A finance employee sits down for a routine video call. On screen: the CFO, two senior colleagues, and a familiar vendor contact all asking to expedite a wire transfer. Everything looks right. The faces are real. The voices match. The request is approved.
Every person on that call was a deepfake. The money, $25 million, was gone within hours.
That wasn’t a hypothetical. It happened in early 2024 at Arup, a global engineering firm. And it’s no longer a one-off case study. Deepfake invoice fraud has become a systematic threat. Financial losses from deepfake-enabled fraud exceeded $200 million in the first quarter of 2025 alone, according to Resemble AI’s Q1 2025 Deepfake Incident Report. The PYMNTS Intelligence April 2025 AP Fraud Tracker found that 90% of U.S. firms reported being targeted by modern AP fraud techniques. Your accounts payable team is on the front line of a battle most organizations aren’t equipped to fight.
Here’s what you’re up against and what to do about it.
What Deepfake Invoice Fraud Actually Looks Like in 2025
Deepfake invoice fraud isn’t a single scheme. It’s a category of attack that combines synthetic media (AI-generated audio, video, or images) with traditional financial fraud tactics to manipulate the payment process. In 2025, these attacks take several forms:
The Fake Executive Call. Fraudsters clone a senior executive’s voice or create a deepfake video likeness, then contact the AP team directly to authorize an urgent payment. According to a 2025 Medius survey, 53% of finance professionals have experienced deepfake scam attempts and 43% admitted they’ve fallen for one.
The Vendor Impersonation Invoice. Criminals research your existing vendor relationships, create fake invoices mirroring legitimate vendor branding and formatting, then submit them through compromised email channels or lookalike domains. Combined with AI-generated correspondence that mimics the vendor’s writing style, these invoices pass basic visual scrutiny.
The BEC Plus Deepfake Combo. Business Email Compromise (BEC) has always targeted AP teams; it’s cited as the top fraud vector by 63% of organizations in the 2025 AFP Payments Fraud and Control Survey. Now criminals layer deepfake voice or video calls on top of phishing emails to add a second layer of false legitimacy. The email comes first, the deepfake “confirmation call” follows.
The Bank Detail Change Request. A vendor calls in, with a voice cloned from past recordings, to update their banking details. An AP clerk who has spoken to this contact before hears a familiar voice and approves the change. Funds from the next legitimate invoice go directly to the fraudster.
These aren’t theoretical scenarios. The accessibility of generative AI tools has lowered the barrier to entry so significantly that even low-sophistication criminals can produce convincing deepfake content at scale. CEO fraud now targets an estimated 400 companies per day.
Why Accounts Payable Is the Prime Target
AP teams operate under conditions that make them structurally vulnerable to deepfake invoice fraud. Understanding these vulnerabilities is the first step toward fixing them.
Volume creates cover. Organizations processing thousands of invoices monthly develop automated approval habits. Fraudulent invoices exploit this rhythm: they’re designed to look routine so they don’t trigger manual review.
Authority creates pressure. When the “CFO” calls asking for an urgent wire, AP staff feel institutional pressure to comply. Criminals know this and exploit the power dynamic deliberately.
Siloed verification creates gaps. Many AP teams lack a standardized process for independently verifying bank detail changes, new vendor additions, or payment redirects. A Medius survey found that 57% of finance professionals can independently authorize financial transactions without additional approval, a control failure that deepfake fraudsters actively seek out.
Fear suppresses reporting. Here’s the one that rarely gets discussed: the same Medius survey found that 81% of finance professionals stay silent when they suspect internal or external fraud, primarily fearing retaliation. That silence is a critical control failure. Internal fraud and vendor fraud both thrive in organizations where employees don’t feel safe escalating concerns.
The Real Cost: Beyond the Initial Wire Transfer
Invoice fraud costs the average U.S. company approximately $1.2 million annually, with an average per-incident loss of $133,000, according to CFO.com’s 2025 analysis of Medius data. But the financial figure is only part of the picture.
Recovery is difficult. Only 22% of businesses recovered three-quarters or more of stolen funds in 2024, per AFP data. Thirty percent recovered nothing. Once a wire clears, particularly to international accounts, the funds are typically unrecoverable through conventional channels.
Beyond direct financial loss, deepfake invoice fraud creates regulatory exposure, vendor relationship damage, and significant operational disruption. The forensic accounting work required to unwind a sophisticated AP fraud scheme is extensive and expensive. Understanding how fraud investigations work before you need one is a significant advantage.
AI-powered fraud losses in the U.S. are projected to climb from $12.3 billion in 2023 to $40 billion by 2027 (Deloitte Center for Financial Services). Organizations that treat this as a future problem are already behind.
Six Controls That Stop Deepfake Invoice Fraud
Prevention requires layered controls because any single control can be circumvented. Here’s what actually works:
1. Implement a callback verification protocol. Any request to change banking details, add a new vendor, or approve an out-of-cycle wire must be verified via an independently sourced phone number, not the number provided in the request or email. This single control defeats the majority of BEC and deepfake voice attacks.
2. Enforce strict segregation of duties. No single employee should be able to onboard a vendor AND authorize payment to that vendor. Separate those functions at the system level, not just the policy level. Review your anti-fraud policy to ensure these controls are documented and enforceable.
3. Create a “challenge word” system for executive payment requests. Establish a pre-agreed, out-of-band verification word or phrase that executives must provide when making urgent payment requests, including over video call. Deepfakes cannot supply a word they don’t know. This is a low-cost, high-effectiveness control.
4. Automate invoice matching with three-way verification. Every invoice should match against an approved purchase order and delivery confirmation before payment is released. Invoices without matching POs should trigger automatic review, not payment.
5. Train AP staff specifically on deepfake indicators. Deepfake video still produces tells: unnatural blinking, lip-sync lag, lighting inconsistencies, pixelation around the face border. Audio deepfakes often have unnatural pauses or audio quality shifts. Regular, scenario-based training that includes actual deepfake examples is far more effective than general fraud awareness sessions. Only 40% of organizations currently cite deepfake protection as a top priority; that gap is an open door.
6. Establish a safe reporting channel. The silence statistic (81% of staff not reporting suspected fraud) should alarm every executive. Anonymous tip mechanisms and a documented non-retaliation policy are not optional extras. They are a core fraud control. Whistleblowers are often your earliest warning system.
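Controls 1, 2 and 4 can be enforced together as one gate in front of payment release: three-way matching, a hold whenever the invoice's bank details differ from the vendor master file, and a check that the approver did not onboard the vendor. The Python below is an added example, not code from this article or from FraudOrder; the record layouts, names and sample values are hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class Vendor:
    bank_account: str   # account on file, changed only after a callback
    onboarded_by: str   # employee who created the vendor record

@dataclass(frozen=True)
class PurchaseOrder:
    vendor_id: str
    amount: Decimal

@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    po_number: Optional[str]
    amount: Decimal
    bank_account: str   # account the invoice asks to be paid into

def hold_reasons(inv, vendors, pos, received, approver):
    """Return reasons to hold the payment; an empty list means release."""
    vendor = vendors.get(inv.vendor_id)
    if vendor is None:
        return ["vendor not in master file"]
    reasons = []
    po = pos.get(inv.po_number)
    if po is None:                              # control 4: PO must exist
        reasons.append("no matching purchase order")
    else:
        if po.vendor_id != inv.vendor_id:
            reasons.append("purchase order belongs to another vendor")
        if po.amount != inv.amount:
            reasons.append("amount differs from purchase order")
        if inv.po_number not in received:       # control 4: goods received
            reasons.append("no delivery confirmation")
    if inv.bank_account != vendor.bank_account:  # control 1: callback first
        reasons.append("bank details differ from master file: callback required")
    if approver == vendor.onboarded_by:          # control 2: segregation
        reasons.append("approver onboarded this vendor")
    return reasons

# Constructed sample data (not from the article).
VENDORS = {"V-100": Vendor("GB00TEST0001", onboarded_by="alice")}
POS = {"PO-7": PurchaseOrder("V-100", Decimal("1200.00"))}
RECEIVED = {"PO-7"}   # purchase orders with a delivery confirmation
CLEAN = Invoice("V-100", "PO-7", Decimal("1200.00"), "GB00TEST0001")
REDIRECTED = Invoice("V-100", "PO-7", Decimal("1200.00"), "GB00TEST9999")
NO_PO = Invoice("V-100", None, Decimal("900.00"), "GB00TEST0001")
```

The redirected invoice matches its purchase order and delivery record exactly and is held only by the bank-detail comparison, which is why that check belongs in the system rather than in a clerk's judgment of a familiar voice.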
What to Do If You’ve Already Been Hit
If your organization has been victimized by deepfake invoice fraud, speed matters, but so does process.
First, do not alert the suspected fraudster or alter the payment environment before consulting legal counsel. Preserve all communications, invoice copies, email headers, and call logs as potential evidence. Contact your bank immediately to initiate a recall; the first 24 hours are critical. File a complaint with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.
Then engage a qualified fraud investigator or forensic accountant to conduct a structured review. The goal is to determine scope, identify control failures, and document findings in a way that supports both legal recovery and insurance claims. Understand what a forensic accounting investigation actually involves before you’re in crisis mode. And know your legal options for recovering stolen funds: civil litigation and insurance claims are often viable even when criminal prosecution is slow.
Frequently Asked Questions
1. How is deepfake invoice fraud different from traditional invoice fraud? Traditional invoice fraud relies on falsified documents and email deception. Deepfake invoice fraud adds AI-generated audio and video to impersonate executives or vendors in real time, making the fraud significantly harder for employees to detect through standard vigilance. The psychological convincingness of a familiar face and voice on a video call bypasses skepticism that a suspicious email might trigger.
2. Can deepfake detection software stop these attacks? Detection tools exist and are improving, but they’re not a complete solution. The effectiveness of AI detection tools drops by 45–50% when applied to real-world deepfakes outside controlled environments, according to 2025 industry data. Detection software should be one layer of a multi-control strategy, not a standalone solution.
3. What regulatory obligations does my organization have after an AP fraud incident? This depends on your jurisdiction, industry, and the type of data involved. Financial services firms often have breach notification obligations. Organizations handling personal data may trigger GDPR or state-level privacy law requirements. Consult legal counsel before making any public disclosures. A fraud investigator can help you understand the scope before you determine what requires reporting.
4. How do I know if my current AP controls are adequate? Conduct a structured AP fraud risk assessment independently, not just through self-reporting. Review your vendor onboarding process, bank detail change protocols, approval authority limits, and segregation of duties at the system level. If you haven’t had an external review of your AP controls, that gap itself is a risk indicator. Consider whether a fraud investigation vs. internal audit approach is right for your current situation.
5. Are small and mid-sized businesses really at risk, or is this a large enterprise problem? Deepfake invoice fraud is not limited to large organizations. In fact, small businesses are often more vulnerable because they lack dedicated AP teams, formal approval workflows, and fraud training. Criminals follow the path of least resistance, and smaller organizations frequently provide it.
6. How can FraudOrder help if we suspect AP fraud or want to assess our exposure? FraudOrder provides fraud investigation services, forensic accounting support, and fraud risk assessments tailored to the complexity of AI-enabled financial crime. Whether you’ve already experienced a deepfake invoice fraud incident or want to identify vulnerabilities before criminals do, our team can help you understand your exposure and build an evidence-based response. Visit fraudorder.co to connect with our team.
References
- FBI Internet Crime Complaint Center (IC3). (2024). 2023 Internet Crime Report. https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
- Association for Financial Professionals (AFP). (2025). 2025 Payments Fraud and Control Survey Report. https://www.afponline.org/publications-data-tools/reports/survey-research-economic-data/Details/payments-fraud
- Resemble AI. (2025). Q1 2025 Deepfake Incident Report. https://variety.com/2025/digital/news/deepfake-fraud-caused-200-million-losses-1236372068/
- PYMNTS Intelligence. (2025, April). Rising Risk: Confronting Modern AP Fraud Threats. https://www.pymnts.com/news/artificial-intelligence/2025/from-faked-invoices-to-faked-executives-genai-has-transformed-fraud
- Medius / CFO.com. (2025). Invoice fraud costs average company more than $1M per year. https://www.cfo.com/news/invoice-fraud-costs-average-company-more-than-1m-per-year-report-deepfakes-finance-team-whistleblowe/726580/
- Deloitte Center for Financial Services. (2024). Generative AI and the future of financial fraud. https://www2.deloitte.com/us/en/insights/industry/financial-services/financial-services-industry-outlooks/banking-industry-outlook.html
- Keepnet Labs. (2026). Deepfake statistics and trends 2026. https://keepnetlabs.com/blog/deepfake-statistics-and-trends
- Pindrop. (2025). 2025 Voice Intelligence and Security Report. https://www.pindrop.com/resources/reports/voice-intelligence-security-report
- ACFE (Association of Certified Fraud Examiners). (2024). Occupational Fraud 2024: A Report to the Nations. https://www.acfe.com/fraud-resources/report-to-the-nations
- Eftsure. (2025). Deepfake statistics 2025: 25 new facts for CFOs. https://www.eftsure.com/statistics/deepfake-statistics/
Disclaimer: This article is for informational and educational purposes only. It does not constitute legal, financial, or professional advice and does not create a client relationship of any kind. Fraud risks vary by organization, industry, and jurisdiction; consult qualified legal, financial, and fraud prevention professionals for guidance specific to your situation. For questions about FraudOrder services, visit https://fraudorder.co/
