It took criminals about five years to move from Business-Email-Compromise to Business-Face-Compromise. Generative video tools that once required a film studio now run on a gaming GPU. The result: a 2025 UK study recorded a 1,200 % spike in whaling attacks using real-time deepfakes during high-value negotiations.
Corporate risk & due diligence teams are the last firewall. You can’t rubber-stamp UBOs with a D&B report anymore; you need to prove the human in 4K is breathing. That’s where deepfake due diligence powered by OSINT comes in.
For a broader look at spotting red flags before money moves, see our guide on Due Diligence with OSINT: Identifying Red Flags in Corporate Investigations.
The Deepfake Kill-Chain: From Zoom to Wire in Five Moves
- Target selection: Attackers scrape earnings calls, press junkets, TikTok dances—anything with voice and face.
- Model training: 30 seconds of clean audio is enough for voice cloning; 300 face images nail lip-sync.
- Social pre-text: Fake exec “has to close the deal early” before regulators or press catch wind.
- Real-time call: Deepfake video piped through a virtual camera; low-latency voice changer handles Q&A.
- Wire instructions: Urgent PDF signed with a stolen DocuSign key; money routed through nested shell companies.
Total calendar time from recon to payday: 11 days according to the FBI IC3 2025 report.
Open Source Intelligence: Your Reality Check Toolkit
Good news: deepfakes are detectable if you insist on corroboration. Great OSINT is less about ninja tools and more about disciplined corroboration loops. Below is the field-tested checklist we give clients during M&A sprint diligence.
1. Multi-Channel Identity Corroboration
| Channel | What to Collect | Quick Verification |
|---|---|---|
| Corporate Registry | Officer IDs, appointment dates | Cross-check against stock-exchange filings |
| LinkedIn API | Profile creation date, historic posts | Look for post gaps during takeover talks |
| Twitter / X | Historical photos, EXIF geotags | Use twitpic-exif or Wayback |
| Press Photos | Event timestamps | Match with Getty Images metadata |
| Domain WHOIS | Exec’s personal email | Ensure age predates deal rumors |
2. Voice Liveness Tests
- Ask the exec to say a sentence you type in chat mid-call. Deepfake latency usually jumps above 400 ms.
- Request a landline callback; most vishing farms can’t spoof the enterprise PBX timestamp.
- Use open-source acoustic fingerprint tools such as
audacity-spectrumto look for missing 8–12 kHz bands typical of neural voice.
3. Video Artefact Forensics
Because generative video re-encodes frames, run:
- Erratic Level 3 quantization tables with
ffmpeg-bitstream - Face landmark jitter via
mediapipe(anything > 3 px avg is suspect) - Eye-gaze tracking; deepfakes rarely nail sclera reflection continuity
Need a refresher on automated media forensics? Our AI-Generated Deepfakes in Criminal Investigations write-up shows identical tactics used by LE units.
Automating the Hunt with Kindi
Manual checks don’t scale when you’re staring at 14 term sheets before lunch. Kindi ingests corporate filings, social graphs, and leaked breach data, then fuses them into a single risk score. If an exec’s face pops up on a Kazakhstani hiring ad three days before your call, Kindi flags it. One dashboard, zero PowerPoints.
Crafting the Deepfake-Resistant Deal Workflow
Here’s the four-phase workflow we deploy for Fortune 500 clients:
Phase 1 – Pre-NDA Sweep
Scrape open press, trademark databases, and domain permutations to build a baseline persona. Any new social-media profile created after deal chatter starts is a red flag.
Phase 2 – Live Identity Gate
Before confidential data changes hands, schedule a 10-minute video call. Use randomized challenge phrases and request screen-share of the exec’s corporate email inbox header. OSINT already showed you the real domain; if the inbox is missing, walk away.
Phase 3 – Document Provenance
Insist on documents with qualified e-signatures backed by hardware tokens. Open-source intel includes querying public CRL and OCSP logs to confirm the cert serial wasn’t revoked. Deepfake scammers hate crypto-backed paper trails.
Phase 4 – Post-Wire Monitoring
Even after money moves, continue to monitor the acquiring exec’s public presence. Sudden disappearance of LinkedIn activity or a flurry of new friend-requests from accounts created in the same week often signals account takeover and a second hit attempt.
Metrics That Matter to the Board
| Metric | Baseline | Target | How OSINT Helps |
|---|---|---|---|
| Deepfake call detection time | 48 hrs | < 5 min | Real-time artefact scanning |
| False-positive identity alerts | 38 % | < 5 % | Cross-channel corroboration |
| Cost per M&A fraud incident | $137 M | $0 | Early-stage kill chain break |
| Due-diligence cycle | 90 days | 14 days | Automated data fusion |
Speed without accuracy is just a faster disaster. That’s why corporate risk units bake OSINT for Corporate Risk Detection into every stage of the M&A lifecycle.
When (Not If) the Attack Hits
Assume compromise. Keep a one-page incident play-book taped to the SOC wall:
- Step 1: Kill the call, capture packet dump.
- Step 2: Feed PCAP to
py-webrtcvadto extract audio artefacts. - Step 3: Issue 4-eye wire release; notify receiving bank of fraud flag.
- Step 4: Preserve video frames for chain-of-evidence; open FBI IC3 ticket within 24 hrs.
- Step 5: Feed attacker IOCs (domains, crypto addresses) into Kindi for automated expansion; share with peers via ISAC.
One external resource worth bookmarking: the NIST AI Risk Management Framework includes a deepfake mitigation playbook aligned with ISO 23894.
Bottom Line
Due diligence used to be a checklist of PDFs. Today it’s a race against generative AI. Build a process that treats every smiling face on Zoom as potentially synthetic until open source intelligence proves otherwise. Your shareholders, auditors—and yes, your real CEO—will thank you.
Want to strengthen your OSINT skills? Check out our free course
Check out our OSINT courses for hands-on training.
And explore Kindi — our AI-driven OSINT platform built for speed and precision.
FAQ
Q1: Are deepfake CEO scams common in 2025?
The FBI logged 2,400 attempted incidents in H1 2025, up 1,040 % year-over-year. M&A and wire transfers remain the favorite payout routes.
Q2: Can free OSINT tools spot deepfakes reliably?
Yes, if you triangulate. Use ffmpeg for compression artefacts, exiftool for provenance, and open media hash databases like imagematch for reuse detection.
Q3: How fast can Kindi flag a synthetic exec profile?
Typical correlation time is under 90 seconds across 120 million leaked profiles and 4 billion historic tweets.
Q4: Do I need legal consent to analyze an exec’s public LinkedIn data?
Public data, by definition, carries no expectation of privacy under U.S. and EU law. Still, store minimal data and follow GDPR purpose-limitation rules.
Q5: What’s the single biggest mistake in deepfake due diligence?
Relying on one channel—usually video. Always corroborate face, voice, domain, documents, and behavioral history before releasing funds.
