If a Singapore business wants to stop deepfake CEO fraud, the single most effective control is a verification rule: before releasing any high-value or unusual payment, confirm the request through a second, pre-agreed channel, such as calling the executive back on their known internal number. No realistic voice or video should ever override that step.
This guide explains how these AI-driven scams work, the warning signs to train your team on, and the simple payment-verification habit that defeats them.
What is deepfake CEO fraud?
Deepfake CEO fraud is a scam in which criminals use AI-generated voice or video to impersonate a senior leader and pressure an employee into making an urgent payment. It is the AI-powered evolution of business email compromise (BEC), the long-running scam where attackers pose as a boss or supplier to redirect funds.
What has changed is realism. Where a fraudster once relied on a spoofed email, they can now stage a convincing WhatsApp or video call that looks and sounds like your chairman or CEO. The instruction feels personal and legitimate, which is exactly what makes it dangerous.
The mechanics are familiar even when the technology is new. A staff member with authority to move money is contacted, told a confidential and time-sensitive deal is underway, and instructed to transfer funds, often to a new account. By the time anyone checks, the money is gone.
How big is the threat in Singapore?
The threat is real and local, not a distant headline. In April 2026, the Singapore Police Force, the Monetary Authority of Singapore (MAS) and the Cyber Security Agency of Singapore (CSA) issued a joint advisory on scams involving digital manipulation, warning that AI deepfakes are being used to impersonate executives and authorise fraudulent transfers.
The advisory followed concrete cases. In one widely reported incident, the chief executive of a Singapore-based firm received a call from someone posing as the chairman of the company’s overseas headquarters and was told to fund an acquisition. The company transferred a sum reported in the tens of millions of US dollars before the deception was uncovered through a check with the real chairman.
The lesson is not that the technology is unbeatable. It is that the one thing that exposed the fraud, an independent check with the real person, is the control every business can put in place today.
How does a deepfake payment scam actually unfold?
These scams follow a recognisable pattern. Understanding the sequence helps your team spot it while there is still time to stop the payment.
- Target selection. Attackers identify who can move money: finance staff, accounts payable, or an executive assistant. They often research the organisation chart from public sources.
- The approach. First contact usually arrives through a messaging app, email or a video call that appears to come from a senior leader or a known counterparty.
- The story. The request is wrapped in a plausible, confidential scenario: an acquisition, an urgent supplier payment, a regulator deadline. Secrecy is built in so the employee does not check with colleagues.
- The pressure. Urgency removes the pause that would otherwise trigger a verification. The employee is made to feel that questioning the instruction is questioning the boss.
- The payment. Funds are sent, frequently to a new beneficiary or an overseas account, then quickly moved on.
Notice that only one of these stages involves the deepfake itself. The rest is classic social engineering. That is good news, because it means your defences do not depend on detecting perfect fakes.
What are the warning signs your staff should know?
Train your team to treat the combination of urgency, secrecy and a change to the normal payment routine as a stop signal, no matter how convincing the voice or face appears.
The behavioural red flags matter most because they hold even when the deepfake is flawless:
- Urgency: “This has to happen in the next hour.”
- Secrecy: “Do not discuss this with anyone, it is confidential.”
- A break from routine: a new bank account, an unfamiliar beneficiary, or an unusual overseas transfer.
- Authority pressure: discomfort about questioning a senior leader.
There are also technical tells on a live deepfake call, though you should never rely on these alone. CSA’s guidance notes possible lip-sync delays, unnaturally stiff facial expressions, audio distortion, and blurring around the mouth or eyes. The safe rule is simple: a request that fails the behavioural test should be verified even if the video looks perfect.
How should a Singapore business verify high-value payment requests?
Verify every high-value or unusual payment request through a second, pre-agreed channel before any funds move. If a request arrives by email, video or messaging app, confirm it by calling the requester on their known internal number, never a number or link supplied in the request itself.
This single habit, often called callback verification or out-of-band verification, is the control the SPF, MAS and CSA joint advisory points to. It works because the attacker controls the channel they contacted you on, but not your independent, pre-established one.
A practical control set looks like this:
- A callback rule. Any payment above a set threshold, or any change to beneficiary details, must be verified by phoning the requester on a number already held in your records.
- Dual authorisation. High-value transfers require two named approvers, so no single person can be socially engineered into releasing funds alone.
- A pre-agreed code word for the most sensitive instructions, known only to the people who genuinely need it.
- Limited authority. Keep the number of staff who can move money or change payment details small, and make sure each of them knows the verification rule is mandatory, even when the CEO appears to be asking.
Crucially, make verification a protected act. Staff must know they will be thanked, never punished, for pausing a payment to check, even if the request turns out to be genuine.
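For teams that encode this rule in a payment workflow, the sketch below shows the callback and dual-authorisation checks as a release gate. It is an added example, not code from the advisory or from any product; the threshold, names, extension and account labels are constructed, and treating "not in the payee list" as a beneficiary change is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# All values below are constructed for illustration.
CALLBACK_THRESHOLD = 20_000                 # hypothetical "set threshold"
NUMBERS_ON_RECORD = {"ceo": "ext. 1001"}    # known internal numbers
KNOWN_BENEFICIARIES = {"ACME-SUPPLIES-01"}  # accounts already in the payee list
NAMED_APPROVERS = {"alice", "bob", "carol"}


@dataclass
class PaymentRequest:
    requester: str                          # who the request claims to be from
    amount: int
    beneficiary: str
    callback_dialled: Optional[str] = None  # number staff actually phoned
    callback_confirmed: bool = False        # requester confirmed on that call
    approvals: set = field(default_factory=set)


def release_blockers(req: PaymentRequest) -> list:
    """Return reasons the payment must be held; an empty list means release."""
    blockers = []
    high_value = req.amount > CALLBACK_THRESHOLD
    new_beneficiary = req.beneficiary not in KNOWN_BENEFICIARIES

    if high_value or new_beneficiary:
        on_record = NUMBERS_ON_RECORD.get(req.requester)
        if on_record is None:
            blockers.append("no number on record for requester")
        elif req.callback_dialled != on_record:
            # Catches a skipped callback and a call to a number taken
            # from the request itself.
            blockers.append("callback not made to number on record")
        elif not req.callback_confirmed:
            blockers.append("requester did not confirm on callback")

    if high_value and len(req.approvals & NAMED_APPROVERS) < 2:
        blockers.append("two named approvers required")
    return blockers
```

The gate never looks at how convincing the request was, only at whether the independent channel and the second approver were actually used.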
Why technology alone will not solve this
Email filters and fraud-detection systems are necessary, but they cannot catch a cloned face or voice on a phone call. The decision point in a deepfake scam is a human being choosing whether to pay, which is why the control that matters lives in your people and your process.
This is the same principle behind Singapore’s national cyber-hygiene certifications. CSA’s Cyber Essentials and Cyber Trust marks both expect organisations to manage people-related risk, not just deploy tools, because most incidents still begin with a person being deceived.
It also connects directly to the wider discipline of social-engineering defence. Deepfake CEO fraud is, at heart, a sophisticated phishing attack carried over voice and video. The habits taught in phishing and employee training in Singapore, pausing under pressure and verifying before acting, are the same habits that defeat a deepfake.
How to build this into your team’s habits
A verification rule only works if people use it under pressure, and that takes practice, not a one-off memo. The aim is to make pausing-to-verify the automatic response, so that an urgent, secretive payment request triggers a callback before it triggers a transfer.
In our experience delivering corporate cybersecurity awareness training in Singapore, behaviour changes when staff rehearse the exact moment of decision, not when they sit through a slide deck. Walk finance and admin teams through a realistic deepfake scenario, let them practise the callback, and make the rule something they own rather than something imposed on them.
Three steps to start this week:
- Write the rule down. Define your payment-verification threshold, the callback requirement, and who must approve high-value transfers. Keep it to one page.
- Brief the people who pay. Make sure finance, accounts payable and executive assistants know the rule and know they are protected when they use it.
- Rehearse it. Run a short, realistic scenario so the habit is built before a real attack arrives.
For a broader look at how AI is reshaping both attack and defence, see our guide to the role of artificial intelligence in cybersecurity.
Where CFCI fits
The technology behind deepfakes will keep improving. The defence that holds, a workforce that pauses and verifies before paying, is something you can build now.
That is the gap our corporate programme is designed to close. Cyber Safety: Empowering Employees in Digital Defence is built for non-technical, non-managerial staff and rehearses exactly the kind of social-engineering and payment-fraud scenarios covered here. If you would like to prepare your finance and admin teams for AI-driven impersonation, explore our programmes for businesses or get in touch to discuss a tailored rollout.
For the official position, read the SPF, MAS and CSA guidance on combatting scams and CSA’s resources at csa.gov.sg.
Frequently Asked Questions
What is deepfake CEO fraud?
Deepfake CEO fraud is a scam where criminals use AI-generated voice or video to impersonate a senior executive, then pressure a finance or admin staff member into making an urgent payment or transfer. It is a high-tech version of business email compromise (BEC). The synthetic call or video makes a fake instruction feel authentic, which is why a verification habit, not technology alone, is the main defence.
How can a Singapore business verify a high-value payment request?
Verify every high-value or unusual payment request through a second, pre-agreed channel before releasing funds. If the instruction arrives by email, video call or messaging app, call the requester back on their known internal number, never a number supplied in the request. The Singapore Police Force, MAS and CSA joint advisory recommends exactly this kind of independent verification through an established internal channel.
What are the warning signs of a deepfake payment scam?
The strongest warning sign is a request that combines urgency, secrecy and a change to normal payment routine, such as a new beneficiary account or an overseas transfer. Deepfake calls can also show lip-sync delays, stiff facial expressions, or audio distortion. Treat any senior executive who demands speed and discretion over verification as a red flag, regardless of how convincing the voice or face appears.
Does cybersecurity awareness training help against deepfake fraud?
Yes. Deepfake CEO fraud targets people and process, not just systems, so the most effective control is training staff to pause, recognise the pressure tactics, and follow a verification rule before paying. Email filters cannot detect a cloned face or voice on a phone call. Awareness training that rehearses the callback habit turns a vulnerable employee into the organisation's strongest line of defence.
Who in a company is most at risk from deepfake CEO fraud?
Finance, accounts payable, executive assistants and anyone authorised to move money or change payment details are the primary targets. Attackers study who approves transfers and impersonate the person that staff member would not feel able to question. This is why authority to release funds should be paired with a non-negotiable verification step that applies even when the apparent requester is the CEO.