Deepfake and AI Fraud Risk Assessment

Background

A Ukrainian software developer specialising in financial data protection and fraud detection and processing over $1B in annual transactions, requested a security assessment of their infrastructure against deepfake threats.

What We Did

With the company’s approval, Molfar conducted a simulated cyberattack. We created a high-quality deepfake of a top executive and used it to impersonate them during video meetings with key employees to test the organisation's resilience to AI impersonation.

Key Findings

• Uncovered a low level of employee awareness regarding the technical sophistication of deepfake threats.
• Identified critical gaps in existing identity verification procedures during online meetings.
• Provided tailored recommendations to bridge the divide between technical security and human vigilance.

Outcome

The company implemented a multi-factor authentication system and launched regular staff training sessions. This proactive approach enhanced their preparedness for future incidents and provided a documented defence against real-world AI threats.

‍

Background

A European digital banking platform offering real-time payment infrastructure and fraud prevention services across the EU requested an assessment of their resilience against AI-driven impersonation threats. With growing reliance on video-based authorization processes, the client recognised deepfake manipulation as an underaddressed attack vector.

What We Did

With the client's full authorization, Molfar designed and executed a controlled deepfake simulation targeting internal communication and approval workflows. Analysts generated a high-fidelity audio-visual deepfake of the company's Chief Financial Officer and deployed it across staged video interactions with employees in finance, operations, and IT — specifically those with access to sensitive systems or authority to approve high-value transactions. The simulation replicated social engineering tactics used in real-world AI fraud attacks, including urgent fund transfer requests and credential authorization prompts.

Key Findings

The simulation exposed significant vulnerabilities at both the human and procedural level:

• The majority of employees who interacted with the deepfake failed to detect any signs of AI manipulation, reflecting a low baseline awareness of modern deepfake capabilities.
• Existing protocols contained no standardised mechanism for verifying executive identity during video calls, leaving approval workflows exposed with minimal friction.
• Several employees acted on instructions delivered via the simulated deepfake, including initiating mock transfer approvals, without seeking secondary confirmation through an out-of-band channel.

Outcome

The client introduced mandatory out-of-band verification protocols for all video-based authorisation requests and deployed AI-assisted deepfake detection tooling at the network level. A company-wide training program was launched using simulation footage as a concrete training aid. The engagement gave the client both the evidence and the momentum to close a critical blind spot before it could be exploited in a live attack.

‍