TL;DR

AI-generated voice and video deepfakes have moved from novelty to primary attack vector — costing financial institutions an average of $600,000 per incident, with Deloitte projecting U.S. deepfake fraud losses to hit $40 billion by 2027. Business leaders must treat synthetic media fraud as an operational risk, not a hypothetical one, and adopt detection tools, verification protocols, and AI governance frameworks immediately.

The Deepfake Threat Is No Longer Emerging — It's Here

AI voice cloning now requires as little as three seconds of audio to produce a convincing replica of a CEO's voice. Deepfakes have become the second most frequent cybersecurity incident type experienced by businesses in the past 12 months, according to Regula's global survey, which found that 37% of organizations have already been hit by deepfake voice fraud and 29% by deepfake video fraud. The barrier to entry has collapsed: what once required a nation-state budget can now be assembled from free tools and a short YouTube clip.

The financial toll is staggering. Banks and financial firms lose an average of $603,000 per voice deepfake incident, with 23% of affected organizations losing over $1 million, according to Regula's research. In the U.S. alone, deepfake-related losses reached $1.1 billion by 2025, and 1 in 10 Americans has now experienced an AI voice-clone scam personally or within their household. These aren't future projections — they are reported losses from incidents that already occurred.

Real Business Losses: Cases That Made Headlines

The Arup Heist ($25.6 million). In February 2024, the Hong Kong office of Arup, a global design and engineering firm, fell victim to a deepfake video call. An employee joined what appeared to be a meeting with the company's CFO and other senior executives. Every face and voice on the call was AI-generated. Believing the instructions were legitimate, the employee authorized multiple wire transfers totaling $25.6 million to fraudster-controlled accounts. The money was moved before anyone realized the call never happened.

Hong Kong Cryptocurrency Scam ($18.5 million). In 2025, fraudsters cloned the voice of a financial manager at a Hong Kong-based firm to authorize a cryptocurrency transfer worth $18.5 million. The voice clone was used in phone calls to subordinates who had no reason to doubt the identity of their manager.

Swiss Businessman (Several Million Swiss Francs). In April 2026, a businessman in Schwyz, Switzerland, wired several million Swiss francs to an Asian account after a phone conversation with what he believed was his business partner. The voice had been cloned from publicly available recordings.

WPP Attempt (Thwarted). Not every attack succeeds. Scammers targeted WPP, the global communications firm, by creating a fake WhatsApp account and setting up a Microsoft Teams meeting using voice cloning and edited YouTube footage of a senior executive. The attempt failed because an employee noticed subtle inconsistencies and escalated before taking action. This is the model every organization should aim for.

The difference between a $25 million loss and a thwarted attack often comes down to a single employee who had the training and the permission to say "let me verify this another way."

How AI Is Reshaping the Entire Attack Landscape

Deepfake social engineering is the most visible threat, but AI is rewriting the attacker's playbook across multiple fronts simultaneously.

AI-powered phishing at scale. Generative AI eliminates the tells that once made phishing obvious — bad grammar, awkward phrasing, generic greetings. Attackers now produce hyper-personalized, emotionally intelligent messages crafted from scraped LinkedIn profiles and public corporate communications. A phishing email in 2026 reads like it was written by a colleague who knows your project deadlines.

Prompt injection and AI agent security. As enterprises deploy autonomous AI agents that can send emails, execute API calls, and interact with databases, a new class of vulnerability has emerged. Prompt injection — the AI equivalent of SQL injection — is now the #1 vulnerability in the OWASP LLM Top 10 (2025 edition). The danger is orders of magnitude higher for agentic systems because they can take real actions, not just generate text. In April 2026, Microsoft assigned CVE-2026-21520 (CVSS 7.5) to an indirect prompt injection in Copilot Studio, and a separate prompt injection chain simultaneously leaked secrets through Claude Code, Gemini CLI, and GitHub Copilot — rated CVSS 9.4 critical by Anthropic.

Memory poisoning. AI agents with persistent memory are vulnerable to "salami slicing" attacks, where an adversary subtly manipulates the agent's understanding over days or weeks through seemingly innocuous interactions. By the time the agent executes an unauthorized action, the malicious instruction has been normalized into its context. Research from Palo Alto Networks Unit42 confirms that agents with long conversation histories are significantly more susceptible to this drift.

Model and data theft. As businesses fine-tune proprietary models on sensitive data, the models themselves become high-value targets. A stolen model is not just intellectual property loss — it's a roadmap for crafting targeted adversarial attacks against your organization's AI systems.

Detection Tools and Practical Defenses

Real-time deepfake detection platforms. Tools like Reality Defender and Sensity AI embed directly into communication workflows — Zoom, Microsoft Teams, call centers — analyzing voice and video for synthetic artifacts in real time. Reality Defender's suite scans for mismatched speech patterns, anomalies in voice characteristics, and cross-modal inconsistencies between audio and visual channels. Sensity AI uses multilayer engines that analyze metadata and behavioral cues alongside visual glitches, ensuring that even a near-perfect deepfake triggers a red flag on secondary indicators.

Out-of-band verification. For any high-stakes action — wire transfers, credential changes, large purchase orders — require a callback to a pre-registered number or an in-person confirmation through a separate channel. This single step would have prevented most of the multi-million-dollar losses described above.

AI-powered security awareness training. Platforms like Adaptive Security simulate realistic deepfake attacks across voice, SMS, and email, then deliver targeted training to employees who fail. The key is making simulations feel real enough to be instructive without being punitive.

Agent runtime protection. For organizations deploying agentic AI, enforce human-in-the-loop approval for financial transactions, data deletions, and external communications. Red-team your agents using MITRE ATLAS TTPs. Apply security testing to every component the agent touches — APIs, memory systems, retrieval databases, and plugins.
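One way to enforce that approval rule in code, as an added example that is not code from the article or from any vendor named in it: the policy sits in the tool dispatcher, where the model cannot rewrite it, rather than in the system prompt. Tool names, the internal-domain list and the ticket format are assumptions for the example.

```python
"""Added example, not code from the article or any vendor: an approval gate that sits between an
AI agent and its tools, implementing the human-in-the-loop rule above. The agent requests actions
as dicts; the gate allows low-risk calls, denies tools outside the allowlist, and holds the three
classes the article names (money movement, deletion, external communication) until a person
approves them on a separate channel. Tool names and the internal-domain list are assumptions."""
from dataclasses import dataclass, field
import secrets

MONEY_TOOLS = {"wire_transfer", "pay_invoice"}        # assumed tool names for the example

@dataclass
class Decision:
    verdict: str          # "allow", "deny" or "hold"
    reason: str
    ticket: str = ""      # set only for "hold"; random, so agent output cannot forge or guess it

@dataclass
class ApprovalGate:
    allowed_tools: set
    internal_domains: set
    pending: dict = field(default_factory=dict)   # ticket -> held action

    def classify(self, action):
        """Policy lives here, in code the model cannot rewrite, not in the system prompt."""
        tool, args = action["tool"], action.get("args", {})
        if tool not in self.allowed_tools:
            return "deny", f"tool {tool!r} is not allowlisted for this agent"
        if tool in MONEY_TOOLS:
            return "hold", "moves money"
        if tool.startswith("delete_"):
            return "hold", "deletes data"
        if tool == "send_email":
            domain = str(args.get("to", "")).rpartition("@")[2].lower()
            if domain not in self.internal_domains:
                return "hold", f"external recipient domain {domain!r}"
        return "allow", "read-only or internal action"

    def request(self, action):
        """Called by the agent loop for every tool call, before anything executes."""
        verdict, reason = self.classify(action)
        if verdict != "hold":
            return Decision(verdict, reason)
        ticket = secrets.token_hex(8)
        self.pending[ticket] = action
        return Decision("hold", reason, ticket)

    def approve(self, ticket, approver):
        """Human step on a separate channel (callback, ticketing UI): releases one held action."""
        action = self.pending.pop(ticket)   # KeyError on an unknown or replayed ticket is deliberate
        return {**action, "approved_by": approver}
```

The approver never sees the ticket through the agent's own channel; it reaches them by the same out-of-band route the article recommends for wire transfers.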

The Governance Framework Your Board Needs

Technology alone will not close this gap. Organizations need an AI-specific cybersecurity governance framework that addresses three levels:

Policy layer. Establish clear rules for how AI tools are procured, deployed, and monitored. Ban shadow AI — unauthorized tools that employees adopt without security review. Align your framework with NIST AI RMF and the OWASP LLM Top 10. In April 2026, NIST released a concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure, which provides a concrete starting point.

Operational layer. Integrate deepfake detection into incident response plans. Define escalation paths for suspicious communications. Assign a response team with authority to halt transactions. Update tabletop exercises to include deepfake scenarios — not just ransomware and data breaches.

Cultural layer. Give employees explicit permission to challenge unusual requests from senior leaders. The biggest vulnerability in every deepfake case was a human who felt they could not question authority. Build a culture where verification is rewarded, not penalized.

The Australian Signals Directorate's Australian Cyber Security Centre (ASD ACSC) released joint guidance in 2026 on the careful adoption of agentic AI services, emphasizing that organizations should prioritize secure and resilient use from day one — not as an afterthought. Their publications on using AI to strengthen cyber defence and the impact of frontier AI models on cyber risk provide actionable frameworks for security leaders.

FAQ

How much does a deepfake voice clone cost an attacker? Almost nothing. Free tools can generate a convincing voice clone from as little as three seconds of audio sourced from a YouTube video, podcast, or earnings call. The cost of the attack is effectively zero — the cost to the victim averages $600,000.

Can employees really detect deepfake voices on a call? Not reliably. In a real-time conversation, even trained listeners struggle to distinguish AI-generated speech from genuine human speech. The right approach is not to train humans to be detectors but to build systems — mandatory callbacks, multi-factor verification, real-time detection software — that do not rely on human perception alone.

What is prompt injection, and why should a business leader care? Prompt injection is an attack where someone crafts input that overrides an AI system's instructions. In a chatbot, the worst outcome is a wrong answer. In an AI agent with access to your email, file system, and payment APIs, the same attack can authorize wire transfers, exfiltrate data, or delete records. If your organization uses AI agents for any automated workflow, prompt injection is a direct financial risk.

What frameworks should we align with? NIST AI Risk Management Framework (AI RMF), the OWASP LLM Top 10, and MITRE ATLAS (Adversarial Threat Landscape for AI Systems). For organizations in critical infrastructure, the emerging NIST AI RMF Profile for Trustworthy AI provides sector-specific guidance. The ASD ACSC's 2026 guidance on agentic AI adoption is also a practical reference for any English-speaking organization.

Conclusion

The threat landscape has shifted from "attackers exploiting software vulnerabilities" to "attackers exploiting human trust, amplified by AI." Deepfake social engineering is the sharp end of that spear — immediate, high-impact, and difficult to detect without the right tools and processes in place. But the broader risks from prompt injection, memory poisoning, and model theft are equally urgent for any organization deploying AI agents at scale.

The organizations that will weather this shift are the ones building governance now — not waiting for the next headline-grabbing loss to justify the budget. Start with out-of-band verification for high-value transactions, deploy real-time deepfake detection on communication channels, and ensure your AI governance framework covers every agent, tool, and model your employees use.

Visit consult.lil.business for a free cybersecurity assessment.

References

  1. ASD ACSC — Using AI to strengthen cyber defence
  2. ASD ACSC — New joint guidance provides mitigations for careful adoption of agentic AI services
  3. Reality Defender — Understanding the $603,000 Problem: The Real Cost of Voice Fraud in Banks
  4. Regula — One-Third of Global Businesses Already Hit by Voice and Video Deepfake Fraud
  5. NCITE — Deepfakes and Fraud: Real-World Examples of AI Misuse (June 2025)
  6. OWASP LLM Top 10 (2025 Edition)
  7. NIST AI Risk Management Framework (AI RMF 1.0)

TL;DR

  • A bug in Apache Tomcat (a program that runs websites) lets attackers take control of a server.
  • Attackers started using it just 30 hours after someone showed how it works online.
  • There's a fix — just update to the newest version of Tomcat.

What Happened, in Plain English?

Imagine your school has lockers. Now imagine someone figured out that sliding a specially shaped package through the air vent makes the locker open itself and follow whatever instructions are inside — even "give me everyone's lunch money."

That's basically what happened with Apache Tomcat, a program millions of companies use to run websites [5]. A bug called CVE-2025-24813 lets an attacker send a sneaky file to the server [1]. When the server opens it, it follows the hidden instructions, giving the attacker control [8].

The scary part: someone posted a how-to guide online, and within 30 hours, real attackers were already using it [2].

Which Versions Are Affected?

Three "flavours" of Tomcat have this bug [1]:

  • Tomcat 9: versions 9.0.0-M1 through 9.0.98 → update to 9.0.99
  • Tomcat 10: versions 10.1.0-M1 through 10.1.34 → update to 10.1.35
  • Tomcat 11: versions 11.0.0-M1 through 11.0.2 → update to 11.0.3

What Should You Do?

  1. Find your Tomcat servers. Check which version each one is running.
  2. Update them. Install the patched version (9.0.99, 10.1.35, or 11.0.3) [1].
  3. Check your settings. Make sure the server doesn't let unknown visitors upload files [10].
  4. Clean up old libraries. Remove or update outdated Java libraries that are known to be unsafe [7][8].
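The first three steps as one offline check (an added example, not from the post or the Apache project): it reads the version from Tomcat's own bin/version.sh output, compares it with the fixed releases the post lists, and inspects conf/web.xml for the readonly=false setting that lets the default servlet accept uploads. The sample web.xml is constructed.

```python
"""Added example, not from the post or the Apache project: offline checks for steps 1 to 3 above
against CVE-2025-24813, using the fixed releases the post lists (9.0.99, 10.1.35, 11.0.3). Inputs
are the "Server number:" line from $CATALINA_HOME/bin/version.sh and the text of conf/web.xml."""
import re
import xml.etree.ElementTree as ET
# First fixed release per line covered by the advisory; 10.0.x is end-of-life and not listed.
FIXED = {(9, 0): (9, 0, 99), (10, 1): (10, 1, 35), (11, 0): (11, 0, 3)}

def parse_version(text):
    """'Server number: 9.0.98.0', '9.0.98' or '10.1.0-M1' -> (major, minor, patch).
    A milestone such as 10.1.0-M1 is read as 10.1.0, which sorts below every fixed release."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def tomcat_status(text):
    """Steps 1-2: ('vulnerable', fixed), ('patched', fixed) or ('unknown', None)."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown", None
    return ("vulnerable" if v < fixed else "patched"), fixed

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace Tomcat's web.xml declares

def default_servlet_writable(web_xml):
    """Step 3: True when web.xml sets readonly=false on the servlet named 'default'.
    Tomcat ships readonly=true; the bug needs that servlet to accept writes (HTTP PUT)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((e.text or "" for e in servlet if _local(e.tag) == "servlet-name"), "")
        if name.strip() != "default":
            continue
        for param in (e for e in servlet if _local(e.tag) == "init-param"):
            kv = {_local(e.tag): (e.text or "").strip().lower() for e in param}
            if kv.get("param-name") == "readonly" and kv.get("param-value") == "false":
                return True
    return False
# Constructed sample of the risky setting, not taken from a real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet>
  <servlet-name>default</servlet-name>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
if __name__ == "__main__":
    for line in ["Server number: 9.0.98.0", "9.0.99", "10.1.0-M1", "11.0.2", "10.0.27"]:
        print(f"{line:26} -> {tomcat_status(line)}")
    print("default servlet writable:", default_servlet_writable(SAMPLE_WEB_XML))
```

A "patched" verdict only covers this CVE; step 4 (outdated Java libraries) still needs a separate dependency review.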

FAQ

Does this affect my business even if we don't run Tomcat ourselves? Yes. Tomcat often runs behind the scenes in tools you might not realise depend on it [5].

Will updating break anything? No — it's a small point-release designed to change as little as possible. Test in staging first, then roll it out [1].

How serious is this? Serious enough that CISA flagged it [4], but completely fixable with a straightforward update. The fix costs minutes; ignoring it could cost millions [6][9].


References

[1] Apache Software Foundation, "CVE-2025-24813: Apache Tomcat - Potential RCE and/or Information disclosure," Apache Tomcat Security, Mar. 2025.

[2] Wallarm, "CVE-2025-24813: Apache Tomcat RCE Exploited in the Wild," Wallarm Research, Mar. 2026.

[3] NIST National Vulnerability Database, "CVE-2025-24813 Detail," NVD, 2025.

[4] CISA, "Known Exploited Vulnerabilities Catalog," CISA.gov, 2026.

[5] Shodan, "Apache Tomcat Server Distribution," Shodan.io, 2026.

[6] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025.

[7] Australian Signals Directorate (ASD), "Essential Eight Maturity Model," Australian Government, 2025.

[8] OWASP, "Deserialization of Untrusted Data," OWASP Top 10, 2021.

[9] Verizon, "Data Breach Investigations Report 2025," Verizon, 2025.

[10] SecurityWeek, "Apache Tomcat Vulnerability Important to Patch, Difficult to Exploit," SecurityWeek, Mar. 2026.


Want help checking your servers or setting up automatic updates? We can walk you through it.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
