services are in the crosshairs, and what leadership teams can do to defend against it.
What Makes Deepfakes So Dangerous
Deepfakes are more than fake videos. They are direct attacks on trust.
Phishing emails once gave themselves away with typos or odd links. Now, just 20 seconds of recorded speech is enough to build a convincing clone of a CEO’s voice. The result is harder to detect and much more damaging.
Key reasons this matters for banks and insurers:
- Bypass traditional defences: Antivirus and email filters cannot stop a trusted voice or familiar face.
- Exploit human trust: These attacks often carry no malware. They rely on urgency and authority.
- Cheap and scalable: Free or low-cost tools let attackers reuse cloned voices across multiple scams.
- Proven financial impact: In one Hong Kong case, criminals used a deepfake CFO video call to steal $25 million.
Deepfakes weaponise the most basic security measure: human recognition. As adoption accelerates, the gap between attacker capability and detection keeps widening.
The $900 Million Wake-Up Call
Deepfake fraud is not theoretical. It is already hitting financial services at scale.
According to Surfshark, losses linked to deepfake-enabled scams have reached almost $900 million since 2019. In the first half of 2025 alone, financial institutions lost $410 million — already more than the total for 2024.
Breakdown of 2025 cases so far:
- $401 million from celebrity impersonations in fake investment schemes.
- $217 million from executive impersonations.
- $139 million from bypassed biometric checks.
Incidents are now four times more common than in 2024. Beyond direct theft, these scams erode trust, force expensive investigations, and attract regulatory scrutiny.
This is not a niche problem. It is a systemic threat that touches payments, onboarding, customer service, and compliance.
The Deepfake Playbook
Deepfake fraud is structured, efficient, and manipulative. Attackers repeat the same steps across industries:
- Reconnaissance: Fraudsters scrape public media for voice or video clips. Just 15–30 seconds can be enough to build a clone.
- Building the Fake: AI models are trained on this data. Caller IDs are spoofed. Scripts are prepared to sound authentic.
- Pretext and Pressure: The request comes with urgency: a project deadline, a vendor payment, a regulatory filing. The goal is to push staff past standard checks.
- The Call or Meeting: The deepfake appears in a live call or voicemail. In the Arup case, an employee authorised 15 transfers worth HK$200 million (US$25.6 million) after a deepfake video of colleagues and the CFO convinced them it was legitimate.
- Beating the Checks: Deepfakes also target identity verification. Synthetic video and audio are injected into KYC systems, fooling weak liveness checks.
- Moving Funds: Once controls are bypassed, money is funnelled through mule accounts. Cases investigated in 2025 showed large sums transferred across multiple jurisdictions.
- Repeat at Scale: The same fake is reused on new victims. Low setup cost, high return. That is why deepfake incidents are multiplying across the sector.

Why Financial Services Are Prime Targets
Financial services are uniquely exposed. Attackers know this sector controls three things they want most: money, data, and trust.
Scale of the problem:
- $900 million in global losses since 2019, $410 million in H1 2025.
- 780% increase in deepfake incidents in the European financial sector, with the UK accounting for 13.5% of cases.
- 40% of identity-related fraud in banking now involves AI, primarily deepfakes.
Why banks are vulnerable:
- Digital-first services such as remote onboarding and real-time payments create multiple entry points.
- Biometric systems are being outpaced by synthetic audio and video.
- Fake press releases or cloned CEO clips can move share prices within hours.
Local context: Regulators in Greece and Southern Europe warn that both retail banks and shipping finance units are already being targeted with synthetic identities. Many of these attempts exploit cross-border transactions where oversight is weaker.
For executives, the bigger issue is trust. Clients who doubt digital services are hard to win back, and regulators increase costs when confidence erodes.
The Business Impact: Why Leaders Should Care
Deepfake fraud is not just an IT issue. It is a business challenge that cuts across revenue, compliance, and brand value.
Direct Financial Loss
In early 2024, a Hong Kong finance worker authorised $25 million in transfers after a video call with AI-generated “colleagues” and a CFO. Similar incidents now total nearly $900 million in global losses since 2019.
Regulatory and Legal Exposure
Under GDPR and PSD2, failures to prevent identity fraud can lead to fines and lawsuits. European regulators recorded a 780% surge in deepfake-related cases in one year, prompting active investigations.
Operational Disruption
Fraud investigations freeze accounts, delay settlements, and strain customer services. In trading or retail banking, even brief disruption causes measurable revenue loss.
Reputational Risk
A 2024 survey found 72% of consumers worry daily about being misled by a deepfake in a way that could cost them money or data. Once confidence erodes, recovery is slow and expensive.
Strategic Threat
If clients stop trusting voice or video authentication, adoption of digital-first banking slows. That hesitation undermines years of investment in automation and AI-driven services.
How Deepfakes Bypass Security
Deepfakes exploit trust at the point of contact. Attackers use them in three main ways:
- Impersonating Authority: The Arup case showed how realistic video calls of executives can authorise multimillion-dollar transfers. Seeing familiar faces lowers suspicion.
- Breaking Weak Identity Checks: Just 20–30 seconds of audio is enough to fool many biometric systems. Synthetic video is increasingly injected into KYC flows to pass liveness tests.
- Scaling Attacks Across Firms: Once a model is trained, the same fake voice or face is reused across multiple organisations. This factory approach keeps costs low and payouts high.
A Multi-Layered Defence
No single solution stops deepfakes. A layered strategy combining tech, people, and process is essential.
- Identity validation: Use liveness checks and behavioural biometrics to confirm real users.
- Adaptive detection: Deploy AI systems that evolve with new threats rather than relying on static models.
- Shared intelligence: Fraud signals shared across institutions make anomalies easier to spot.
- Staff training: Simulation drills and clear reporting channels help frontline staff act quickly.
- Media forensics: Emerging tools analyse media provenance to flag manipulated content.
Institutions that combine these defences create overlapping barriers. The goal is not perfection, but resilience.

The Regulatory Landscape
Governments and regulators are responding.
- EU: The Artificial Intelligence Act, enforceable from August 2025, classifies deepfakes as high-risk and requires transparency, monitoring, and risk controls.
- UK: The Financial Conduct Authority has issued alerts linking deepfake scams to fraud and emphasising the need for layered verification.
- US: FinCEN requires financial institutions to tag “FIN-2024-DEEPFAKEFRAUD” in Suspicious Activity Reports, signalling deepfakes as a priority risk.
Penalties are increasing. Under the EU AI Act, fines can reach €35 million or 7% of global turnover.
For executives, the message is clear: regulators expect proactive measures, not excuses after the fact.
Conclusion: Preparing for the Next Stage of Fraud
Deepfake fraud is already reshaping how criminals target financial services. The numbers are sobering: nearly $900 million lost globally since 2019, with incidents multiplying by 780% in Europe. Regulators are issuing warnings, and detection tools still lag behind attacker capability.
For leadership teams, the takeaway is straightforward. Deepfakes are not just a fraud tactic but a business risk. Protecting against them requires investment in controls, smarter verification, and trained people who know what to watch for.
Firms that act now can protect customers, reduce losses, and preserve trust. Those that delay risk being blindsided by the next wave of synthetic fraud.
Curated with purpose, delivered with precision — The ThreatScene Team.
PS. Stay sharp, stay safe ✌️

Sources & References
- Surfshark: Deepfake fraud caused financial losses nearing $900 million (July 2025)
- Business Insider: Engineering giant Arup hit by $25M deepfake scam (May 2024)
- CFO Dive: Scammers siphon $25M from engineering firm Arup via AI deepfake ‘CFO’ (May 2024)
- Security Magazine: Deepfake-enabled fraud caused more than $200 million in losses in Q1 2025
- World Economic Forum: Arup deepfake fraud story
- Surfshark: Deepfake statistics in early 2025: how frequently are famous people targeted?
- Reuters: Deepfake and cyber insurance risks