Deepfake CEO fraud: protecting a Mauritian business when voice and video can lie

CEO fraud has always rested on three levers: authority, urgency and secrecy. Deepfakes have not changed the script — they have destroyed the reflex that used to protect teams: "I recognise his voice, I can see her on screen, so it must be them." The defence is not technological, it is procedural: no voice and no face should ever be enough, on its own, to trigger a payment.
From the pressing email to the cloned video call
The classic scheme is well known: a message impersonating the CEO asks accounting for an urgent, confidential transfer, usually outside normal procedure, leaning on hierarchical pressure. What has changed is the quality of the impersonation. Accessible tools can now clone a voice from a few public audio samples — interviews, webinars, voice notes — and animate a face in real time inside a video call.
The channels evolve accordingly: a phone call "from the director" who is travelling, a voice note on a personal messaging app, a video meeting where several participants seem familiar. So do the targets: no longer just the person who approves transfers, but anyone able to change a supplier's bank details, validate a payroll run or open an access. Deepfake fraud against a business is not an exotic threat: it is the old fraud, with a fabricated proof of identity added on top.
Why Mauritian companies are favourable ground
Without overdramatising, several traits of the Mauritian economy make this scenario easier:
- an internationally oriented economy: executives who travel often, European clients, and time-zone gaps that normalise "out of hours" and remote requests;
- the weight of financial services and BPO: teams handling payments and third-party data every day;
- a multilingual environment: between French, English and Kreol, an unusual accent or turn of phrase alerts no one;
- a culture of hierarchical respect: saying no to "management" does not come naturally, especially under pressure.
These factors do not make an attack inevitable; they make the verification procedure all the more essential, as any SME cybersecurity baseline keeps reminding us.
The central defence: out-of-band double validation
The principle fits in one sentence: any sensitive request received through one channel must be confirmed through another channel, initiated by you, to a contact you already know. In practice:
- systematic call-back to the number in your internal directory — never the number provided in the message or shown by the incoming call;
- dual approval above a defined amount, by two different people, each verifying independently;
- a deliberate verification delay on any change to a supplier's bank details, with a counter-call to a long-standing contact;
- registered beneficiaries and payment ceilings in the banking tool, so the procedure is enforced by tooling, not just declared.
The non-negotiable point: there is no urgency exception. Urgency is the alarm signal, not a reason to bypass the rule. And the procedure applies to everyone — above all to the CEO, since it is precisely the CEO's identity that will be impersonated.
Train, rehearse, and protect the person who says no
A procedure nobody dares apply protects nothing. Three practices make the difference:
- train by demonstrating: a short session where teams hear a cloned voice and watch a doctored video call leaves a deeper mark than any memo;
- rehearse: regular internal simulations, including for remote workers, who receive these requests with no colleague at the next desk to consult;
- protect verification: the person who slows down an order to check it must never be sanctioned, even when the order turns out to be genuine. A CEO who publicly accepts being called back gives the whole company permission to verify.
The rule worth posting on the wall: "No transfer and no bank-detail change will ever be requested through personal messaging, and every request can always be verified by a call-back."
What technology can do — and where it stops
Technology shrinks the attack surface upstream. Many of these frauds start with a compromised mailbox, which gives the attacker the tone, the calendar and the right interlocutors: company-wide MFA — ideally phishing-resistant passkeys —, external email tagging, sender domain authentication. Watching for abnormal logins on email accounts is exactly the kind of signal that continuous monitoring such as SOVALYX's raises before the compromised account is used to stage the fraud.
On the other hand, do not build your defence on detecting the deepfakes themselves: tools exist, but their reliability in real conditions remains insufficient, and the artefacts that betrayed early fakes fade with every model generation. The durable line of defence remains the procedure: what triggers a payment is never a voice or a face, but a completed verification.
Anti-deepfake checklist for your organisation
- Every transfer or bank-detail change requested by email, phone or video call is confirmed through a second channel initiated by us.
- Call-back numbers for executives and suppliers are kept in a verified internal directory.
- A dual-approval threshold is defined and applied without exception, management included.
- Supplier bank-detail changes go through a deliberate verification delay.
- Finance and HR teams are trained on cloned-voice and cloned-video scenarios.
- A simulation exercise has taken place within the last twelve months.
- No one has ever been sanctioned for verifying a genuine order.
- MFA or passkeys protect email and payment tools.
- A fast reporting channel exists for doubts, reachable outside office hours too.
If any of these lines makes you hesitate, the time to fix it is before the too-convincing call, not after: a conversation with a specialist is enough to set the priorities.
How SOVALYX can help
SOVALYX helps Mauritian businesses close both doors on this fraud: on the organisational side, out-of-band double-validation procedures and awareness training for finance teams; on the technical side, company-wide MFA, hardened email and 24/7 monitoring that spots compromised accounts before they are used to stage the attack. Everything is validated through regular exercises, not just written into a procedure.
Talk security with an engineer🧰 The companion tool: Would your backups survive a ransomware attack? — free · 2 minutes.
Reviewed and optimised by AI.