Security Trends 2026: Deepfakes

Fb “When you look ahead to 2026, what do you see as the most important way the deep fake threat is changing - not just growing - and why does that matter for organisations?”

AS “The deepfake threat is becoming industrialised and autonomous.

We're past the phase where deepfakes were one-off scams. Now you've got coordinated operations hitting you with fake audio, then video, then forged documents. All delivered across email, chat, and live calls. Multi-step, multi-channel attacks that look exactly like legitimate business processes.

In 2025, we saw explosive growth in the attack-as-a-service model. So in 2026, there are thousands of people selling plug-and-play deepfake tools and templates, complete with tutorials and playbooks. Need a hospital scene for your romance scam? Here's the template, just swap the face. Need to convince the IT helpdesk to reset a password? Here's your step-by-step guide to harvest the audio for voice cloning, plus the script to convince them.

And we're now seeing autonomous AI agents that can execute entire fraud chains without human supervision. They can handle the operational cycle from research to approach to conversation to payment extraction. It's only a matter of time before these are deployed at scale.”

FB “What do you think organisations are most commonly getting wrong in how they understand or frame deepfake risk today?”

AS “Organisations think voice clones and fake videos are about someone impersonating their CEO on social media. They under‑appreciate the intersection of deepfakes with classic social engineering and process fraud.

Threat landscape reports highlight that finance and vendor relationship teams are high targets, yet these teams do not receive training in social engineering and deepfake fraud resilience. 

The second error is assuming that deepfake detection tools solve the problem. On its own, detection technology is not enough. I see firms invest heavily in cybersecurity tech, whilst ignoring training and verification processes. They’re still testing employees on the “think before you click” model. Perpetrators very rarely send a simple phishing email now!

And very few companies include social engineering and deepfake risks in their table top exercises and incident response plans. You wouldn't run your business without a fire drill, but somehow you'll wing it when someone deepfakes your CFO?

The fundamental framing error is treating this as a technology problem. Deepfakes exploit human trust and broken processes. Technology is just the delivery mechanism. Until you fix the human and procedural vulnerabilities, detection tools will not help.”

FB “Based on your work, what does effective preparation for deepfake-enabled threats actually look like in practice?”

AS “Effective preparation to mitigate risks from deepfake-enabled fraud starts with people.

Training has to be role-specific, experiential, and reinforced regularly. What your finance team needs to recognise is different from what your executives need to know, which is different from what your board needs to understand.

You need to learn the attacker's psychology and motivations. Attacks manifest in different ways. We can't predict exactly how or when the next one hits. But we can learn from case studies and identify vulnerabilities in our own environment before attackers do.

Next focus should be on processes. How do you know your verification protocols will hold under pressure? Unless you stress-test them, you won't find out. And if you don't include deepfake scenarios in your tabletop exercises, you won't have thought through the nuances of how to contain damage and resume normal operations when it happens.

This is where most organisations fail. They document a process and assume it works. But processes break down under duress, when someone's panicking, when there's time pressure, when the request appears to come from someone senior. You need to test whether your people will actually follow the protocol when it's uncomfortable to do so.

Finally, deploy ethical hackers. Unless you've actually attempted the attack yourself, you won't see the vulnerabilities the way they do. You think you've secured everything, but there's almost certainly a gap you haven't spotted. They'll find it.

Most firms do one of these three. You need all three, continuously. Not once - at regular intervals, because attack methods evolve.”

FB “When a deepfake incident occurs, what distinguishes organisations that respond well from those that struggle or cause further harm?”

AS “Having a documented incident response plan that includes social engineering and deepfake scenarios. When teams have a plan, they respond with confidence and in a measured way rather than panicking. This also gives them leverage in ransom negotiations, as they're not scrambling, they know their options.

I advise my clients that the Litmus test for a truly prepared organisation is, can you operate without technology, using paper and pen? If the answer is yes, you'll be resilient. You might fall over when attacked, but you'll be back on your feet quickly. If the answer is no, you're vulnerable.

The other thing that distinguishes good responses is how they handle internal communication. Employee morale matters. False narratives can spread internally just as easily as externally, and that can do as much damage. You need to contain the story inside your organisation whilst managing the external crisis.

And finally, and this often gets forgotten, you have to take care of the victim. The individual who was manipulated, experiences high levels of stress and embarrassment, even though it's not their fault. If you don't support them properly, you send a message to everyone else, 'If this happens to you, you'll be blamed.' That destroys your security culture immediately.

FB “If organisations take one practical step now to reduce their exposure to deepfake-enabled risk over the next few years, what should it be - and why?”

AS “Train everyone in the organisation on these attack vectors. Now.

Remember, deepfake-enabled social engineering exploits human trust. It works because people instinctively believe familiar voices and faces. Their confirmation bias kicks in, and they don't question it. Training changes that reflex. It makes people pause and think 'could this be fake?' before acting on requests through digital channels.

And it's immediate. You don't need to wait for new technology or redesign your systems. You can start training next week. It's cost-effective, relatively easy to procure and implement. And if done properly, it raises your security posture immediately.

The key is making it role-specific and experiential, not generic awareness. Show finance teams what invoice fraud looks like. Show HR what a deepfake interview sounds like. Make it real, make it relevant to what they do every day.

Low effort, high ROI. Most organisations will ignore this because they want a technology solution. Training feels too simple. But it's the foundation for everything else. You cannot secure what people don't recognise as a threat.”

FB “Is there anything else about the deep fake outlook for 2026 that you think is important for people to understand but doesn’t get enough attention?”

AS “Two things are not getting enough attention. 

First: fraud travels laterally. If your employee is caught up in a romance scam or investment fraud in their personal life, they don't know they're a victim. They think they're in a genuine relationship. So they're naturally sharing information, company structure, internal processes, communication patterns etc.

That information gets fed straight into the fraud design to target your organisation. Criminals are using your employee as an unwitting intelligence source to craft attacks against your business.

Your employee has no idea this is happening. They don't know there's a threat. This is why training matters. People need to recognise the signs that they might be targets, so they can protect both, themselves and their employer.

And the second is security silos.  The CISO’s team and adjacent functions such as engineering and IT tend to work closely and are aware of the threats. But functions such as HR and Marketing tend to be a little removed from these conversations. They are easy targets. Companies need to bring all functions into the security and threat awareness fold to raise vigilance, and therefore, security.”