CEO fraud and deepfakes: preventing transfer fraud in 2026
CEO fraud, fake transfer orders and AI-cloned voices: how the scam works in 2026, practical internal controls for small and medium businesses, and the steps to take if a transfer has already been executed.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Transfer fraud is not an abstract threat reserved for large corporations. It hits sole traders, professional practices and businesses with a handful of employees — often at the worst possible moment: summer holidays, year-end close, or a period of high transaction volume. What has changed in 2026 is the quality of the deception. Generative AI tools can clone a voice from a few seconds of public recording and simulate a face in a video call. The signals that used to expose the scam have largely disappeared.
This article explains how CEO fraud works when amplified by deepfake technology, which internal controls will block it even in a two-person back office, and what you must do in the first hours after a fraudulent transfer has been executed.
Quick answer. CEO fraud, or the fake transfer order (FOVI), is a criminal offence under article 313-1 of the French Criminal Code. In 2026, voice and video deepfakes eliminate the last human safeguards. The defence is organisational, not technical: dual approval of transfers, a callback on a known number, a written procedure for changing bank details, and segregation of duties. None of these controls is expensive; all of them depend on consistent application without exception.
What is CEO fraud?
CEO fraud — also called FOVI (faux ordre de virement, or fake wire transfer) or business email compromise (BEC) — involves impersonating a director, a supplier or an adviser to obtain an urgent bank transfer. Under article 313-1 of the French Criminal Code, this is criminal fraud: deceiving someone about identity in order to obtain funds.
The basic scenario has been the same for years: an email or a phone call, an urgent and confidential request, a transfer to an account the business does not recognise. What changes in 2026 is how convincing the staging is.
How is deepfake technology used in this fraud?
Generative AI can clone a voice from a few seconds of publicly available audio — a podcast appearance, a LinkedIn video, a Teams meeting transcript. The output is convincing enough to deceive a team member who knows their director's voice well.
Video deepfakes are more complex to produce but they exist and have been used. A widely reported 2024 case saw an employee at a large engineering group approve transfers worth tens of millions after a video call in which every participant — including the supposed CFO — was a deepfake. This shift sits alongside the broader spread of AI in business, now framed by the European AI Act.
For a small business, the threat is more commonly a voice clone: a phone call where the apparent director asks the accounts assistant to wire money urgently to a new supplier, bypassing the usual authorisation chain because the matter is commercially sensitive.
How an attack unfolds: the four-stage playbook
Attacks almost always follow the same structure.
Stage 1 — Intelligence gathering. The fraudster collects public information: the company website org chart, LinkedIn profiles, announced holiday periods, press releases about new contracts or acquisitions. The goal is to identify who can authorise a transfer and who is in a position of authority over them.
Stage 2 — Identity selection. The fraudster chooses who to impersonate: the director for an urgent transfer request, a known supplier for a bank-detail change, the company's bank or accountant for a supposed account-security procedure.
Stage 3 — Pressure. The request is always urgent and usually confidential. Phrases like "I'm in a meeting, do not go through anyone else" or "this payment must clear tonight" are characteristic. The urgency is designed to short-circuit verification procedures.
Stage 4 — Execution. The transfer is made. Funds move through several accounts within hours before being dispersed.
| Variant | Impersonated identity | Primary lever |
|---|---|---|
| CEO fraud | The director | Authority, urgency, confidentiality |
| Fake-supplier fraud | A known supplier | Bank-detail change on a real invoice |
| Fake-adviser fraud | The bank, lawyer or accountant | Claimed account-security procedure |
| BEC – compromised mailbox | A hijacked internal contact | Legitimacy of an ongoing thread |
How to prevent it: the controls that work
Effective protection does not rely on software. It relies on simple internal rules, known by everyone and applied without exception. A fraudster's entire strategy depends on the exception — "just this once, it is urgent."
| Control | What it blocks | Ease of implementation |
|---|---|---|
| Dual approval above a threshold | No single person pays alone | Low — written rule plus two signatures |
| Callback on a known number (never the one in the request) | Voice clone, false identity | Low — a reflex to build |
| Written procedure for bank-detail changes | Fake-supplier fraud | Low — a one-page form plus validation |
| Segregation of duties: entry / approval / payment | Over-reliance on one person | Moderate, depends on headcount |
| Regular awareness sessions and simulations | Urgency and secrecy as levers | Low — a few minutes per quarter |
| Per-user transfer limits set with the bank | Limit the impact of any single error | Low — a settings change |
These controls integrate naturally into a digitised supplier workflow and into a formal anti-fraud protocol.
The right to be slow. An employee must never be penalised for taking the time to verify. Stating this explicitly in writing neutralises the pressure the fraudster deliberately creates.
The special case of supplier bank-detail changes
Bank-detail fraud is the most frequent variant precisely because it is the least dramatic. The fraudster sends, from an address that closely resembles the supplier's (one character different, or a lookalike domain), a new invoice or a brief message announcing a change of bank account. The next routine payment goes to the fraudster's account.
The defence is a systematic contradictory check: any bank-detail change is confirmed by direct contact with the supplier, using the contact details already held in the supplier master file — never those provided in the suspicious message. For a deeper look at the specific warning signs for this type of attack, see our dedicated article on supplier bank-detail fraud controls.
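As an added example (not the firm's own code or procedure), here are the controls from the table above and the bank-detail check from this section expressed as a policy-as-code gate that a payment tool could run before releasing a transfer. The approval threshold, supplier name, IBAN and phone number are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed threshold in EUR; set it in the written rule

@dataclass
class Supplier:
    # Record from the supplier master file: the only trusted source of IBAN and contact
    iban: str
    phone: str  # registered contact used for the callback, never the number in the request

@dataclass
class TransferRequest:
    supplier: str
    iban: str
    amount: float
    entered_by: str
    approved_by: list[str] = field(default_factory=list)
    # Filled only after a callback on the master-file number confirmed a detail change
    change_confirmed_via: str | None = None

def check_transfer(req: TransferRequest, master: dict[str, Supplier]) -> list[str]:
    """Return the control failures; an empty list means the payment may be released."""
    failures: list[str] = []
    record = master.get(req.supplier)
    if record is None:
        failures.append("beneficiary is not in the supplier master file")
    elif req.iban != record.iban and req.change_confirmed_via != record.phone:
        failures.append("IBAN differs from master file and change not confirmed by callback")
    if req.entered_by in req.approved_by:
        failures.append("segregation of duties: the person who entered the payment cannot approve it")
    independent = {a for a in req.approved_by if a != req.entered_by}
    needed = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(independent) < needed:
        failures.append(f"{needed} independent approval(s) required, {len(independent)} given")
    return failures

# Constructed sample master file (fictitious IBAN and phone number)
MASTER = {"Iberia Parts SL": Supplier(iban="ES0000000000000000000001", phone="+34 900 000 001")}

def demo() -> dict[str, list[str]]:
    """Replay the article's scenario: an urgent EUR 28,000 payment to an unfamiliar IBAN."""
    new_iban = "ES0000000000000000000099"  # constructed, not on file
    urgent = TransferRequest("Iberia Parts SL", new_iban, 28_000, "assistant", ["assistant"])
    confirmed = TransferRequest("Iberia Parts SL", new_iban, 28_000, "assistant",
                                ["director", "cfo"], change_confirmed_via="+34 900 000 001")
    routine = TransferRequest("Iberia Parts SL", MASTER["Iberia Parts SL"].iban, 4_500,
                              "assistant", ["director"])
    return {name: check_transfer(r, MASTER) for name, r in
            (("urgent", urgent), ("confirmed", confirmed), ("routine", routine))}
```

The "urgent" request fails on all three controls at once, while the same payment passes once the new IBAN has been confirmed on the registered number and two people other than the person who entered it have approved.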
A concrete example: a trading SME that avoided the fraud
Consider a trading SME with eight employees. The director is travelling to Lyon. His assistant receives a phone call: a voice she recognises as the director's asks her to wire €28,000 to a new Spanish supplier urgently, before 5 pm, without telling the rest of the team for reasons of commercial confidentiality.
Without a procedure: the assistant, trying to be helpful, executes the transfer. The next morning the director discovers the transaction. The funds have already moved through two intermediary accounts.
With a procedure: the internal rule requires a callback to the director's mobile number registered in the company directory — not the number displayed by the caller. This thirty-second call is enough to confirm that the director has made no such request. The attempt fails.
This scenario is representative of what we observe in SME files that have experienced or narrowly avoided a fraud. The callback procedure, even in its simplest form, defeats the voice-clone attack in the vast majority of cases because the deepfake cannot be sustained through an independent channel.
What to do if the transfer has already gone
Speed is decisive. Every hour reduces the probability of recovering the funds.
- Call your bank immediately to trigger the recall procedure before the funds are dispersed further.
- File a criminal complaint with the police or gendarmerie. State that this is criminal fraud under article 313-1 of the Criminal Code and preserve all evidence: emails, calling numbers, screenshots.
- Report on cybermalveillance.gouv.fr, which provides guidance and signposts approved remediation providers.
- Notify your insurer if a cyber or fraud policy covers this type of loss.
- Check whether personal data has been compromised. If the attack involved access to the company's email system or files, a personal data breach affecting employees, clients or suppliers may have occurred. In that case, GDPR Article 33 requires notification to the CNIL within 72 hours of discovering the breach.
Who bears the loss? Bank liability in practice
When the company itself authorised and executed the transfer, the bank will almost always contest liability on the grounds that the transaction was authenticated through normal procedures. The debate then shifts to the bank's duty of vigilance and to whether there were apparent anomalies — an unusually large amount, an unknown foreign beneficiary, obvious urgency — that the bank should have flagged before processing.
French case law is nuanced and assesses each set of facts individually. In practice, a company that had no documented internal controls typically bears the bulk of the loss. This is one more reason to treat prevention as a priority, alongside legal counsel and a structured SME cybersecurity approach under NIS2.
Why small businesses are particularly exposed
No company size is immune. But businesses with fewer than 50 employees present two specific vulnerabilities: a single person can often authorise a transfer without a second signatory, and internal control procedures are rarely documented.
Fraudsters prepare their attacks carefully. They gather public information — the org chart on the website, director names, LinkedIn activity, published holiday schedules, press releases about new contracts. This data allows them to construct a convincing scenario. Good hygiene begins with restraint in what is published about the business and its people.
The same techniques used in CEO fraud fuel other AI-driven attacks: voice phishing impersonating a financial adviser, fake IT support requesting system access, or impersonating an accountant to collect sensitive documents. The defence is always the same: verify through an independent channel before acting. This is consistent with the broader principles of back-office automation security.
Building a lasting culture of vigilance
Procedures only work if they are known, understood and applied. Practical levers:
- Write the rules down on a single page, signed by the director, and make it accessible to every relevant employee.
- Run a brief awareness update each quarter — five minutes is enough to reinforce reflexes. Sharing a recent anonymised attack example makes the threat concrete.
- Run a simulation: send a fake bank-detail-change email and observe how the team responds. This identifies weak points before a real fraudster does.
- Create an internal reporting channel so that an employee who receives a suspicious request can flag it without fearing they will be seen as obstructive.
- Set per-user transfer limits with your bank where the platform allows it.
Updated 2026-06-14. This article is for information purposes and does not replace personalised advice. For your specific situation, consult a registered expert-comptable.
Frequently asked questions
What is CEO fraud and why is it a criminal offence?
CEO fraud (or fake wire transfer, FOVI) involves impersonating a director, supplier or adviser to obtain an urgent bank transfer. It constitutes criminal fraud under article 313-1 of the French Criminal Code, which punishes deceiving a person about identity in order to obtain funds. The maximum penalty for the perpetrator is five years' imprisonment and a €375,000 fine.
How does deepfake technology make wire fraud more dangerous in 2026?
Generative AI can clone a voice from a few seconds of public audio — a podcast, a video, a recorded meeting — and simulate a face in a video call. The two historic safeguards — spotting language mistakes and verifying by phone callback to the displayed number — are no longer sufficient. A voice clone can deceive even a team member who knows their director's voice well. Only a callback to an independently registered, known number remains reliable.
What concrete procedures protect an SME from this type of fraud?
The five essential measures are: (1) dual approval for transfers above a defined threshold; (2) a systematic callback on a known number before any out-of-process transfer; (3) a written procedure for supplier bank-detail changes (confirmed by direct contact using pre-registered details); (4) segregation of duties between entry, approval and payment; (5) regular staff awareness and simulations. None of these measures requires a technology investment.
What should you do in the first hours after a fraudulent transfer has been executed?
Speed is critical: (1) call your bank immediately to request a recall of the funds before they are dispersed; (2) file a criminal complaint with the police or gendarmerie, citing article 313-1 of the Criminal Code, and preserve all evidence; (3) report on cybermalveillance.gouv.fr; (4) notify your insurer. If the attack involved access to personal data, notify the CNIL within 72 hours under article 33 of the GDPR.
Does the bank refund money lost to a CEO-fraud (fake-president) scam?
Rarely, when the company itself authenticated and approved the transfer. The bank may be challenged on its duty of vigilance if apparent anomalies were present — an unusually large amount, an unknown foreign beneficiary, obvious urgency. French case law assesses facts case by case; in practice, a company without documented internal controls typically bears the loss. Documented prevention procedures also strengthen an insurance claim.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.
Sources
Official and operational sources cited for this page.
- Légifrance — Article 313-1 du Code pénal (escroquerie)
- cybermalveillance.gouv.fr — Arnaque au président / faux ordre de virement
- service-public.fr — Escroquerie : que faire en cas d'arnaque ?
- economie.gouv.fr — Fraude aux faux ordres de virement (DGCCRF)
- ANSSI — Guide hygiène informatique et sécurité des paiements
- CNIL — Article 33 du RGPD : notification des violations de données personnelles