3 July 2026
Deepfakes and the Trust Crisis
How deepfakes are fueling both fraud and disinformation, and what the EU AI Act's new transparency rules mean for organizations.
Deepfake technology has moved well past novelty. Synthetic voice and video are now convincing enough to defeat the informal verification checks most organizations still rely on, such as a familiar voice on the phone or a face on a video call, and attackers have taken notice. What started as a fraud tool is increasingly a disinformation tool as well, and both problems stem from the same root cause: it is no longer safe to assume that what you see or hear is authentic. This is part of the same shift toward AI-powered attacks reshaping the wider threat landscape.
Fraud: the immediate threat
On the fraud side, deepfake audio and video are being used to impersonate executives and authorize fraudulent payments, bypass identity verification, and manipulate employees into bypassing established controls. These attacks succeed precisely because they target trust in a medium, a voice or a face, that organizations have never had to formally verify before. Traditional controls like callback procedures and multi-person authorization remain effective, but only if staff are trained to expect that the person they are seeing or hearing may not be real.
Disinformation: the slower burn
The disinformation side is less discussed but equally serious: fabricated statements, videos, or endorsements attributed to executives or the organization itself, used to manipulate markets, damage reputations, or mislead customers and partners. Unlike fraud, which targets a single transaction, disinformation attacks the organization's credibility more broadly, and recovery from a viral fabricated video can take far longer than recovery from a single fraudulent transfer.
The new compliance dimension
Regulators are starting to respond. Under Article 50 of the EU AI Act, transparency obligations for AI-generated and synthetic media begin applying on 2 August 2026: providers must mark synthetic content in a machine-readable format, and anyone deploying a deepfake must clearly disclose that the content has been artificially generated or manipulated. For organizations, this adds a new compliance dimension on top of the security one, arriving alongside the broader accountability expectations already introduced by regimes like NIS2. It is no longer enough to detect and respond to deepfake-enabled attacks; organizations that generate or distribute AI-generated content also need processes to label it correctly and demonstrate compliance. Treating deepfake risk as a single problem spanning fraud prevention, reputational monitoring, and regulatory compliance is the only approach that addresses the full scope of the threat.
What organizations should do
Defending against synthetic media means treating any voice or face as unverified until proven otherwise. Practical starting points:
- Verify out of band. Confirm high-risk requests such as payments, credential changes, and access to sensitive data through a separate, pre-agreed channel, never within the call or message that made the request.
- Keep multi-person controls. Callback procedures and multi-person authorization still work, provided no single voice or video can override them.
- Train for the new normal. Make sure staff expect that a familiar face or voice may be synthetic, and know it is acceptable to pause and verify.
- Build a labeling process. If your organization produces AI-generated content, put a process in place now to mark and disclose it ahead of the August 2026 obligations.
Building these controls into day-to-day operations takes more than a policy document. Our Advisory & Consulting team helps organizations assess their deepfake exposure, design the verification and labeling processes the EU AI Act now expects, and turn them into practices staff actually follow.
How secure are you, really?
Let our experts help you build a resilient defense, tailored to your business needs.