Subscribe
Tech

How deepfakes are transforming corporate risk management

Enrique Dans|Published

.

Image: master1305/Adobe Stock

For years, deepfakes were treated as a political or social media oddity, a strange corner of the internet where celebrity faces (of women 99% of the time) were pasted onto fake videos (porn in 99% of the cases) and nobody quite knew what to do about it. But that framing is now dangerously outdated, because deepfakes have quietly evolved into something much more systemic: an operational risk for corporations, capable of corrupting supply chains, financial workflows, brand trust, and even executive decision-making. 

Recent headlines show that synthetic media is no longer a fringe experiment. It is a strategic threat, one that companies are not prepared for. 

When a deepfake can steal $25 million 

In February 2025, global engineering firm Arup fell victim to a sophisticated deepfake fraud. Attackers used AI-generated video and audio to impersonate senior leadership and convinced an employee to transfer $25 million in company funds. The World Economic Forum described it as a milestone event: the moment synthetic fraud graduated from experiment to enterprise-scale theft. 

For any executive who still thinks of deepfakes as a social media phenomenon, this should be a wake-up call. 

Arup had strong cybersecurity. What it didn’t have was identity resilience—the ability to verify that the human on the other side of the call was actually human. 

CEO fraud, but this time with perfect replicas 

In the past year, deepfake CEO-fraud attempts have surged, targeting CFOs, procurement teams, and M&A departments. A 2025 report noted that more than half of surveyed security professionals had encountered synthetically generated executive impersonation attempts. 

It’s easy to see why: 

  • Deepfake video is now real-time and high-resolution. 
  • Voice cloning requires only a few seconds of audio. 
  • Attackers can now spoof emotion, urgency, or stress, exactly the cues that override employee skepticism. 

One midsize tech firm reportedly lost $2.3 million after a convincingly faked audio call instructed finance to transfer funds for an “urgent acquisition.” 

Clearly, traditional anti-phishing training doesn’t prepare employees for a perfectly reconstructed version of their boss. 

Deepfakes are no longer about politics: They’re about business models 

When a deepfake impersonates a celebrity to promote a fraudulent investment scheme, that’s reputational damage. When a deepfake impersonates your spokesperson, CFO, product, or supply chain partner, that becomes a corporate disaster. 

We’ve entered a phase where synthetic media sits squarely inside the business risk landscape, according to Trend Micro’s 2025 industry report. Synthetic content now drives new waves of fraud, identity theft, and business compromise. 

This isn’t hypothetical. It’s operational.  

The new supply chain risk executives are not seeing 

Brands increasingly rely on complex ecosystems: logistics partners, suppliers, distributors, influencers, service providers, third-party integrators. Every one of those nodes depends on trust. 

Deepfakes turn trust into an attack surface. 

Imagine these scenarios: 

  • A fake video “from your CEO” announcing a shift in sourcing strategy sends suppliers into panic. 
  • A voice clone instructs your Asian manufacturing partner to halt delivery. 
  • A synthetic “leaked clip” of a defective product goes viral before your PR team wakes up. 
  • A deepfake of a key supplier falsely “confirms” cybersecurity weaknesses, causing downstream partners to sue. 

These are not science fiction. They are logical extensions of attack patterns that are already being deployed — and they expose a blind spot in corporate risk management: the integrity of identity itself. 

Why deepfakes hit brands harder than politics 

Political deepfakes spark outrage. Corporate deepfakes trigger something worse: 

  • Loss of customer trust 
  • Stock volatility  
  • Insider trading vulnerabilities 
  • Lawsuits from partners 
  • Regulatory scrutiny 

The Securities an Exchange Commision has already warned the financial sector that AI-generated impersonation is reshaping fraud strategies, calling for upgraded identity-verification standards. 

If regulators are paying attention, executives should too.  

Why the traditional cybersecurity playbook isn’t enough 

Firewalls won’t stop a deepfake. Multi-factor authentication won’t stop a deepfake. Encryption won’t stop a deepfake. 

Deepfakes weaponize something no cybersecurity team has historically been responsible for: trust in human appearance and voice. The weakest link is no longer a password. It’s a person’s belief that they’re speaking with someone they know. 

Identity, not infrastructure, is the new vulnerability.  

Why brands must treat deepfakes as supply chain risk 

Most companies still relegate deepfakes to the PR desk or “misinformation team.” That’s naive. 

Deepfakes threaten: 

  • Procurement workflows (fake POs, fake cancellations) 
  • Vendor relationships (fake disputes, fake compliance issues) 
  • Finance approvals (deepfake CFO instructions) 
  • Customer trust (fake product failures, fake CEO messages) 
  • Employee morale (synthetic HR directives, fake memos) 

This is not just about fraud. Deepfakes can disrupt the coordination mechanisms that make supply chains work. They can paralyze a system without ever touching a firewall.  

What business leaders must do (now) 

Here is the emerging best-practice playbook for executives: 

  1. Add deepfake risk to your enterprise risk management framework: If ransomware is a board-level issue, synthetic identity needs to be too. 
  2. Implement verification protocols that do not rely on voice or video: Use secondary digital signatures, secure channels, or pre-agreed workflows.  
  3. Audit your vendors, suppliers, and partners: Ask whether they have deepfake-resilience policies, because their vulnerabilities become yours. 
  4. Deploy detection systems, but don’t trust them blindly: Infosecurity Magazine notes that detection tools are improving but remain unreliable
  5. Train employees to distrust urgency: Most deepfake fraud leverages emotional acceleration: “This is critical, do it now.” Your strongest defense is giving employees permission to slow down. 
  6. Build an internal “identity resilience” policy: Define exactly how major decisions and financial approvals must be confirmed. No exceptions for “I saw them on video.” 

The uncomfortable truth is that AI has made seeing and hearing obsolete. With AI, we’ve crossed a psychological Rubicon: Your eyes and ears are no longer authentication mechanisms. 

Executives who fail to internalize this will face the same fate as companies that ignored phishing, ransomware, or cloud governance a decade ago—only faster, and with higher stakes. 

Deepfakes are not about what is true: They are about what is believable. And in business, believability is often all that matters.  

The new leadership challenge 

The companies that thrive in the AI era won’t be those with the biggest models or the flashiest copilots. They will be the ones that redesign trust, identity, and verification from the ground up. 

Because if deepfakes can corrupt your operations and supply chain, then defending against them is not an IT problem. It is a leadership problem. 

And if you don’t solve it now, someone else (perhaps an algorithm with your CEO’s face) might solve it for you. 

ABOUT THE AUTHOR

Enrique Dans has been teaching Innovation at IE Business School since 1990, hacking education as Senior Advisor for Digital Transformation at IE University, and now hacking it even more at Turing Dream. He writes every day on Medium. 

FAST COMPANY