
Deepfakes and Business Email Compromise: The Evolving Fraud Landscape

Sam Wheeler · October 15, 2025

Business Email Compromise has been the highest-dollar fraud category in the FBI's Internet Crime Report for years — consistently exceeding ransomware losses in total dollar terms. The attack is conceptually simple: impersonate someone trusted and convince someone with financial authority to move money.

What's changed is the technology available to impersonate. Voice cloning and video deepfakes have moved from cutting-edge AI research to criminal tools, and the combination with BEC tactics creates a threat that's significantly harder to recognize and resist.

How BEC Works

Traditional BEC relies on email spoofing or account compromise. An attacker who can send email appearing to come from the CEO or CFO instructs the finance team to initiate a wire transfer, change a vendor's banking details, or send W-2 data.

The tells are often visible: the email domain is slightly off, the writing style doesn't match, the request bypasses normal processes. Training employees to spot these tells has had some effectiveness.

What Deepfakes Change

Deepfake audio and video eliminate many of the tells that make BEC detectable.

Voice deepfakes. With a few minutes of audio from public appearances, earnings calls, or video content, criminal groups can clone an executive's voice convincingly enough to deceive people who interact with that person regularly. A finance team member receives a call from "the CFO" — the voice is familiar, the manner is right — asking to initiate an urgent wire transfer.

Video deepfakes. In documented 2024 cases, attackers conducted video calls featuring deepfake representations of executives and colleagues. A finance employee at a multinational was manipulated into wiring $25 million after a deepfake video conference that appeared to show the CFO and other colleagues.

The psychological barriers that protect against text-based fraud — "this seems unusual, let me verify" — are more easily bypassed when you appear to be looking at and talking to someone you know.

What Defenses Work

Out-of-band verification for financial transactions. This is the most effective single control. Any request for a wire transfer, payment change, or banking detail update must be verified through a completely separate channel — not by calling a number provided in the request, but by calling a number from your internal directory or address book that you've used before.

The policy should be absolute: no exceptions for urgency, no "the CEO said it's critical." If the request is legitimate, a 30-second call to a known number to verify is not a meaningful obstacle. If the request is fraud, the policy is what stops it.

Verbal code words for voice verification. For executive teams that communicate regularly about sensitive matters, a pre-agreed verbal authentication code (known only internally) can verify the caller's identity against deepfake imposters. It is awkward to implement, but effective for the highest-risk scenarios.

AI detection tools. Tools designed to detect deepfake audio and video exist and are improving. For high-stakes video calls involving sensitive decisions, deepfake detection can be a layer of defense. The technology is imperfect and continuing to develop on both sides.

Process enforcement. Policies requiring multiple approvers for large transactions, mandatory 24-hour delays on new vendor banking details, and automatic review triggers for unusual payment destinations create structural friction against fraud even when social engineering succeeds.

Training on deepfake reality. Most employees still don't understand what deepfakes are or that they're being used operationally. Briefing employees — especially finance teams and executives — on what deepfakes look like, that they're being used in fraud, and what the verification procedures are is foundational.
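The out-of-band verification and process enforcement controls described above can be written down as a payment-release gate. The sketch below is an added example, not code from this article or any payment product; the dollar threshold, field names and sample records are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds, field names and sample data are assumptions for illustration.
DUAL_APPROVAL_THRESHOLD = 10_000        # assumed cutoff for a "large" transaction
BANK_CHANGE_HOLD = timedelta(hours=24)  # the 24-hour delay on new banking details

@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    dest_account: str
    requested_by: str
    approvers: tuple          # people who approved the release
    callback_number: str      # number actually dialled to verify the request
    callback_confirmed: bool  # the person reached confirmed the request
    urgent: bool = False      # recorded, but the gate never reads it

def release_blockers(req, directory, vendor_accounts, now):
    """Return reasons the payment must not be released (empty list = release)."""
    blockers = []
    known = directory.get(req.requested_by)
    # Out-of-band check: the callback must go to the internal directory
    # number, never to a number that arrived with the request.
    if known is None or req.callback_number != known:
        blockers.append("callback not made to directory number")
    elif not req.callback_confirmed:
        blockers.append("requester did not confirm on callback")
    # Multiple approvers for large transactions; the requester does not count.
    independent = set(req.approvers) - {req.requested_by}
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(independent) < 2:
        blockers.append("needs two independent approvers")
    # Unusual destination, or banking details still inside the hold window.
    recorded = vendor_accounts.get(req.vendor, {}).get(req.dest_account)
    if recorded is None:
        blockers.append("destination account not on file: manual review")
    elif now - recorded < BANK_CHANGE_HOLD:
        blockers.append("banking details changed within 24 hours")
    return blockers

# Constructed sample data (not from the article).
NOW = datetime(2025, 10, 15, 12, 0)
DIRECTORY = {"cfo": "+1-555-0100"}
VENDOR_ACCOUNTS = {"Acme Supply": {"ACCT-OLD": NOW - timedelta(days=400),
                                   "ACCT-NEW": NOW - timedelta(hours=3)}}
# An urgent "CFO" request verified by calling the number the caller supplied.
SUSPECT = PaymentRequest("Acme Supply", 250_000, "ACCT-NEW", "cfo",
                         ("cfo", "clerk"), "+1-555-0199", True, urgent=True)
ROUTINE = PaymentRequest("Acme Supply", 4_200, "ACCT-OLD", "cfo",
                         ("clerk",), "+1-555-0100", True)
```

The gate has no branch that reads `urgent`, so marking a request critical cannot shorten the hold or remove the callback.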

The Limits of Technology

Deepfakes are an arms race. Detection tools improve; deepfake quality improves. Organizations that depend solely on deepfake detection will lose that race.

The most durable defenses are process-based: verification procedures that work regardless of how convincing the impersonation is. An attacker who clones your CEO's voice can't answer the CEO's actual cell phone when you call it to confirm the transaction, and a verification process that requires that confirmation stops the fraud regardless of audio quality.

Build the process. Train to it. Enforce it without exceptions, especially under time pressure — urgency is the social engineering tool that attacks the process.
