Introduction
Deepfake technology, a subset of synthetic media, is revolutionising social engineering attacks. By leveraging AI-generated images, videos, and voice cloning, cybercriminals manipulate individuals into revealing sensitive information or taking harmful actions.
As cybersecurity professionals raise alarms, individuals and businesses must understand the scope of this threat and develop effective countermeasures. Dr. Matthew Canham, a cybersecurity researcher at the University of Central Florida, developed a Deepfake Social Engineering Framework to analyse these attacks.
What is Deepfake-Based Social Engineering?
Deepfake-based social engineering uses synthetic media to impersonate individuals, manipulate emotions, and deceive targets. Unlike phishing, deepfakes make fraud more convincing by mimicking voices, faces, and even mannerisms with unsettling accuracy.
The FBI has warned about the use of deepfakes in cybercrime, noting how they bypass traditional security controls and exploit human trust.
Why Are Deepfakes So Dangerous?
1. Exploiting Cognitive Biases
Humans are wired to believe what they see and hear. Under pressure, we tend to make snap decisions—something attackers exploit using urgent, realistic scenarios.
2. Bypassing Biometric Security
Biometric systems like voice and facial recognition are now vulnerable to deepfakes, especially if used as part of multi-factor authentication (MFA).
3. Real-Time Deception
Advanced tools allow for real-time voice and video deepfakes, enabling attackers to impersonate someone on live calls or video meetings—making the scam nearly undetectable.
Dr. Canham’s Deepfake Social Engineering Framework
This framework categorises deepfake-based attacks into five dimensions:
1. Medium of Attack
- Text-based: Emails or chatbot scams
- Audio-based: Voice cloning phone scams
- Image-based: Fake profiles on LinkedIn or Tinder
- Video-based: CEO video impersonation scams
- Multi-modal: Combination of the above
Internal Resource: Learn how voice phishing attacks work on CyberSnowden.
2. Control of the Attack
- Human-controlled: Manual fraud attempts
- AI-powered automation: Deepfake bots
- Hybrid: Automated lures, human execution
Real case: A UK firm lost €220,000 in a deepfake vishing scam that mimicked their CEO’s voice.
3. Familiarity of the Target
- Unfamiliar: Romance or investment scams
- Familiar: Fake CEO impersonations
- Close-person: Virtual kidnappings, family scams
⚠️ See our analysis of CEO impersonation attacks.
4. Level of Interactivity
- Pre-recorded: Fake video messages or AI-generated speeches
- Asynchronous: Delayed chats or fake email threads
- Real-time: Live Zoom or Teams impersonation
5. Target of the Attack
- Individuals: Phishing or ransom threats
- Authentication systems: Biometric deepfake bypass
- Mass manipulation: AI-powered disinformation
️ Check out our guide to defending biometric data.
Real-World Deepfake Cases
Deepfake Vishing (UK, 2019)
An employee was tricked into sending €220,000 after hearing what they believed was their CEO’s voice.
Trading Chaos (AP Hack, 2013)
Hackers tweeted false news from the Associated Press Twitter, crashing U.S. markets briefly.
Virtual Kidnapping Scams
Scammers now use voice cloning to pretend to be a kidnapped family member and demand ransom.
How to Defend Against Deepfake Social Engineering
✅ 1. Use Shared Secrets
Have a codeword for identity verification between close contacts or teams.
✅ 2. Require Multi-Person Authorization
Ensure dual approval for fund transfers, especially large ones.
✅ 3. Verify Through Multiple Channels
Never trust only one channel—validate voice requests with an email or SMS.
✅ 4. Train Employees
Conduct simulated attacks and awareness workshops to spot deepfakes.
✅ 5. Deploy Detection Tools
Use tools like:
Final Thoughts
Deepfakes are not just entertainment—they’re a new frontier in cybercrime. As the technology evolves, so must your defences.
Want to protect your business from emerging threats? Read our Cybersecurity Strategy Guide 2025 for practical tips.
