Deepfake Video Calls: How Scammers Impersonate CEOs and CFOs to Authorize Transfers

Summary: Deepfake video call scams use AI-generated faces and voices to impersonate senior executives on live calls, pressuring staff to bypass controls and approve urgent payments. This guide explains how the scam works, early warning signs, prevention controls, and a rapid incident response plan you can apply today.

What Is a Deepfake Video Call Scam?

Attackers use AI models to synthesize a convincing video and voice of a known executive. They arrange a video call—often on short notice—claiming a confidential deal, acquisition, or crisis. During the call, the fake executive instructs finance, treasury, or operations staff to move funds or share sensitive documents. Because the request appears to come from a familiar leader in real time, employees feel social pressure to comply and skip verification steps.

Why These Scams Work

  • Authority bias: Requests appear to come from the CEO, CFO, or General Counsel.
  • Urgency and secrecy: Phrases like “regulatory deadline,” “board embargo,” or “don’t involve anyone else” discourage normal checks.
  • Context hijacking: Attackers cite real projects from LinkedIn, press releases, or internal chatter leaked via email compromises.
  • Real-time pressure: Live video removes the delay employees might use to verify.
  • Seamless setup: Calls happen over familiar platforms (Zoom, Teams, Meet) or new tools sent in a calendar invite that bypass IT.

Common Attack Chain

  1. Reconnaissance: Scrape executive photos, panels, past talks, quarterly calls, and voice clips to train the model. Steal org charts from LinkedIn or leaked inboxes.
  2. Initial compromise: Phish an assistant or finance inbox to learn workflows, vendors, and approval limits. Use inbox rules to hide replies.
  3. Staging the meeting: Send a calendar invite with a new meeting link, often outside corporate SSO. Label it “strictly confidential”.
  4. Live impersonation: The deepfake joins with video and voice. Attacker keeps the camera small or blurry “due to travel Wi-Fi”.
  5. Payment push: Instructs to create a new vendor, adjust an existing invoice, or wire to an overseas account “to close today”.
  6. Isolation: Asks the employee not to loop in others, citing NDAs or “board embargo”.
  7. Extraction: Once funds move, they hop through crypto off-ramps or mules. If documents are the goal, they exfiltrate bids, M&A materials, or customer data.

Red Flags to Spot Early

  • New meeting links that bypass your normal SSO or waiting room controls.
  • Camera or mic quality excuses: “Bad hotel Wi-Fi,” “airport lounge,” or “camera glitch” to hide lip-sync imperfections.
  • Strange timing: Calls scheduled outside business hours or when the real executive is traveling.
  • Process-breaking requests: Asking to skip second approvers, vendor verification, or bank callbacks.
  • Payment to new beneficiaries with no purchase order, or a “temporary” account change.
  • Urgent NDAs that block you from consulting peers or managers.
  • Language mismatches: Tone, cadence, or slang that the real exec wouldn’t use.
  • Odd background/lighting that doesn’t match known office or travel locations.

Prevention: Practical Controls That Work

1) Enforce out-of-band verification for money movement. Any new payee, bank change, or rush wire requires a callback on a verified phone number (from HR/finance directory) or a fresh message inside your official chat with the executive. Never trust the number or link provided in the request.

2) Require two humans for release. Set approval thresholds (e.g., >$5k or any new beneficiary) that require dual control from finance + a second department (legal/ops). No single person can create and release a payment.

3) Lock meeting platforms. Only accept video meetings on corporate-approved platforms with SSO enforced, lobby enabled, and recording allowed. Block new domains and unknown conferencing apps by default.

4) Publish an executive verification profile. Maintain an internal page with each exec’s known travel dates, usual meeting tools, and escalation paths. Train staff that any deviation requires a pause and verification.

5) Pre-authorize vendors. Use a vendor master file with verified banking coordinates. Changes require a cooldown period plus callback to an existing number on file—not the one supplied in the request.

6) Watermark executive video calls. For sensitive meetings, enable dynamic watermarks or a rotating code phrase known only to participants. Teach execs to use a shared authentication phrase when requesting urgent action.

7) Harden inboxes. Enable MFA, disable mail forwarding rules, and alert on creation of new inbox rules that move or delete messages from finance/leadership.

8) Train with live drills. Run quarterly “urgent payment” tabletop exercises. Reward employees for pausing and verifying, even if it slows a deal by an hour.
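A payment release gate that encodes controls 1, 2 and 5 above, added here as an illustration and not part of the original guide: the class and function names, the three-day cooldown length and the ISO-string date handling are assumptions; the $5k dual-control threshold and the "directory number, never the number in the request" rule are the guide's.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Added example: a release gate for controls 1 (out-of-band callback), 2 (dual control)
# and 5 (vendor bank-change cooldown). Only the $5k threshold comes from the guide.
DUAL_CONTROL_THRESHOLD = 5_000   # guide: >$5k or any new beneficiary needs two approvers
COOLDOWN_DAYS = 3                # assumption: the guide does not fix a cooldown length

@dataclass
class PaymentRequest:
    amount: float
    beneficiary_is_new: bool
    bank_details_changed_on: Optional[str]   # ISO date of the last vendor bank change, None if untouched
    callback_number_source: str              # "directory" (HR/finance directory) or "request"
    callback_completed: bool
    approver_departments: Set[str] = field(default_factory=set)

def release_blockers(req: PaymentRequest, today: str) -> List[str]:
    """Return the controls that block release; an empty list means the payment may go out."""
    blockers = []
    # Control 1: callback must have happened, and only on a number from the directory,
    # never on the number or link supplied inside the request itself.
    if not req.callback_completed or req.callback_number_source != "directory":
        blockers.append("callback on a directory-verified number is required")
    # Control 2: finance plus a second department must approve above the threshold
    # or for any new payee; one person can never create and release.
    if req.amount > DUAL_CONTROL_THRESHOLD or req.beneficiary_is_new:
        if "finance" not in req.approver_departments or len(req.approver_departments) < 2:
            blockers.append("dual control: finance plus a second department must approve")
    # Control 5: a changed bank coordinate stays frozen until the cooldown has elapsed.
    if req.bank_details_changed_on is not None:
        changed = date.fromisoformat(req.bank_details_changed_on)
        if date.fromisoformat(today) - changed < timedelta(days=COOLDOWN_DAYS):
            blockers.append(f"bank change is inside the {COOLDOWN_DAYS}-day cooldown")
    return blockers
```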

How to Verify a Suspicious Request (60-Second Playbook)

  1. Pause the call. Say you must follow finance policy for verification.
  2. Call back on a trusted number from your directory (not the invite). Or send a fresh message inside your existing secure chat with the exec.
  3. Cross-check context: Ask about a recent internal detail the attacker wouldn’t know (e.g., last board date, code name from an unrelated project).
  4. Refuse new banking details without vendor verification and cooldown.
  5. Record and report the call to security; preserve logs and the invite.

If You Already Sent Money: Rapid Response

  1. Call the bank immediately. Initiate a recall/freeze and request a hold on onward transfers. Provide timestamps, account numbers, and amounts.
  2. Notify internal security and legal. Treat as a business email compromise + social engineering incident.
  3. Preserve evidence. Save meeting links, calendar invites, chat transcripts, and call recordings. Do not delete the inbox.
  4. Trace the flow. If funds moved to crypto, collect TX hashes and contact the exchange’s fraud desk. File police/IC3 reports quickly to aid freezes.
  5. Reset trust. Rotate any credentials shared, audit inbox rules, and re-verify vendor records touched during the incident.
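The inbox-rule audit in step 5 (and the alerting control in prevention item 7) can be scripted over mailbox audit records. This is an added example, not code from the original guide: the records are constructed to resemble Exchange Online inbox-rule audit events, and the internal domain, watched mailboxes and folder list are assumptions.

```python
import json
from typing import List, Tuple

# Added example: triage inbox-rule audit events for the reply-hiding and forwarding
# rules attackers create. Sample records are constructed, not taken from a real tenant.
INTERNAL_DOMAIN = "example.com"                              # assumption: the org's mail domain
WATCHED_MAILBOXES = {"cfo@example.com", "ap@example.com"}    # finance/leadership mailboxes
HIDE_FOLDERS = {"rss feeds", "archive", "deleted items", "junk email", "conversation history"}

SAMPLE_AUDIT_LINES = [
    '{"UserId":"ap@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},'
    '{"Name":"SubjectContainsWords","Value":"wire;invoice"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"UserId":"cfo@example.com","Operation":"Set-InboxRule","Parameters":[{"Name":"Name","Value":"Travel"},'
    '{"Name":"ForwardTo","Value":"relay@mail-example.net"}]}',
    '{"UserId":"ap@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Newsletters"},'
    '{"Name":"MoveToFolder","Value":"Reading"}]}',
    '{"UserId":"ap@example.com","Operation":"MailItemsAccessed","Parameters":[]}',
]

def analyse_rule_event(raw_json: str) -> List[str]:
    """Return the reasons one audit record looks like reply hiding or exfiltration ([] = benign)."""
    event = json.loads(raw_json)
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append("rule files mail into a rarely read folder")
    for action in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = params.get(action, "")
        if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"{action} points outside {INTERNAL_DOMAIN}")
    if not params.get("Name", "x").strip(" .,-_"):
        reasons.append("rule name is blank or punctuation only")
    if reasons and event.get("UserId") in WATCHED_MAILBOXES:
        reasons.insert(0, "watched finance/leadership mailbox")
    return reasons

def triage(lines) -> List[Tuple[str, List[str]]]:
    """Return (UserId, reasons) for every record that deserves an analyst's attention."""
    hits = []
    for line in lines:
        reasons = analyse_rule_event(line)
        if reasons:
            hits.append((json.loads(line)["UserId"], reasons))
    return hits
```

Run `triage(SAMPLE_AUDIT_LINES)` to see the delete-on-match rule and the external forward flagged while the newsletter rule and the non-rule event pass.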

Building a Resilient Culture

  • Normalize verification. Leadership must state—often—that they welcome callbacks and delays for security.
  • Celebrate “pause” moments. Highlight employees who halted suspicious payments.
  • Document playbooks. Keep a one-page “wire transfer verification” SOP pinned in finance channels.
  • Update travel calendars. Share executive travel windows internally to reduce confusion.
  • Limit public signals. Reduce oversharing of real-time locations or deal hints on social media.

Key Takeaways

  • Assume any urgent payment request can be faked, even on live video.
  • Use out-of-band callbacks and dual approval for every new payee or bank change.
  • Train finance and assistants to pause, verify, and escalate without fear.
  • Lock meeting tools, and treat unknown links as hostile until verified.
  • Practice the 60-second playbook so your team can act under pressure.

Deepfake video call scams succeed when urgency overrides process. Build policies that make verification automatic, and give employees cover to slow down—especially when money is moving fast.
