
Deepfakes, spear phishing, and social engineering: a practical cyber security guide for busy teams



Cyber crime has evolved from obvious spam emails into highly targeted, convincing approaches known as spear phishing and social engineering. These attacks can use AI-generated “deepfake” content, such as realistic emails, audio clips, and even video calls designed to impersonate trusted people.


The goal is usually the same: to rush someone into sharing sensitive information, changing bank details, or making a payment that should never have been made.


Here is a straightforward guide to the warning signs and the habits that reduce risk.



What makes modern scams harder to spot?


Attackers increasingly copy real working patterns. They may:


  • Use names of senior leaders, suppliers, advisers, or customers

  • Mirror internal language and project names

  • Share documents via legitimate platforms to appear authentic

  • Create urgency to trigger fast action and reduce scrutiny



AI tools can now produce convincing writing and voice. That means “it sounded like them” is no longer proof.



Red flags to watch for


1) Impersonation of senior leaders or decision makers


Be cautious of messages that appear to come from directors, senior leadership, or executives that:


  • Demand urgent action

  • Ask you to bypass normal checks

  • Push you to make exceptions “just this once”

  • Arrive through unusual channels (personal email, WhatsApp, unfamiliar numbers)



2) Unusual payment requests


Treat any urgent payment request as high risk, especially if it involves:


  • New bank details or a “changed account” story

  • Split payments across multiple transactions

  • Payments to new jurisdictions or unfamiliar accounts

  • Credit card payments requested for speed



3) Use of legitimate tools to create “proof”


Attackers may send links via well-known platforms (for example e-signature or file-sharing tools). The platform can be real while the request is not. Always validate the request itself, not just the tool used.



4) Pressure and enforced secrecy


A classic technique is to frame a request as confidential, sensitive, or time-critical, paired with instructions like:


  • “Do not involve anyone else”

  • “Do not speak to Finance”

  • “This is legally privileged”

  • “Sign this NDA and act immediately”



5) Fake external advisers


Messages may claim to be from a well-known law firm, broker, or consultant to “confirm” a transaction. Verify independently using contact details you already hold, not the details in the message.



6) Look-alike email addresses and domains


Watch for subtle changes such as:


  • Misspellings in the domain name

  • Extra characters, swapped letters, or missing letters

  • Non-Latin characters that look similar to normal letters


If anything looks slightly off, treat it as a prompt to verify.
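
For teams that want to automate part of this check, the sketch below is an added example (not part of the original guide) that compares a sender's domain against an allow-list and flags the three patterns listed above. The domains in TRUSTED_DOMAINS, the sample addresses, and the function names are constructed assumptions; replace the allow-list with the domains your organisation actually deals with.

```python
import unicodedata

# Constructed allow-list (assumption): domains your organisation really deals with.
TRUSTED_DOMAINS = {"example.com", "example-supplier.co.uk"}

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbouring letters
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_sender(address, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Classify the domain of an email address; returns (verdict, detail)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return "trusted", domain
    # Non-Latin letters, or their encoded "xn--" (punycode) form, in any label.
    scripts = sorted({unicodedata.name(c, "UNKNOWN").split()[0]
                      for c in domain if not c.isascii()})
    if scripts or any(label.startswith("xn--") for label in domain.split(".")):
        return "non-latin", ", ".join(scripts) or "punycode label"
    # Misspellings, extra, missing or swapped characters relative to a trusted domain.
    nearest = min(trusted, key=lambda t: osa_distance(domain, t))
    if osa_distance(domain, nearest) <= max_edits:
        return "lookalike", nearest
    return "unknown", domain

if __name__ == "__main__":
    # Constructed sample senders; "\u0430" is the Cyrillic letter that looks like "a".
    for sender in ["ceo@example.com", "ceo@examp1e.com", "ceo@exmaple.com",
                   "ceo@exampl.com", "ceo@ex\u0430mple.com", "news@unrelated.org"]:
        print(f"{sender!r:32} -> {check_sender(sender)}")
```

A "lookalike" or "non-latin" verdict is a prompt to verify through a second trusted channel, not proof of fraud; very short trusted domains may need a lower max_edits to avoid false alarms.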



Mandatory validation habits that reduce risk


Do not bypass approval processes


If your organisation uses multi-layer approval for payments, payroll changes, supplier onboarding, or data access, those controls exist because they work. Urgency is often used to push people around them.



Be alert to “exclusion” instructions


Any request that tries to remove your manager, Finance, or usual approvers from the loop is a serious warning sign.



Always verify before taking action


No financial or sensitive action should be taken based on email, voice, or video alone. Verify using a second trusted channel, for example:


  • Call the person using a known number from your directory

  • Speak to them in person or via an internal messaging platform you already use

  • Check the request with your usual approver or Finance contact



Report and escalate immediately


If something feels odd, pause and escalate through your organisation’s security route. Reporting quickly helps protect others, even if it turns out to be a false alarm.



A simple rule that saves money and stress


When in doubt: stop, verify, and report.


Checking is a protective habit. It supports you, your colleagues, and your customers, and it keeps normal controls doing their job.

 
 
 


01302499116

©2019 by TCW Accountancy & Training Services Ltd. Proudly created with Wix.com

Fully Licensed AAT 59935
