Deepfakes: The New Emergency Rewriting the Rules of Business
Synthetic meetings, phantom hires, new AI Act deadlines: what's changing for your company and what to do tomorrow.
In January 2024, a finance employee at Arup, the British engineering multinational behind the Sydney Opera House, transferred $25.6 million after a video conference with the CFO and several colleagues—all of them generated by artificial intelligence. It wasn't just a cloned voice: it was the entire meeting, with multiple deepfake participants interacting in real time. More than two years later, the Arup case remains one of the defining examples of corporate deepfake fraud—not because it was an outlier, but because it showed how quickly impersonation could move from fake audio to entire synthetic meetings.
The 2026 Numbers: From Emergency to Criminal Infrastructure
The most current picture comes from Surfshark's April 2026 study, built on the AI Incident Database, Resemble AI, and OECD data: publicly documented losses tied to deepfake fraud have reached $2.19 billion between 2019 and March 2026. A necessary caveat: databases like these track publicly reported incidents, so they measure the visibility of the phenomenon, not its full extent—deepfake fraud is chronically underreported, and the real figure is almost certainly higher. The number that matters is the distribution over time: $1.65 billion in 2025 alone, against roughly $130 million across the previous five years combined. The first three months of 2026 have already added $96 million to the count.
The dominant category isn't CEO fraud—it's fake investment endorsements using deepfakes of celebrities and public officials: $1.13 billion, 52% of all documented losses. Europe is squarely in the crosshairs: the UK leads the continent with $149 million in losses, followed by Sweden ($63M) and Spain ($56M), with around 90% of those losses driven by celebrity-impersonation scams. In Italy, fake videos of the Prime Minister and the President promising guaranteed returns forced the financial markets regulator to black out a string of scam websites.
On the corporate front, a September 2025 Gartner survey found that 62% of organizations experienced a deepfake attack in the prior twelve months. Resemble AI verified 487 incidents in Q2 2025 and 2,031 in the following quarter—a fourfold jump in three months. Sumsub reports 180% year-over-year growth in "sophisticated" identity fraud, up from 10% to 28% of all identity fraud. And according to Group-IB, more than 10% of banks have already suffered losses above $1 million from synthetic-voice vishing, averaging $600,000 per incident.
The Deloitte Center for Financial Services projection remains the benchmark: $40 billion in US losses from generative-AI-enabled fraud by 2027, growing 32% annually.
From Cloned Audio to Phantom Hires
The history of corporate deepfakes begins in March 2019, when the CEO of a UK subsidiary of a German energy group received a phone call from his boss—or so he believed. The voice perfectly replicated the German accent, the cadence, the personal inflections. The result: €220,000 wired to Hungary in under an hour.
Since then, the attacks have grown bolder. In July 2024, a Ferrari executive received WhatsApp messages and then a phone call from "CEO Benedetto Vigna" discussing a confidential acquisition. The deepfake voice captured Vigna's southern Italian accent perfectly. What saved Ferrari? A personal question: the title of a book Vigna had recently recommended. The fraudster couldn't answer.
WPP, the advertising giant, faced a similar attempt in May 2024: a Microsoft Teams call in which CEO Mark Read appeared (via AI) alongside other executives, requesting the creation of a new corporate entity. Only an employee's vigilance stopped the fraud.
The most underrated trend is in hiring. According to Resume Genius, 17% of HR managers have already encountered deepfake candidates in video interviews—and Gartner predicts that by 2028, one in four candidates will be fake. The US Department of Justice revealed that more than 300 American companies unknowingly hired North Korean operatives using false identities and deepfake technology, funneling over $6.8 million in total. The FBI's Internet Crime Report documented $13 million in reported losses tied to audio and video deepfakes in remote job interviews. If you hire remote developers—which today means almost everyone, us included—this is not a theoretical problem.
Courts Are Losing Their Compass for Digital Truth
The legal system is confronting a genuinely new epistemological problem. In September 2025, in Mendones v. Cushman & Wakefield in California, Judge Victoria Kolakowski identified, for the first time, deepfake evidence submitted as authentic: video with robotic movements, repeated loops, unnatural facial expressions. Metadata analysis revealed the smoking gun: the video claimed to have been shot on an iPhone 6 but required features available only from the iPhone 15 onward. The case was dismissed with terminating sanctions.
But the problem cuts both ways. On one side, fake evidence entering courtrooms. On the other, what experts call the "liar's dividend": the ability to challenge authentic evidence by claiming it might be a deepfake. In the Tesla Autopilot litigation, back in 2023, Elon Musk's lawyers attempted to argue that 2016 video statements by the CEO could have been fabricated. Judge Evette Pennypacker called the argument "deeply troubling," ruling that one cannot say whatever one likes in public and then hide behind the possibility that it's a deepfake.
Research from the Brookings Institution has shown that politicians who falsely claim authentic evidence is deepfaked gain more public support than those who stay silent or apologise. A perverse incentive to deny authentic evidence is taking shape.
The American regulatory response remains fragmented: Louisiana passed the first state law (Act 250, August 2025) requiring attorneys to exercise "reasonable diligence" in verifying the authenticity of evidence, while the proposed federal Rule 901(c) for potentially AI-fabricated evidence faces years of procedure before adoption.
Regulators Have Stopped Watching
For two years, the deepfake threat outpaced lawmaking. That window is closing—on both sides of the Atlantic.
Europe: the May 7 agreement redraws the calendar. On May 7, 2026, the EU Council and Parliament reached political agreement on the Digital Omnibus on AI, the first package of amendments to the AI Act since its adoption. Three dates to mark:
- August 2, 2026 — the core Article 50 transparency duties remain on schedule: deployers must disclose when users are interacting with an AI system, and anyone publishing deepfake content must declare its artificial nature.
- December 2, 2026 — one specific obligation slips: the Article 50(2) duty for providers of generative systems to mark AI-generated content in machine-readable format ("watermarking") moves from August to December—a deferral of just four months. If you build or integrate generative systems, you have six months from today.
- December 2, 2027 / August 2, 2028 — the high-risk system obligations (Annex III and Annex I respectively) are deferred substantially, pending technical standards and operational national authorities.
The agreement also introduces an outright ban on "nudification" apps—systems designed to generate explicit content of identifiable people without consent. The AI Act's penalties remain deterrent-grade: up to €15 million or 3% of global annual turnover. And the scope is extraterritorial: if your content or systems reach EU users, the rules reach you—regardless of where your company is incorporated.
National laws are filling the gaps. Italy moved first among EU member states: Law 132/2025, in force since October 2025, added Article 612-quater to the Criminal Code, targeting the non-consensual dissemination of AI-generated or altered images, video, or voice that mislead as to their authenticity and cause unjust harm—punishable by one to five years in prison—plus a general aggravating circumstance for any crime committed using AI systems, with direct consequences for corporate liability models. Companies operating in Italy now need to update their compliance frameworks accordingly; expect other member states to follow the template.
In the United States, the TAKE IT DOWN Act (May 2025) became the first major federal law specifically targeting non-consensual intimate deepfake imagery, criminalising AI-generated "digital forgeries" and mandating platform takedowns within 48 hours; a rapidly growing number of states have adopted deepfake laws of their own, most of them enacted in 2024–2025. China has maintained one of the strictest frameworks since 2023, with mandatory labeling and consent requirements. The UK criminalises non-consensual sexually explicit deepfakes under the Online Safety Act.
The takeaway: compliance exposure is no longer hypothetical, and it doesn't respect borders.
The Defensive Toolbox Exists—Few Are Using It
The most alarming statistic isn't the growth in attacks, but the lag in defenses: the vast majority of companies still have no specific protocols for handling a deepfake attack. Yet the solutions exist.
On the technology front, a detection market has matured. Intel's FakeCatcher analyses facial blood flow—when the heart pumps blood, veins change color in ways current deepfakes struggle to replicate. Reality Defender offers a multi-modal platform for images, video, audio, and text. Pindrop integrates directly with Zoom, Teams, and Webex for real-time synthetic voice detection; Resemble AI focuses on audio across more than 30 languages. One caution applies to all of them: vendors report high accuracy in controlled or benchmarked conditions, but real-world performance varies with compression, content quality, language, and adversarial adaptation. No detector should be treated as a standalone control.
Which is why procedural defenses are often more reliable than technical detection:
- Callback protocols: before any transfer or change of banking details, call the recipient using independently verified numbers—never the ones provided in the suspicious communication
- Executive security codes: verbal passwords to confirm identity, including a "duress code" that signals coercion without alerting the attacker
- Video call challenges: ask participants to pass a hand in front of their face (it destabilizes deepfake filters), turn their head in profile, or answer unexpected personal questions—the "book question" that saved Ferrari
- Multiple approvals: no significant transaction on a single authorisation
- A "stop and verify" culture: artificial urgency is a pressure tactic, not a reason to accelerate
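The controls above can be enforced as a gate in the payment workflow rather than left to memory. The sketch below is an added example, not code from the article or from any vendor; the directory entry, phone numbers, threshold and field names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory of record: numbers verified out of band, never taken
# from the message or call that asked for the payment.
DIRECTORY = {"acme-supplies": "+44 20 7946 0001"}
DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value

@dataclass
class PaymentRequest:
    requester: str
    counterparty: str
    amount: float
    changes_bank_details: bool
    marked_urgent: bool
    callback_number_used: Optional[str] = None  # number the callback was placed to
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)

def release_decision(req):
    """Return ("release" or "hold", list of reasons for a hold)."""
    reasons = []
    known = DIRECTORY.get(req.counterparty)
    if known is None:
        reasons.append("counterparty not in directory of record")
    elif req.callback_number_used != known:
        reasons.append("callback not placed to the independently verified number")
    elif not req.callback_confirmed:
        reasons.append("callback did not confirm the request")
    # The requester approving their own request does not count as an approval.
    independent = req.approvers - {req.requester}
    significant = req.amount >= DUAL_APPROVAL_THRESHOLD or req.changes_bank_details
    if significant and len(independent) < 2:
        reasons.append("needs two approvers other than the requester")
    # Stop and verify: urgency never waives a failed check, it is logged with it.
    if req.marked_urgent and reasons:
        reasons.append("marked urgent while checks are outstanding")
    return ("hold" if reasons else "release", reasons)

if __name__ == "__main__":
    # Constructed request: urgent, callback made to a number supplied in the
    # request itself, approved only by the person who raised it.
    suspicious = PaymentRequest("alice", "acme-supplies", 250_000, True, True,
                                "+36 1 555 0100", True, {"alice"})
    print(release_decision(suspicious))
```

A request that is called back on the directory number and approved by two people other than the requester is released even when marked urgent; urgency on its own changes nothing in either direction.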
Content Authentication Is Becoming a Global Standard
The most promising structural response remains C2PA (Coalition for Content Provenance and Authenticity), the standard developed by Adobe, Microsoft, Intel, the BBC, the New York Times, Nikon, Canon, Sony, OpenAI, and Meta. It works like a "nutrition label" for digital content: cryptographically signed Content Credentials recording who created the content, when, how, and the full history of edits.
The approach has three layers: secure metadata embedded in the file, invisible digital watermarks that survive screenshots and re-uploads, and perceptual fingerprints that identify content even after modification. Leica and Nikon cameras already support the standard at device level, and Qualcomm Snapdragon chips embed Content Credentials directly in mobile hardware.
The limitation has always been voluntary adoption. But with the EU's watermarking mandate taking effect on December 2, 2026, what used to be an incentive is becoming a requirement.
What to Do Tomorrow Morning: A Three-Phase Action Plan
Immediate actions (this week): Implement callback protocols for all financial transactions. Establish security codes with key executives. Train finance and HR teams on the warning signs: lip-sync delays, unnatural facial movements, resistance to verification requests. Add reinforced identity verification to remote hiring interviews.
Medium term (3–6 months): Evaluate enterprise detection platforms against your specific use cases. Integrate liveness detection into digital onboarding and authentication. Build deepfake-specific incident response playbooks with a cross-functional team (CISO, Legal, PR, HR, C-suite). Map your exposure to the AI Act transparency obligations taking effect August 2, 2026—and to national criminal regimes like Italy's in any jurisdiction where you operate.
Long-term strategy: Make deepfake detection a foundational element of your security infrastructure, not an add-on. If you build or integrate generative systems, prepare for the December 2, 2026 watermarking deadline. Join industry coalitions (C2PA, Content Authenticity Initiative) to influence how the standards develop. Run regular security audits that test your deepfake response capabilities.
Conclusion: The Value of Verification in a World of Manufactured Doubt
Professor Maura Grossman of the University of Waterloo captured the new reality: instead of "trust but verify," the operating principle must become "don't trust—verify." The cultural shift required is profound. Urgency—historically an accelerator of business decisions—must become a warning sign. The convenience of digital communication must be balanced by intentional friction.
Deepfake generation technology evolves faster than detection technology, and 2025–2026 proved it with an escalation no other category of cybercrime has matched. But the answer isn't surrender: it's layered defenses combining technology, procedure, training—and now compliance, because lawmakers in Brussels, Washington, and Rome have stopped watching from the sidelines.
Organizations investing in this resilience today aren't just protecting their assets. They're preserving something more fundamental: the ability to distinguish true from false in an information ecosystem where that distinction is becoming ever more expensive to establish—and ever more valuable to own.
Sources
- Surfshark Research — Global deepfake fraud reaches $2.19B (April 2026): https://surfshark.com/research/chart/deepfake-fraud-countries
- Keepnet Labs — Deepfake Statistics 2026 (Gartner, Sumsub, Pindrop data): https://keepnetlabs.com/blog/deepfake-statistics-and-trends
- Bright Defense — 150+ Deepfake Statistics (March 2026): https://www.brightdefense.com/resources/deepfake-statistics/
- Programs.com — Deepfake Facts & Statistics (Resemble AI quarterly data): https://programs.com/resources/deepfake-stats/
- Trend Micro — Deepfake CFO Video Calls Result in $25MM in Damages (Arup case): https://www.trendmicro.com/en_us/research/24/b/deepfake-video-calls.html
- Council of the EU — Press release on the Digital Omnibus on AI agreement (May 7, 2026): https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
- Gibson Dunn — EU AI Act Omnibus Agreement (deadline analysis): https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/
- Altalex — Art. 612-quater c.p. and criminal protection against deepfakes (Italy's Law 132/2025): https://www.altalex.com/documents/news/2026/01/09/art-612-quater-cp-tutela-penale-contro-deepfake-lacuna-normativa-tipizzazione-legislativa
- FBI — Internet Crime Complaint Center (IC3), Internet Crime Report: https://www.ic3.gov/
- C2PA — Coalition for Content Provenance and Authenticity: https://c2pa.org/
Fabio Lauria
CEO & Founder, ELECTE