Gartner: 62% Hit by Deepfake Attacks - NC SMB AP Defense 2026

Gartner: 62% of orgs hit by deepfake fraud. BEC 2.0 + AI invoice fraud hit NC SMBs. AP defense playbook. (336) 886-3282.


TL;DR: Per Gartner's 2026 survey of 302 enterprise security leaders, 62% of organizations have already been hit by a deepfake attack - 41% by audio attacks and 35% by video attacks - and deepfakes now account for 11% of global fraudulent activity. Per the FBI's 2025 Internet Crime Report, Business Email Compromise (BEC) cost US businesses more than $3 billion. The fraud has evolved into "BEC 2.0" - voice clones, video deepfakes, AI-generated email in the executive's tone, and synthetic-identity onboarding. NC small businesses with thin accounts payable teams and concentrated approval authority are the highest-yield targets in the entire SMB economy.

Critical takeaway: The technical defense against deepfakes is weak; the procedural defense is strong. Out-of-band callback verification, dual approval on any vendor or banking change, and a written AP exception policy stop 90%+ of these losses regardless of how good the deepfake gets.

Ready to harden NC AP teams against BEC 2.0? Contact Preferred Data Corporation at (336) 886-3282. Serving NC small businesses since 1987.

What did the Gartner 2026 deepfake survey actually find?

Per Keepnet's analysis of the Gartner data, of 302 enterprise security leaders surveyed, the findings break down as follows:

Finding | Number | Practical SMB read
Organizations hit by any deepfake attack | 62% | Already mainstream, not exotic
Audio deepfake incidents | 41% | Voice-cloning is now commodity
Video deepfake incidents | 35% | Video conferencing is now part of the attack surface
Share of global fraudulent activity that is deepfakes | 11% | Material share, growing fast
BEC losses to US businesses (FBI IC3 2025) | $3B+ | One of the costliest cybercrimes on record
AI-generated BEC emails (mid-2024 estimate) | ~40% | Share rising rapidly through 2026

The Gartner data was collected against enterprise security leaders, but the SMB exposure is higher, not lower. NC SMBs have:

  • Smaller AP teams. One or two AP coordinators handling the entire vendor base, often reporting directly to a controller or owner. One bad approval is a wire-out.
  • Concentrated approval authority. A CEO, controller, or office manager signs every wire. The single voice the attacker needs to clone is the single voice the attacker has plenty of audio of - on LinkedIn videos, podcast appearances, and company webinars.
  • Limited deepfake training. Per the 33 phishing statistics report, 46% of SMBs encountered AI-generated phishing in the past 12 months. Most have not refreshed AP training to include voice and video.

Why has BEC evolved into "BEC 2.0"?

Because LLMs and voice/video synthesis collapsed the per-attack cost of high-quality impersonation. Per the Hoxhunt 2026 phishing trends report, LLM-generated phishing emails achieve a 54% click-through rate against just 12% for human-written phishing. The same multiplier applies to the BEC follow-through. Three drivers:

  • Voice cloning from short samples. Per Keepnet, 3-10 seconds of audio is enough to produce a usable clone of an executive's voice for voicemail and short-form calls.
  • Real-time video deepfakes. The widely reported $25M Hong Kong incident demonstrated that a multi-participant video conference can be entirely synthetic. SMB executives are easier targets, not harder.
  • Reference to live business context. AI-generated BEC emails routinely reference active projects, current invoice numbers, vendor names, and upcoming payment runs - because the attacker has already harvested the inbox or a SaaS doc store.

The defensive mistake is to assume the AP team can spot the deepfake. The deepfakes are designed precisely to defeat human detection. The defense has to be procedural, not perceptual.

Quotable definition: "BEC 2.0" is the AI-enabled evolution of Business Email Compromise that uses voice cloning, video deepfakes, AI-generated email in the executive's tone, and synthetic-identity techniques to defeat human visual and auditory verification. Per Gartner's 2026 survey, 62% of organizations have already experienced an attack of this class.

What procedural controls actually stop BEC 2.0 losses?

Five controls, all procedural, all inexpensive. Together they stop more than 90% of BEC losses regardless of how convincing the impersonation is:

  1. Out-of-band callback verification. Any new vendor, new bank account, new wire instruction, or change to an existing one is verified by calling the vendor at a phone number from your file - never the number on the request. Per the FBI's guidance on BEC, this single control stops the majority of completed losses.
  2. Dual approval on every wire above a threshold. Two human signers, two channels of evidence, no exceptions. Threshold should fit the business but $5,000 is a reasonable SMB starting point.
  3. Written AP exception policy. Every exception (urgent request, after-hours, executive authorization by phone, "the CFO is in a meeting") is treated as a red flag and requires written follow-up before payment. Per Microsoft's BEC defense guidance, urgency is the most reliable indicator across BEC fraud.
  4. Vendor master file controls. Vendor banking details cannot be changed by email request alone. Verification must include a callback to a known contact and an authorized form on file.
  5. AP team training that includes voice and video deepfake examples. Quarterly, with realistic examples. Per Keepnet, training that includes deepfake samples is the only training that reliably moves AP detection performance.
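
The first four controls can be enforced as a hold rule in the payment workflow rather than left to judgment under pressure. The sketch below is an added example, not Preferred Data's code; the `PaymentRequest` fields, the vendor master layout, and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 5000  # USD, the page's suggested SMB starting point

@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    bank_account: str
    callback_number: str = ""   # number AP actually dialed; "" means no callback
    approvers: list = field(default_factory=list)
    exception_flags: list = field(default_factory=list)  # "urgent", "after-hours"
    written_followup: bool = False
    change_form_on_file: bool = False

def release_blockers(req, vendor_master):
    """Return the reasons a payment must be held; an empty list means release."""
    reasons = []
    vendor = vendor_master.get(req.vendor_id)
    # Controls 1 and 4: a new vendor or changed bank details needs a callback to
    # the number already on file plus an authorized form. Assumption: a vendor
    # with no record has no trusted number yet, so it is always held.
    if vendor is None or vendor["bank_account"] != req.bank_account:
        on_file = vendor["phone"] if vendor else None
        if not req.callback_number:
            reasons.append("no callback performed")
        elif req.callback_number != on_file:
            reasons.append("callback not made to number on file")
        if not req.change_form_on_file:
            reasons.append("no authorized change form on file")
    # Control 2: two distinct signers above the threshold
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        reasons.append("dual approval missing")
    # Control 3: any exception needs written follow-up before payment
    if req.exception_flags and not req.written_followup:
        reasons.append("exception without written follow-up")
    return reasons

# Constructed sample data (not from the page)
VENDOR_MASTER = {"V-100": {"phone": "+1-555-0100", "bank_account": "ACCT-OLD"}}
SPOOFED = PaymentRequest("V-100", 18400.0, "ACCT-NEW",
    callback_number="+1-555-0199",  # the number printed on the request
    approvers=["controller", "controller"], exception_flags=["urgent"])
VERIFIED = PaymentRequest("V-100", 18400.0, "ACCT-NEW",
    callback_number="+1-555-0100", approvers=["controller", "owner"],
    change_form_on_file=True)

if __name__ == "__main__":
    for r in (SPOOFED, VERIFIED):
        print(release_blockers(r, VENDOR_MASTER))
```

The spoofed request is held on four separate grounds even though a callback was made, because the number dialed came from the request and the same person approved twice.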

Add identity-layer controls for completeness - DMARC at policy reject, phishing-resistant MFA on email and finance systems, conditional access by location and device. Together with the procedural controls above, the BEC 2.0 attack surface collapses.
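
"DMARC at policy reject" is easy to claim and easy to get partly wrong: a record can publish `p=reject` while a weaker `sp` or a `pct` below 100 leaves spoofed mail deliverable. The check below is an added example, not from the original page; it uses the tag semantics of RFC 7489, and the sample records are constructed.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_gaps(record):
    """Return the reasons a record is not enforcing reject on all failing mail."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    gaps = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        gaps.append(f"p={policy or 'missing'}, not reject")
    # sp overrides p for subdomains; when sp is absent, subdomains inherit p
    sp = tags.get("sp")
    if sp is not None and sp.lower() != "reject":
        gaps.append(f"sp={sp.lower()}: subdomains not at reject")
    # pct below 100 applies the policy to only a share of failing mail
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        gaps.append(f"pct={pct}: policy applied to only part of failing mail")
    return gaps

# Constructed sample records (example.com is a placeholder domain)
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=reject; sp=none; pct=50;"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, PARTIAL, ENFORCED):
        print(rec, "->", dmarc_gaps(rec) or "enforced at reject")
```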

How does this hit NC small businesses specifically?

Because NC's SMB economy is built on relationship-driven trades - manufacturing, construction, distribution, professional services - where invoice volumes are high, vendor lists are long, and the cost of friction is real. Three NC-specific scenarios we see:

  • NC manufacturer with rotating vendor lists. Tier 2 manufacturers in the Piedmont Triad routinely onboard new tooling, packaging, and logistics vendors. Vendor master file changes are constant. Without callback discipline, attackers exploit the noise.
  • NC construction with subcontractor payment runs. A general contractor in Charlotte or Raleigh paying 30+ subcontractors per draw is exactly the high-frequency, high-value pattern BEC 2.0 targets. The pretext writes itself.
  • NC professional services with executive-controlled payments. Accounting and legal firms where the partner signs every check are single-point-of-failure setups. A cloned voice from a podcast is enough.

The NC-specific defense is not technical; it is operational. Procedure, training, and policy are the controls that hold under deepfake pressure.

How much does the layered defense cost?

For a 25-100 employee NC SMB, the procedural and tooling components are well inside a normal managed services budget:

Control | Typical SMB cost | What it addresses
Written AP policy + dual approval workflow | One-time consulting day | Procedural floor
Out-of-band callback verification training | $0 (workflow change) | Procedural floor
Quarterly AP deepfake training | $20-$50 per user/year | Detection performance
DMARC enforcement at reject | Bundled with email security | Defeats most impersonation
Phishing-resistant MFA on email + finance | Bundled with managed IT | Stops credential-driven BEC
Cyber insurance with BEC rider | Premium dependent | Backstop for residual loss

Per the FBI IC3 2025 report, the average BEC loss is in six figures. The procedural cost of avoidance is two orders of magnitude below.

Where do you stand? Take our free cybersecurity assessment or call (336) 886-3282.

How is Preferred Data helping NC SMBs defend against BEC 2.0?

Preferred Data Corporation has been protecting NC small businesses since 1987. Our managed cybersecurity services deliver the technical layer - DMARC at reject, phishing-resistant MFA, managed email security, identity-layer detection, and AP-focused training that includes voice and video deepfake examples. Our managed IT services build the procedural layer - written AP policy, vendor master controls, dual approval workflows, and exception handling that makes urgency a red flag rather than a bypass.

For manufacturers, construction firms, and professional services firms across High Point, Greensboro, Charlotte, Raleigh, Winston-Salem, and the Piedmont Triad, we bring 200-mile on-site response, BBB A+ accreditation, and an average client tenure of 20+ years.

Ready to harden NC AP teams against deepfake fraud? Contact Preferred Data at (336) 886-3282 or visit our contact page to schedule a BEC 2.0 readiness review.

Frequently Asked Questions

What is BEC 2.0?

Per industry research summarized by Keepnet, BEC 2.0 is the AI-enabled evolution of Business Email Compromise that uses voice cloning, video deepfakes, AI-generated email in the executive's tone, and synthetic-identity techniques to defeat human verification. Per Gartner, 62% of organizations have already been hit.

What percentage of organizations have been hit by deepfake attacks?

Per Gartner's 2026 survey of 302 organizations cited by Keepnet, 62% have experienced at least one deepfake attack - 41% audio, 35% video. Deepfakes now account for 11% of global fraudulent activity.

How much do BEC losses cost US businesses?

Per the FBI IC3 2025 Internet Crime Report, BEC cost US businesses more than $3 billion in 2025. The average per-incident loss is in six figures, and SMBs are over-represented in the victim population.

Can my AP team spot a voice clone or deepfake video?

Probably not, and that is the point. Per Keepnet's data, modern voice clones can be produced from 3-10 seconds of audio, and video deepfakes are now real-time. The defense is procedural - callback verification, dual approval, exception handling - not perceptual.

What is the single highest-impact control to deploy this week?

Implement out-of-band callback verification for any new vendor, new bank account, or change to existing wire instructions. The callback uses a phone number from your file, never one on the request. Per the FBI's BEC guidance, this control alone stops the majority of completed losses.

Does cyber insurance cover BEC 2.0 losses?

Sometimes, with conditions. Per the 73% SMB cyber insurance failure pattern, insurers increasingly require documented AP procedures, dual approval, callback verification, and AP team training before paying BEC claims. Documentation is now a coverage condition, not just a best practice.

Does Preferred Data offer BEC 2.0 readiness services?

Yes. Our managed cybersecurity services bundle the technical layer - DMARC, MFA, managed email security, deepfake-aware training - with the procedural layer - written AP policy, dual approval workflows, vendor master controls. Call (336) 886-3282 for a BEC 2.0 readiness review.
