Deepfakes rewrite the cybersecurity playbook
Fakes aren’t just for April Fool’s anymore. They’re coming to a boardroom near you, with the potential to destabilize your business.

A chief executive officer (CEO) calls the head of finance and asks for a large deposit into a supplier’s account.
A senior executive shows up on a company video call and leads a discussion around product pipeline and IP.
A customer verifies her identity via facial recognition and makes a large securities trade.
What do these scenarios have in common? They’re examples of modern-day deepfake scams. The principal players—CEO, senior executive, and customer—were not real. They were created using generative artificial intelligence (AI) and deployed using techniques like voice-based phishing (vishing) and Zoombombing.
Simply put, deepfakes are sophisticated forgeries (video, audio, imagery, and voice) generated through cutting-edge AI techniques like Generative Adversarial Networks (GANs) that manipulate existing visual and auditory content, crafting seemingly genuine yet entirely fabricated material. Beyond the obvious concerns in social media and entertainment, deepfakes have become a pressing issue for businesses globally, as we detail in our new report, “Fake content is becoming a real problem.”
Business leaders are taking note.
A recent KPMG survey of 300 executives revealed that a staggering 92 percent of them are significantly worried about the risks posed by deepfakes. And a survey of cybersecurity professionals found that two-thirds of companies had experienced a deepfake-related incident over the previous year.
Despite the awareness, though, most companies have been slow to act. One survey found that only 29 percent of organizations have taken specific actions to protect themselves, and 46 percent are still formulating their plans.
Meantime, the risks aren’t small or isolated. In 2021, the FBI predicted that “malicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12 to 18 months.” Indeed, the consequences could be vast, with financial, reputational, and geopolitical impacts.
The time is now to double down on security and address deepfake risks head-on. How can you protect yourself and your business? Here’s what leaders need to know.
The rise and risk of deepfakes
The wide-ranging promise of generative AI (GenAI) is genuinely exciting. However, the technology underlying these advances is now also available to those who would use it for mischief—or worse. Three factors are colliding to heighten the risks:
Factor #2: Rise of remote work
Work from home has heightened the risk to organizations. Home-based employees—who work in silos and are often disconnected from the heartbeat of the organization—are particularly vulnerable to deepfake attacks. According to one survey, the average impact of a data breach is $1 million higher when a remote working arrangement is involved.
The FBI warns that deepfakes are now being used by bad actors to apply for remote information technology (IT) and programming positions in an effort to gain access to personal, financial, or other proprietary information.
Factor #3: Human fallibility
Employees are well aware of email- and text-based phishing scams at this point, yet many are still buying gift cards when the CEO-bot texts them with a request. A recent study found that 54 percent of employees fell for a phishing scam in the previous year because the email looked legit; more than half said they followed through because the request came from a senior executive.
The lesson: Humans are unpredictable and fallible. As deepfakes become more sophisticated, the stakes are getting higher by the day. Annual training modules aren’t enough. Cybersecurity in the deepfakes age requires persistent personal engagement, behavior reinforcement, easy-to-use internal controls, and—to the extent possible—the elimination of human decision-making.
A new security posture for the deepfakes age
With deepfakes poised to destabilize organizations financially and operationally, and current authentication capabilities largely insufficient to deal with the steady advance of deepfake technology, enterprises will need to adopt new processes, tools, and strategies to better secure their systems, data, and infrastructure.
Think of it as a cloud-based zero-trust future, in which employees no longer need to be “on network” through persistent VPN connections. Access will become conditional, depending on the person and role. In this new reality, security professionals need to remain vigilant. Here are a few steps organizations can take to implement this new security posture.
Today’s rapid pace of innovation often results in security being left behind in business transformation efforts: for example, 4 in 10 global IT leaders do not believe that their organization’s security measures have kept pace with their digital transformation initiatives.
Organizations have lagged in their ability to predict, detect, and respond to these threats in an automated manner. The key for security professionals is understanding—and keeping up with—the pace and speed at which cybercriminals use these tools.
A deep response
The smartest businesses don’t just manage cyber risk. They use it as a source of growth and competitive edge. Technology makes many things possible, but what’s possible isn’t always safe.
Your cybersecurity function must build resilience and trust as threats grow in volume and sophistication, and as new technology becomes essential for meeting the needs of your customers, employees, suppliers, and society.
To learn more about the threats posed by deepfakes, and how you can create a resilient and trusted digital-first enterprise in the face of these evolving threats, explore our additional insights below.
Explore more insights and opportunities:

Fake content is becoming a real problem
Widespread availability of sophisticated computing technology and AI enables virtually anyone to create highly realistic fake content.

KPMG generative AI survey report: Cybersecurity
An exclusive KPMG survey examines four areas where this remarkable technology shows great promise.

Synthetic identity fraud
A $6 billion problem