Building a deepfake incident-response plan for smaller firms
A cloned voice on a Friday-afternoon call asks the bookkeeper to wire funds. By the time anyone is sure it was synthetic, the money is gone. The plan you wrote before that call is the only thing that helps you in the hour after it.
Synthetic-media fraud has stopped being a problem only for the Fortune 500. The barrier to entry has collapsed: a usable voice clone can be built from a few seconds of audio scraped off a webinar or a voicemail greeting, and a convincing video of an executive can be assembled in an afternoon. In December 2024 the FBI’s Internet Crime Complaint Center warned, in alert I-120324-PSA, that criminals are using generative AI to scale fraud — producing audio clips of a “loved one in a crisis situation” and impersonating leaders to authorize transfers.[1] A month earlier, FinCEN told financial institutions the same thing from the other side of the counter: deepfake media is now being used to defeat identity verification at account opening, and banks were filing suspicious-activity reports about it.[2]
For a smaller organization — a law firm, a clinic, a family office, a regional nonprofit — the math is brutal. You hold concentrated, high-value information and authority, but you rarely have a dedicated security team standing by. The good news is that incident response is a discipline, not a budget line. A short, written plan that everyone has read beats an expensive tool that no one knows how to use at 4:55 p.m. on a Friday.
Why deepfake incidents break the ordinary playbook
Most incident-response plans assume an intrusion: malware, a phished credential, a ransomware note. A synthetic-media incident often leaves no technical footprint at all. There is no breached server — there is a phone call, a voicemail, a video meeting, or a forged message that persuaded a human being to act. NSA, FBI, and CISA flagged exactly this in their 2023 information sheet, Contextualizing Deepfake Threats to Organizations: the highest-impact abuses impersonate leaders and finance officers to authorize fraudulent transactions and to pry open access to networks.[3] That means your plan has to treat a suspicious communication as a reportable event, route it the same way you would route a malware alert, and resist the instinct to quietly “sort it out” one-on-one.
Anchor the plan to a recognized framework
You do not need to invent a methodology. NIST’s incident-handling guidance, refreshed as SP 800-61 Revision 3 in April 2025, organizes response around the Cybersecurity Framework 2.0 functions and supersedes the long-standing Revision 2.[4] Borrow its spine and adapt it to a five-step flow any small team can run from memory: detect, contain, preserve, notify, recover. Write it down. Keep it to two pages. Name a person for each step — even if several names are the same person — and list one external backstop (outside counsel, an IT consultant, a forensic firm) you will call when the incident exceeds what you can handle alone.
Detect: make reporting frictionless
Detection in a deepfake incident is almost always a human noticing that something feels off — an unusual urgency, an off-channel request, a payment instruction that breaks the normal process. The single most valuable control is a verification habit your people use before acting: an agreed code word or a callback to a known number for any financial or credential request, exactly as the FBI recommends.[1] Pair that with one obvious reporting path. Staff should know, without looking it up, who to message the instant they suspect a synthetic call or message — and they should know they will be thanked for a false alarm, never blamed. Phishing-resistant multi-factor authentication, which CISA calls the gold standard, blunts the credential-theft variant of these attacks before detection is even needed.[5]
Contain: stop the money and the access
Containment for synthetic-media fraud is mostly about speed on two fronts. First, the transaction: if a transfer has gone out, call the bank’s fraud line immediately and request a recall — wire and push-payment recovery windows are measured in hours, not days. Second, the access: if the lure was aimed at a login, reset the affected credentials, revoke active sessions, and assume any account the target could reach may be compromised. Containment is also a communications act. Put a short, factual hold on the impersonated channel — “we have a suspected impersonation incident; verify any request from this person by callback” — so the same fake cannot claim a second victim while you work.
Preserve: the step everyone skips
This is where small organizations most often lose. In the rush to fix the problem, people delete the voicemail, clear the call log, or close the video meeting without saving anything — and with it goes the evidence that investigators, insurers, and a possible civil claim all depend on. Preserve the artifact in its original form: the audio or video file, the message with full headers, the meeting recording and chat, and any platform metadata. Do not edit it; make working copies and keep the original untouched. Note who received it, when, and on which device, and record a hash of each file so its integrity can be shown later. This is the same provenance discipline that decides whether synthetic media holds up under scrutiny — see /provenance and our War Room for the forensic side.
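As an added illustration of the preservation step (this is example code, not part of the original article), the helper below hashes each artifact with SHA-256 as it arrives, records who received it, when and on which device, writes a JSON manifest beside the originals, and re-checks integrity later so an accidental edit is caught rather than discovered in court; the voicemail file, the bookkeeper and the extension in demo() are constructed placeholders.

```python
"""Chain-of-custody manifest for synthetic-media evidence (added example)."""
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hex SHA-256 of a file, streamed in 1 MiB pieces so a long recording never sits in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def record_artifact(path, received_by, device, received_at=None):
    """One manifest entry: hash, size, and who/when/on which device it arrived."""
    return {
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "size_bytes": os.stat(path).st_size,
        "received_by": received_by,
        "received_at": received_at or datetime.now(timezone.utc).isoformat(),
        "device": device,
    }

def write_manifest(entries, manifest_path):
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump({"artifacts": entries}, f, indent=2)

def verify_manifest(manifest_path, evidence_dir):
    """Re-hash every listed file; map file name -> True only if it is unchanged."""
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    results = {}
    for e in manifest["artifacts"]:
        p = os.path.join(evidence_dir, e["file"])
        results[e["file"]] = os.path.exists(p) and sha256_file(p) == e["sha256"]
    return results

def demo():
    """Constructed sample: a stand-in voicemail file, preserved, then checked before and after an edit."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence-")
    vm = os.path.join(evidence_dir, "voicemail-friday.wav")
    with open(vm, "wb") as f:
        f.write(b"RIFF....WAVE constructed placeholder audio bytes")
    manifest = os.path.join(evidence_dir, "manifest.json")
    write_manifest([record_artifact(vm, "bookkeeper (hypothetical)", "desk phone ext. 12")], manifest)
    before = verify_manifest(manifest, evidence_dir)
    with open(vm, "ab") as f:  # simulate an accidental "cleanup" edit to the original
        f.write(b"\n")
    after = verify_manifest(manifest, evidence_dir)
    return before, after
```

Keep the manifest and the untouched originals on read-only storage; do analysis only on working copies.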
Notify: know your clocks before the clock starts
Notification is where a generic plan fails, because the obligations depend entirely on who you are. Build your list in advance:
- Law enforcement and IC3. Report fraud and attempts to the FBI’s Internet Crime Complaint Center at ic3.gov; speed materially improves the odds of clawing back funds.[1]
- CISA, where applicable. Critical-infrastructure entities will have mandatory reporting duties once CISA’s CIRCIA final rule takes effect, and CISA already accepts voluntary incident reports from any organization — a 72-hour posture is a sound default to plan around.[6]
- Sector regulators. A non-banking financial institution under the FTC Safeguards Rule must notify the FTC of a qualifying breach as soon as possible and no later than 30 days after discovery.[7] Financial institutions filing suspicious activity should reference the FinCEN deepfake alert key term in the SAR.[2]
- Intimate-image abuse. If the synthetic media is non-consensual intimate imagery, route victims to the right channel — NCMEC’s CyberTipline and the Take It Down service for content involving minors, with the federal TAKE IT DOWN Act now requiring platforms to remove verified NCII within 48 hours.[8]
Add your own contractual and ethical clocks — client-notification duties, cyber-insurance reporting windows, and state breach-notice laws — next to each line so no deadline is discovered after it has passed.
Recover: close the loop, then practice
Recovery is more than restoring operations. Harden the path the attacker used: tighten payment-authorization rules so no single person can move funds on a verbal instruction, expand callback verification, and shore up MFA. Then do the part most teams omit — the post-incident review NIST builds into the lifecycle. Write down what was detected and when, what worked, what didn’t, and which one change would most reduce the next incident’s damage.[4] Finally, rehearse. A 30-minute tabletop — “a cloned voice of the managing partner just told accounting to wire a deposit” — surfaces the gaps in your two-page plan far more cheaply than the real thing will.
None of this requires an enterprise budget. It requires deciding, in advance and on paper, who does what in the hour after a synthetic call lands — and practicing it once before you need it. That plan is the difference between an incident and a catastrophe.
Sources
- [1] FBI Internet Crime Complaint Center (IC3). “Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud” (Alert I-120324-PSA), 3 Dec. 2024.
- [2] FinCEN. “FinCEN Alert on Fraud Schemes Involving Deepfake Media Targeting Financial Institutions” (FIN-2024-Alert004), 13 Nov. 2024.
- [3] NSA, FBI & CISA. “Contextualizing Deepfake Threats to Organizations” (Cybersecurity Information Sheet), 12 Sept. 2023.
- [4] NIST. “Incident Response Recommendations and Considerations for Cybersecurity Risk Management” (SP 800-61 Rev. 3), Apr. 2025 — supersedes the Computer Security Incident Handling Guide (SP 800-61 Rev. 2).
- [5] CISA. “Implementing Phishing-Resistant MFA” (fact sheet).
- [6] CISA. “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)” — 72-hour reporting framework and voluntary reporting.
- [7] Federal Trade Commission. “Safeguards Rule notification requirement now in effect” — notify the FTC no later than 30 days after discovery (effective 13 May 2024).
- [8] National Center for Missing & Exploited Children — CyberTipline (report.cybertip.org) and the Take It Down service; the federal TAKE IT DOWN Act (signed 19 May 2025) requires platform removal of verified NCII within 48 hours.