Back to blog

Deepfake Fraud in 2026: The $3.7B Problem and How to Defend

How-To

How-To

Written by

Brightside Team

Published on

Deepfake fraud has finished its move from novelty to line item. A 2026 study from the security firm Surfshark, which draws on public incident records from the AI Incident Database, Resemble.AI, and the OECD, puts documented global losses from deepfake-enabled fraud at least $3.7 billion. Almost all of that damage is recent: about 89% of it was recorded in 2025 and the first half of 2026. And because researchers only count incidents with publicly reported financial losses, the real number is certainly higher. Congressional analysis suggests fewer than 5% of voice-clone victims ever report their losses, so the $3.7 billion figure is best read as the visible tip of a much larger problem.

The instinctive response to a threat built on fake faces and cloned voices is to get better at spotting the fakes, or to buy a tool that spots them for you. Both instincts are wrong, and this article explains why. Human beings identify high-quality deepfakes at rates close to a coin flip, and commercial detection tools lose a large share of their accuracy the moment they leave the lab. The organizations that hold the line share a different trait: they have redesigned their verification workflows so that a convincing impersonation still cannot move money or data. What follows is a look at where the losses come from, how the attacks work, what documented cases teach, and the layered defense that reduces risk when neither perception nor detection can be trusted.

Key Takeaways

  • Reported deepfake-fraud losses have reached at least $3.7 billion, and roughly 89% of that was recorded in 2025 and the first half of 2026. Because most victims never report, every published total is an undercount.

  • Social media is the single largest origin of losses at 47%, but the costliest tactics are fake investment endorsements using cloned celebrities and officials (about 52% of losses in the study's earlier phase) and corporate CEO or executive impersonation (about 25%).

  • Humans detect high-quality deepfakes barely better than chance, and detection tools can lose 45% to 50% of their accuracy between the lab and real-world use. Neither is a reliable primary control.

  • The durable defense is process redesign: out-of-band verification through pre-registered contacts, dual approval for high-value actions, rotating code words, and mandatory holds on unusual transfers. Done right, a successful impersonation still fails.

  • Training works when it builds an automatic verification reflex through realistic, multi-channel simulation, not when it asks employees to spot synthetic media by eye.

The $3.7 Billion Loss Picture, Decoded

The headline number is easy to quote and easy to misread. To use it well, you have to separate two different questions the Surfshark research answers: where the fraud originates, and how the money is actually taken. These are two lenses on the same problem, and they come from different phases of the same study, so it helps to keep them apart rather than blending them into a single list.

The most recent phase, which reports the $3.7 billion cumulative total across January 2020 to June 2026, breaks losses down by origin channel. Social media leads by a wide margin at 47%, or about $1.73 billion. Impersonation fraud, meaning cases where criminals use synthetic media to bypass identity checks or gain unauthorized access to accounts and services, is second at $911 million, or 25%. After that the numbers drop off: roughly $333 million tied to crypto ATM fraud in 2025, $100 million from fake job-candidate schemes, and a long tail spread across everyday communication channels, with phone calls at $71 million, video platforms at $62 million, messaging apps at $41 million, and email at $12 million. The lesson in that distribution is that deepfake fraud is not confined to the boardroom video call that makes headlines. It is leaking into routine channels that most awareness programs never rehearse.

An earlier phase of the same research, which reported a smaller $2.19 billion cumulative total over a slightly different window, classified losses by attack tactic rather than channel. There, the dominant category was fake investment endorsements, where deepfakes of celebrities or government officials promote fraudulent schemes. That single tactic accounted for about $1.13 billion, or 52% of losses in that phase. Corporate attacks, typically CEO or executive impersonation to authorize a transfer, made up about 25%. Identity-driven financial fraud such as fraudulent loans came in around 9%, romance scams 7%, and family-member impersonation 6%. Read the two lenses together and a coherent picture emerges: social media is the delivery surface, and impersonation for investment scams and executive fraud is what turns reach into losses.

Geography follows the money. In the tactic-and-country phase, the United States was the most-targeted nation at $712 million, with 43% of that in the corporate sector and a striking 17%, about $124 million, from family-impersonation scams. The US accounted for essentially all of the world's recorded family-impersonation losses, a pattern that is likely to spread. Malaysia followed at $502 million, almost entirely from investment scams, and Hong Kong at $229 million, which included the largest concentration of romance-deepfake losses anywhere. Indonesia stood out because roughly 99% of its losses came from deepfakes used to defeat bank security and secure fraudulent loans. In Europe, the United Kingdom led at $149 million, with the large majority of losses coming from celebrity investment scams.

The trend line matters as much as the totals. Recorded losses were modest through the early years, around $83 million across 2020 to 2023, then $335 million in 2024, before jumping to roughly $2.5 billion in 2025 and $764 million in the first half of 2026. That acceleration is what matters most, and it lines up with other 2026 data points: FBI IC3 recorded more than 22,000 AI-related fraud complaints and $893 million in audited AI-fraud losses in 2025, Gartner found that 62% of organizations had already experienced a deepfake incident, and Sumsub reported deepfake attempts rising 94% year over year. Deloitte projects US losses from AI-enabled fraud reaching $40 billion a year by 2027. The individual sources disagree at the margins and use different definitions, which is exactly why no single number should be treated as gospel. But they point the same direction, and Surfshark's estimate should be read as a reasonable, conservative floor rather than a precise measurement.

Why Deepfakes Became Cheap, Fast, and Convincing

The reason the curve bent upward in 2025 is economic, not technical. Building a convincing clone used to require specialist skill, significant compute, and hours of source material. None of that is true anymore. A usable voice clone can now be generated from as little as three to thirty seconds of public audio, and researchers have demonstrated clones with roughly 85% accuracy from short samples. A basic, individually run attack costs somewhere between $500 and $5,000, mostly using free or low-cost tools. The barrier that once kept this capability in the hands of nation-states has effectively collapsed.

Worse, the raw material is something organizations produce on purpose. Earnings calls, investor presentations, conference keynotes, podcast appearances, and social videos are all training data for a clone. The more visible an executive is, the easier they are to synthesize. That creates an uncomfortable tension between the marketing value of a public leader and the security cost of a large public voice and video footprint.

This is why the attempts keep multiplying even as some tactics fail. When the cost of a plausible impersonation approaches zero, attackers can afford to fail often. Sumsub's 94% year-over-year rise in deepfake attempts and the broader spread of face-swap and voice-cloning tools mean the volume landing on employees is climbing regardless of how many attempts get caught. Defenders are not facing a handful of sophisticated operators. They are facing a high-volume, low-cost, industrialized fraud economy where synthetic media is just another input.

How a Deepfake Fraud Attack Actually Unfolds

Corporate deepfake fraud runs as a structured campaign, and understanding its phases is what makes the defense obvious later.

It usually starts with profiling. Attackers map the target organization using LinkedIn, regulatory filings, press releases, and social media to work out who approves payments, which vendors are active, and what a financially plausible request would look like. In parallel, they harvest the audio and video they need for cloning from the public content the organization already publishes.

Clone assembly comes next. Using low-cost tools, the attacker builds a voice or video model that reproduces the target's speech patterns, accent, and emotional tone. No specialist skill is required, and the output is good enough to survive a live interaction.

The third phase is where the attack actually works, and it has nothing to do with technology. A target in finance, HR, or an executive-assistant role receives a call or a video meeting from what looks and sounds exactly like a senior leader. The attacker manufactures urgency, asks for confidentiality, and applies pressure rooted in authority. The goal is to get the action authorized before any verification instinct can engage. Urgency is the single most consistent red flag across cases, precisely because it is the mechanism that prevents the victim from stopping to check.

Then comes execution: the transfer is approved, the credentials are handed over, or the account is opened. In the most effective campaigns the channels are layered, so an email primes the target, a voice call reinforces it, and a video meeting closes it, with each channel lending false credibility to the next. By the time any single channel might have raised suspicion, three of them have already agreed with each other. The attacker succeeds by exploiting a reasonable assumption, that a face and a voice are proof of identity, rather than by outsmarting anyone.

What Real Deepfake Attacks Teach Us

The abstract kill chain becomes concrete in documented cases, and each one carries a specific lesson.

The most cited example remains the 2024 attack on the engineering firm Arup. A finance employee in the company's Hong Kong office joined a video conference in which the apparent chief financial officer and several colleagues discussed a confidential transaction. Every participant on that call was an AI-generated deepfake. The employee had initially suspected a phishing attempt, but the live video overcame that skepticism, and he authorized roughly $25 million across 15 transfers to fraudulent accounts. Arup's Chief Information Officer Rob Greig later described it plainly as an attack on psychology rather than on technology. The lesson is uncomfortable: a live video call, the thing most people treat as definitive proof, is now an attack vector.

The pattern is not new, only cheaper. Back in 2019, criminals cloned the voice of a German parent-company executive, including his accent and cadence, to convince the head of a UK energy firm to wire about $243,000. It was one of the first documented voice-clone frauds, and it established the template that today's tools have simply made accessible to everyone.

Not every story ends in loss, and the failures are instructive. In 2024, attackers targeted an employee at the password manager LastPass with deepfake audio of the company's chief executive delivered over WhatsApp. The attempt failed, and it failed for a reason worth copying: the employee grew suspicious specifically because a CEO reaching out over WhatsApp fell outside normal business communication, recognized the red flags, and reported it internally. Two things saved LastPass, and neither was deepfake detection. The first was a clear norm about which channels leadership actually uses. The second was a culture where reporting a suspicious contact was the expected move rather than an embarrassing one.

Deepfake fraud also reaches well beyond finance. In 2025, an unknown actor used an AI clone of US Secretary of State Marco Rubio's voice to contact foreign ministers and senior officials through the Signal messaging app, built from only about fifteen to twenty seconds of audio. The FBI issued a public warning. The takeaway for enterprises is that voice cloning is not limited to interactive wire-fraud calls. A one-directional voicemail can be weaponized just as easily, which widens the set of people who need to be prepared.

A different and increasingly important surface is identity verification itself. In a case that ran through the Amsterdam courts in 2025 and 2026, a man opened 47 fraudulent bank accounts by defeating a bank's selfie-versus-ID onboarding check with deepfake and face-swap imagery, a technique known as a biometric injection attack. He was convicted and sentenced to 30 months, six of them suspended, and ordered to pay roughly 13,000 euros in compensation. This case matters because it shows deepfake fraud attacking the enrollment gate, not the wire-transfer approval. Any process that treats a live selfie or a matching face as proof of a real, present human is now exposed to synthetic media injected directly into the verification stream.

For contrast, consider the 2024 attempt against the advertising group WPP, where a deepfake video meeting impersonating a senior leader tried and failed to push through a fraudulent request. Like LastPass, it was stopped by skepticism and process, not by a detector. Across the whole set of cases, the successes share one enabler: a workflow that let a single trusted-looking interaction authorize an irreversible action. That workflow is what the defense has to change.

Why Spotting Deepfakes and Detection Tools Both Fall Short

The natural defensive reflex is to train people to notice the tells, the unnatural blink, the slightly off lip-sync, the flat vocal tone. Plenty of guidance still recommends exactly this. The evidence says it does not work at the quality level attackers now field.

Studies put human accuracy at identifying high-quality deepfakes around 24.5%, which is worse than guessing. In a human-subject study of AI-generated media in social-engineering scenarios, 66% of participants failed to identify manipulated audio and 43% failed to identify deepfake video. Separately, surveys find that around 70% of people admit they cannot reliably tell whether a voice is real or cloned, even as most remain confident they could. None of this means employees are careless. Human perception is simply the wrong instrument for this job, and a defense built on it will fail.

Buying a detector does not solve the problem either, though it helps at the margins. Vendors report accuracy near 99.6% in controlled conditions, but independent analysis, including reporting from the Columbia Journalism Review, finds that real-world accuracy commonly drops 45% to 50% from those lab figures. Detection models also generalize poorly: a tool tuned on known generation techniques tends to stumble when confronted with media produced by a newer method, which is a structural weakness in an arms race where the generators keep improving. Treating a detection score as a verdict introduces a specific danger, which is false confidence. An organization that leans on a detector as its primary control can be lulled into approving exactly the transaction it should have questioned.

This is the gap that the preparedness numbers expose. Only about 7% of anti-fraud professionals say their organizations are more than moderately prepared to detect or prevent AI-fueled fraud, according to research from the ACFE and SAS. That number is not an argument for buying more detection. It is a signal that the whole strategy of trying to perceive the fake, whether with human eyes or machine classifiers, has reached its limit. The defense has to move somewhere perception is not the deciding factor.

The Defense That Actually Holds: Process First, Then People

If neither the human nor the detector can be trusted to catch the fake reliably, the winning move is to make catching the fake unnecessary. That means redesigning the workflow so that even a flawless impersonation cannot achieve its goal. Process controls come first because they deny the outcome, and they are the highest-impact investment an organization can make against this threat.

Several controls do most of the work. The most important is out-of-band verification: any sensitive request that arrives on one channel must be confirmed on a separate, pre-agreed channel using a contact number stored in your own directory, never a number supplied during the suspicious interaction. Pair that with dual approval, so no single person and no single channel can authorize a transfer above a defined threshold. Add rotating code words, established in person or over an already-trusted channel, for verbal requests that need fast authentication, since a code word defeats a voice clone in a way that listening for vocal tells never will. Impose a mandatory time delay on any transfer that falls outside normal operations, because urgency is the attacker's core tool and a required hold removes it. Require written, out-of-band confirmation before any change to banking or vendor payment details. And reduce the public audio and video footprint of high-exposure executives where the business can tolerate it, since every recording is training data.

Detection technology has a role in this stack, but as a supplementary signal rather than the decision-maker. In identity verification and onboarding, that role is more specific and more valuable: liveness checks with injection-attack protection are how you defend the enrollment gate that the Amsterdam case exploited. Traditional liveness tests that ask a user to blink are bypassed when an attacker injects a synthetic stream through a virtual camera, so modern systems move toward offsite forensic analysis of physiology and temporal consistency alongside metadata. Behavioral analytics that flag a request outside an executive's normal timing, phrasing, or channel can add another useful signal. None of these should be the last line. They should raise or lower confidence inside a process that already assumes voice and video can be faked.

People remain essential, but their job changes. The goal of training is not to turn employees into deepfake detectors, a skill the evidence says is unreliable. The goal is to make one behavior automatic: when a request is high-stakes or unusual, verify it through a trusted secondary channel before acting, without embarrassment and without exception. That reflex is built through repetition under realistic conditions, not through an annual slide deck that studies show is forgotten within weeks. Effective programs are role-specific, because finance teams, HR staff screening candidates, and executive assistants carry the most exposure and need targeted scenarios. They are continuous rather than once-a-year. They run realistic, multi-channel simulations that mirror how attacks actually arrive, including voice and combined voice-plus-email sequences, so the verification response becomes muscle memory. And they operate in a no-blame culture, because the quality of modern deepfakes is high enough that concealment, not failure, is the real risk. The most useful framing to hold onto is this: the process must provide the protection, not the individual employee. Training exists to make the process reflexive, and it is at its strongest when it explicitly complements the process controls above rather than substituting for them.

Why Brightside AI is the best AI-powered cybersecurity training platform for employees in 2026

If the durable defense is a verification reflex layered on top of sound process, the practical question is how to build that reflex across a workforce. This is the specific problem Brightside AI is designed to address. It is worth being precise about what that means, because deepfake defense attracts a lot of overstated claims. Brightside is a training and simulation platform. It is not a deepfake detector, it is not breach detection and response, and it is not an inbound email filter. It works on the human layer, which is exactly where the process-plus-reflex defense needs reinforcement.

On the awareness side, Brightside includes interactive, chat-based courses on deepfake identification, voice phishing, CEO fraud, and social engineering, delivered through a learning companion and structured into curricula that run continuously rather than as a single annual event. On the simulation side, its AI-powered vishing simulator runs realistic, adaptive phone calls, including the ability to clone an executive's voice from a short recording so teams rehearse against the same audio-deepfake technique attackers use. Its Hybrid Attack simulations pair a voice call with a trackable phishing email, which mirrors the multimodal, channel-layering pattern seen in real deepfake fraud far better than any single-channel test. Spear-phishing simulations are personalized to each employee using role and profile data drawn from HR-system integrations, so the practice scenarios feel plausible rather than generic. Simulations are aligned to the NIST Phish Scale for difficulty, run in a growing set of languages, and automatically trigger follow-up training when someone falls for an attempt.

The platform also closes the loop that the LastPass case showed to be decisive. Its Report Phishing add-on lets an employee report a suspicious message in one click, and it distinguishes real threats from training simulations so that genuine attacks reach the security team quickly while a reported simulation credits the employee. That is the verify-and-report reflex turned into a habit. For organizations whose executives are high-value targets, Brightside offers deepfake video scenarios as a managed, white-glove service run by its team, matching the targeted nature of real deepfake-video fraud rather than presenting it as a self-serve feature. Positioned this way, Brightside is not a replacement for out-of-band verification and dual approval. It is the piece that makes those controls reflexive, by giving employees repeated, realistic practice at recognizing pressure and reaching for a trusted second channel before they act.

Try our vishing simulator

Experience the most advanced voice phishing simulator built for security teams. Create scenarios, test voice cloning, and explore automation features.

Deepfake Fraud FAQs

What is deepfake fraud, and how is it different from regular phishing or BEC?

Deepfake fraud uses AI-generated synthetic media, cloned voices, fabricated video, or manipulated images, to impersonate a real person and trick a victim into sending money, handing over credentials, or granting access. Traditional phishing and business email compromise rely mostly on text and forged sender details. Deepfake fraud adds a far more convincing layer of proof by faking the sight and sound of a trusted individual, which is why it defeats the instinct that a familiar voice or face confirms identity. In practice the two blend: a text-based lure is increasingly reinforced by a cloned-voice call or a deepfake video meeting.

How much money has deepfake fraud cost, and is the $3.7 billion figure reliable?

Surfshark's 2026 research puts documented global losses at least $3.7 billion, built from public incident databases. It is a reasonable, conservative estimate rather than a precise measurement, because it only counts incidents with publicly reported financial losses, and analysis suggests fewer than 5% of voice-clone victims report at all. Other sources support the scale and trajectory from different angles, including FBI IC3's $893 million in audited AI-fraud losses in 2025 and Deloitte's projection of $40 billion in annual US AI-fraud losses by 2027. Treat any single figure as directional, and assume the true total is higher.

Can employees be trained to spot deepfakes?

Not reliably, and that should not be the goal. Studies show humans identify high-quality deepfakes only around a quarter of the time, roughly coin-flip performance. Training is still essential, but its purpose is to build an automatic habit of verifying unusual or high-stakes requests through a separate trusted channel, not to teach people to notice visual or audio artifacts that modern tools no longer produce. The reliable skill is the verification reflex, and it is built through realistic, repeated simulation.

What is the single most effective control against deepfake fraud?

Out-of-band verification for any sensitive request, using a contact method from your own records rather than one provided during the interaction. Combined with dual approval for high-value transfers and a mandatory hold on unusual transactions, it means a successful impersonation still cannot complete its objective. Process controls that deny the outcome outperform any attempt to detect the fake, whether by human judgment or software.

How do deepfakes bypass identity verification (KYC) and voice authentication?

Through injection attacks. Instead of holding a fake image up to a camera, attackers feed a synthetic video or audio stream directly into the verification pipeline using virtual cameras or manipulated device inputs, defeating simple liveness checks like blink tests and voice-match systems. The 2025 to 2026 Amsterdam case, where a man opened 47 bank accounts by beating a selfie-versus-ID check with face-swap imagery, is a clear example. Defending the enrollment gate requires liveness detection with injection-attack protection and offsite forensic analysis, not just a face or voice match.