Recover After a Deepfake CEO Authorised Payment (Business)
Steps a business should take immediately after an employee authorises a fraudulent payment following a deepfake video call or voice impersonation of a senior executive.
Last reviewed: 1 June 2026
First 10 minutes
- Call your bank's corporate fraud team immediately and request an urgent payment recall using the beneficiary account details
- Preserve all evidence of the call or message that authorised the payment — recordings, chat transcripts, emails
- Alert your IT security team: a deepfake attack may be accompanied by a phishing or network intrusion attempt
- Do not contact the scammer — preserve the communication channel for investigators
- Identify who authorised the payment and ensure they are supported — this is a fraud event, not a disciplinary one
First 24 hours
- File an urgent fraud report with your bank's dedicated corporate fraud line, providing full beneficiary details
- Report to Action Fraud (UK), the FBI IC3 (US), or your national cybercrime authority, requesting priority treatment given the business nature of the loss
- Notify your cyber insurance provider if you have coverage for business email compromise or social-engineering fraud
Contact your bank or payment provider
- Request an urgent recall via your bank's corporate fraud team — not the standard customer helpline
- Provide the full beneficiary IBAN, account name, and sort code or routing number to expedite the recall request
- Ask your bank to contact the recipient bank directly under the banking industry fraud reporting protocols
Evidence to preserve
- Save all recordings, screenshots, or logs of the call or message used to authorise the payment
- Document the exact sequence of events: who made contact, through what channel, what was said, who authorised payment
- Preserve email headers and metadata from any written instruction that accompanied or followed the call
Secure your accounts and devices
- Review and update payment authorisation controls — consider requiring dual authorisation for transfers above a threshold
- Implement a call-back verification procedure for all payment change requests and large transfers
- Brief all finance and accounts-payable staff on the deepfake CEO scam method and the new verification protocol
Report it
- Report to your national fraud/cybercrime service
- Report to the platform, bank, or provider involved
- Keep any reference numbers you're given
Deepfake CEO fraud — sometimes called 'CFO fraud' or 'business executive impersonation' — uses AI-generated audio or video to convincingly mimic a senior executive's voice or appearance. An employee in finance receives a call or message that appears to be from the CEO instructing an urgent confidential transfer. The urgency and authority framing are specifically designed to bypass normal payment controls.
Recovery depends almost entirely on speed. In many jurisdictions, banks have improved cooperation on rapid payment recall for APP fraud. Internal response should treat this as a security incident, not a personnel error. Updating payment authorisation procedures after an incident significantly reduces re-exposure.
Frequently asked questions
Is the employee who authorised the payment personally liable?
Generally, no — if the employee followed what appeared to be a legitimate instruction using reasonable verification steps. Review your cyber insurance policy and speak to legal counsel before making any employment-related decisions. Treat the individual with support, not blame.
How can we prevent this happening again?
Implement a mandatory call-back protocol for any payment instruction received via phone, video call, or email — call back using a number already on file, not one provided in the instruction. Require dual sign-off for transfers above a defined threshold, and train staff to treat urgency and secrecy as fraud warning signs.