By now most business owners have heard about voice cloning scams — AI-generated audio that sounds like a director or supplier calling to request an urgent bank transfer. What’s less well known is that the same technology has moved into video. Deepfake video calls impersonating executives, suppliers, or even bank representatives are now appearing in fraud attempts against UK small businesses, and the defences most teams have in place weren’t designed for this threat.

A Birmingham manufacturing firm lost £340,000 in early 2026 after a finance manager took part in what appeared to be a video call with the company’s CFO. The face was right. The voice was right. The CFO appeared to be calling from their usual home office background. The call was authorising an emergency payment for a supplier contract that had supposedly run into complications. It was entirely fabricated.

This isn’t an isolated incident. Cyber fraud involving AI-generated media is up roughly 38% in UK businesses year on year, and the cases that are being reported publicly are almost certainly the visible tip of a larger pattern.

How deepfake video fraud actually works

The technical barrier to creating a convincing video deepfake has dropped dramatically over the past two years. The basic process doesn’t require specialist expertise — it requires a few minutes of source footage (often scraped from LinkedIn, company websites, YouTube interviews, or past video calls) and access to commercially available AI video synthesis tools.

The resulting video is rarely perfect. There are often artefacts around the hairline, unusual blink patterns, or slight mismatches between the audio and lip movements. But in a compressed video call format, over a modest internet connection, with someone who isn’t specifically looking for forgery indicators — it’s convincing enough.

The social engineering layer is what makes these attacks work. Fraudsters research their targets before calling. They know the organisational structure, the names of senior staff, the tone of internal communications, often the specific payment processes the company uses. The fake video call comes in a context that feels plausible — an urgent supplier issue, a confidential acquisition discussion, a payment that needs to go through before close of business.

The emotional pressure of the situation — urgency, authority, confidentiality — is deliberately designed to bypass the normal friction that would stop someone from transferring a large sum of money.

Why small businesses are particularly at risk

Larger organisations have started implementing controls specifically designed for this threat: out-of-band verification requirements for payment authorisations, multi-person approval thresholds, and awareness training that specifically covers deepfake indicators.

Small businesses often haven’t got there yet. The finance function is frequently one or two people who regularly take instruction directly from directors and partners. The verification steps that exist in larger organisations simply don’t exist. And the personal relationships involved — “I know the MD’s voice and face” — are exactly what the attacker is exploiting.

There’s also a reluctance to question authority in small companies, particularly when the instruction is coming from a senior person in what looks like an official context. The social dynamics work in the fraudster’s favour.

What you can do about it

The good news is that the technical complexity of deepfake attacks doesn’t mean the defences need to be technically complex.

Establish a payment verification process that doesn’t depend on recognising someone visually or by voice. This is the most important step. For any payment above a threshold you set (£5,000? £10,000?), require a second channel of confirmation — a message to a known, saved phone number, not one provided during the call. A quick text saying “did you just call about X?” takes 30 seconds and defeats the attack.

Be especially sceptical of urgency and confidentiality. Legitimate payment requests from real people inside your business almost never require immediate action and explicit instructions not to verify. These are fraud indicators, not business norms.

Look for deepfake tells during video calls. Blurring or distortion around the face edges, unnatural eye movement, slight lip-sync delays, background that looks artificially smooth. Not every video call with these issues is a fake — but they’re worth being aware of. If something feels off, it’s fine to end the call and ring back on a known number.

Reduce your public video footprint where possible. This isn’t realistic for everyone, but it’s worth knowing that any video of your senior staff that’s publicly accessible is potential training data. Private LinkedIn posts, member-only webinars, and reduced social video can marginally raise the cost of attack.

Brief your team. This threat isn’t yet on most people’s radar. A 15-minute conversation about what deepfake video fraud looks like, and what to do if something feels wrong about a video call requesting financial action, costs almost nothing and significantly raises the baseline of awareness.

The underlying technology is going to keep improving, and the attacks are going to keep getting more convincing. The answer isn’t to become paranoid about every video call — it’s to build process controls that don’t rely on trusting your senses. Identity verification through a second channel is the straightforward solution, and it works regardless of how good the deepfake gets.