Blog 17 – Digital Doppelgangers: Identity Theft in the Age of Deepfakes

In this blog  I Explore how generative AI and synthetic media are reshaping personal and corporate identity risks

Spoiler: In the age of AI, your voice, face, and reputation are no longer yours alone.

Deepfake Nation: Where Identity Gets an AI Makeover

There was a time when identity theft meant someone going through your recycling bin for a crumpled bank statement.

Back then, the worst-case scenario was a few dodgy transactions on your credit card and an awkward phone call with a customer service rep named Garry who put you on hold for eternity. But now?

Now, your identity can be stolen without anyone laying a finger on your bin, your phone, or even you.

All it takes is 30 seconds of your voice, maybe from that webinar you proudly posted. A couple of clips from LinkedIn. Maybe a company bio or two. Upload. Render. Done. Your digital doppelganger is born, and it sounds exactly like you asking someone to urgently approve a seven-figure transfer.

Still think this is hypothetical?

In February 2024, a multinational firm in Hong Kong fell victim to a deepfake-enabled video call where scammers impersonated not just one executive, but an entire virtual team. The employee thought they were in a real meeting with their UK-based CFO. What they were actually in was a fraud operation using AI-generated avatars. The result? US$25 million transferred to criminals. No ski masks. No hacking. Just synthetic humans with great lighting and forged authority.

This is not science fiction. This is “scams as a service”. And the barrier to entry is frighteningly low.

Deepfake tools are now plug-and-play. Anyone with Wi-Fi and a dodgy agenda can build a fake version of you in under an hour. No hoodie required.

Welcome to the synthetic media era, where being seen and heard no longer proves you are real. It just proves someone had access to your online footprint and the right toolkit.

Because in 2025, being yourself on the internet comes with fine print. And generative AI is not just automating tasks; it is automating identity. Not just yours. Everyone’s.

Your face, your voice, your presence, these are no longer things you own. They are now assets in someone else’s playbook.

Except you do not get royalties. Just reputational risk, legal nightmares, and a very uncomfortable board meeting.

Identity is No Longer Fixed — It’s For Sale

AI powered impersonation is no longer a fringe issue. It is not a curiosity for tech blogs or a subplot in cyber thrillers. It is now a mainstream threat that is growing faster than most organisations can react. The tools are getting sharper. The outputs are getting more realistic. And the price? Cheaper by the day.

Voice cloning used to require specialist labs. Now it is available through free apps. Face mapping once demanded high tech complex motion capture rigs. Today it can be done using a handful of public images and a browser. Full body avatars, complete with gestures and eye movement, are no longer the domain of Hollywood studios. They are being generated by hobbyists and scammers on laptops.

Everything that makes you recognisable, your voice, your mannerisms, your facial expressions can now be convincingly replicated by software. And it can be done in minutes, for pocket change.

The result?

• Fake CEOs issuing fake approvals for very real money
• Synthetic job applicants acing interviews using someone else's credentials
• Hijacked brands, with deep faked executives hosting believable online events

And here is the unsettling part. These impersonations are often convincing enough to pass. Not in theory. In practice.

Forget passwords and two factor authentication. The real breach is now psychological. If a deepfake looks like you, sounds like you, and behaves like you, then most people will believe it is you. Especially under pressure. Especially in business settings.

This is not just identity theft. This is identity replacement. And once a deepfake has done the damage, cleaning up the mess is not just a technical process. It is a reputational crisis.

So, the next time you see a video of an executive making a bold statement, pause before you share. Ask whether you are watching the real person or their digital double.

Because in a world where seeing is no longer believing, trust is the new attack surface.

The Fraud Factory Has Been Upgraded

Let us not kid ourselves. Cybercriminals are not just adapting. They are innovating. They are building faster than regulators can legislate and moving quicker than most security teams can patch.

This is no longer a matter of someone guessing your password or crafting a fake invoice. This is industrialised deception. Automation meets manipulation. Fraud at scale, powered by AI.

Welcome to the world of synthetic identity services, what some are already calling “Face Fraud as a Service”.

On the dark web and beyond, there is now an entire marketplace of tools designed to clone faces, mimic voices, and simulate identities. No technical background required. Just a credit card, a Telegram group, and a morally flexible attitude.

Need to bypass a biometric Know Your Customer (FYC) process? There is a deepfake generator that can pass facial recognition checks with alarming precision.

Need to reset someone’s password using their voice? There are dozens of voice cloning apps that can replicate tone, cadence, and inflection using only a short audio clip. Need to impersonate an entire executive team? Some attackers already have. In real-time. On live video calls.

This is not phishing with better graphics. This is impersonation at a level that is designed to defeat not just technical controls, but human intuition.

And the implications go far beyond fraud.

This changes how we verify, how we trust, and how we protect reputations. When a fabricated video or voice clip can trigger a financial transaction, a policy change, or even a public scandal, identity becomes an operational risk and a governance one.

Boards need to understand this is not just a technical issue for IT to solve quietly. It is a strategic threat that cuts across finance, legal, compliance, and brand.

If your organisation relies on visual or verbal confirmation for anything critical whether that is wire transfers, authorisations, interviews, or public communications it is already exposed.

In a world where criminals can rent a deepfake toolkit and deploy it in an afternoon, trust is no longer implicit. It must be designed, verified, and defended.

Because the fraud factory has been rebuilt. And this time, it speaks in your voice.

When Reality is Optional, Trust Becomes the Attack Surface

Here is the uncomfortable truth facing boards and executives right now:

How do you prove someone is real when everything about them can be convincingly faked?

It is no longer a philosophical question. It is an urgent operational one.

The traditional methods we rely on to verify identity multi factor authentication, biometrics, and video calls are all under siege. Once hailed as the gold standard for digital verification, these systems are now being manipulated by synthetic content that looks, sounds, and behaves like the real thing.

The machine does not just pass as human. In some cases, it passes better than the human.

And the fallout is no longer theoretical. It is already here:

• Financial transactions approved based on cloned voices of executives
• Public statements attributed to leaders who never opened their mouths
• Share prices impacted by entirely fabricated video interviews

This is not a glitch in the system. This is a fundamental shift in how reality itself can be engineered.

We have officially entered the era where the fake can move markets, influence decisions, and undermine trust at scale. If someone sees it and believes it, the damage is already done, regardless of whether it is real.

And that changes everything.

It means trust is no longer a passive assumption. It is now an active vulnerability. Your ability to establish, maintain, and verify digital trust is as critical as any firewall or intrusion detection system.

Because if your people, your executives, or your brand can be synthetically replicated, then trust becomes your new attack surface. And like any surface, it needs to be mapped, monitored, and reinforced.

Boards should be asking:

• How are we validating the authenticity of our internal communications?
• What are our protocols if a synthetic video of our CEO hits the media?
• Do we have the tools and talent to detect a deepfake before the damage is done?

This is no longer about whether something is fake or real. It is about how fast you can tell the difference and how ready you are when others cannot.

In a world where reality is optional, trust becomes the last line of defence.

Boardroom Questions that Can’t Wait

This is not a problem for tomorrow. This is a governance failure waiting to happen today.

Generative AI and synthetic media are not lurking in the future. They are operating in your supply chain, your inbox, your HR systems, and your customer interactions right now. The threat is not emerging. It has emerged.

Boards can no longer delegate this to the IT team or bury it in the risk register under "low likelihood." This is a strategic issue. It sits at the intersection of trust, reputation, operational continuity, and leadership credibility.

So, the questions directors, CISOs, and digital leaders should be asking are not theoretical. They are immediate. They are uncomfortable. And we need to prepare.

• Do we have a plan for deepfake impersonation of our executives, board members, or brand? Have we war-gamed the scenario where a fake video or audio recording of our CEO hits social media before breakfast?
• What is our crisis protocol if synthetic content goes viral before we can confirm or debunk it? Who leads the response? Who notifies the regulators, the media, the shareholders?
• Can we verify internal instructions and authorisations using more than just facial recognition, video calls, or familiar voices? Have we built authentication layers that are designed to resist psychological manipulation, not just technical spoofing?
• Are our suppliers, vendors, and third-party service providers applying the same level of identity verification? Or are we trusting someone else's weak link to protect our reputation?
• What safeguards are in place for sensitive tasks like wire transfers, hiring, executive approvals, and board communications? Are we relying on the same trust signals that synthetic media now mimics with ease?

And perhaps most critically:

If our identity systems were attacked today, would we even know?

Would anyone on the leadership team recognise that a synthetic impersonation was in play before the damage was done? Would we have the tools to detect it? The confidence to respond? The policy to support our next move?

Because when trust is the new attack vector, ignorance is no longer plausible deniability. It is liability.

This is the new digital due diligence. And boards that are not asking these questions are not just exposed, they are already behind.

Human Trust in a Synthetic World

We have spent the last two decades defending inboxes from phishing. Now we are facing something far more complex and insidious, the collapse of trust in what we see, hear, and believe.

This is no longer about stopping spoofed emails with poor grammar. This is about restoring confidence in the fundamental signals we use to assess credibility. Voice. Face. Presence. Authority.

In a world where anything can be synthetically generated, authenticity becomes both your greatest asset and your most fragile vulnerability.

Here are a few practices that deserve board-level traction:

• Digital watermarking of official videos, presentations, and public-facing content. If it is coming from your brand or leadership team, it should be traceable and tamper evident. Watermarks are no longer a cosmetic feature. They are a line of defence.
• AI deepfake detection capabilities embedded in your fraud, compliance, and threat intelligence systems. Do not wait until a synthetic voice approves a million-dollar transfer to start evaluating detection tools.
• Crisis communication protocols that assume synthetic media will eventually target your organisation. Who handles the response when a fake video of your CEO surfaces? What is your messaging strategy? Do your comms and legal teams even know what a deepfake looks like?
• Executive digital hygiene policies to limit exposure. Every keynote, podcast, or fireside chat uploaded online adds fuel to the model. Public speaking is great for visibility, but it is also great training data for someone else’s fraud. Knowing what is out there and where is now part of basic executive risk management.
• Proactive media engagement and digital signalling, such as verified channels, known branding cues, and published content schedules. If your audience knows what to expect, they are more likely to spot something that feels off.

I believe that the next reputational crisis will not come from a stolen spreadsheet. It will come from a fake video you did not create but that everyone believes.

And by the time you say "that is not me," it may already be too late.

Boards must now govern for a world where reality can be forged, trust can be faked, and perception can be weaponised.

This is not about becoming paranoid. It is about becoming prepared.

Final Thought: In a World of Copies, Authenticity Wins

We have spent decades building systems around proving who we are. Passwords. Tokens. Biometrics. Digital certificates. All designed to confirm identity in a world that used to assume humans were the only ones pretending to be humans.

But now, identity is no longer something fixed. It is fluid. Editable. Downloadable. Deployable. With the right tools, anyone can wear your face, borrow your voice, and channel your digital presence whether you gave them permission or not.

This is not a sci-fi trailer. It is a normal Tuesday.

If your digital self, your tone, your timing, your quirks and catchphrases, can be convincingly cloned and dropped into someone else’s agenda, then traditional security falls short. The firewall does not stop a face. Two factor authentication does not question authority. And no one has ever asked a synthetic CEO to explain themselves.

That part still falls to you.

And here is where I think cybersecurity needs to evolve. We are no longer just protecting systems. We are protecting selves, our people, our voices, and the trust we carry.

Because in the age of deepfakes:

• The algorithm will not deny the fraud
• The fake video will not issue a correction
• The synthetic CEO will not apologise at the AGM

You will.

I think that we should treat identity as a living, strategic asset. Something worth protecting with the same care we apply to financials, supply chains, and reputations.

And let us not panic. Let us prepare. Because while synthetic content may scale quickly, authenticity still earns trust slowly. It does not trend. It endures.

This is not about fear. It is about focus.

Yes, the tools are evolving fast. But so can we. By embedding trust into our technologies, our teams, and our culture. By being intentional in how we show up. And by staying just sceptical enough to ask the question: Is this real?

Because in a world full of copies, the organisations that win will be the ones that stay verifiably human.

Dr Glenn, signing off. (Still human. Still watching the machines. Still asking who you really are and how you prove it.)