- 9
- March
In 2026, AI-powered cyberattacks increased by 89% year-over-year, with the most dangerous form being Deepfake Social Engineering — hackers use AI to create fake voices and videos in real-time to trick employees into transferring money or revealing sensitive data. One real case caused $25 million in damages from a single fake video call.
What is Deepfake Social Engineering?
Deepfake Social Engineering is a type of social engineering attack that uses AI technology to create fake voices, faces, or videos of real people (such as the CEO, CFO, or head of finance) to deceive targets into following orders — whether approving money transfers, revealing passwords, or sharing confidential data.
What makes this attack form even more dangerous is that AI in 2026 can clone a voice from just 30 seconds of audio and generate real-time video that is indistinguishable from the real thing to the naked eye.
4 Types of Deepfake Attacks Found in 2026
| Attack Type | Method | Danger Level |
|---|---|---|
| Voice Cloning | Clones an executive's voice from a 30-second audio clip, then calls to order a money transfer | Very High |
| Video Deepfake | Creates realistic fake video calls to impersonate participants in Zoom/Teams meetings | Very High |
| Deepfake-as-a-Service (DaaS) | Sells ready-made deepfake tools on the dark web, accessible even to novice hackers | High |
| AI-Enhanced Phishing | AI writes personalized phishing emails that mimic the writing style of real individuals | High |
Real-World Cases That Have Already Occurred:
- A finance employee was deceived by a completely realistic deepfake video call — transferring $25 million despite following every standard verification procedure
- AI Social Engineering fraud caused combined damages exceeding $200 million in Q1/2025 alone
- Deepfake video attacks increased by 900% from 2024 to 2026
- Deepfake-as-a-Service (DaaS) is sold on the dark web, enabling even novice hackers to forge voices and videos
Traditional Phishing vs Deepfake Social Engineering Comparison
| Comparison | Traditional Phishing | Deepfake Social Engineering |
|---|---|---|
| Attack Channel | Email with links/attachments | Phone voice + video calls |
| Detectable? | Email filters can catch some | Nearly undetectable with current tools |
| Success Rate | 3-5% of targets | Over 60% because victims see the face/hear the voice of someone they know |
| Damage | Stolen passwords/data | Transfers ranging from millions to billions + corporate data |
| Cost to Hackers | Low (sending thousands of emails) | Low-Medium (DaaS starting at just a few thousand baht) |
Impact on ERP Systems
If a deepfake successfully tricks the finance team into approving transactions in the ERP system — the damage will be enormous:
- Approving fraudulent money transfers — directly through the ERP system, because the approver believes the order came from a real executive
- Stealing ERP system credentials — gaining access to all financial, HR, and inventory data
- Risk of PDPA violations — personal data leakage with fines up to 5 million baht
Read more: ERP System Security | Disaster Recovery | Multi-Factor Authentication | Fake IT Support Attack
How to Prevent Deepfake Social Engineering for Organizations
| ☐ | Callback Verification — Every money transfer order or critical approval must be confirmed by calling back on the number stored in the system; never use a number provided by the incoming call |
| ☐ | "Never Trust, Always Verify" Policy — Even when you see the face and hear the voice of an executive, always verify identity through another channel |
| ☐ | Establish Code Words — Use a secret code changed weekly for identity verification during phone/video instructions |
| ☐ | Train Employees on Deepfake Awareness — Teach them to recognize red flags such as mismatched lip-sync, abnormal lighting/shadows, and to ask the person to turn sideways (AI often struggles with this angle) |
| ☐ | Use Multi-Factor Authentication (MFA) — All critical systems must require two or more layers of identity verification |
| ☐ | Dual Authorization for Critical Financial Transactions — Require two or more approvers for transfers exceeding the set threshold |
| ☐ | Limit Executive Data in Public — Reduce audio/video clips of executives on social media, as hackers use them as training data |
In an era when AI can create realistic fake voices and faces — "seeing a face" and "hearing a voice" are no longer sufficient identity verification. You need processes and code words that AI does not know.
— Saeree ERP Development Team
References
- Whaller — Social Engineering 2.0: Deepfake, Phishing, AI
- EC-Council — AI-Powered Social Engineering Attacks in 2026
- TechTimes — Deepfake Fraud Scams and Synthetic Identity Fraud Surge
If your organization wants to strengthen ERP system security and establish processes to prevent deepfake attacks — you can schedule a demo or contact our advisory team for further discussion.
