Centre For Cybersecurity Institute

Deepfakes and Social Engineering: The New Face of Digital Deception

How AI-generated deepfakes power social engineering scams in 2026, why Singapore businesses are at risk, and practical steps to defend your team.

By James Lim, CEO and Head of Training · Published 19 June 2026 · Updated 19 June 2026 · 7 min read

Deepfakes are synthetic media — realistic AI-generated video, voice, or images — that can convincingly impersonate any person. When combined with social engineering tactics, they have become one of the most potent and fast-evolving fraud vectors of 2026. For Singapore businesses and individuals, understanding how these attacks work — and building the right habits to counter them — is no longer optional.

What exactly is a deepfake?

A deepfake is created using machine learning models — often Generative Adversarial Networks (GANs) or diffusion models — that are trained on real footage or audio to generate new, synthetic media that mimics the original subject. Until recently, producing convincing deepfakes required specialist skill and expensive computing resources. That is no longer true. Commercially available tools, consumer hardware, and freely accessible training data have lowered the barrier dramatically.

The result is that a passably convincing voice clone of a CEO can now be generated from minutes of publicly available audio — an earnings call, a podcast interview, a company video. Video deepfakes are more resource-intensive but increasingly within reach of well-funded criminal groups.

How do deepfakes supercharge social engineering?

Social engineering is the art of manipulating people rather than systems. It exploits predictable human responses — trust in authority, fear of consequences, desire to be helpful, time pressure — to bypass technical controls entirely. Deepfakes give social engineering a significant upgrade by making the impersonation feel viscerally real.

Classic social engineering relied on a spoofed email address or a convincing script over the phone. Today’s attacks can use a cloned voice on a WhatsApp call or a real-time video that appears to show your company’s chairman asking you to authorise a transfer before the end of the day. The psychological effect is very different. A dubious email is easy to pause on; a call from someone who sounds and looks exactly like your boss is much harder to refuse.

The three highest-impact attack patterns

CEO fraud and business payment diversion. This is the most financially damaging variant. An employee with authority to move money — finance, accounts payable, or an executive assistant — receives a call or video message from an apparent senior leader, instructing them to make an urgent, confidential transfer. The deepfake provides the authentication the employee would otherwise demand. Confirmed losses in regional incidents have reached tens of millions of dollars.

Extortion and reputation attacks. Deepfakes can fabricate compromising footage of private individuals or public figures that never occurred. These are used for blackmail, reputational damage, or to coerce a target into complying with demands — paying money, handing over credentials, or staying silent about wrongdoing.

Disinformation and institutional erosion. Fabricated video of politicians, executives, or officials making statements they never made can move markets, destabilise public trust, or inflame conflict. Singapore, as a regional financial and media hub, is not immune to these influence operations.

Why Singapore organisations are particularly exposed

Singapore’s position as a regional headquarters hub means companies here often have legitimate, complex, cross-border financial flows — the exact environment social engineering attacks are designed to exploit. A regional CFO instructing a local finance team to move funds to a new account for an overseas acquisition is entirely plausible, which makes it the perfect cover story for a deepfake attack.

The threat is documented locally. The Singapore Police Force, CSA, and MAS have issued joint advisories warning businesses about AI-powered impersonation attacks. The CSA’s cybersecurity outlook reports consistently flag social engineering — now augmented by synthetic media — as a primary risk for Singapore enterprises. Individuals are equally at risk: voice-clone scams impersonating family members or government officials have been reported to the police’s anti-scam command.

The cat-and-mouse problem with detection technology

Technical deepfake detection tools exist. They look for tell-tale artefacts: unnatural blinking patterns, lip-sync errors, lighting inconsistencies, audio compression signatures. They are genuinely useful — as one layer in a defence-in-depth approach.

The problem is the pace of development. Detection tools trained on last year’s deepfakes are progressively less effective against this year’s. Models improve continuously, and attackers have strong incentives to test their outputs against publicly available detectors before deploying them. Organisations that rely solely on a technology tool to catch deepfakes are playing a game they will eventually lose.

The more durable controls are procedural and behavioural.

What practical defences actually work?

1. Establish a two-channel verification rule

Any request for an unusual or high-value action — a payment, a credential reset, access to sensitive data — must be verified through a second, pre-agreed channel. If the instruction arrived by video call, call back on the person’s known internal number. If it came by messaging app, verify by phone on the company directory number. This rule holds regardless of how convincing the original contact appeared. A real executive asking a legitimate question will not object to a ten-second callback.

This single habit defeats the majority of deepfake-enabled fraud.

2. Train people to recognise pressure tactics

The deepfake is rarely the whole attack — it is the opener. The attack’s real engine is the social engineering script: urgency, secrecy, authority, and fear. Training your team to recognise these pressure levers — and to treat them as a stop signal rather than a reason to comply faster — neutralises the attack even when the deepfake is convincing. Regular simulated exercises reinforce the habit.

3. Harden authentication and access controls

Multi-factor authentication (MFA) limits what an attacker can do even after a successful impersonation. For financial controls, implement dual-approval requirements for transfers above a threshold. Restrict the ability to change payment details (beneficiary accounts, bank details) through a separate, verified workflow that cannot be bypassed via a phone call or message alone.
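The two-channel rule and the dual-approval and beneficiary-change controls described above can be enforced in the payment workflow itself, so that a convincing call cannot talk one person past them. The following is an added example, not part of the original article; the threshold, channel names, account identifiers and field names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy values (not from the article); set them from your own finance policy.
DUAL_APPROVAL_THRESHOLD = 10_000
CALLBACK_CHANNELS = {"directory_phone", "in_person"}  # pre-agreed second channels


@dataclass
class PaymentRequest:
    requester: str
    amount: float
    beneficiary_account: str
    origin_channel: str                 # where the instruction arrived
    verified_via: Optional[str] = None  # channel used for the callback, if any
    approvers: set = field(default_factory=set)


def release_blockers(req, verified_beneficiaries):
    """Return the reasons a payment must be held; an empty list means release."""
    blockers = []
    # Two-channel rule: the callback must use a pre-agreed channel that is
    # not the one the instruction arrived on.
    if req.verified_via not in CALLBACK_CHANNELS or req.verified_via == req.origin_channel:
        blockers.append("not verified on a second, pre-agreed channel")
    # Dual approval above the threshold: two people, neither being the requester.
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(req.approvers - {req.requester}) < 2:
        blockers.append("dual approval missing")
    # Beneficiary details are accepted only from the separate verified workflow.
    if req.beneficiary_account not in verified_beneficiaries:
        blockers.append("beneficiary not set through the verified workflow")
    return blockers


# Constructed sample data: an urgent video-call instruction to a new account,
# and the same kind of payment after the procedure was followed.
VERIFIED = {"SG-ACCT-0001"}
urgent = PaymentRequest("finance.exec", 250_000, "XX-ACCT-9999", "video_call",
                        approvers={"finance.exec"})
routine = PaymentRequest("finance.exec", 250_000, "SG-ACCT-0001", "email",
                         verified_via="directory_phone",
                         approvers={"controller", "cfo"})

if __name__ == "__main__":
    print(release_blockers(urgent, VERIFIED))
    print(release_blockers(routine, VERIFIED))
```

Because the gate returns every unmet condition rather than a single yes/no, the held request doubles as a record for the reporting channel.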

4. Reduce your organisation’s public audio and video footprint where practical

Every minute of publicly available footage of a senior leader is potential training data for a voice or video clone. This does not mean going dark — thought leadership, media appearances, and public communications have genuine value. But it is worth auditing what is out there and being deliberate about new content, particularly high-resolution audio recordings.

5. Build a reporting culture

People who suspect a deepfake attack often stay silent because they feel uncertain or embarrassed about flagging something a colleague might dismiss. Create a clear, low-friction channel for reporting suspected social engineering attempts. Near-misses that get reported become the best training data for your whole organisation.

Regulation and the broader policy response

Singapore’s regulatory posture on AI-generated content is evolving quickly. The Protection from Online Falsehoods and Manipulation Act (POFMA) and the Online Safety Act both provide some coverage for malicious synthetic media, and CSA’s guidelines on technology risk management are increasingly specific about AI-related threats. Regionally, there is growing alignment around requirements for AI content provenance and disclosure.

For most organisations, the regulatory dimension is worth monitoring but should not be the primary motivation for action. The operational risk is sufficient.

The human layer is the decisive one

Every high-profile deepfake attack that has been stopped was stopped by a person who paused and checked — not by a detector algorithm. The technology threat is real and it will intensify. But the defences that consistently work are grounded in well-trained, appropriately sceptical people who have clear verification procedures and feel empowered to use them.

That is good news, because it means the investment organisations need to make is in people and process, not in an arms race with the latest detection software.

For a broader look at how AI is reshaping both the threat landscape and the defence toolkit, see our guide on the role of artificial intelligence in cybersecurity.


If this kind of threat-awareness training interests you — either for your team or as a foundation for a cybersecurity career — CFCI runs a free information session where you can ask questions and see what hands-on cybersecurity training looks like in practice. There is no obligation to enrol. Register for the next session here.

Frequently Asked Questions

What is a deepfake and how is it used in social engineering?

A deepfake is AI-generated synthetic media — video, audio, or images — that realistically impersonates a real person. In social engineering, attackers use deepfakes to impersonate executives, colleagues, or authority figures and manipulate targets into transferring funds, disclosing credentials, or taking harmful actions. The realism makes the pressure feel legitimate, which is why awareness and verification habits are the strongest defences.

How can I tell if a video or voice call is a deepfake?

Common technical tells include slight lip-sync delays, unnatural blinking, blurring at the edges of faces, and audio that sounds slightly compressed or robotic. However, technology alone is unreliable — the better defence is a process one: any request for an unusual action (payment, data access, credential change) should always be verified through a second, pre-agreed channel, regardless of how convincing the caller appears.

Are deepfake attacks happening in Singapore?

Yes. The Singapore Police Force, the Cyber Security Agency of Singapore (CSA), and the Monetary Authority of Singapore (MAS) have all issued advisories warning that AI-powered impersonation scams — including deepfake voice and video calls — are being used against Singapore businesses and individuals. Losses in confirmed regional cases have reached tens of millions of dollars.

What can organisations do to reduce deepfake social engineering risk?

The most effective controls are human and procedural: train staff to recognise social engineering pressure tactics, enforce a two-channel verification rule for high-value or unusual requests, implement multi-factor authentication, and run regular simulated phishing and impersonation exercises. Technical detection tools help but should be treated as a supplement, not a replacement, for strong verification habits.
