Adex - guide to deepfake scam tactics, AI online fraud risks, and stronger workflow defenses.

What Is a Deepfake Scam? How AI Is Used in Online Fraud

In a single morning in early 2024, a finance employee at Arup’s Hong Kong office wired $25 million across 15 transactions, acting on instructions from a video meeting in which every other participant was synthetic. Ferrari, WPP, and LastPass each disclosed credible near-miss attempts on senior executives that same year.

Identity-verification platforms now report AI-assisted fraud as a steady-state line item, not an emerging anomaly. This article explains how deepfake scams actually work, which four categories of attack matter, and why the leverage point in defense is workflow design rather than better detection, illustrated with documented cases and a layer-by-layer look at where current defenses succeed and fail.


TL;DR

A deepfake scam uses AI-generated voice, video, or documents to impersonate someone, but the synthetic media is only one stage of a longer social-engineering chain, and the largest documented loss (Arup’s $25M, the 2024 Hong Kong deepfake-CFO case) happened because of a weak transfer-approval workflow, not because the fakes were undetectable. 

Detection alone fails: per-asset detectors lag generative models, and camera-stream injection now bypasses most liveness checks. The defensible posture is layered detection plus procedural resilience – out-of-band confirmation, dual approval, cluster analysis of new accounts – so that no single signal is decisive.


Key Takeaways

  • A deepfake scam uses AI-generated audio, video, or imagery to impersonate a real person, document, or organization. The synthetic asset is rarely the whole attack – it is one stage inside a social-engineering chain.
  • Four categories matter, and they fail differently: executive impersonation (BEC 2.0), identity-document fraud, celebrity / brand impersonation, and synthetic creator / publisher fraud.
  • The fastest-growing bypass technique in 2026 is not better generative output. It is camera-stream injection, which feeds a synthetic video feed into the OS camera interface, defeating liveness checks that examine only the face.
  • The most expensive breaches succeed because of workflow design, not video quality. The Arup case (~$25M, Hong Kong office, 2024) turned on a procedure that allowed a large transfer to be authorized on the strength of a video call alone.
  • A defensible posture is layered detection plus procedural resilience: assume any single signal can be wrong, and design approvals so that no single signal is decisive.

What a Deepfake Scam Actually Is

A deepfake scam is fraud that uses AI-generated audio, video, or imagery to impersonate a real person, a real document, or a real organization convincingly enough to extract money, access, or trust. Impersonation is not new; it has existed for as long as commerce has, but generative models have collapsed the cost of producing a believable fake from “skilled studio work” to “a laptop and a few minutes.”

That cost collapse is the part most coverage understates. Attackers can fake a face or a voice; that is settled. What matters now is where the fake enters the workflow, what decision it short-circuits, and which of the defenses sold as “deepfake detection” hold up once attackers know what those defenses are looking for.


How a Deepfake Scam Actually Works

Most deepfake fraud follows a recognizable shape, even when the surface details change. There is a target whose identity is worth stealing, a relationship the attacker wants to ride on top of, and a moment of decision that the fake is designed to push through faster than scrutiny can catch up.

The “deepfake” itself is rarely the whole attack. It is one component inside a social-engineering chain. The synthetic asset – a cloned voice on a phone call, a face-swapped video on a Zoom call, an AI-generated passport submitted to a verification flow – exists to make the next step feel routine. The scam succeeds when the receiving human treats a synthetic input as they would a genuine one.

Attack Chain · 5 Stages

Anatomy of a Deepfake Scam: From Source Material to Executed Fraud

The synthetic asset is just one link. Mapping the full chain shows where defenses can intervene long before a fake reaches its target.

1. Source harvesting – public videos, voice recordings, leaked KYC images, scraped social profiles.
2. Asset generation – voice clone, face-swap model, synthetic ID document, AI-written backstory.
3. Channel selection – the pretext is chosen: video call, voicemail, KYC upload, advertiser onboarding, payout request.
4. Pressure moment – urgency, authority, financial threshold, hard deadline.
5. Execution – wire transfer, account approval, campaign launch, payout release.

Defense Opportunities: where the chain can be broken before execution

  • Detect – provenance signals, watermark scans, model fingerprinting at upload.
  • Verify – out-of-band confirmation, callback protocols, second-channel checks.
  • Slow – mandatory cool-down, dual-approval thresholds, urgency-trigger reviews.


The Categories Worth Distinguishing

“Deepfake scam” is used loosely in the press, which makes it harder to think clearly about defenses. In practice, four categories matter, and they overlap far less cleanly than headlines suggest.

Category: Executive impersonation (BEC 2.0)
  What is faked: voice or video of a real executive
  Typical channel: phone call, video conference
  Primary target: finance staff, payment approvers
  Where defenses tend to break: trust in the visual channel; urgency overrides the verification protocol

Category: Identity-document fraud
  What is faked: synthetic passport, ID card, selfie, liveness video
  Typical channel: KYC / onboarding flows
  Primary target: banks, exchanges, ad platforms, affiliate networks
  Where defenses tend to break: per-document checks pass; cluster signals across accounts are missed

Category: Celebrity / brand impersonation
  What is faked: face and voice of a public figure endorsing a product
  Typical channel: video ads, social posts, landing pages
  Primary target: consumers; the impersonated brand’s reputation
  Where defenses tend to break: pre-publication review at scale; takedown latency

Category: Synthetic creator / publisher fraud
  What is faked: a wholly fabricated person (face, voice, history) used to operate accounts
  Typical channel: affiliate programs, creator monetization, advertiser onboarding
  Primary target: payout systems, attribution models
  Where defenses tend to break: single-account scrutiny finds nothing; the fraud is visible only at the network level

Treating these as a single problem produces one-size-fits-all detection logic that catches none of them well. A liveness check tuned for KYC will not help a CFO on a Zoom call. A behavioral model trained on advertiser onboarding will not catch a cloned voice authorizing a wire.


How Deepfake Fraud Enters the Adtech Supply Chain

Adtech Supply Chain · Two Entry Points

Where Deepfakes Actually Enter Performance Marketing

Entry 1 – Identity verification at onboarding
  • AI-generated ID documents
  • Injected video streams during KYC
  • High-volume probes hunting the weakest flow
  Single fakes rarely pass; volume finds the gap.

Entry 2 – Synthetic creative in scam campaigns
  • Deepfaked celebrity endorsements
  • Investment scams, fake giveaways, crypto rugs
  • Reaches users via long intermediary chains
  The attacker needs only one variant to get through; defenders must catch all of them.

Defensive center of gravity: from “detect the fake clip” to “detect the actor and infrastructure behind a cluster of clips”.

For people working in performance marketing, the relevant entry points are narrower than the general news coverage suggests. The two that matter most: identity verification at onboarding, and synthetic creative used to drive scam campaigns.


Onboarding and KYC

AI-generated identity documents and injected video streams are now a routine part of attempted onboarding fraud. The patterns are documented in the Sumsub Identity Fraud Report 2025–2026 and in operational accounts like AdTech Holding’s analysis of how KYC systems are adapting to AI-generated fraud. The structural finding from that work bears repeating: the threat is not that any single deepfake passes – most do not – but that attackers run high-volume probes, looking for the weakest onboarding flow in a market where standards are uneven.


Synthetic creative

Deepfaked endorsements by public figures – politicians, finance personalities, and athletes – have become a standard wrapper for investment scams, fake giveaways, and crypto-rug schemes. 

These creatives reach users through a long chain of intermediaries, and responsibility for stopping them is genuinely shared: networks invest in pre-publication review, verification vendors flag known impersonations, and platforms maintain takedown pipelines. 

The asymmetry favors the attacker who needs only one variant to slip through. The defensive center of gravity has shifted from “detect the fake clip” to “detect the actor and infrastructure behind a cluster of clips.”


One Loss, Two Saves: What Three 2024 Deepfake Cases Reveal

Case Study · Deepfake-Enabled BEC – Arup, 2024, $25M

A finance employee joined a video call with synthetic colleagues and authorized the transfer. The steps that led there:

1. Primed by an earlier email
2. Joined a call on a familiar tool
3. Recognized the “CFO” and colleagues on screen
4. Acted within normal institutional rhythm

The assumption: the deepfake quality fooled the employee.
What actually broke: the workflow assumed seeing + hearing = verification.
The real defense: not better video forensics, but a payment authorization protocol that does not collapse when a video call says it should.

A pattern is more useful than a single anecdote. These three documented cases from 2024 show how the same underlying workflow vulnerability surfaces in different operational contexts – one expensive success and two near misses.


Arup, 2024 – The canonical BEC (Business Email Compromise) 2.0 case

A finance employee at the engineering firm Arup’s Hong Kong office transferred roughly $25 million across 15 transactions after attending a video call with what appeared to be the company’s CFO and several colleagues. Every other face on the call was synthetic. The incident was reported initially by CNN in February 2024, and Arup was named as the victim by CNN in May 2024. It is now the canonical example of deepfake-enabled BEC.

What is instructive is the part most coverage glosses over: deepfake quality was not what made the attack work. The protocol around large transfers was. 

The employee had been primed by an earlier email, attended a meeting using a familiar tool, recognized the people on screen, and acted within an institutional rhythm in which senior executives sometimes do urgent things on short notice. 

The attack also showed maturity beyond one-on-one impersonation: a fully populated meeting with cross-talk and turn-taking defeats the social heuristic that says, “If several known people see the same thing, it is probably real.”


Ferrari, July 2024 – Voice clone defeated by a personal question

A Ferrari executive received WhatsApp messages and then a voice call appearing to come from CEO Benedetto Vigna, asking for help with a confidential acquisition that needed an urgent currency-hedging signature. 

The voice clone reproduced Vigna’s southern-Italian accent. The executive noticed slight prosodic inconsistencies and asked a question only the real Vigna could answer: the title of a book Vigna had recently recommended to him. 

The caller could not answer and ended the call. Reuters and Bloomberg reported the incident; MIT Sloan Management Review covered the security lessons in detail.

The Ferrari case is useful because the failure mode is unusual: the attack was procedurally credible (urgent, secret, plausible business context) but failed against a piece of shared-context knowledge. It is the simplest possible check – a question whose answer is not online – and it worked. Strictly speaking it is not a second channel: the challenge ran over the attacker’s own call, so it tests knowledge rather than the channel, and it should back up, not replace, a callback to a number the executive is already known to use.


LastPass, April 2024 – Voice clone of a CEO

In April 2024, LastPass publicly disclosed an attempted voice-clone impersonation of its CEO Karim Toubba, targeting an employee through WhatsApp audio.

The attack failed for an unglamorous reason: the message arrived through a non-standard channel, with off-hours timing and high-pressure framing, and the employee escalated to internal security rather than acting on it.


What the three cases tell you together

Same technology, three different outcomes. Arup lost $25M because the procedure treated a video call as authorization.

Ferrari and LastPass intercepted equally credible attempts because the procedure required something the attacker could not produce – a personal-context question, an out-of-channel escalation. The defense was never video forensics. It was a payment-and-action authorization protocol that does not collapse when a synthetic voice or face says it should.


Detection: What Actually Works, and What It Misses

No single detector is worth trusting on its own. What works in production is a layered stack, where each layer catches a different kind of failure that the others miss. This framing aligns with the finding in industry threat reports, including the Sumsub Identity Fraud Report and iProov’s annual threat intelligence, that no single signal withstands sustained pressure from a determined attacker.

Detection Stack · Layer-by-Layer

What Each Defense Layer Catches, and What It Routinely Misses

Every layer has a documented blind spot. Attackers probe each one and shift to whichever is weakest in a given environment.

1. Media artifact analysis (frame inconsistencies, compression, GAN fingerprints)
   Catches: low-effort generative fakes and known model signatures
   Routinely misses: models tuned to evade the detector’s own training features

2. Liveness and passive biometrics (micro-movements, blood-flow signals, texture)
   Catches: static images, replay attacks, basic 2D spoofs
   Routinely misses: high-fidelity injected video streams that simulate liveness

3. Device and session telemetry (fingerprints, IP, geo, camera metadata, injection signals)
   Catches: reused infrastructure and emulator-based attempts
   Routinely misses: rotated residential proxies and clean device pools per session

4. Behavioral signals (interaction speed, navigation, form-fill timing)
   Catches: scripted bots and unnaturally uniform session flow
   Routinely misses: human-in-the-loop operators driving the session manually

5. Network and graph analysis (account clusters, shared docs, payout endpoints)
   Catches: coordinated rings sharing devices, templates, or cash-out paths
   Routinely misses: the first attempt from a fresh, unconnected identity

The non-obvious point, and the one most vendor pages avoid: the fastest-growing class of deepfake bypass is not better generative output. It is camera-stream injection – feeding a fake video directly into the system instead of showing it to a camera. 

iProov’s threat reports have tracked this shift in detail, documenting a sharp year-over-year rise in injection attacks against verification SDKs and naming them the dominant attack vector against face biometrics today.

Here is what changed. Until recently, the standard attack was to hold a screen or printed photo up to a webcam. Liveness detection – the layer that looks for micro-movements, blood-flow signals, and skin texture – now catches those reliably. So attackers stopped showing fake videos to the camera and started bypassing the camera entirely.

They feed a synthetic video stream directly into the operating system’s camera interface, where the verification SDK treats it as a real feed. From the application’s point of view, nothing looks wrong: the frames move naturally, the lighting is plausible, the face is coherent. The deception is happening one layer below, between the sensor and the software.

This is why the defensive center of gravity has moved from analyzing the face to interrogating the device. The useful questions are no longer “does this face look real?” but “is this video actually coming from physical hardware on this device, or is a virtual camera driver sitting in the path? Does the stream carry the metadata a real sensor would produce? Are the frame timings consistent with a real capture pipeline, or with a software loop?”
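The device-level questions above can be turned into concrete checks. What follows is an added illustration, not code from this page or from any verification SDK: a small Python routine that scores a capture session on a few device signals (a virtual-camera driver name in the capture path, no physical bus vendor id, metronome-uniform frame intervals, absent sensor metadata) and routes the session to review only when more than one of them fires. The `CaptureSession` fields, the two constructed sessions, the marker list and the jitter threshold are all assumptions made for the example; the marker names are those of widely used virtual-camera drivers, but a deployment would maintain its own list and tune the threshold against its own real-device population.

```python
import statistics
from dataclasses import dataclass, field
from itertools import accumulate

# Substrings that identify common virtual-camera drivers (OBS Virtual Camera, ManyCam,
# Snap Camera, v4l2loopback). Illustrative list; a production one is maintained per platform.
VIRTUAL_CAMERA_MARKERS = ("obs virtual", "manycam", "snap camera", "v4l2loopback", "virtual camera")

# Hypothetical threshold: population standard deviation of inter-frame gaps (ms) below which the
# stream looks like a software timer rather than a sensor-readout pipeline with scheduling jitter.
MIN_EXPECTED_JITTER_MS = 0.05

@dataclass
class CaptureSession:
    device_name: str            # camera label reported by the OS / browser
    bus_vendor_id: str          # USB or PCI vendor id of the device; "" when no physical bus is reported
    frame_timestamps_ms: list   # presentation timestamps of consecutive frames
    sensor_fields: dict = field(default_factory=dict)  # per-frame sensor metadata the pipeline exposed

def interval_jitter_ms(timestamps):
    """Population standard deviation of the gaps between consecutive frames; None if too few frames."""
    if len(timestamps) < 3:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return statistics.pstdev(gaps)

def injection_indicators(session):
    """Device-level signals that frames may not originate from physical hardware. Each is a heuristic."""
    flags = []
    name = session.device_name.lower()
    if any(marker in name for marker in VIRTUAL_CAMERA_MARKERS):
        flags.append("virtual camera driver in the capture path")
    if not session.bus_vendor_id:
        flags.append("device reports no physical bus vendor id")
    jitter = interval_jitter_ms(session.frame_timestamps_ms)
    if jitter is not None and jitter < MIN_EXPECTED_JITTER_MS:
        flags.append("frame timing is metronome-uniform, unlike a hardware capture pipeline")
    if not session.sensor_fields:
        flags.append("stream carries no sensor metadata")
    return flags

def route(session, review_at=2):
    """Send to manual review / step-up when at least `review_at` indicators fire; never decide on one."""
    flags = injection_indicators(session)
    return ("review" if len(flags) >= review_at else "continue", flags)

# Constructed sessions. The "real" one has sensor metadata, a bus vendor id and natural timing jitter;
# the "injected" one mimics a virtual camera pushing frames from a loop at a fixed 33.333 ms cadence.
REAL_GAPS_MS = [33.2, 33.9, 32.7, 34.1, 33.0, 33.6, 32.9, 33.8, 33.4, 33.1]
REAL = CaptureSession(
    device_name="Integrated Webcam",
    bus_vendor_id="0x0c45",
    frame_timestamps_ms=list(accumulate([0.0] + REAL_GAPS_MS)),
    sensor_fields={"exposure_us": 16600, "gain": 2.0},
)
INJECTED = CaptureSession(
    device_name="OBS Virtual Camera",
    bus_vendor_id="",
    frame_timestamps_ms=[round(i * 33.333, 3) for i in range(30)],
    sensor_fields={},
)

if __name__ == "__main__":
    for label, session in (("real", REAL), ("injected", INJECTED)):
        print(label, route(session))
```

The routing rule deliberately requires two indicators before a session is pushed to review. One signal alone can be wrong (a legitimate Linux user routing through v4l2loopback, a browser that strips device metadata), which is the same point the layered-stack argument makes: no single signal decides.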

The terminology has shifted to match. The international standard for evaluating these defenses, ISO/IEC 30107, historically focused on presentation attack detection (PAD) – physical spoofing, such as masks or printed photos held up to a camera. The newer category has its own name: injection attack detection (IAD), and it is a fundamentally different evaluation problem.

Pixel-only detectors cannot address it. They were trained on the assumption that the input is at least a real recording of something: a printed photo, a replayed video, a mask. Injection attacks break that assumption.

The broader pattern is worth naming, because it is not unique to deepfakes. Every generation of biometric defense has been bypassed not by a better fake, but by attackers moving one layer down the stack:

  • Pixel forensics was bypassed by liveness-aware generative models
  • Liveness was bypassed by injection
  • Injection detection will be bypassed by whatever compromises device attestation, the layer that verifies the hardware itself is genuine

Gartner’s widely cited forecast that by 2026, a significant share of enterprises will stop trusting face biometrics on their own for identity verification is a direct consequence of this migration, not a standalone prediction. Each layer’s vendors keep selling defenses that still work against last year’s attacker. 

That is the actual state of detection in 2026. It is not a solved problem, and it is not a single product. It is a stack with documented blind spots at every layer, where the operational question is whether all five layers are watching at once, and whether someone is paying attention when one of them goes quiet.


Where Defenses Fail Honestly

A trustworthy article on this topic has to name the failure cases, because every layered defense has them.

Per-asset detectors degrade quickly. Models trained to spot artifacts in last year’s generative outputs lose accuracy against this year’s outputs, and retraining cycles are slower than model release cycles on the attacker side. Operationally, this shows up as a quiet drift in detection rates that no one notices until a postmortem.

False positives are not cosmetic. Aggressive liveness or behavioral models block legitimate users, particularly those with older devices, low-bandwidth connections, atypical lighting, or document formats from countries with less standardized ID design. Industry data consistently shows that strict onboarding flows produce a significant drop-off among legitimate users, and the cost of that friction lands on revenue, not on attackers, who simply move on.

Cluster analysis cannot see an attack that hasn’t happened often enough yet. 

New platforms, new verticals, and new geographies all suffer from a cold-start problem: the first cohort of fraudsters arrives before the network-graph signals exist to detect them. This is why operational teams pair machine-driven scoring with manual review during the early life of any new flow, and why automating that review away too quickly tends to produce the worst kind of breach: the one no one notices for months.
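The network layer described in the detection stack above, and the cold-start blind spot described here, as an added Python example that is not part of this page or of any Adex system: accounts are linked when they share a device fingerprint, document hash or payout endpoint (union-find over those attributes), a cluster is sent to review once it reaches a hypothetical size threshold, and a `rescore()` pass finds accounts that were passed before their cluster existed. The `Account` fields, the link keys, the threshold and the sample onboarding stream are all constructed for the example.

```python
from dataclasses import dataclass

# Attributes that link two accounts when they share a value. Constructed for this example;
# a real flow would add selfie perceptual hashes, IP ranges, card BINs, and so on.
LINK_KEYS = ("device_fp", "doc_hash", "payout_endpoint")

@dataclass(frozen=True)
class Account:
    account_id: str
    device_fp: str          # browser/device fingerprint seen at onboarding
    doc_hash: str           # hash of the submitted ID document image
    payout_endpoint: str    # where the account asks to be paid (IBAN, wallet, PayPal email)

class AccountGraph:
    """Union-find over accounts; two accounts share a cluster if a chain of shared attributes connects them."""

    def __init__(self, cluster_threshold=3):
        self.threshold = cluster_threshold   # hypothetical: clusters this large go to review
        self._parent = {}                    # account_id -> parent in the union-find forest
        self._first_seen = {}                # (key, value) -> first account that presented it
        self.decisions = {}                  # account_id -> decision made at submission time

    def _find(self, a):
        while self._parent[a] != a:
            self._parent[a] = self._parent[self._parent[a]]   # path halving
            a = self._parent[a]
        return a

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self._parent[rb] = ra

    def members(self, account_id):
        root = self._find(account_id)
        return {a for a in self._parent if self._find(a) == root}

    def submit(self, acct):
        """Score an account at submission time using only what the graph knows so far."""
        self._parent.setdefault(acct.account_id, acct.account_id)
        for key in LINK_KEYS:
            token = (key, getattr(acct, key))
            if token in self._first_seen:
                self._union(self._first_seen[token], acct.account_id)
            else:
                self._first_seen[token] = acct.account_id
        size = len(self.members(acct.account_id))
        decision = "review" if size >= self.threshold else "pass"
        self.decisions[acct.account_id] = decision
        return decision, size

    def rescore(self):
        """Accounts passed during cold start that now sit in a cluster at or above the threshold."""
        return {a for a, d in self.decisions.items()
                if d == "pass" and len(self.members(a)) >= self.threshold}

# Constructed onboarding stream: one legitimate account, then a three-account ring that shares a
# device between r1 and r2 and a payout endpoint between r2 and r3 (no single attribute ties all three).
SAMPLE_STREAM = [
    Account("u1", "fp-legit", "doc-legit", "pay-legit"),
    Account("r1", "fp-A", "doc-1", "pay-X"),
    Account("r2", "fp-A", "doc-2", "pay-Y"),
    Account("r3", "fp-B", "doc-3", "pay-Y"),
]

def run_demo(threshold=3):
    """Replay SAMPLE_STREAM; return (per-account (id, decision, size) in order, accounts flagged on rescore)."""
    g = AccountGraph(cluster_threshold=threshold)
    timeline = [(a.account_id,) + g.submit(a) for a in SAMPLE_STREAM]
    return timeline, g.rescore()

if __name__ == "__main__":
    timeline, late = run_demo()
    for account_id, decision, size in timeline:
        print(f"{account_id}: {decision} (cluster size {size})")
    print("flagged on rescore:", sorted(late))
```

Note what the replay shows: the first two ring members pass at submission time because nothing connects them to anything yet; only the third member makes the cluster visible, and `rescore()` is what turns that late signal into a review of the accounts already through the door. That re-scoring, together with the manual review during cold start described above, is the compensating control for a detector that structurally cannot see the first attempt.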

There is a related failure case that vendor decks rarely discuss. Detection works against the attacks the system was designed for, and passes cleanly the ones it was not.

From an Adex anti-fraud perspective, what we see across review queues is that novel deepfake attempts almost never look like the ones in last quarter’s training data. By the time a detection model reaches a reliable accuracy rate on a given attack category, that category has already moved on.


One Attack, Different Failure Surfaces

“Deepfakes will break online trust” sounds decisive until you ask: trust in what?

Payment authorization, identity verification, advertiser-platform relationships, and creative inventory each run on different mechanisms and fail in different ways. A breakthrough that collapses one does not automatically touch the others.

The failures most buying teams worry about are the visible ones: the deepfaked celebrity endorsement that ran for six hours before takedown, the cloned-voice CEO scam that made the news. 

The defenses doing the actual heavy lifting sit at layers they never see: payment-rail KYC at one end, network-graph analysis on advertiser accounts at the other. The bulk of what gets stopped is invisible by construction – synthetic-ID onboardings rejected at submission, clusters of fake creator accounts blocked before first payout. None of it makes headlines because nothing happened.


The Sharper Frame

Deepfake scams are not a single problem. There are four distinct fraud patterns, each entering through different channels and defeating different controls:

  • Executive impersonation
  • Identity-document fraud
  • Celebrity impersonation
  • Synthetic creator fraud

Treating them as one threat produces detection logic that misses all of them.

Three points are worth carrying out of this article:

1. Detection alone does not work. Per-asset detectors lag generative models by a release cycle, liveness checks are bypassed by camera-stream injection, and graph analysis fails on cold-start cohorts. A layered stack is the minimum viable defense.

2. The procedure decides the loss. The Arup case lost $25M because a video call was treated as a transfer authorization. The Ferrari and LastPass attempts failed because the person on the receiving end applied a check the attacker could not satisfy – a shared-context question, an escalation of an off-channel request to security. Same technology, different outcome.

3. The action items are concrete. For internal finance: out-of-band confirmation, dual approval above thresholds, a written policy that no urgent transfer is authorized via video alone. For onboarding and supply-chain partners: device-level signal collection, cluster analysis in the first 30 days, manual review during cold-start, retraining cadence with drift monitoring.

The practical question for any organization is not whether it has deepfake detection. It is which decisions in the current workflow could be pushed through by a convincing fake, and what controls would prevent that. Run that audit, fix the procedures it surfaces, and detection becomes a useful narrowing layer rather than the sole line of defense.
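The action items for internal finance in point 3, and the authorization protocol that separated the Arup outcome from the Ferrari and LastPass outcomes in the case section above, can be written down as a decision rule. The block below is an added Python example, not Arup’s, Ferrari’s, LastPass’s or Adex’s actual procedure: a `Policy` holds the knobs (dual-approval threshold, whether a face or voice on a call counts as identity proof, a cool-down for new beneficiaries, whether urgency routes to review), and `decide()` returns approve or hold with reasons. The two policies, the threshold values, the request fields and the constructed requests are all assumptions; `ARUP_SHAPED` mirrors only the shape the page describes (email priming, video call, urgency, one approver, one of fifteen transfers), not the real transaction details.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    # Hypothetical policy knobs; the threshold values are illustrative, not any company's real limits.
    dual_approval_threshold: float       # at or above this amount, two distinct approvers are required
    media_counts_as_verification: bool   # weak setting: a recognised face/voice on a call is accepted as identity proof
    cooldown_hours_new_beneficiary: int  # hold period before the first payment to a never-seen-before account
    urgency_triggers_review: bool        # an "urgent" request with no callback goes to manual review, not the fast lane

WEAK = Policy(dual_approval_threshold=5_000_000, media_counts_as_verification=True,
              cooldown_hours_new_beneficiary=0, urgency_triggers_review=False)
HARDENED = Policy(dual_approval_threshold=50_000, media_counts_as_verification=False,
                  cooldown_hours_new_beneficiary=24, urgency_triggers_review=True)

@dataclass(frozen=True)
class TransferRequest:
    amount: float
    claimed_requester: str          # the identity the instruction claims to come from
    urgent: bool
    channels: frozenset             # channels the instruction arrived on: "email", "video_call", "voice_call", "whatsapp"
    callback_confirmed: bool        # approver dialled a pre-registered number for claimed_requester and got confirmation
    approvers: frozenset            # distinct humans who have signed off
    new_beneficiary: bool
    hours_since_beneficiary_added: int = 0

def identity_verified(req, policy):
    """A callback the approver initiated always counts. Inbound media counts only under the weak policy."""
    if req.callback_confirmed:
        return True
    return policy.media_counts_as_verification and bool(req.channels & {"video_call", "voice_call"})

def decide(req, policy):
    """Return ("approve", []) or ("hold", [reasons]). No single signal can approve on its own."""
    holds = []
    if not identity_verified(req, policy):
        holds.append("identity not confirmed out-of-band (callback to a pre-registered number)")
    if req.amount >= policy.dual_approval_threshold and len(req.approvers) < 2:
        holds.append("dual approval required at or above %d" % policy.dual_approval_threshold)
    if req.new_beneficiary and req.hours_since_beneficiary_added < policy.cooldown_hours_new_beneficiary:
        holds.append("new beneficiary still inside the cool-down window")
    if policy.urgency_triggers_review and req.urgent and not req.callback_confirmed:
        holds.append("urgency trigger: urgent and unconfirmed routes to manual review")
    return ("hold" if holds else "approve", holds)

# Constructed request modelled on the shape of the Arup case: instruction primed by email, delivered on a
# video call, urgent, one approver, one of fifteen transfers, payee not seen before. Amounts are illustrative.
ARUP_SHAPED = TransferRequest(
    amount=1_700_000, claimed_requester="cfo", urgent=True,
    channels=frozenset({"email", "video_call"}), callback_confirmed=False,
    approvers=frozenset({"finance_clerk"}), new_beneficiary=True, hours_since_beneficiary_added=0,
)

# Constructed request that satisfies the hardened policy: same amount, confirmed by callback, dual-signed,
# beneficiary past its cool-down.
VERIFIED = TransferRequest(
    amount=1_700_000, claimed_requester="cfo", urgent=False,
    channels=frozenset({"email"}), callback_confirmed=True,
    approvers=frozenset({"finance_clerk", "treasury_lead"}), new_beneficiary=True, hours_since_beneficiary_added=48,
)

if __name__ == "__main__":
    for label, req in (("arup-shaped", ARUP_SHAPED), ("verified", VERIFIED)):
        for pname, policy in (("weak", WEAK), ("hardened", HARDENED)):
            verdict, reasons = decide(req, policy)
            print(f"{label:12s} {pname:9s} {verdict:8s} {reasons}")
```

The weak policy approves the Arup-shaped request because it lets the call itself satisfy verification; the hardened policy holds it on four independent grounds, and still approves the same amount when it arrives with a callback and a second signer. The point is the shape of the rule, not the numbers: every hold reason is something the attacker on the call cannot produce.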


Frequently asked questions

Are deepfake scams illegal?

The synthetic asset itself is not always illegal, but using it to defraud, impersonate, or steal is almost always illegal under existing fraud, wire fraud, identity theft, and anti-impersonation statutes.

Many jurisdictions have added or are adding deepfake-specific provisions, particularly around non-consensual intimate imagery and election interference. The act of fraud is what is prosecuted; the deepfake is the tool.


How common are deepfake scams?

Reported volumes have risen sharply year over year across financial services, KYC platforms, and corporate-fraud channels. Public reports from identity-verification vendors and government cybercrime centers consistently show multi-fold increases in detected synthetic-identity attempts since 2022. Recent figures are in the Sumsub 2025 Identity Fraud Report and in the FBI IC3 annual reports.


How can I tell if a video or voice is a deepfake?

Modern deepfakes can be hard to detect from media alone. Useful tells when they appear: lip-sync drift, unnatural blinking or eye movement, audio with consistent emotional flatness, background and lighting that do not match the speaker’s claimed location, and prosody (rhythm and stress patterns) that feels mechanical. The more reliable defense is procedural: verify identity through a separate, pre-known channel before acting on requests for money or access.


What should I do if I have been targeted by a deepfake scam?

Stop any in-progress transaction. Notify your bank or payment provider immediately. Preserve the original message, call recording, or video. Report to your national cybercrime agency – in the United States, the FBI IC3 and the FTC; in the EU, your national CERT and the platform on which the contact occurred. If the impersonation involved a real person, notify them – they may be under broader attack.


How do deepfakes get past liveness checks?

The current dominant technique is camera-stream injection: software intercepts the OS-level camera interface and feeds a synthetic video to the verification SDK, so passive-liveness signals (texture, micro-motion) are read as real. Defenses have shifted to interrogating the device itself: checking whether the camera feed originates from real hardware, rather than relying solely on facial analysis.


Are deepfake scams a YMYL (“Your Money or Your Life”) concern for businesses?

Yes. The financial-loss exposure is direct, the identity-and-trust exposure is structural, and the consumer-harm exposure is real (investment-scam victims, especially older users, lose meaningful sums to deepfaked endorsements). For platforms, the regulatory exposure under emerging AI and consumer-protection rules is rising. Organizations should treat the topic with the same diligence they apply to any high-trust workflow.


Can deepfake detection be solved by AI?

Partially, but not durably on its own. Detection models lag generation models by a release cycle, and adversaries can train against publicly known detectors. The robust answer combines detection (multi-layered, regularly retrained, with drift monitoring) and procedure (out-of-band verification, dual approval, threshold controls). Either alone fails predictably.