Deepfake technology started as a curiosity. Today, regulators, law enforcement, and central bankers warn it poses real threats to financial institutions — from CEO impersonation to onboarding fraud. What can banks do about it?
A few years ago, deepfakes were mostly a novelty. Filmmakers used synthetic media to de-age actors. Advertisers created campaigns featuring historical figures endorsing modern products. Museums brought long-dead artists to life in interactive exhibitions. The underlying technology — generative AI that can produce realistic video, audio, and images of real people — was impressive, occasionally unsettling, and broadly seen as a creative tool.
That framing still holds in many contexts. Synthetic media powers legitimate applications in entertainment, education, accessibility, and marketing every day.
But for anyone responsible for the security and reputation of a financial institution, the picture looks very different.
A threat the regulators take seriously
Over the past two years, an unusually broad coalition of authorities has sounded the alarm on deepfakes in banking. These are not academic papers or think-piece warnings. They are official advisories, speeches, and threat assessments from organisations whose job it is to protect the financial system.
In April 2025, U.S. Federal Reserve Governor Michael S. Barr warned explicitly that banks are “frontline defenders” against deepfake-enabled fraud and cybercrime. His remarks left little room for ambiguity: AI-generated impersonation is an active and growing risk to the sector.
In November 2024, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a targeted alert to help financial institutions identify fraud schemes involving deepfake media — covering fraudulent identity documents, authentication circumvention, and the red flags that compliance teams should watch for.
Around the same time, FS-ISAC — the global cyber-intelligence sharing body for financial services — published what it described as a first-of-its-kind taxonomy of deepfake risks, threat scenarios, and mitigations specifically for financial institutions.
And the concern is not limited to the United States. Europol’s 2022 report Facing reality? analysed the criminal use of deepfakes and called out CEO fraud, disinformation, and blackmail as concrete risks. A follow-up Europol assessment in 2023 noted that deepfake technology can help criminals circumvent remote onboarding measures — and that CEO fraud is a particular concern because information on senior figures at financial institutions is publicly available.
It has already happened
This is not a theoretical exercise. In August 2024, the Governor of the Bangko Sentral ng Pilipinas (the Philippine central bank), Eli Remolona, publicly disclosed that he himself had been the victim of a deepfake — a synthetic video that appeared to show him recommending an investment scam.
If a sitting central bank governor can be deepfaked convincingly enough to be used in a fraud campaign, the same can happen to a private bank CEO, a wealth management director, or a compliance officer. The raw material — public speeches, interviews, conference appearances — is freely available.
Switzerland is not immune
The threat is not distant or abstract for Swiss institutions. It is already here.
In January 2026, an entrepreneur in the canton of Schwyz lost several million Swiss francs to attackers who cloned the voice of a trusted business partner using AI. The synthetic voice was convincing enough to sustain phone calls over a two-week period. The money was transferred to an account in Asia. The case was highlighted by the Swiss Federal Office of Cybersecurity (BACS, formerly NCSC) in its Week 4 report for 2026.
An earlier incident, reported by the NCSC in April 2024, showed a different pattern: a financial officer was invited to a video conference with what appeared to be their boss — generated in real time by AI. In that case the fraud was detected because the synthetic face and voice were not yet convincing enough. The attackers failed, but the attempt demonstrated that the technique is being actively deployed against Swiss targets.
The scale of the problem is growing rapidly. The BACS semi-annual report for the first half of 2025 documented a nearly fivefold increase in reports of deepfake-enabled investment fraud — from 729 to 3,485 cases in a single year. Deepfake videos of prominent public figures, including Swiss Federal President Karin Keller-Sutter, were used to lure victims to fraudulent investment platforms. Across all forms of online investment fraud, approximately CHF 250 million was stolen in Switzerland in 2025.
The Swiss Bankers Association (SBA) has also weighed in. In a December 2025 statement titled Fraud in the Age of AI, the SBA acknowledged that “fraud has entered a new era, one defined by industrialised crime networks, behavioural manipulation, and AI-driven attacks,” and noted that banks are deploying AI defensively to identify deepfakes. A companion SBA report on preventing fraud in Swiss payments noted that Swiss cyber fraud cases increased 40% in 2024 — exceeding 42,000 incidents — and that more than 40% of detected fraud attempts in the European financial sector are now AI-driven.
Three risk categories banks should understand
The institutional warnings converge around three core scenarios:
Executive impersonation. A synthetic audio or video clip impersonates a CEO, CFO, or board member to influence staff, clients, or counterparties. This can be used to authorise payments, redirect funds, or issue false instructions. The U.S. NSA, FBI, and CISA issued a joint advisory in September 2023 specifically warning that deepfakes can impersonate leaders and financial officers.
Fraud enablement. Deepfakes strengthen existing attack vectors — phishing, business email compromise, payment redirection, account takeover. FinCEN’s alert describes how AI-generated identity documents and manipulated selfie videos are already being used to bypass know-your-customer (KYC) and onboarding controls.
Reputational and coercive risk. A fabricated compromising video of a senior executive could be used for extortion, blackmail, market manipulation, or simply to damage an institution’s public standing. Europol’s analysis treats this as a serious and distinct threat category.
What banks can do
The same advisories that describe the threat also outline practical defences. While no single measure is foolproof, a layered approach substantially raises the bar for attackers:
Strengthen verification protocols. Any instruction involving fund transfers, account changes, or sensitive actions should require multi-channel verification. If a request arrives by video call, confirm it by a separate channel — a phone call to a known number, a secure messaging platform, or in person. Never rely on a single communication channel for high-value decisions.
Invest in detection technology. Deepfake detection tools are improving rapidly. Liveness detection for identity verification, audio analysis for synthetic speech, and video forensics can all help identify manipulated media. These tools are not perfect, but they add a meaningful layer of defence, especially in onboarding and authentication workflows.
Train staff to be sceptical. Social engineering succeeds when people trust what they see and hear. Regular awareness training — including demonstrations of how convincing deepfakes can be — helps build a healthy culture of verification. Staff should feel empowered to challenge and confirm unusual requests, regardless of who appears to be making them.
Prepare an incident response plan. If a deepfake of a senior executive surfaces publicly, the institution needs to respond quickly and credibly. Having a pre-agreed communications protocol — who confirms authenticity, who issues public statements, how the institution coordinates with law enforcement — makes the difference between a managed incident and a reputational crisis.
Monitor your digital footprint. The more public material exists of an executive — speeches, interviews, social media video — the easier it is to create a convincing deepfake. Institutions should be aware of this exposure and consider it as part of their broader risk management. This does not mean executives should avoid public appearances, but it does mean the organisation should factor this visibility into its threat model.
A new dimension of operational risk
Deepfakes are not going away. The technology is becoming cheaper, faster, and more accessible. For the entertainment industry, that means new creative possibilities. For banking, it means a new and evolving dimension of operational, reputational, and fraud risk.
The good news is that the threat is now well understood at the institutional level. The regulatory and law-enforcement community has provided unusually clear and actionable guidance. Banks that take this guidance seriously — and invest in the verification, detection, training, and response measures outlined above — will be far better positioned to protect their institutions, their clients, and their executives.
The era of “seeing is believing” is over. In financial services, verification must replace trust.