
Business Email Compromise Prevention: How Deepfake Scams Target SMBs & What You Can Do

It starts with a simple request: an email from your CEO and a follow-up call that sounds exactly like them. The urgency seems real. But so is the risk.

Business email compromise (BEC) attacks are on the rise, with some studies showing at least half of all social engineering-based cyberattacks are caused by BEC. Generative AI is the main reason behind that rise, with deepfakes being a common technique. According to Gartner, 62% of organizations have suffered a deepfake attack of some sort, with Akif Khan, VP Analyst at Gartner, stating, “As adoption accelerates, attacks leveraging GenAI for phishing, deepfakes and social engineering have become mainstream.”

In many BEC scams, voice deepfakes are what phish unwitting employees. During a talk at RSAC 2026, Ryan Anschutz, North America Leader with IBM – X-Force Incident Response, listed ways deepfakes are being weaponized, which include:

  • Voice impersonation of executives authorizing urgent payments or access to sensitive information
  • Manipulated video/audio messages to influence organizational staff
  • AI-generated voices escalating BEC/wire fraud

The phishing scams succeed, Anschutz added, because their social engineering tactics exploit authority, urgency, emotion and trust, while organizations can’t coordinate decisions fast enough to address an attack that is always shifting and hard to detect.

How Deepfake BEC Attacks Work Step-by-Step

There have been a number of high-profile BEC attacks — for example, a $35 million heist against UAE Bank and a faux corporate acquisition involving Ferrari — and they tend to unfold in the same manner.

Step 1: Reconnaissance

The attack usually spoofs a company executive or other high-profile person. The threat actors will gather data from a wide range of sources — from videos in webinars to LinkedIn profiles to quotes in press releases — to train large language models (LLMs) and create a deepfake.

Step 2: Target Identification

They then use company information to find their target email accounts, which most often belong to employees who work directly with financial transactions, including finance teams, those responsible for payroll and executive assistants.

Step 3: Email Request with Deepfake Reinforcement

When the deepfake is ready, threat actors will send a spearphishing email that requests an action by the recipient, such as a payment, vendor change or sensitive data transfer. This is then followed up with the deepfake phone call or video meeting to provide authenticity to the request.

Step 4: Execution

If the user believes that the person on the call is legitimate, they will proceed with the transaction, setting off the processes used by threat actors to collect and disappear with the stolen funds.

Deepfake BEC attacks work because they rely on human trust and weaknesses. This type of attack rarely has to get past the authentication and verification methods that standard phishing emails run into. The requests don’t require secondary approvals, and there are no identity controls.

How to Prevent Business Email Compromise (Before It Costs You)

Deepfake-driven business email compromise is a real threat, but it doesn’t have to result in a cyber incident. That Ferrari attack? It was thwarted because the targeted employee realized the CEO’s voice seemed odd. Most employees don’t have that level of awareness, so there are other steps that can be taken to prevent your company from becoming a victim of business email compromise attacks. In essence, you want to remove the opportunity for fraud altogether.

Here’s what that looks like in practice:

  • Require secondary confirmations or callbacks to a pre-verified, secure number before any actions are taken in regard to bank accounts, wire transfers or sharing sensitive information.
  • Harden identity and access systems. Financial accounts should be protected with MFA login credentials and limited access privileges. Executives should not be allowed to bypass identity authentication tools.
  • Deploy layered email and identity security tools to detect fraudulent requests, from email account authentication to behavior analytics for anomalies and tools that flag AI audio and video.
  • Educate employees to recognize urgency-based manipulation tactics.
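
The first two controls above can be enforced as a release gate in front of any payment or vendor-change workflow. The sketch below is an added example, not Fairdinkum's code; the action names, field names, addresses and phone numbers are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed directory of callback numbers verified out of band in advance.
# A number supplied in the email or on the call itself is never trusted.
VERIFIED_CALLBACK = {"ceo@example.com": "+1-555-0100"}
HIGH_RISK = {"wire_transfer", "vendor_bank_change", "sensitive_data_share"}

@dataclass
class Request:
    action: str
    requester: str                      # identity claimed in the email or call
    submitted_by: str                   # employee who entered the request
    callback_number_used: str | None = None  # number the employee actually dialed
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)
    requester_is_executive: bool = False  # recorded only; grants no bypass

def release_decision(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, blocking reasons); every request is treated as possibly fraudulent."""
    reasons: list[str] = []
    if req.action not in HIGH_RISK:
        return True, reasons
    expected = VERIFIED_CALLBACK.get(req.requester)
    if expected is None:
        reasons.append("no pre-verified callback number on file")
    elif req.callback_number_used != expected:
        reasons.append("callback not placed to the pre-verified number")
    elif not req.callback_confirmed:
        reasons.append("callback did not confirm the request")
    # Secondary approval must come from someone other than the submitter
    # and the claimed requester.
    if not (req.approvers - {req.submitted_by, req.requester}):
        reasons.append("no independent secondary approver")
    return not reasons, reasons

# Constructed samples: a "CEO" request reinforced by a call from an unknown
# number, and the same request verified through the process.
spoofed = Request("wire_transfer", "ceo@example.com", "ap.clerk@example.com",
                  callback_number_used="+1-555-0199", callback_confirmed=True,
                  approvers={"ap.clerk@example.com"}, requester_is_executive=True)
verified = Request("wire_transfer", "ceo@example.com", "ap.clerk@example.com",
                   callback_number_used="+1-555-0100", callback_confirmed=True,
                   approvers={"controller@example.com"})

if __name__ == "__main__":
    for name, req in (("spoofed", spoofed), ("verified", verified)):
        print(name, release_decision(req))
```

The spoofed request is blocked even though the caller "confirmed" it, because the confirmation came over a channel the requester controlled and the only approver was the person who submitted it.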

The reality is most BEC attacks succeed because the process breaks down, not because attackers’ technology is perfect. The organizations that avoid becoming the next headline are those building systems that assume every request could be fraudulent.

If your business still relies on trust alone to approve financial or sensitive actions, it’s time to rethink that approach.

At Fairdinkum, we help SMBs put those safeguards in place, from identity security and email protection to financial controls that reduce risk without slowing your business down. Because in today’s environment, trust alone isn’t a control.

Last Updated: On April 24, 2026