Real-Time Video Deepfake CFO Scams Hit NC Small Businesses (2026)

Real-time video deepfakes now impersonate CFOs on Zoom and Teams calls to authorize wire transfers. NC small businesses need new verification rules. Call (336) 886-3282.

TL;DR: Live, real-time video deepfakes are now the highest-loss social-engineering attack pattern of 2026. Attackers join Zoom or Teams calls appearing to be a senior executive and instruct finance staff to wire funds. Deloitte projects generative-AI-enabled fraud will grow from $12B in 2023 to $40B by 2027. The average successful CEO/CFO fraud now exceeds $125,000 per incident. The defense is procedural, not technological: enforce multi-channel callback verification on every wire transfer, require dual-control approvals, and train finance teams to challenge urgency.

Key takeaway: A 3-second voice sample plus a $20/month deepfake video subscription is now sufficient to impersonate your CFO on a live video call. Detection tools cannot keep up. The only reliable defense is a policy that says "no wire goes out without callback verification to a known number," enforced for every employee, every time, no exceptions.

Has your finance team been briefed on real-time video deepfakes? Preferred Data Corporation runs deepfake-resistant payment-control reviews and finance-team training for North Carolina businesses. Call (336) 886-3282 or request a fraud risk assessment. Serving NC since 1987.

What is a real-time video deepfake CFO scam?

A real-time video deepfake (also called a live deepfake or synthetic-video impersonation) is a video stream that an attacker generates frame-by-frame to look and sound like a real executive, broadcast over a live Zoom, Microsoft Teams, Google Meet, or Webex call. Combined with voice cloning, the attacker can speak as the executive in real time, answer questions, and respond to facial cues from finance staff.

Until 2024, deepfake video required minutes of pre-rendered footage and was easy to spot in live calls. Throughout 2025 and into 2026, three things changed:

  1. Consumer-grade tooling: Live deepfake apps that run on a single GPU went from research demos to subscription services starting around $20 per month, per Solve IT Solutions reporting.
  2. Voice cloning quality: McAfee researchers confirmed that as little as 3 seconds of audio (often pulled from a podcast appearance, all-hands recording, or YouTube video) is enough to clone a voice convincingly enough to fool finance staff.
  3. Attack repeatability: The same playbook now scales across thousands of small businesses globally, with confirmed losses in the tens of millions per incident at the high end and routine $100K-$500K losses at small business scale.

In a typical attack, an employee in accounting receives a calendar invite or last-minute meeting request from "the CFO" or "the CEO." The attacker joins the call, displays a deepfake video stream and cloned voice, claims an urgent confidential acquisition or vendor payment, and instructs the employee to wire funds before end of day.

Why is 2026 different from earlier deepfake fraud?

Three converging trends define the 2026 threat:

Trend 1: Live video has overtaken voice-only attacks. Reporting cited by multiple MSPs and the Institute for Financial Integrity describes the most-reported and highest-loss scenario of 2026 as the real-time video deepfake CFO impersonation. Voice-only is now considered the entry-level version of the attack.

Trend 2: The economics favor attackers at every scale. Brightside AI research highlights a $50M voice-cloning theft, but the same toolchain that produces an eight-figure attack on a Fortune 500 also produces a $150K wire fraud against a 30-person Greensboro construction firm or a 60-person High Point furniture manufacturer.

Trend 3: Detection technology is losing. Detection vendors release new models monthly, but generation models improve faster. The U.S. Treasury, FBI, and SEC have all advised that businesses should not rely on detection tools as a primary defense; they should rely on procedural controls.

Deloitte projects generative-AI-enabled fraud losses in the United States will grow from $12 billion in 2023 to $40 billion by 2027, a 32% compound annual growth rate. Small businesses are the primary growth segment because they have wire transfer authority, fewer controls, and limited fraud awareness training.

How does a real-time video deepfake attack actually unfold?

Phase 1: Reconnaissance (1-7 days)

The attacker scrapes:

  • LinkedIn profiles for executive names, titles, and reporting relationships
  • Company website "About" pages
  • Public earnings calls, podcast appearances, or Chamber of Commerce videos for voice samples
  • Social media for personal references the attacker can drop into a conversation
  • Public business records for vendor names and likely payment patterns

Phase 2: Initial pretext (1 day before the call)

The attacker often gains access to or spoofs the executive's email to send:

  • A meeting invite labeled "Confidential M&A discussion"
  • A short text or instant message asking the finance employee to "be available at 3pm"
  • Sometimes a partial wire instruction sent in advance

Phase 3: The deepfake call (15-30 minutes)

On a live Zoom or Teams call:

  • The deepfake video shows the "executive" with realistic facial movement and lip sync
  • The cloned voice handles real-time conversation, often citing real names and recent business events to build trust
  • The attacker creates urgency ("this needs to wire by 4pm or the deal is dead")
  • The attacker asks for confidentiality ("don't loop in the controller, this is between us")
  • The attacker provides wire instructions

Phase 4: The wire (within hours)

If the employee complies, the wire goes out, often to a US-based shell account that immediately forwards funds offshore via cryptocurrency or correspondent banks. By the time the real CFO is asked about it, the funds are typically unrecoverable.

Why are NC small businesses particularly vulnerable?

North Carolina's small business landscape concentrates risk:

  • Manufacturing and construction firms routinely wire six and seven figures to vendors, especially for equipment purchases or construction draws. A "vendor change" or "revised wire instruction" pretext fits naturally.
  • Family-owned businesses in High Point, Hickory, and the Triad often have a small finance team without segregation of duties.
  • PE-backed companies in the Triangle and Charlotte face higher risk because acquisition-related wire activity is normal, providing perfect cover for "M&A confidential" pretexts.
  • Healthcare practices and professional services firms have CFOs and partners who appear on local podcasts, conference panels, and YouTube videos, providing ample voice and video training data.

A typical NC small business finance team has between 1 and 5 people, with one person empowered to initiate wire transfers and another to approve them. That two-person control is exactly what the deepfake attack is designed to bypass: convince one of those two people that the other has already approved.

Can detection tools spot real-time deepfakes?

Tools exist (Reality Defender, Pindrop, Microsoft Video Authenticator, Intel FakeCatcher), but they have three limits in a small business context:

  1. Coverage: Few integrate natively with Zoom, Teams, or Google Meet
  2. False positives: Aggressive settings flag legitimate executives with low-bandwidth connections
  3. Speed of generation improvements: Generation models often outpace detection within weeks

The Treasury Department's FinCEN and the FBI have repeatedly advised that businesses should not rely on detection as a primary control. Procedure beats technology for this attack class.

What is the right procedural defense?

Defense capsule: Multi-channel callback verification on every wire transfer, dual approval with segregation of duties, mandatory cooling-off period for last-minute requests, suspicious-call escalation paths, and finance-team deepfake awareness training. Deploy these controls in 30 days and you eliminate 95%+ of deepfake fraud risk regardless of attack sophistication.

1. Multi-channel callback verification, no exceptions

For every wire transfer above a defined threshold (we recommend $5,000 for SMBs), the employee initiating the transfer must verify the request by calling the requesting executive on a known phone number from the company directory or HR system. Not a number provided in the meeting. Not a number the deepfake "voice" reads off. The directory number.

If the executive cannot be reached, the wire waits. Period.

2. Dual approval with segregation of duties

A single employee should never be able to both initiate and release a wire. Require two distinct individuals, with the approver also performing the callback verification independently of the initiator.

3. Mandatory cooling-off period

For any wire transfer request marked "urgent" or "confidential" that arrives outside normal business processes, require a minimum 1-hour delay before execution. The cooling-off window is itself a defense: most attackers will not stay on a call for an hour, and most legitimate executives understand the policy.

4. Confidentiality is a red flag, not a justification

Train finance teams that "do not tell anyone else" is itself a fraud indicator. Confidential M&A activity should always be approved through written process by counsel and the controller, not enforced through confidentiality demands on a single employee.

5. Finance-team deepfake awareness training

A 30-minute training session covering:

  • How a real-time video deepfake actually looks and sounds
  • The exact pretext patterns ("urgent confidential M&A," "vendor change," "tax payment")
  • The mandatory verification procedure
  • Examples of attacks that succeeded and failed
  • Tabletop exercise with a fake call from "the CEO"

Preferred Data's security awareness training includes deepfake-specific modules for finance teams.

What does a deepfake-resistant wire transfer policy look like?

| Element | Vulnerable default | Deepfake-resistant policy |
| --- | --- | --- |
| Approval threshold | $25,000+ requires approval | $5,000+ requires approval |
| Approver count | One executive | Two executives, segregated |
| Callback required | Sometimes | Always, on directory number |
| Verification number | Whatever the requester gives | HR system or directory only |
| Urgency override | Allowed | Triggers cooling-off period |
| Confidentiality requests | Honored without question | Treated as fraud indicator |
| Training cadence | Once at hire | Quarterly with simulations |
| Vendor wire change | Email approval | Written + callback to vendor |
| Last-minute requests | Processed same day | Held minimum 1 hour |
| Documentation | Optional | Mandatory written log |
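
The callback, dual-approval and cooling-off controls above can be enforced as a release gate in a payment workflow. This is an added example, not Preferred Data's or any bank's code. The field names, the directory contents and the rule that a confidentiality demand always holds the wire for escalation are assumptions; the $5,000 threshold and 1-hour hold are the article's values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

THRESHOLD_USD = 5_000             # threshold the article recommends for SMBs
COOLING_OFF = timedelta(hours=1)  # minimum hold for urgent/confidential requests

# Constructed directory: loaded from the HR system, never from the request itself.
DIRECTORY = {"cfo": "+1-336-555-0100"}

@dataclass
class WireRequest:
    amount_usd: float
    requester: str                 # executive the request claims to come from
    initiator: str                 # employee who keyed the wire
    approver: Optional[str]        # second employee who releases it
    dialed_number: Optional[str]   # number the approver called back, if any
    callback_confirmed: bool       # executive confirmed on that call
    requested_at: datetime
    release_at: datetime
    urgent: bool = False
    confidential: bool = False

def release_blockers(req: WireRequest, directory=DIRECTORY) -> list:
    """Return the reasons this wire must be held; an empty list means release."""
    if req.amount_usd < THRESHOLD_USD:
        return []
    blockers = []
    # Dual control: initiator and approver must be two distinct people.
    if not req.approver or req.approver == req.initiator:
        blockers.append("dual-control")
    # Callback: only the directory number counts, and the executive must confirm.
    known = directory.get(req.requester)
    if known is None or req.dialed_number != known:
        blockers.append("callback-not-to-directory-number")
    elif not req.callback_confirmed:
        blockers.append("callback-unconfirmed")
    # Cooling-off: urgent or confidential requests are held at least one hour.
    if (req.urgent or req.confidential) and \
            req.release_at - req.requested_at < COOLING_OFF:
        blockers.append("cooling-off")
    # A confidentiality demand is itself a fraud indicator and is escalated.
    if req.confidential:
        blockers.append("confidentiality-escalation")
    return blockers

# Constructed requests: one modelled on the call described above, one compliant.
T0 = datetime(2026, 1, 15, 15, 0)
SCAM = WireRequest(150_000, "cfo", "ap_clerk", None, "+1-555-0199", True,
                   T0, T0 + timedelta(minutes=40), urgent=True, confidential=True)
CLEAN = WireRequest(150_000, "cfo", "ap_clerk", "controller", "+1-336-555-0100",
                    True, T0, T0 + timedelta(hours=2))
```

Because the gate compares the dialed number against the directory rather than against anything in the request, a number read out on the call fails the check however convincing the caller was.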

Read more about Preferred Data's cybersecurity services.

How does this interact with email security?

Real-time video deepfake attacks frequently begin with email account compromise (EAC) or email spoofing. Strengthen the email layer alongside the procedural layer:

  • DMARC, SPF, and DKIM with strict enforcement on inbound and outbound mail
  • MFA on all email accounts (Microsoft 365, Google Workspace) with phishing-resistant factors where possible
  • Inbox alerts for forwarding rule changes, mailbox delegations, and unusual sign-ins
  • Email banner warnings for external senders and lookalike domains
  • Attachment and link sandboxing through Microsoft Defender for Office 365 or equivalent

Microsoft has expanded Defender for Office 365 Plan 1 capabilities to Office 365 E3 and Microsoft 365 E3, and has added URL checks for Business Basic and Business Standard, making advanced email protection more accessible to small businesses.

What does Preferred Data Corporation do to address deepfake fraud?

Preferred Data has been protecting North Carolina small businesses from financial fraud for 37+ years. Our deepfake-fraud defense services include:

  • Wire transfer policy review and gap analysis against 2026 deepfake attack patterns
  • Finance team training with deepfake demonstrations and tabletop exercises
  • Email security hardening (DMARC, MFA, Defender for Office 365 tuning)
  • Phishing simulation programs including deepfake-themed campaigns
  • Identity protection for executives whose voice and video are publicly available
  • Incident response planning for suspected fraud attempts
  • Coordination with banks and counsel on wire-fraud-specific recovery procedures

Learn more about our managed cybersecurity services.

How does this connect to other 2026 small business risks?

Real-time deepfakes amplify and combine with other 2026 attack patterns:

  • Akira ransomware affiliates sometimes use deepfake-style social engineering to bypass MFA on initial access. See our Akira ransomware analysis.
  • CISA AA26-113A covert networks can host the C2 infrastructure attackers use for the supporting email compromise. See our coverage of AA26-113A.
  • State privacy laws trigger notification obligations when deepfake fraud results in disclosure of customer data, especially in the 20 states with comprehensive privacy laws.
  • Tariff-driven margin pressure makes wire fraud losses doubly damaging because every dollar lost cannot be replaced by a price increase customers will accept.

Key takeaway: Real-time video deepfakes prove that authentication built on "I recognize their face and voice" is dead. Authentication for 2026 has to be procedural: callback verification, dual control, cooling-off periods. NC small businesses can deploy the entire control set in under 30 days for a fraction of the cost of a single successful attack.

About Preferred Data Corporation

Preferred Data Corporation provides managed IT, cybersecurity, cloud solutions, and security awareness training for small and mid-sized businesses across North Carolina. Headquartered in High Point, NC since 1987, we serve manufacturers, distributors, construction firms, healthcare practices, and professional services across the Piedmont Triad and Research Triangle. Our 20+ year average client retention and BBB A+ rating reflect 37+ years of helping NC businesses defend their finances against evolving threats.

Frequently Asked Questions

How can I tell if I am on a deepfake video call?

You probably cannot reliably tell in real time, and that is the point. Some 2025-era deepfakes had artifacts (poor lip sync, glitches when the head turned, lighting inconsistencies), but 2026 generation models have largely closed those gaps. Do not rely on detection. Rely on procedure: every wire request gets verified by callback to a directory number, every time.

My CFO would never use Zoom for a confidential M&A discussion. Does that protect us?

Only if every employee on the finance team knows that. Attackers exploit gaps between executive intent and employee awareness. Codify the rule: "No wire transfer is ever authorized exclusively on a video or voice call. Period." Train, document, and reinforce.

Should we use a deepfake detection tool on Zoom and Teams?

Detection tools can be a useful supplementary control, but they cannot be your primary defense because generation models improve faster than detection. The Treasury Department, FBI, and most insurers explicitly recommend procedural controls (callback verification, dual approval) over detection technology.

How much does a real-time deepfake attack typically cost?

The average successful CEO/CFO fraud is $125,000 or more per incident. High-profile incidents have exceeded $25 million in single transfers. Deloitte projects total US generative-AI fraud losses to reach $40 billion by 2027 from $12 billion in 2023.

Will cyber insurance cover a deepfake-driven wire fraud loss?

Some policies cover social engineering fraud, but coverage is often capped at $250K-$1M and requires evidence of specific procedural controls (callback verification, dual approval) at the time of the loss. Failing to maintain these controls can void coverage. Review your policy with your broker and managed IT partner.

Where do attackers get my CFO's voice for cloning?

Common sources include podcasts, all-hands meeting recordings posted internally and leaked, conference keynotes, Chamber of Commerce videos, YouTube interviews, sales kickoff videos, and even voicemail greetings. Three seconds of clear audio is enough. Reducing public audio exposure for executives helps but cannot eliminate the risk.


References

  1. Institute for Financial Integrity. (2026). Deepfake Deep Dive. https://finintegrity.org/deepfake-deep-dive/
  2. Solve IT Solutions. (2026, February). The "Deepfake CEO" Scam: Why Voice Cloning Is the New BEC. https://solve-it-sol.com/2026/02/the-deepfake-ceo-scam-why-voice-cloning-is-the-new-business-email-compromise-bec/
  3. Brightside AI. (2026). Deepfake CEO Fraud: $50M Voice Cloning Threat to CFOs. https://www.brside.com/blog/deepfake-ceo-fraud-50m-voice-cloning-threat-cfos
  4. Compass MSP. (2026). AI-Generated Deepfakes Are Here: Why Your Business Governance Must Adapt. https://compassmsp.com/resources/ai-generated-deepfakes-are-here-to-stay
  5. Microsoft. (2025, December). Advancing Microsoft 365: New capabilities and pricing update. https://www.microsoft.com/en-us/microsoft-365/blog/2025/12/04/advancing-microsoft-365-new-capabilities-and-pricing-update/
  6. Verizon. (2026). 2026 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/
  7. McAfee Labs. (2024-2026). Voice Cloning Threat Research. https://www.mcafee.com/blogs/
  8. Federal Bureau of Investigation. (2025-2026). Internet Crime Complaint Center (IC3) Annual Reports. https://www.ic3.gov/