Tag: governance

  • Deepfake Payroll Fraud: The Quiet Theft Inside UK Teams

    If a “boss” phones or messages with an urgent bank detail change, treat it as a red alert. Here’s the playbook normal teams need but rarely enforce.

    What changed

    Criminals don’t need to ‘hack your bank.’ They imitate trust.

    Cheap synthetic voice and video (“deepfakes”) + scraped org info + an urgent story = you move money for them.

    It looks like leadership. It sounds like leadership. It isn’t.

    How the scam actually plays out (three real-life patterns)

    1. The 4:55 pm call: Finance receives a ‘quick favour’ from the CEO: ‘Change a supplier’s bank details for a payment run.’ Voice sounds right. Context sounds right. You act fast. Money’s gone.
    2. The travel trap: A WhatsApp voice note from the CFO: ‘At the airport…’ asks to bypass a control ‘just this once.’ You’re being helpful. They’re taking cash.
    3. The fake Teams invite: A short video call shows your “exec” under time pressure. You see a face, you hear a voice, you comply.

    Why normal controls fail

    • Familiar voice overrides scepticism.
    • Urgency collapses the process.
    • People want to be helpful to leaders.
    • Policies exist. They’re not enforced when it feels awkward.

    Your 15-minute defence drill (do this today)

    1. Break the channel: Never respond/act in the thread that made the request. Call back on a number from your corporate directory (not the number they gave you).
    2. Use a challenge phrase: Agree a simple ‘code question’ between Finance and Execs (e.g., “What’s the internal project name for [X]?”). If they fail it, you fail the payment.
    3. Two-person rule for bank changes: Any change to supplier/customer bank details requires two approvers who are not on the same team. No exceptions.
    4. Cooling-off period: Institute a minimum delay (e.g., 2 hours) for urgent bank changes. “Urgent” isn’t a control; it’s a vulnerability.
    5. Template lockdown: Payment templates cannot be edited by the same user who executes them. Separation of duties – always.
    6. Log the attempt: Keep an ‘incident note’: date/time, request content, channel, who you verified with, and outcome. It protects you later.
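    As an added illustration (not code from the article), here is how the drill's controls could be enforced by a finance workflow tool rather than left to memory: the callback is refused unless it goes to the directory number, the challenge question is recorded, two approvers from different teams are required, the cooling-off period is checked, and the executor may not be the template editor or an approver. The directory numbers, challenge answer and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed corporate directory: the only numbers a callback may be placed to.
DIRECTORY = {"ceo": "+44 20 7000 0001", "cfo": "+44 20 7000 0002"}
COOLING_OFF = timedelta(hours=2)  # minimum delay for any "urgent" bank-detail change
@dataclass
class BankDetailChange:
    supplier: str
    claimed_from: str        # who the request says it is from, e.g. "ceo"
    channel: str             # "whatsapp", "teams", "phone": never trusted on its own
    requested_at: str        # ISO 8601 timestamp of when the request arrived
    callback_verified: bool = False
    challenge_passed: bool = False
    approvals: dict = field(default_factory=dict)   # approver -> team
    incident_log: list = field(default_factory=list)  # the 'incident note'

def log(change, event):
    change.incident_log.append(event)

def verify_by_callback(change, number_dialled, answer, expected_answer):
    """Break the channel: call back only on the directory number, then ask the challenge question."""
    if number_dialled != DIRECTORY.get(change.claimed_from):
        log(change, f"callback refused: {number_dialled} is not the directory number")
        return False
    change.callback_verified, change.challenge_passed = True, answer == expected_answer
    log(change, "challenge " + ("passed" if change.challenge_passed else "FAILED"))
    return change.challenge_passed

def approve(change, approver, team):
    """Two-person rule: approvers must be different people from different teams."""
    if approver in change.approvals or team in change.approvals.values():
        log(change, f"approval by {approver} ({team}) rejected: duplicate person or team")
        return False
    change.approvals[approver] = team
    log(change, f"approved by {approver} ({team})")
    return True

def blockers(change, executor, template_editor, now_iso):
    """Return the controls that still block execution; an empty list means it may run."""
    problems = []
    if not (change.callback_verified and change.challenge_passed):
        problems.append("no verified callback and challenge")
    if len(change.approvals) < 2:
        problems.append("fewer than two approvers")
    if datetime.fromisoformat(now_iso) - datetime.fromisoformat(change.requested_at) < COOLING_OFF:
        problems.append("cooling-off period not elapsed")
    if executor == template_editor or executor in change.approvals:
        problems.append("separation of duties violated")
    log(change, f"execution check: {problems or 'clear'}")
    return problems
```

    A request that arrives at 16:55 and clears every other check still cannot run before 18:55, and the incident log holds the refusals as well as the approvals.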

    Exact scripts to use (copy/paste)

    • When you get the request:
      “I can’t move money or change bank details based on chat/call alone. I’ll call your main line now and loop in a second approver.”
    • When they insist on speed:
      “The control is for your protection as well as the company’s. If this is legitimate, it survives a 2-hour delay.”

    If money has already moved

    1. Call your bank’s fraud team immediately and request a recall/freeze.
    2. Notify your insurer and record keeper; preserve messages, call logs, and payment screenshots.
    3. Report to Action Fraud.
    4. Do not shame the person who complied. Fix the system that made compliance possible.

    For schools, charities and councils

    You are specifically targeted because you’re helpful, short-staffed, and process-light. Publish the two-person rule. Print the callback policy. Run a 10-minute simulation in the next team meeting.

    Manager checklist (today)

    • Publish the callback number and challenge phrase policy.
    • Add the two-person rule to your finance SOP (standard operating procedure).
    • Disable voice approvals entirely.
    • Schedule a quarterly “red team” drill – can we trick ourselves?

    Urgency is not a business case; it’s a social-engineering tactic.
