Safer Internet Day 2026: Deepfakes Have Entered the Office

That video call from your CEO asking for an urgent payment? It might not be your CEO. Deepfakes have gone from novelty to business risk.

Safer Internet Day 2026 arrives in a world where you can no longer trust your eyes and ears.

The deepfake threat has matured. What was a curiosity three years ago is now a business risk. We've seen video calls where 'executives' request urgent payments. Voice clones that sound exactly like the boss. AI-generated messages that pass every instinct test.

Real Incidents

The video call that wasn't

A UK finance worker joined a video call with their CFO and several colleagues. Everyone looked and sounded normal. The CFO requested an urgent transfer of £200,000 to a new supplier. The worker complied.

Every person on that call was a deepfake.

The voice message

A CEO 'called' their accountant while supposedly on holiday. Left a voicemail asking for an urgent payment to be processed before close of business. Perfect voice match. Correct context. Plausible urgency.

Except the CEO had never made the call.

Why This Is Different

Traditional phishing relies on text. You can spot typos, wrong email addresses, unusual language. Your instincts can help.

Deepfakes bypass instinct. When you see a face you recognise, hear a voice you know, your brain trusts it. The normal warning signs don't fire.

Defending Against Deepfakes

1. Out-of-band verification

For any unusual request - especially involving money or access - verify through a different channel. If you get a Teams call, phone them back on their mobile. If you get a voice message, call the landline.

Never verify using contact details provided in the suspicious message itself.

2. Challenge questions

Agree on verification questions for high-risk requests. 'What did we discuss in last week's one-to-one?' Deepfakes can clone appearance and voice; they can't clone memories.

3. Process over authority

'The CEO said to do it' shouldn't override established procedures. Dual authorisation for payments. Callbacks on bank detail changes. Documentation requirements.

If your processes can be bypassed by seniority, they're not processes - they're suggestions.

4. Awareness without paranoia

Staff need to know this threat exists without becoming so suspicious they can't function. The message is: 'Verify unusual requests' not 'trust nobody.'

The Uncomfortable Truth

Deepfakes weaponise trust. The closer your team, the more vulnerable you are - because trust is higher.

The defence isn't less trust. It's structured verification. 'I trust you, and I'm still going to verify this through proper channels, because that's how we work now.'

This Safer Internet Day

1. Discuss the threat. Many staff don't know deepfakes can target them.
2. Review payment processes. Can a single person authorise large payments?
3. Establish verification protocols. Out-of-band confirmation for unusual requests.
4. Test your team. Not to catch them out - to train them.

Get help with security awareness training