The finance employee at Arup joined a video conference with colleagues. The CFO was there. Other senior staff were there. Everyone looked familiar, spoke naturally, responded in real time. Then the CFO asked him to authorise an urgent transfer. He had doubts — this wasn’t the normal procedure. But he could see everyone on screen. He completed the transfer. HK$200 million. Every person on that video call was an AI-generated deepfake.

That happened in January 2024. It wasn’t a research demonstration — it was a real attack that cost a real company $25.6 million. And it’s the scenario that moved deepfake testing from “emerging threat to monitor” to “component of standard penetration testing scope.”

Security assessments that don’t test an organisation’s resistance to synthetic media are missing an attack vector that sophisticated threat actors have already weaponised. Voice cloning, video deepfakes, and KYC bypass are no longer theoretical.
🎯 After This Article
How deepfakes are used in real attacks — voice cloning fraud, video impersonation, KYC bypass
The deepfake penetration testing methodology — what to test, how to test it, what authorisation you need
Liveness detection — how it works and the bypass techniques that defeat consumer-grade implementations
Voice clone vishing simulations — the executive impersonation test that finds the highest-risk gap
Defences that actually work — why procedural controls outperform technical detection for deepfake fraud
Real Deepfake Attacks — What Has Actually Happened
The defences I recommend almost always prioritise procedural controls over technical ones — the technical detection landscape is too immature to rely on. My deepfake penetration testing methodology follows the same structure I use for all social engineering engagements — scope, authorisation, technique, then documentation. Voice cloning is the attack I demonstrate most often in authorised social engineering red team operations. I track disclosed deepfake attack cases because the documented examples are more persuasive to sceptical executives than any theoretical scenario. The Arup incident is the most documented case, but it’s not isolated. Voice clone CEO fraud has been reported across multiple financial institutions since 2022, with attackers using 30–60 seconds of publicly available audio to generate convincing clones of CFOs and treasury officers. The attack pattern is consistent: a call to a finance employee from a number appearing to belong to a senior executive, an urgent wire transfer request citing a time-sensitive business reason, and a follow-up email chain to reinforce the authority of the request.
KYC deepfake fraud has become a measurable problem for financial institutions offering digital account opening. Synthetic face images and video, generated to match stolen identity documents, are submitted through video verification flows to open fraudulent accounts. Industry fraud prevention data from 2024 indicates that deepfake-assisted identity fraud attempts increased substantially year-over-year, with KYC bypass being the primary attack vector.
📸 Deepfake attack surface mapped by severity. Voice clone fraud and video KYC bypass are Critical because they’re demonstrated at scale in real attacks, require minimal technical barrier (≈30 seconds of audio, commercially available tools), and produce immediate high-value outcomes. Video conference impersonation is High rather than Critical due to the higher technical complexity of real-time deepfake generation — but real-world incidents prove it’s not theoretical.
Voice Cloning — The Vishing Escalation
Voice cloning has fundamentally changed the threat model for phone-based social engineering. Traditional vishing required an attacker with good improvisational skills and a convincing cover story. Modern voice clone vishing requires 30 seconds of the target executive’s audio and access to a commercial voice cloning API. The quality gap between a skilled human impersonator and a voice clone has essentially closed — and in some cases, the clone is more consistent and convincing than a human impersonator would be.
For penetration testing, voice clone vishing simulations test whether finance, HR, and IT staff can resist requests that come with the auditory authority of a senior executive’s actual voice. The test is more valuable than traditional social engineering calls precisely because it tests a control (voice recognition as a trust signal) that most organisations have never thought to evaluate. The majority of staff will not have been trained that “this sounds like the CEO” is no longer a reliable trust indicator.
Test clone quality: read known phrases from actual recordings → compare
# Step 3: Script the pretextual call
Scenario: urgent wire transfer, password reset approval, system access grant
Keep it short — 60-90 seconds is realistic for executive calls
# Step 4: Conduct and document
Record outcome: request completed / questioned / refused / escalated
Note: did target express doubt? apply verification procedure? contact back-channel?
This is your finding — bypass rate + response quality
🛠️ EXERCISE 1 — BROWSER (15 MIN · NO INSTALL)
Research Real Deepfake Attack Cases and Detection Tool Landscape
⏱️ 15 minutes · Browser only
The documented incident record for deepfake fraud is the strongest argument for including synthetic media testing in security assessments — and the detection tool landscape tells you what controls are available to recommend as remediation.
Step 1: Find the full Arup deepfake incident report
Search: “Arup deepfake $25 million video conference 2024”
What was the exact attack flow? How many deepfake participants were on the call?
How long did the fraud go undetected?
What procedural control would have prevented it?
Step 2: Find other documented voice clone fraud cases
Search: “CEO voice clone fraud wire transfer 2023 2024 2025”
Find 2 additional documented cases beyond Arup.
What was the average loss? What was the common failure point?
Step 3: Research liveness detection vendors
Search: “video KYC liveness detection bypass research 2024”
Which vendors publish bypass rates or independent audit results?
What bypass rates have researchers demonstrated against commercial systems?
Step 4: Find deepfake detection tools
Search: “deepfake detection tool enterprise 2025”
List 3 commercial deepfake detection solutions with their claimed detection rates.
Are there free/open source alternatives (e.g. Microsoft VALL-E detection)?
Step 5: Check legal landscape
Search: “deepfake criminalization law 2024 2025 UK US EU”
Which jurisdictions have specific deepfake fraud legislation?
What are the legal implications for penetration testers using voice clones?
✅ The Arup case details reveal the critical failure point: the employee was told to expect the call, reducing their suspicion threshold before it began — social engineering primed the target to accept the deepfake. This “pre-conditioning” pattern appears in multiple documented cases and is the primary social engineering layer that makes deepfake calls effective. Your detection tool research will likely show a significant gap between vendor claims and independent test results — most commercial liveness detection vendors publish their own detection rates rather than third-party audit data, which is worth noting in any recommendation. The legal landscape research (Step 5) is essential before any engagement — several UK, US state, and EU member state laws now specifically criminalise non-consensual deepfakes, and the penetration testing exemption requires documented written authorisation.
📸 Share your pre-conditioning pattern finding from Step 1 in #ai-security.
Liveness Detection and KYC Bypass
Liveness detection bypass is the technical challenge I find most interesting in deepfake research right now. Liveness detection sits between an attacker’s synthetic media and a successful KYC bypass. It’s designed to confirm that the person submitting a verification is present and live — not a photo, video replay, or synthetic generation. The technology spans passive liveness (detecting artefacts of non-live submission without requiring user action) and active liveness (requiring the user to perform actions — blink, turn head, repeat a phrase — that are harder to fake).
Research consistently demonstrates that consumer-grade and many enterprise liveness systems can be bypassed by purpose-built attacks. Video injection — replacing the camera feed at the OS or virtual camera driver level with a pre-recorded or AI-generated video — is the most scalable bypass technique. The liveness check receives what it believes is a live camera feed but is actually a rendered deepfake that responds to timing cues. The quality required to bypass modern liveness detection has increased, but the tools to generate that quality have advanced in parallel.
Deepfake Penetration Testing Methodology
A deepfake component in a penetration test covers two distinct test categories: technical bypass testing (can the synthetic media fool the automated detection systems?) and human susceptibility testing (can the synthetic media fool the people?). Both require separate test plans, separate authorisation scope, and separate reporting sections — because the remediation for technical bypass failures (upgrade the detection system) is different from the remediation for human susceptibility failures (training and procedural controls).
🧠 EXERCISE 2 — THINK LIKE A HACKER (15 MIN · NO TOOLS)
Design a Deepfake Attack Chain Against a Financial Services Target
⏱️ 15 minutes · No tools — adversarial planning only
Thinking through an attack chain from the attacker’s perspective makes the threat model concrete and reveals exactly which controls need to be in place — and in what order — to break the chain.
TARGET: A mid-size investment firm. Public-facing information:
– CFO name and photo available on LinkedIn
– CFO has given 3 conference talks (all on YouTube, ~45 min total)
– Finance team contact form on website lists 4 names and email addresses
– Company uses Zoom for video calls (visible from job postings)
– Wire transfers above £50K require CFO approval per public annual report
ATTACKER’S GOAL: Fraudulent wire transfer of £200,000
DESIGN TASK 1 — Voice Clone Attack
What audio would you use to train the voice clone?
How long would it take to prepare a usable clone?
What’s your pretextual script for the call?
Which finance team member do you target first and why?
DESIGN TASK 2 — Pre-conditioning
What email or message do you send BEFORE the voice clone call
to prime the target to expect and accept it?
How do you make the pre-conditioning email look legitimate?
DESIGN TASK 3 — Video Conference Escalation
If the target says “I need to see you on Zoom before I authorise this”:
What do you do? Is real-time video deepfake necessary, or is there a simpler bypass?
(Hint: think about technical reasons a video might not work)
DESIGN TASK 4 — Breaking the Chain
Identify the single control that would break this chain most reliably.
Where in the sequence would it apply?
Why is “call back to verify” more reliable than deepfake detection software here?
✅ The pre-conditioning step (Task 2) is what separates a successful deepfake attack from a failed one — it reduces the target’s verification instinct before the synthetic call arrives. A well-crafted pre-conditioning email referencing a real deal, real counterparty name, or real internal project creates context that makes the urgent call feel expected. Task 3 reveals a key attacker option: claiming “bad connection, camera not working” is simpler than generating real-time deepfake video — and in a high-pressure scenario, a target who already trusts the voice may accept an audio-only call. The chain-breaking control (Task 4): a mandatory call-back policy to a pre-registered number defeats the attack regardless of how convincing the voice clone is — the attacker cannot receive a call to the real CFO’s registered mobile number.
📸 Write your Task 2 pre-conditioning email subject line and share in #ai-security.
Defences — Procedural Over Technical
Technical deepfake detection is improving but remains insufficient as a primary control. Detection models are trained on known deepfake generation methods and lag behind the latest generation tools. An organisation that relies solely on its KYC vendor’s liveness detection, without procedural backup controls, is betting that the vendor’s detection keeps pace with attack tool development — a bet that security history suggests is rarely safe.
Procedural controls are more durable: a mandatory call-back verification policy defeats voice clone fraud regardless of clone quality. Multi-person authorisation for large transfers defeats single-point impersonation. A verbal safe word known only to the actual executive defeats any impersonation that can’t access that secret. These controls work because they don’t try to detect whether the voice is synthetic — they verify through a channel the attacker can’t replicate.
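The Python below is an added example, not code from the original article or from any product: it models a transfer-release check built on two of the controls above (call-back to a pre-registered number, multi-person authorisation) and shows that how convincing the caller looked or sounded is never an input. The role names, phone numbers, field names, the threshold value and the two-approver rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: numbers enrolled in person before any request exists
# (UK numbers from the range reserved for fictional use).
REGISTERED_NUMBERS = {
    "cfo": "+442079460101",
    "treasurer": "+442079460102",
}
DUAL_AUTH_THRESHOLD = 50_000  # assumed policy value for this example


@dataclass
class TransferRequest:
    claimed_role: str                        # who the caller says they are
    amount: int
    callback_dialled: Optional[str] = None   # number staff dialled to confirm
    callback_confirmed: bool = False         # did the person reached confirm it?
    approvers: set = field(default_factory=set)
    # Impressions the policy deliberately ignores:
    voice_sounded_right: bool = False
    seen_on_video: bool = False


def normalise(number):
    """Keep digits only so formatting differences do not matter."""
    return "".join(ch for ch in (number or "") if ch.isdigit())


def evaluate(req):
    """Return (release, reasons). Release only when every control passed."""
    reasons = []
    registered = REGISTERED_NUMBERS.get(req.claimed_role)
    if registered is None:
        reasons.append("no pre-registered number for claimed role")
    elif normalise(req.callback_dialled) != normalise(registered):
        # Covers both "no call-back" and "called the number the requester gave".
        reasons.append("call-back not placed to the pre-registered number")
    elif not req.callback_confirmed:
        reasons.append("request not confirmed on call-back")

    if req.amount >= DUAL_AUTH_THRESHOLD:
        # The claimed requester cannot count as one of the approvers.
        independent = req.approvers - {req.claimed_role}
        if len(independent) < 2:
            reasons.append("fewer than two approvers independent of the requester")
    return (not reasons, reasons)


# Constructed scenarios.
convincing_fake = TransferRequest("cfo", 200_000, voice_sounded_right=True,
                                  seen_on_video=True, approvers={"cfo"})
wrong_number = TransferRequest("cfo", 200_000, callback_dialled="+44 20 7946 0999",
                               callback_confirmed=True,
                               approvers={"treasurer", "controller"})
verified = TransferRequest("cfo", 200_000, callback_dialled="+44 20 7946 0101",
                           callback_confirmed=True,
                           approvers={"treasurer", "controller"})

if __name__ == "__main__":
    for name, req in [("convincing_fake", convincing_fake),
                      ("wrong_number", wrong_number), ("verified", verified)]:
        print(name, evaluate(req))
```

The `wrong_number` case is the one to watch for in process reviews: a call-back was made and answered, but to a number that did not come from the registry, so the check still blocks the transfer.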
🛠️ EXERCISE 3 — BROWSER ADVANCED (20 MIN · NO INSTALL)
Evaluate a KYC Provider’s Deepfake Resistance and Build Test Criteria
⏱️ 20 minutes · Browser only
Evaluating KYC vendor deepfake resistance from publicly available data is the pre-engagement research step for any assessment that includes video KYC bypass testing — and it produces specific test criteria you can use in a real engagement.
Step 1: Find major video KYC / identity verification providers
Search: “video KYC identity verification provider 2025”
List 3 commercial providers (e.g. Jumio, Onfido, Veriff, iProov).
Step 2: For each provider — find their deepfake resistance claims
Check their website for: liveness detection technology, deepfake resistance claims,
independent audit certifications (iBeta PAD Level 1/2, ISO 30107).
Do they publish bypass rates? Do they reference independent testing?
Step 3: Find independent bypass research
Search: “Onfido liveness bypass” OR “iProov deepfake bypass” OR “KYC liveness bypass research 2024”
Has any researcher published bypass demonstrations against commercial KYC providers?
What technique was used? What was the bypass rate?
Step 4: Find iBeta PAD certification — what does it actually test?
Search: “iBeta PAD Level 2 certification liveness detection what is tested”
What attack types does PAD Level 2 certification cover?
Does it cover AI-generated deepfake video? Or only printed photo attacks?
Step 5: Build 5 test criteria for a KYC deepfake assessment
Based on your research, define 5 specific test cases:
(e.g. “Test: submit synthetic face image matching stolen document — expected: reject”)
For each: test input, expected outcome, pass/fail definition.
✅ The iBeta PAD certification research (Step 4) reveals an important limitation: PAD (Presentation Attack Detection) Level 2 certification covers physical presentation attacks — masks, printed photos, video replays — but was not originally designed around AI-generated deepfake video injected at the virtual camera level. This means a provider can be PAD Level 2 certified and still be vulnerable to modern deepfake bypass techniques. Your 5 test criteria from Step 5 form the test plan for a real KYC assessment — the key distinction is between presentation attacks (physical objects held up to camera) and injection attacks (virtual camera replacing real camera feed). Most current liveness detection is stronger against presentation attacks than injection attacks, which is where your test criteria should focus.
📸 Share your 5 KYC test criteria in #ai-security. Tag #DeepfakePentest
📋 Key Commands & Payloads — AI Deepfake Penetration Testing 2026 — Synthetic M
# Prerequisites: written authorisation, approved target list, approved audio sources
✅ Article Complete — AI Deepfake Penetration Testing 2026
Real deepfake attack cases including Arup, voice clone vishing methodology, liveness detection bypass, and why procedural controls outperform technical detection for deepfake fraud. The assessment methodology — written authorisation, voice clone simulation, KYC bypass testing, human susceptibility evaluation — is directly deployable in real engagements. Next article covers AI code assistant backdoor injection: how malicious code recommendations from compromised or manipulated AI coding tools reach production.
🧠 Quick Check
An organisation deploys a video KYC system for new account opening with a liveness detection provider certified to iBeta PAD Level 2. A security researcher demonstrates that the liveness detection can be bypassed by using a virtual camera driver to inject a deepfake video feed, achieving account opening with a synthetic identity. The vendor argues their system is certified and the bypass uses an “unsupported attack type.” How should the organisation respond?
❓ Frequently Asked Questions
What is deepfake penetration testing?
A security assessment methodology using AI-generated synthetic media — voice clones, video deepfakes, synthetic identity documents — to test resistance to synthetic media-based attacks. Evaluates both technical controls (liveness detection, voice biometrics) and human controls (staff ability to identify and resist AI impersonation). Requires explicit written authorisation covering synthetic media use.
How are deepfakes used in real-world attacks?
Documented cases: voice cloning of executives to authorise fraudulent wire transfers (multiple $25M+ losses), video deepfake impersonation in Zoom calls (Arup — $25.6M), KYC bypass using synthetic faces for fraudulent account opening. The Arup 2024 incident is the highest-profile case: all video call participants including CFO were AI deepfakes.
What tools are used for voice cloning in penetration testing?
ElevenLabs and Resemble AI (commercial, high quality, short sample), Coqui TTS and RVC (open source). All require explicit authorisation. Commercial platforms prohibit impersonation without consent — verify terms and obtain written client authorisation before any voice cloning in an engagement.
What is liveness detection and how is it bypassed?
Technology distinguishing a live person from photo/video/synthetic media in biometric authentication. Bypass techniques: video injection (replacing camera feed with deepfake at OS level), 3D mask attacks, and adversarial perturbations. Consumer-grade liveness detection is defeated by purpose-built attacks; enterprise-grade offers better but not perfect resistance.
Is deepfake penetration testing legal?
Legal with explicit written authorisation covering synthetic media use specifically. Using someone’s likeness without consent may violate privacy laws, personality rights legislation, or deepfake criminalization statutes in multiple jurisdictions. Always obtain written authorisation specifying synthetic media use before any deepfake testing.
What are the best defences against deepfake attacks?
Most effective: call-back verification to pre-registered numbers (defeats voice clone fraud regardless of clone quality), multi-person authorisation for high-value transactions, verbal safe words for phone authorisation. Technical detection is improving but not reliable as a primary control — procedural controls are more durable.
AI-Powered Social Engineering 2026 — the broader social engineering context that deepfake attacks operate within: AI-generated spear phishing, voice synthesis, and the human susceptibility factors that make synthetic media attacks effective.
AI Voice Cloning Authentication Bypass 2026 — dedicated coverage of voice cloning as an authentication bypass technique, including call centre voice biometric attacks and the technical voice clone quality thresholds that defeat different biometric systems.
AI Identity Forgery and KYC Bypass 2026 — deeper coverage of KYC bypass techniques including document forgery, synthetic identity creation, and the full fraudulent account opening attack chain.
Wired — The Arup Deepfake Fraud Investigation — Detailed reporting on the Arup $25.6M deepfake video conference fraud — the primary case study for understanding real-world multi-participant deepfake attack execution and the procedural failures that enabled it.
iProov — Deepfake Injection Attack Research — Technical research from a leading liveness detection vendor on virtual camera injection attacks — useful for understanding the specific attack vectors that bypass passive liveness detection and what defences address them.
Mr Elite
Owner, SecurityElites.com
The conversation I keep having with security teams after presenting deepfake risk is some version of: “Surely people would notice?” And then I play them a voice clone sample of someone they know, and the question changes. The quality is not “pretty good.” It’s indistinguishable from the real voice to most listeners on a phone call. Once you’ve actually heard a convincing voice clone, your entire model of phone-based trust changes — and so does your view of what controls are adequate. The call-back verification policy is simple, cheap, and completely effective. The reason most organisations don’t have it isn’t cost or complexity — it’s that they haven’t updated their threat model to include synthetic voice as a realistic attack vector. That’s what this article and a well-run voice clone simulation are designed to change.