The Deepfake Call
Background & Inject 01: The Call
Your organization is a $180M tech company. The CEO is currently traveling in London and has been largely offline. Wire transfers above $50,000 require dual authorization: the CEO's verbal or written approval plus the CFO's execution. It is 4:15 PM EST on a Friday. London is 5 hours ahead (it is 9:15 PM there).
The CFO receives a Teams video call from the CEO's verified account. The video quality is sharp. The CEO's appearance, voice, and mannerisms are flawless with no perceptible lag. The CEO says: "I'm closing a deal with a major PE firm and I need a $2.3 million bridge wire sent to an escrow account tonight. The deal falls apart if we don't fund by London close of business, which is about 45 minutes from now." The wire details arrive in the Teams chat.
Decision Gates
- 01: The CFO sees the CEO on video. The voice matches. The account is verified. How confident would you be that this is real on a scale of 1 to 10?
- 02: The CEO has introduced extreme urgency ("45 minutes"), financial magnitude ($2.3M), and consequence. How does this combination affect the CFO's Prefrontal Cortex?
- 03: Authority Bias: How difficult is it to challenge a direct order from the person who can fire you, especially when you can physically see them giving it?
Inject 02: The Pressure
The CFO hesitates and asks to call the CEO's cell to confirm. The CEO responds with visible irritation: "My cell is dead. The hotel charger isn't working. I wouldn't be calling you at 4 PM on a Friday if this wasn't critical. I trust you to handle this." She pauses and adds: "If you need to, call [outside counsel's name], he's been working on this deal and can confirm."
Decision Gates
- 01: The dead cell phone is a plausible excuse that conveniently eliminates the primary verification channel. Does this satisfy your concern?
- 02: If you call the outside counsel, do you look up his number independently, or use the number the "CEO" provides? An attacker who compromised the account likely knows the counsel's name via OSINT.
- 03: The Emotional Exploit: "I trust you to handle this." This weaponized compliment reframes verification as a sign of incompetence. How do you resist this without damaging the relationship?
Inject 03: The Verification Challenge
The CFO asks for 10 minutes to run a standard check. She hangs up and tries to verify. Attempt 1: The CEO's cell goes straight to voicemail. Attempt 2: The outside counsel's office says he left at 3 PM, and his cell goes to voicemail. Attempt 3: An email to the CEO's personal address yields no reply. Five minutes pass. The Teams chat pings: "What's the status? We're losing the window."
Decision Gates
- 01: Three verification methods failed. The "CEO" is pushing harder. What does the CFO do?
- 02: Is there a pre-established out-of-band verification protocol (like a code word known only to the CEO and CFO) required for large transactions? If not, why not?
- 03: Which error is recoverable? If the CFO sends a fraudulent wire, $2.3M is gone. If the CFO refuses a legitimate wire, the CEO is angry but the money is safe.
Inject 04: The Resolution
Scenario A: Wire Sent
The real CEO calls Monday knowing nothing about a PE deal. Her Teams account was compromised via phishing weeks ago. The video was a real-time deepfake trained on public podcast and conference audio. The $2.3M is gone.
Scenario B: Line Held
The real CEO calls Monday morning confirming she was in meetings all Friday. The security team investigates, discovers the Teams compromise, and rotates credentials. The money is safe. The CEO thanks the CFO for her diligence.
Decision Gates
- 01: If the wire was sent, who is responsible? The CFO who followed orders? The CEO whose account was compromised? The organization that lacked a deepfake-resistant protocol?
- 02: The Fundamental Question: If you cannot trust video, voice, or account identity, what *can* you trust? (Answer: A pre-shared secret or an independent callback).
System-Level Fixes
- Implement a code word protocol for all wire transfers above a defined threshold. The word must be spoken during authorization and cannot be transmitted digitally.
- Require callback verification to a phone number independently retrieved from the internal directory, not provided by the requestor.
- Establish a no-rush rule. Any wire transfer request framed with extreme urgency automatically triggers enhanced verification, not expedited processing.
- Update the wire authorization policy to explicitly state: "Video or voice confirmation alone is not sufficient for transactions above [threshold]."
- Run this exact TTX annually with the actual CFO and CEO participating to build the muscle memory of saying "I need 10 minutes to verify."
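The fixes above written as a wire-release gate and run against the exercise's own Friday request. This is an added example, not part of the original exercise. Assumptions: the $50,000 threshold is borrowed from the scenario's dual-authorization limit, a 10-minute hold stands in for "enhanced verification", the directory entry and phone numbers are constructed, and the code word is recorded only as the approver's attestation because it is never stored or sent digitally.

```python
import re
from dataclasses import dataclass

THRESHOLD_USD = 50_000   # assumption: reuse the scenario's dual-authorization limit
URGENT_HOLD_MIN = 10     # assumption: enhanced verification modeled as a minimum hold
DIRECTORY = {"ceo": "+44 20 7946 0000"}  # constructed internal directory entry

def digits(number):
    """Reduce a phone number to digits so formatting cannot defeat the comparison."""
    return re.sub(r"\D", "", number or "")

@dataclass
class WireRequest:
    requester: str
    amount_usd: int
    urgent: bool = False             # requester imposed a deadline
    channels: tuple = ()             # audit only: video, voice, account satisfy no check
    supplied_numbers: tuple = ()     # numbers offered by the requester
    callback_dialed: str = ""        # number the approver actually dialed
    callback_answered: bool = False  # voicemail does not count
    code_word_spoken: bool = False   # approver attests it was spoken and matched
    minutes_held: int = 0

def evaluate(req):
    """Return (release, reasons); any reason blocks the wire."""
    if req.amount_usd <= THRESHOLD_USD:
        return True, []
    reasons = []
    if not req.code_word_spoken:
        reasons.append("code word not spoken")
    directory, dialed = digits(DIRECTORY.get(req.requester)), digits(req.callback_dialed)
    if not directory or dialed != directory:
        supplied = {digits(n) for n in req.supplied_numbers} - {""}
        reasons.append("callback used a requester-supplied number" if dialed in supplied
                       else "no callback to the directory number")
    elif not req.callback_answered:
        reasons.append("callback not answered")
    if req.urgent and req.minutes_held < URGENT_HOLD_MIN:
        reasons.append("urgent request: hold not served")
    return not reasons, reasons

def friday_request():
    """The exercise's request as of Inject 03 (constructed from the scenario text)."""
    return WireRequest("ceo", 2_300_000, urgent=True,
                       channels=("teams_video", "teams_chat"),
                       callback_dialed=DIRECTORY["ceo"], minutes_held=5)
```

`evaluate(friday_request())` blocks the wire for three reasons, and the Teams video and verified account contribute nothing toward release.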
Root Cause Analysis (The 5 Whys)
Why was the wire sent? (Because the CEO appeared to authorize it on a verified account.)
Why did the verified account provide false assurance? (Because the account was compromised and no secondary verification was required.)
Why was no secondary verification required? (Because the policy defines "verbal approval" without specifying the verification method.)
Why is the policy ambiguous? (Because it was written before deepfake technology was commercially available.)
The financial control framework assumes that identity can be verified through sensory confirmation (seeing and hearing the person). This assumption is no longer valid.