CaraComp
CaraComp
Forensic-Grade AI Face Recognition for:
Get Started7-day refund guarantee**
ai-regulation

That "Urgent" Call From Your Boss? The Face and Voice Are Fake — and It Just Stole $1.1 Billion

That "Urgent" Call From Your Boss? The Face and Voice Are Fake — and It Just Stole $1.1 Billion

An employee at a large company joined what looked like a normal video call. On screen: her CFO, two senior managers, and a colleague she'd worked with for years. They needed her to move a significant sum of money — urgently, confidentially. She did it. Every single person on that call was fake. The whole meeting was AI-generated, start to finish. The company lost the equivalent of $25 million in one afternoon.

TL;DR

AI can now fake your CEO's face, your boss's voice, and your bank's logo convincingly enough to fool smart, careful people — and criminals are using this to steal at a scale that should make every one of us rethink what "verification" actually means.

That story isn't hypothetical. It happened. And the NatWest CEO deepfake incident — reported this week by SC Media — is the same playbook, just louder and more public. Someone fabricated a BBC radio interview featuring NatWest CEO Paul Thwaite and journalist Emily Maitlis, complete with a caption hinting at controversy around Thwaite's 33% pay rise to £6.6 million. That detail wasn't accidental. The scammers made the fake feel newsworthy — something you'd forward without thinking twice.

This is not a story about one bank or one executive. This is a story about a new kind of con that's coming for ordinary people, in ordinary moments, wearing very familiar faces.


A $1.1 Billion Problem That Barely Anyone Sees Coming

Here's the number that stopped me cold. According to Fortune, AI-powered deepfake fraud drained $1.1 billion from U.S. corporate accounts in 2025 alone — triple the $360 million stolen the year before. Deepfake-related fraud incidents quadrupled the entire 2024 total before the year was even halfway done.

$1.1B
stolen from U.S. companies via deepfake fraud in 2025 — triple the prior year's losses
Source: Fortune / corporate fraud analysis, 2026

And yet only 32% of corporate executives think their organizations are actually ready to handle a deepfake attack. Meanwhile, more than half of cybersecurity professionals — 51%, up from 43% last year — say their company has already been targeted. That gap between "we think we're fine" and "we're actively being hit" is exactly where criminals like to work.

The NatWest deepfake circulating online is what security researchers call a brand manipulation attack — using a real executive's face and name to create false credibility in the public space, not just in a private email. That's a shift. It used to be that these scams targeted one finance employee at a time, quietly, via fake emails. Now they're going bigger: fake the CEO publicly, generate social proof, let the lie spread on its own. This article is part of a series — start with Your Kids Face Unlocks The Vending Machine A Strangers Rules.

"They are another reminder of criminal activity designed to defraud people." — NatWest spokesperson, quoted in TechRadar Pro

Short statement. Big understatement. Because what it doesn't say is that Thwaite is not the first. The Bank of England's governor has already had his face used in similar scams. These aren't random targets — they're chosen because their authority is unquestioned, their faces are publicly available, and their names instantly trigger trust.


Your Brain Is the Vulnerability

There's a psychological shortcut most of us use without realizing it: when someone looks familiar and sounds authoritative, we skip the skepticism. Psychologists call it authority bias — the tendency to comply with requests from people we perceive as being in charge. It's not stupidity. It's how humans are wired. We learned to trust the village elder, the doctor, the boss. That instinct kept us safe for centuries.

Now criminals are hacking it directly.

According to Brightside AI's research on deepfake CEO fraud, a convincing voice clone — a fake audio version of someone's voice that sounds just like them — can be built from as little as 20 to 30 seconds of recorded speech. A believable deepfake video? About 45 minutes, using software that costs nothing. This isn't a nation-state superpower. This is something a moderately motivated criminal with a laptop can pull off on a Tuesday.

So picture this: you get a call. The caller ID shows your company's CFO. The voice sounds right. If it's a video call, the face looks right. They need you to process a wire transfer — the deal closes tonight, the CEO already approved it, just keep it quiet until the announcement. What do you do?

Most people, according to the research, would complete two or three verification steps before authority bias kicks in and overrides their hesitation. Two or three steps may not be enough anymore.

Why This Matters to You Specifically

  • It's not just CEOs — criminals test tactics on executives, then roll them out on the rest of us. The "fake boss" call is already targeting mid-level employees at companies of every size.
  • 📊 Your face and voice are already out there — anyone with a LinkedIn photo, a social media profile, or a YouTube video has given scammers enough raw material to work with.
  • 🔮 The next frontier is personal — researchers are already tracking deepfake scams targeting family members, fake "emergency" calls from cloned children's voices, and fraudulent "bank verification" video calls from people who look exactly like your actual banker.

Trusted by Investigators Worldwide
Run Forensic-Grade Comparisons in Seconds
Court-ready facial comparison reports. Results in seconds.
Get Started
7-day refund guarantee**
🎆 July 4th Sale: 50% OFF your first month — use code JULY426 at checkout · ends July 11

The Part Nobody Wants to Admit

Here's the uncomfortable truth about why these scams work so well: our existing defenses were never built for this. Previously in this series: That Real Face On Your Tv Espn Just Proved You Cant Tell Any.

Think about how most organizations verify an internal request. They check whether the email came from the right address. They confirm the sender's name. Maybe they call back on a known number. These controls were designed to catch pretenders — people faking credentials from scratch. They weren't designed to catch a criminal who has synthesized your CFO's face, cloned your CEO's voice, and joined a video call as a fully authenticated participant.

As Digital Samba's analysis of deepfake video call attacks explains it: encryption protects your call from being intercepted by a third party — but it does absolutely nothing to stop someone who has already synthesized the face of a person who belongs on that call. The lock on your door keeps strangers out. It doesn't help if the stranger has already learned to look exactly like you.

And Proofpoint's deepfake threat research puts a fine point on it: when criminals add a video appearance or voice call to what used to be a simple phishing email (a fake message designed to trick you into giving up information or money), the attack becomes dramatically more effective precisely because it looks like your organization's own internal safety check being completed successfully. The verification step designed to protect you becomes the weapon used against you.

That's not a detection problem. That's a broken-trust problem. And it doesn't have a simple patch.


So What Can You Actually Do Right Now?

Look, nobody's saying you need to treat every phone call like a suspect lineup. But there are a few things genuinely worth doing — not someday, now.

First: establish a code word. Sounds almost old-fashioned, right? It works. Pick a private word or phrase with your family members — something you'd never post online — and agree that any "urgent" request for money or personal information over a call requires that word. No word, no action. A few families have already started doing this for exactly the reason you'd expect: a parent got a call that sounded like their child in trouble. It wasn't. Up next: Ai Regulation Reactive Deepfake Protection Gap.

Second: slow down when someone tells you to hurry up. Urgency is the scammer's best friend. "Close tonight." "Don't tell anyone yet." "We need it in the next hour." Legitimate requests almost never collapse if you take 10 minutes to verify through a completely separate channel — hang up, call back on a number you find yourself, not one they gave you.

Third: for anything involving money or personal information, always verify identity independently. A face on a screen is no longer proof. A familiar voice is no longer proof. If you've ever found yourself wondering whether the person contacting you is actually who they claim to be, that instinct is the right one to follow — and there are tools built specifically for that kind of identity verification that go well beyond what your eyes and ears can tell you in the moment.

Key Takeaway

A familiar face, a known voice, and a correct caller ID are no longer enough. Any request for money, personal details, or confidential information — no matter who appears to be asking — deserves independent verification through a channel you control. Not the one they handed you.

The NatWest CEO had no idea his face was being used to run scams until it was already circulating. Paul Thwaite didn't authorize a single second of that fake interview. His likeness was simply taken, shaped into something useful for criminals, and deployed — and there was nothing he could do to stop it after the fact.

That's the part worth sitting with tonight. The deepfake version of you doesn't need your permission to exist. It only needs your photo, thirty seconds of your voice, and a criminal who thinks your face is worth something.

Right now, for most people, it's still executives and celebrities who are high-value enough targets to bother with. The question worth asking — the one that should probably keep the financial industry up at night — is exactly how long before that calculus changes, and your face becomes worth faking too.

Ready for forensic-grade facial comparison?

Full forensic reports with detailed similarity scoring. Results in seconds.

Run My First Search