Case Study: Deepfake Voicemail Drop and SMS Attack.

We’re sharing stats from one of our most recent engagements to show how effective Deepfake social engineering can be when executed against Financial Services companies.

56.25% of users clicked on a link as part of this engagement.

15.7% divulged credentials on a phishing landing page.

Deepfake is a major threat; it’s not just a parlor trick.

We conducted an attack simulation against a North American Financial Services company, targeting company-owned cell phones. The company was concerned about Deepfakes and wanted to assess organizational and user susceptibility to them.

The Breacher.ai Red Team launched a sophisticated cyber attack using Deepfake audio of the company CEO. Beforehand, our team conducted OSINT reconnaissance and was able to source ample video content online from which to clone the CEO’s voice.

We used a novel technique called voicemail drops. Using a spoofed number, we sent a cloned Deepfake voice message personalized to each user. The call rings once from an unknown number and appears to hang up. What it is actually doing is ringing silently and connecting to voicemail.

A Deepfake audio message is dropped, pretending to be the CEO and requesting that the individual perform an action. A follow-up attack is then launched via SMS with a phishing domain link and a Microsoft look-alike page. The SMS message asks employees to log in.

The spoofed phone number is a local number in the same area code as the home office. The number is set up as a relay service and auto-responder. If a user decides to call back, the call goes automatically to a voicemail greeting that is a Deepfake recording of the CEO. Any phone call or text message to the number gets an automatic response containing a phishing link to the login page.

Our simulations are all aligned with targeted awareness training. Each user that clicked received a short 25-second video explaining what Deepfake audio is and providing guidance on how to report it to the security team next time.

As an outcome, the organization now has a clear understanding of how vulnerable they are to Deepfake Audio, and users have been educated, reducing future risk to the organization.

Additionally, the organization is helping prepare their users for future attacks and confirming escalation points for employees so they know how to respond in the future.

Employees have now been exposed to a Deepfake attack and know what to do and how to respond in the future.

Deepfakes

There’s a lot of Fear, Uncertainty and Doubt (FUD) being spewed in the marketplace about Deepfakes. Headlines proclaim how disastrous they’ll be, and advice to “prepare” is abundant, but actionable guidance is rare.

We’ll cut through the noise and shoot it straight in this article.

By now, most people understand what a deepfake is: synthetic media altered with AI to create hyper-realistic audio, video, or images that depict someone real saying or doing things they never did. Deepfakes represent one of the most insidious threats of our time, but they are not insurmountable: they are manageable with the right strategies.


TL;DR: Deepfake Defense Essentials

The following guidance applies to most typical organizations, but security is unique to each organization. There’s no one-size-fits-all approach to Deepfakes. KYC is another approach, but it is geared more towards organizations that onboard customers, such as credit card companies.

Adopt a Risk-Based Approach: Assess your organization’s exposure to deepfakes and plan accordingly.

Harden Processes Against Social Engineering: Identify weak spots in workflows that could be exploited.

Test and Train Employees: Ensure users recognize deepfake threats and know how to respond. Test for Deepfake susceptibility and understand your risk.

Use Defense in Depth: Combine processes, user awareness, technology, and controls to mitigate risks.

Prepare for the Worst: Have an incident response plan ready to tackle deepfake-related crises. This is not FUD; make sure the plan is in place.

Summary: We do not believe Deepfake is a fully solvable problem; there’s no silver bullet. Preparation using a risk-based approach is the best response.

Deepfake Threats to Expect in 2025

Based on current trends, these threats are likely to dominate the landscape:

  1. Deepfake Audio and Voice Phishing: Combined with SMS and social media to deceive targets.
  2. Deepfake Live Video in Virtual Meetings: Used to impersonate executives, partners or vendors. Also, employee impersonation for hiring fraud. Watch HR in the next year…
  3. Hybrid Phishing Attacks: Blending email, documents, images, and deepfakes into multi-layered schemes.

Double-extortion scams and fraud are a growing concern for Deepfakes as well. In these, exfiltrated data is held hostage in combination with a Deepfake attack.

Due to the nature of Deepfakes, expect attacks to be highly targeted and concentrated, in the style of spear phishing.

What’s the approach we should focus on?

Use a Risk Based Approach.

  1. Risk Exposure: Map out your exposure and Risk to Deepfake first.
    The Risk will look different for each organization.
  2. Measure Risk Impact: the Impact of a Deepfake Incident.
    In some cases, what you need to protect isn’t worth the effort to address it.
  3. Qualify and Quantify the Risk: Understand the likelihood and rank.
    About 43% of organizations have had some sort of Deepfake incident so far. That number is expected to grow exponentially this year.
  4. Risk Response: Map out your response for each threat.
    Some organizations will have adequate controls. They’re typically a combination of people, process and technology. However, the Human Factor is outsized for this threat. It’s not systems that will be targeted but your co-workers and employees.
  5. Implement Your Response Plan: Put your response plan in action and prepare for the worst case scenario with an incident response plan. Consider doing a Table Top Exercise.

    No FUD, just shooting it straight. Always prepare for the worst case.

When addressing deepfake risks, prioritize processes, people, and technology in that order, recognizing that vulnerabilities vary by organization. Assess which departments, functions, and users are most exposed, such as Finance, Accounting, HR, or Helpdesk, and evaluate the potential impact of deepfake breaches. For instance, a low-impact scenario might involve a minor financial loss, while a high-impact scenario could compromise critical trade secrets.

Quantify the risks and determine if mitigation efforts are justified by the potential losses; if not, just accept the risk. Develop a response plan that includes technological solutions and user awareness training to ensure preparedness and resilience. Test your processes, policies and procedures… They need to be Bulletproof.

One of the biggest challenges with Deepfakes is a person of authority overruling procedure. Employees may not challenge a C-Suite Deepfake before conducting a transaction.

A Risk-Based Approach to Protecting Organizations from Deepfakes

Deepfakes are not just a technological curiosity—they are a serious risk with potential for significant financial, reputational, and operational harm. To address this emerging threat, organizations should adopt a risk-based approach, systematically identifying vulnerabilities, assessing potential impacts, and prioritizing actions to mitigate the risk.


Step 1: Risk Assessment

A comprehensive risk assessment helps organizations understand their exposure to deepfake threats.

  1. Identify Assets at Risk:
    • People: Executives, public-facing employees, and those with access to sensitive systems.
    • Processes: Financial workflows, authentication protocols, and communication channels.
    • Reputation: The organization’s brand and public trust.
  2. Understand Threat Vectors:
    • Impersonation in video or audio calls.
    • Synthetic identity creation for fraud.
    • Disinformation campaigns targeting the brand or leadership.
  3. Assess Likelihood and Impact:
    • Likelihood: Evaluate the organization’s public visibility, access to data, and attractiveness as a target.
    • Impact: Quantify potential damages, including financial loss, reputational damage, and operational disruption.

Step 2: Develop Risk Mitigation Strategies

Based on the risk assessment, organizations should prioritize mitigation strategies to address critical vulnerabilities.

1. Strengthen Communication Protocols

  • Verification Mechanisms: Require independent verification for sensitive requests (e.g., callback protocols for financial approvals).
  • Keyword Systems: Establish unique, pre-determined codes for authenticating high-stakes conversations.
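
The two controls above, combined into one check, as an added example (not Breacher.ai's code). The directory entry, shared code, field names and phone numbers are all constructed for illustration. It encodes the lesson from the case study: a callback only counts when it goes to the directory number, because the number the message came from is a relay the caller controls.

```python
import hmac
import re
from dataclasses import dataclass

# Constructed sample data (hypothetical directory number and pre-shared code).
DIRECTORY = {"ceo": "+1 (555) 010-0100"}
SHARED_CODES = {"ceo": "amber-falcon-42"}


def normalize(number: str) -> str:
    """Reduce a phone number to digits and drop a leading North American '1'."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


@dataclass
class Request:
    claimed_sender: str   # who the voicemail or SMS claims to be from
    inbound_number: str   # caller ID on the message (can be spoofed)
    callback_number: str  # number the employee actually dialed to verify
    spoken_code: str      # code given by the person who answered


def verify(req: Request) -> tuple[bool, str]:
    """Apply the callback and keyword checks; return (approved, reason)."""
    listed = DIRECTORY.get(req.claimed_sender)
    expected = SHARED_CODES.get(req.claimed_sender)
    if listed is None or expected is None:
        return False, "sender not enrolled for verification"
    dialed = normalize(req.callback_number)
    if dialed != normalize(listed):
        # Calling back the inbound number proves nothing: the caller owns it.
        if dialed == normalize(req.inbound_number):
            return False, "callback went to inbound number, not directory number"
        return False, "callback number not in directory"
    # Constant-time comparison of the pre-determined code.
    if not hmac.compare_digest(req.spoken_code.encode(), expected.encode()):
        return False, "keyword mismatch"
    return True, "verified out of band"
```
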

2. Enhance Employee Training

  • Conduct workshops to teach employees to STOP when they encounter deepfake indicators, such as scenarios that apply pressure.
  • Use the STOP framework (Slow Down, Trust Less, Origin Verification, Policy, Procedure and Process) as a practical guide for addressing potential deepfakes.
  • Avoid teaching people to “Spot” Deepfakes through visual or audio inconsistencies. Focus on context instead.

3. Deploy Technical Solutions

  • Integrate real-time deepfake detection tools into critical platforms (e.g., video conferencing, email filtering).
  • Use a brand protection service to reduce executive exposure from impersonations.

4. Secure Organizational Data

  • Implement data loss prevention (DLP) solutions to protect sensitive information.
  • Limit access to sensitive recordings or public appearances that could be exploited for deepfake generation.
  • Upload background music for C-level videos that are shared publicly.
  • Use 2FA wherever possible.
  • Check your policies, procedures and processes.

5. Incident Response Preparation

  • Develop a playbook for deepfake scenarios, outlining steps for detection, verification, and response.
  • Establish a crisis communication plan to counter disinformation and maintain trust if a deepfake attack targets the organization.

Step 3: Monitor and Adapt

Deepfake technology evolves rapidly, requiring organizations to stay vigilant and proactive.

  1. Regular Risk Reviews:
    • Periodically reassess risks as deepfake technology advances and organizational priorities shift.
  2. Simulate Scenarios:
    • Conduct deepfake attack simulations to test the organization’s preparedness and response mechanisms.
  3. Stay Informed:
    • Monitor developments in deepfake detection technologies and integrate updates as necessary.
    • Stay attuned to industry-specific threats and share insights through security networks.
  4. Collaborate and Advocate:
    • Partner with industry groups and regulatory bodies to address the broader deepfake challenge.
    • Advocate for policies that promote transparency and accountability in AI technologies.

Prioritization Matrix

To operationalize a risk-based approach, map potential deepfake scenarios using a Likelihood vs. Impact matrix:

| Likelihood | Impact | Priority           |
|------------|--------|--------------------|
| High       | High   | Immediate Action   |
| High       | Low    | Routine Monitoring |
| Low        | High   | Preparedness       |
| Low        | Low    | Periodic Review    |

This structured evaluation ensures resources are focused where they are needed most.


Key Takeaways

Deepfakes are here to stay, and while they represent a complex challenge, organizations can mitigate this growing threat by combining technology, training, and well-hardened processes.

Deepfakes are a sophisticated and evolving threat, but with the right strategies, organizations can turn vulnerability into resilience. By adopting a risk-based approach that integrates training, technology, and robust processes, businesses can effectively counter this challenge while strengthening their overall security posture.

B2B organizations are particularly vulnerable to deepfake attacks due to the reliance on trust, real-time communication, and high-stakes financial decisions. Protecting against these attacks requires a multi-faceted strategy that combines awareness training, technological defenses, and robust authentication processes. By anticipating these threats, businesses can fortify their operations and maintain resilience in an increasingly deceptive digital landscape.

By taking a risk-based approach, organizations can transform the challenge of deepfakes into an opportunity for strengthening their overall security posture. Combining vigilance, training, advanced technology, and adaptive processes builds resilience against this sophisticated threat.

We help organizations assess Deepfake Risk and integrate deepfake protection into their broader risk management strategies. Contact us to learn more.


About the Author: Jason Thatcher

Jason Thatcher is the Founder of Breacher.ai and comes from a long career of working in the Cybersecurity Industry. His past accomplishments include winning Splunk Solution of the Year in 2022 for Security Operations.