Deepfakes and business impersonation: how modern scams trick companies and what to do about it

Business impersonation is not new. What has changed is how convincingly criminals can imitate trusted people, such as executives, finance teams, colleagues, and suppliers, across the same channels businesses rely on every day, including email, messaging apps, phone calls, and video meetings.

Business Impersonation

This is when someone pretends to be a real person or organisation your business trusts, for example your CEO, a colleague, your IT team, a supplier, or even a customer, to get you to do something you should not do (UK Finance, n.d.).

Mandate Fraud

Mandate fraud is a well-known business scam where a criminal tricks you into changing payment details, such as a supplier’s bank account, by pretending to be an organisation you pay regularly (City of London Police, n.d.).

Deepfakes and Cloned Voices

Deepfakes are AI-made or AI-edited video, images, or audio that can imitate a real person. The UK’s National Cyber Security Centre (NCSC) has warned that it is becoming harder to tell what is real online, because AI tools can create convincing text, voice and video with low effort and low cost (NCSC, 2025).

How Did Corporate Scams Evolve?

Step 1. Fake Email Scams

Early impersonation scams relied on basic tricks: a convincing email, a familiar name, and an urgent request. Phishing still works because it targets people, not just systems (NCSC, 2018).

Step 2. Targeted Scams Using Real Business Detail

Criminals started doing more homework: learning who approves payments, how invoices work, and which suppliers you use. UK Finance warns that scammers can target businesses for months, building a picture of the structure of a firm and who authorises payments (UK Finance, n.d.).

Step 3. Multi-Channel Pressure (Email Plus Phone Plus WhatsApp)

Today, scams often involve more than one channel. A message might start by email, then switch to a phone call or messaging app to increase urgency and reduce your chance of checking properly (UK Finance, 2025).

Step 4. Deepfakes and Voice Cloning

Deepfakes are not replacing older scams, they are upgrading them. Even if the video is not perfect, it can be convincing enough in a rushed moment. NCSC notes that AI-driven fake content can damage trust and enable more convincing spear-phishing style attacks (NCSC, 2025).

A widely reported case involved the UK engineering firm Arup, where an employee in Hong Kong was tricked into transferring HK$200 million (about £20 million) after joining a video call that appeared to include senior colleagues, but was AI-generated impersonation (The Guardian, 2024).

Why These Scams Work

These attacks usually succeed because of pressure and process gaps, not because people are careless.

Scammers typically use:

  • urgency: “This must happen today”
  • authority: “This is coming from the CEO / finance director”
  • secrecy: “Do not loop anyone else in”
  • routine: “It looks like a normal invoice or supplier update”

The NCSC explicitly warns against relying only on staff being able to spot phishing and recommends a layered approach that includes technical measures and good processes, with training being only one part of the defence (NCSC, 2018).

UK Finance also warns that busy periods, such as when invoices are being processed and accounts finalised, can be exploited by criminals (UK Finance, 2025).

How To Spot an Impersonation or Deepfake Attempt

You don’t need to become an expert in detecting deepfakes, in most cases the biggest warning signs are about the request.

Red flags that should trigger a check

  • The request is urgent and unusual
  • Someone asks you to change bank details or pay a new account
  • You are pushed to switch channels, such as moving from email to WhatsApp or a “quick call” to approve payment
  • You are discouraged from verifying: “I am in a meeting, just do it”

If it is money, bank details, passwords, payroll, or sensitive data, verification is not optional. It is part of doing the job safely (City of London Police, n.d.; NCSC, 2018).

What to do if You Receive a Suspicious Request

A useful guide to follow is Take Five’s Stop, Challenge, Protect (UK Finance, n.d.).

  • 1. Stop
    Pause before acting. Scammers rely on speed and pressure (UK Finance, n.d.).
  • 2. Challenge
    Ask: could this be fake? If the request involves payment or changing bank details, verify it independently using contact details you already have on file, not the details provided in the message.
  • 3. Protect
    If you think you have been scammed, contact your bank immediately.

For reporting in the UK: reporting changed on 4 December 2025, when City of London Police launched Report Fraud, replacing Action Fraud as the national reporting platform (UK Government, 2025).

Online reporting can be found at: UK’s Home for Reporting Cyber Crime & Fraud – Report Fraud or you can call 0300 123 2040.

What to do if You or Your Business is Being Impersonated

Being impersonated is both a security issue and a reputation issue. The goal is to protect others quickly and reduce repeat attempts.

Step 1: Warn staff and key contacts, clearly

Send a short internal alert that says:

  • what happened (in plain terms)
  • what staff must do now (for example, “no bank detail changes without a call-back”)
  • who to report suspicious requests to internally

UK Finance highlights that criminals may research your organisation over time, including information visible on your website (UK Finance, n.d.).

Step 2: Check whether any real accounts were compromised

Phishing often leads to inbox compromise and then impersonation from a real address. NCSC’s guidance covers phishing as a route to credential theft and financial harm, and stresses planning for incidents and responding quickly (NCSC, 2018).

Step 3: Reduce the chance of your domain being abused

You can make it harder for criminals to send emails that look like they come from your business. The UK government guidance explains how unprotected domains can be used for email spoofing and fraud, and recommends protections including DMARC (Government Digital Service and Central Digital and Data Office, 2021).

Also, the NCSC notes that setting up DMARC can stop phishers spoofing your domain (NCSC, 2018).

You do not need to implement this personally. A simple action is to ask your IT provider or security partner: “Are our domains protected against spoofing?”

What LVL1 Recommends

For everyone

  • If it involves money or sensitive info, slow down and verify.
  • If it feels urgent and unusual, treat it as high risk.
  • Use a known number from your directory, not a number in the message.

For finance teams

  • Never accept bank detail changes by email alone. Verify using contact details already on file (City of London Police, n.d.).
  • Use two-person approval for unusual or high-value payments.
  • Make “it is OK to double-check” part of the culture (UK Finance, n.d.).

For leadership teams

  • Make a clear rule: you will not be offended if staff verify requests.
  • Avoid approving payments through informal channels.

For IT and operations

  • Use layered defences, not just training, because some attacks will always get through (NCSC, 2018).
  • Make sure reporting suspicious messages is quick and easy.
  • Review how your organisation would respond if an inbox was compromised.

We at LVL1 can help support you with practical steps such as reviewing processes, improving verification routines, and strengthening protections that reduce impersonation risk.

If you think you need help in this regard, reach out at help@lvl1.co.uk or call us at 01603 517404.

References

City of London Police (n.d.) Mandate and cheque fraud. Available at: https://www.cityoflondon.police.uk/advice/advice-and-information/fa2/fraud/business-fraud/mandate-and-cheque-fraud/ (Accessed: 9 January 2026).

Cifas (2025) ‘AI fuels surge in identity fraud, as people sell their personal information’, Fraudscape six-month report (press release), 5 August. Available at: https://www.cifas.org.uk/newsroom/fraudscape-2025-6monthupdate (Accessed: 9 January 2026).

Government Digital Service and Central Digital and Data Office (2021) Protect domains that do not send email. GOV.UK (last updated 1 March 2021). Available at: https://www.gov.uk/guidance/protect-domains-that-dont-send-email (Accessed: 9 January 2026).

Milmo, D. (2024) ‘UK engineering firm Arup falls victim to £20m deepfake scam’, The Guardian, 17 May. Available at: https://www.theguardian.com/technology/article/2024/may/17/uk-engineering-arup-deepfake-scam-hong-kong-ai-video (Accessed: 9 January 2026).

National Cyber Security Centre (NCSC) (2018) Phishing attacks: defending your organisation (Version 2.0, reviewed 13 February 2024). Available at: https://www.ncsc.gov.uk/pdfs/guidance/phishing.pdf (Accessed: 9 January 2026).

National Cyber Security Centre (NCSC) (2025) Preserving integrity in the age of generative AI (blog post PDF), 29 January. Available at: https://www.ncsc.gov.uk/pdfs/blog-post/preserving-integrity-in-age-generative-ai.pdf (Accessed: 9 January 2026).

UK Finance (n.d.) CEO scam (Take Five to Stop Fraud). Available at: https://www.takefive-stopfraud.org.uk/protect-your-business/ceo-scam/ (Accessed: 9 January 2026).

UK Finance (2025) Protect your business from scams as the end of the tax year nears (Take Five news article), 4 March. Available at: https://www.takefive-stopfraud.org.uk/news/protect-your-business-from-scams-as-the-end-of-the-tax-year-nears/ (Accessed: 9 January 2026).

UK Government (2025) Report Fraud: New service from City of London Police (news story), 4 December. Available at: https://www.gov.uk/government/news/report-fraud-new-service-from-city-of-london-police (Accessed: 9 January 2026).

Leave a Reply

Your email address will not be published. Required fields are marked *