Steve Piper, CISSP, is the founder and CEO of CyberEdge Group and Editor-in-Chief of Security Buzz.
getty
Deepfakes are accelerating the breakdown of trust in phone and video calls, two of the most relied‑upon channels in corporate workflows. Attackers combine speed and scale to exploit these communication channels faster than organizations can verify trust.
With U.S. fraud losses facilitated by generative AI projected to grow from $12.3 billion in 2023 to $40 billion by 2027 (32% CAGR), according to Deloitte Insights, this is no longer a niche security issue, but a material business and financial risk that demands rethinking defense when deception is inexpensive, scalable and continuous.
Organizations are exploring fraud detection technologies, including behavioral pattern analysis; device and contextual intelligence; and multilayered verification strategies that scrutinize content through visual, auditory and textual lenses. Many, however, are hampered by their own internal infrastructure. Traditional identity verification and security controls were designed for static signals, not adaptive deception.
Nowhere is this breakdown more visible than in financial services. According to the ACAMS "2026 Global AFC Threats" report, more than half of organizations cite outdated data and legacy IT systems as a high or very high risk to anti‑financial crime programs.
While deepfake detection tools are a marked improvement over legacy security systems, they are not adversary‑proof defenses. Models trained on clean data perform poorly against live, compressed, multichannel attacks. CSIRO-led research finds that detection effectiveness ranges from 39% to 69% when systems are deployed outside controlled laboratory environments.
Equally important, attackers move faster than defenses. Well-resourced threat actors have been known to test their deepfakes against detection tools before launching attacks. Once they learn how a detection system works, they modify their techniques to bypass it. By the time detection tools close the gap, attackers have already changed tactics, creating a race where defenders are always struggling to keep up.
The limitations of detection technology are only part of the problem. Human defenses fare no better under real‑world conditions. An iProov study found that just 0.1% of participants were able to reliably identify deepfake content, even in controlled conditions where they knew what to look for.
Yet, the challenge isn’t just detection; it’s organizational readiness. In the CyberEdge 2026 "Cyberthreat Defense Report," 37% of cybersecurity professionals expressed concern about deepfake impersonation. But even as awareness grows, many organizations remain ill‑prepared to defend against it.
At its core, deepfake risk is a failure of trust architecture: who is trusted, through which channels and under what conditions. With deepfake attacks only showing signs of increasing, organizations must accept that no automated or human detection system is foolproof, and that resilience requires shifting focus from spotting the fake to slowing and containing the abuse of trust.
Detection still plays a role, but only as one input, not the decision itself. As the earlier CSIRO findings suggest, real‑world detection performance varies widely. Organizations, therefore, should invest in detection technologies with realistic expectations of roughly 55% average accuracy and plan security around imperfect detection rather than perfect protection.
Deepfake‑proofing a company means redesigning the everyday workflows that attackers rely on, so that even a successful impersonation can’t achieve its goal.
In practice, this shift includes:
Attackers need only small snippets of audio and voice data to create believable deepfake media. Evaluate publicly available audio and video information on executives, employees and the organization that would enable attackers to create convincing deepfakes.
Attackers exploit everyday workflows—especially payments, hiring and IT requests—by creating urgency. Introduce friction where trust is implicit to break the attack. This includes:
• Neutralizing urgency with deliberate delay. Artificial urgency is one of the most reliable techniques in deepfake attacks. Implement time‑delayed approvals, such as a mandatory 30‑minute cooling‑off period for high‑risk or unusual requests, to remove the pressure attackers rely on.
• Separating authority from approval through escalation rules. Attackers succeed when a single individual can authorize sensitive actions under pressure. Requiring multi‑person approval based on the type and impact of the request limits what deception can achieve under pressure.
• Defining which channels are trusted for which requests. Deepfake attacks often exploit informal communication paths. Be explicit about where sensitive requests may originate and where they may not. Payments, access changes or credential resets should require secondary verification through a trusted channel, such as a callback using an internal directory number.
Deepfakes work best when people feel pressured to act quickly or lack a clear frame of reference for the threat. Awareness explains the threat; process absorbs the risk. Focus training on awareness and escalation—not on asking employees to judge authenticity in the moment.
Deepfakes expose a brittle assumption about how trust moves through modern organizations. When both technology and human judgment can be deceived at the point of execution, defense must shift upstream into design, process and governance. Resilient organizations will be those that pair advancing technology with workflows designed to remain safe even when detection is imperfect and trust is convincingly misused.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。