
How Deepfakes Turn Human Trust Into the Weakest Link in Enterprise Security

The Security Digest - News Team
Published June 23, 2026

Hazel Cerra, Director of Digital Security Convergence at BlackCloak, explains why deepfakes have made human trust itself a core enterprise vulnerability and what verification has to look like now.


For years, the standard advice for verifying a suspicious request was simple: talk to the person, see the person. That human check was the fallback when emails and texts could not be trusted. Deepfakes have now eliminated that fallback. Voice cloning started the erosion, and real-time video impersonation is finishing it, leaving enterprises without a reliable way to confirm that the person on the other end of a call is who they claim to be.

Hazel Cerra is Director of Digital Security Convergence at BlackCloak, a firm that provides digital executive protection for C-suite leaders, board members, and their families. A 25-year veteran of the U.S. Secret Service, she led cyber-enabled financial crime investigations and executive protection at the presidential level. That background gives her a direct line of sight into how attackers exploit people, not systems, and why the convergence of digital and physical threat vectors makes executive protection a cybersecurity problem.

“If you can’t trust what you’re seeing, then how else are you going to verify where that message is coming from? It’s particularly concerning for enterprises because there are a lot of transactions that take place. That human factor was eliminated, then because of trust, you tried to add it back again, and now you have nothing you can trust,” says Cerra.

The targets are specific, but the training is not

Executives are 12 times more likely to be targeted by cybercriminals because of their access and authority. But Cerra says attackers also go after anyone who controls money. "In my past life in the Secret Service, what I would see is a lot of criminals targeting the accounting division because all they did was process transactions all day long," she says. "If you targeted them and asked for a larger wire, or said to change a bank account, they didn't question it."

The problem is that most organizations still train for this with a blanket approach. "That's where I see failures take place," Cerra says. "They're doing security awareness training once or twice a year for the whole organization. That's not effective. You really need to break it down and make it specialized for that particular department and also your executives, because they're the ones that are going to be specifically targeted."

Urgency and hierarchy are the real weapons

Deepfakes amplify a pattern that predates the technology. CEO fraud, once powered by simple phishing emails, now carries the weight of a familiar voice or a live video feed. "The CEO would reach out to an employee and say, I'm at a busy conference, can you buy me 50 gift cards?" she says. "The employee thinks, the CEO is reaching out to me, of course, I'm going to do this."

The dynamic runs on urgency, authority, and the desire to do good work. "We as people want to do good. So, listening to an authority figure, especially your CEO, you don't want to question it," Cerra says. "But now you kind of do." The threat extends beyond the office. Voice-based kidnapping scams that use cloned audio of a family member have now evolved into video impersonation, pulling on emotional levers that override rational judgment. "When it has to do with your family, you may not think about it," Cerra says. "There's a con for everybody that someone will fall for."

Verification has to catch up

Cerra outlines several practical defenses. The first is establishing clear communication protocols from leadership: if the CEO only communicates via Slack, a text message asking for a wire transfer is immediately suspect. The second is rotating verification codes, similar to authentication apps, that change weekly or monthly and confirm identity in high-stakes conversations. The third is closed-loop verification tools that allow executives and their families to confirm whether a message actually came from them through a secure channel.
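As an added illustration (not code from the article or from BlackCloak), the rotating verification code described above can be built the way authenticator apps build theirs, as an RFC 6238-style HMAC code with the time step stretched from 30 seconds to a week. The per-pair shared secret, the weekly period and the one-hour grace window after rotation are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

WEEK = 7 * 24 * 3600  # assumed rotation period, in seconds


def rotating_code(secret: bytes, now: float, period: int = WEEK, digits: int = 6) -> str:
    """RFC 6238-style code; the time step is `period` rather than 30 seconds."""
    counter = int(now // period)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(secret: bytes, spoken: str, now: float,
                period: int = WEEK, grace: int = 3600) -> bool:
    """Check a code read out on a call.

    The current code is always valid. The previous code is valid only for
    `grace` seconds after rotation, so a call that straddles the boundary
    does not fail while an old code cannot be replayed for the whole week.
    """
    candidates = [rotating_code(secret, now, period)]
    if now >= period and now % period < grace:
        candidates.append(rotating_code(secret, now - period, period))
    ok = False
    for expected in candidates:
        # Constant-time comparison; check every candidate before returning.
        ok |= hmac.compare_digest(expected.encode(), spoken.encode())
    return ok
```

The secret has to be exchanged in person or over an already trusted channel, and the code should be requested by the person receiving the request, never volunteered by the caller.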

But Cerra warns that tooling alone is not enough. The deeper issue is that digital and physical security teams still operate in silos. "The CISO is worried about IT and the company. The CSO is worried about the physical part. But they're not talking," she says. Attackers do not respect that boundary. They start online, gather intelligence from social media and public sources, and use it to execute both digital and physical attacks.

The deepfake threat will keep improving. The defenses that worked six months ago, like asking someone to turn their head or checking for visual artifacts, are already losing reliability at scale. For Cerra, the answer is a security culture built around slowing down, verifying, and treating human trust itself as part of the attack surface. "It's about having the right people in the room and having those conversations so it can be done safely," she says. "With everything good, especially in technology, threat actors are going to figure out a way to use it for crime."
