Business email compromise (BEC) attacks continue be successful, with the FBI reporting 21,442 complaints last year and $2.8 billion in losses. As deepfake and voice-cloning technologies become increasingly accessible, criminals are elevating their deception tactics beyond simple text-based communications to include convincing video and audio impersonations of executives. A seemingly authentic Zoom call authorizing a wire transfer carries far more persuasive weight than email or text messages alone.

Yet this technological evolution presents security leaders with a dilemma: in the aftermath of an alleged AI-powered BEC attack, how can organizations verify what actually occurred? With no digital evidence of a deepfaked call to investigate, security teams must contend with an uncomfortable question — could the supposed ‘victim’ actually be complicit in the theft? The crime may not involve sophisticated AI at all, but rather an employee who initiates an unauthorized payment and then claims to have been fooled by a phantom deepfake.

This scenario demands that CISOs and security teams balance healthy skepticism with fair treatment of employees. As organizations strengthen their defenses against external BEC threats, they must simultaneously consider the possibility of insider collaboration.

The Clock Is Ticking

The first 48 hours after an incident are crucial. Organizations must have a pre-established incident response team, including legal, IT security, and HR, but excluding anyone directly involved in the fraudulent transaction. 

The first response phase is immediate containment: freezing affected accounts and transactions will prevent further financial loss and notifying law enforcement promptly is the first step toward recovering funds. Police officers may also wish to conduct passive inquiries into those involved to establish any previous criminal history or criminal associations. 

Organizations must handle personnel with care, adhering strictly to the principle of “innocent until proven guilty” and avoiding any actions or communications that imply wrongdoing. However, to protect the integrity of the investigation, temporary measures may be necessary. These can include restricting access to relevant systems and data, reassigning duties, or even placing the employee on administrative leave with full pay and benefits. 

It is crucial to communicate clearly that these steps are standard protective measures, not punitive actions. Affected staff should not feel that they are being treated as suspects, and making it part of the playbook ensures transparency and fairness throughout the process.

Preserving Digital Evidence

During the forensic investigation, a thorough log analysis must be conducted to trace any unauthorized access and find anomalies. Until proven otherwise, investigators should not rule out remote access to the corporate network or executives’ email accounts. Isolate any involved devices and ensure logs are preserved for forensic analysis.

To maintain impartiality and technical accuracy, external forensic experts may be brought in to assist in the analysis. Having a trusted provider already contracted will save valuable time. Take legal advice regarding the data that can be included in the search of any devices and how best to preserve evidence to ensure its admissibility in case of a prosecution.

If cooperation is not forthcoming from the individual(s), consult with legal counsel about the company's rights to access information based on existing policies and agreements.

The third phase is the post-incident review and policy update that includes a reassessment of existing security policies in light of the breach. Lessons learned should inform strengthened controls, particularly around high-risk financial processes, and some may be shared with peer organizations.

Reputational damage often follows a successful BEC attack; transparent communication with stakeholders becomes especially important when insider involvement is suspected. Communications must be carefully managed to protect the investigation’s integrity and avoid unfairly implicating individuals before conclusions are reached.

A Future of Increasingly Sophisticated Attacks

The speed at which AI capabilities are being democratized means an increase in real deepfake attacks is likely. Preventing individual employees from being able to make large payments without a signatory workflow is an easy first step, but cyber risk management controls should also be updated.

Implementing a modern, zero-trust architecture reduces the risk of external (or unauthorized internal) actors getting access to corporate systems that could be used to facilitate fraud. Increasing cyber awareness and fostering a culture of healthy skepticism towards unusual requests without fear of repercussions also play a part. Having the CEO and CFO declare to staff that they would never request payments outside normal channels, and promising to reward staff for reporting such approaches, could also help.

An established playbook for any incident is critical. Minutes count in the wake of a BEC fraud and having defined roles and responsibilities could make a significant difference. This is an attack that is almost entirely preventable with the right controls and planning. In an era where deception is fast becoming indistinguishable from reality, the biggest mistake is trusting without verification.