Is That Really Your Manager Giving Instructions?

July 15, 2026

A request comes through from a director, manager or senior team member.

It sounds urgent. It sounds confident. It sounds like something they would say.

Maybe it arrives by email. Maybe it comes through a phone call. Maybe it is a voice message, a video message or even a live meeting invite.

The instruction might be to approve a payment, change bank details, send confidential files, share login information, buy gift cards or act quickly before a deadline.

The problem is, it may not be real.

Deepfake fraud and fake executive instructions are becoming a more serious risk for businesses because they target something most workplaces rely on every day: trust.

This Is Not Just a Technology Problem

When people hear the word “deepfake”, they often think of fake celebrity videos or strange online content. But in a business setting, the risk is much more practical.

Deepfake technology can be used to imitate a person’s voice, face or communication style. Combined with social engineering, it can make a fraudulent request feel more believable.

Cybercriminals do not always need a perfect fake. They only need enough confidence, pressure and timing to make someone act before they stop and verify.

This is why fake executive instructions are so dangerous. They often rely on authority and urgency.

A staff member may receive a request that appears to come from a CEO, managing director, finance manager, operations manager or supervisor. The request may be framed as confidential, time-sensitive or too important to delay.

For example:

  • “I need this payment approved today.”
  • “Please update these supplier bank details.”
  • “Send me the client file urgently.”
  • “Do not call me, I am in a meeting.”
  • “This needs to stay confidential for now.”
  • “Can you purchase these cards and send the codes through?”

Each request may seem unusual in isolation, but in a busy workplace, people often act quickly when instructions appear to come from someone senior.

Why AI Makes Impersonation Harder to Spot

Businesses have dealt with impersonation scams for years. Fake invoices, spoofed emails and business email compromise are not new.

What has changed is the quality and accessibility of the tools.

AI can make fraudulent messages sound more polished, more personal and more convincing. Voice cloning tools can imitate the tone and rhythm of a real person. Video manipulation can make a fake instruction feel more legitimate. Public information from LinkedIn, websites and social media can help attackers understand who works in the business, who reports to whom, and what kind of language they use.

That means the old advice of “look for spelling mistakes” is no longer enough.

A scam email may be well written. A voice message may sound familiar. A fake video may be convincing enough at first glance. The request may reference real projects, real clients or real team members.

This does not mean businesses need to panic. But it does mean they need better verification habits.

The Danger Signs to Watch For

Fake executive instructions often include a few common pressure points. Staff should be trained to pause when a request includes:

  • A sudden sense of urgency
  • A request to bypass normal approval steps
  • Instructions to keep the task confidential
  • A payment, refund or bank detail change
  • A request for sensitive files or login information
  • A new communication channel, such as a personal email or mobile number
  • Resistance to a phone call or normal confirmation process
  • Language that feels slightly out of character
  • A request made outside normal working hours
  • A senior person asking for something they would not usually handle directly

The important thing is not to make staff suspicious of every message. It is to give them permission to slow down when a request carries risk.

A good team culture should make verification feel normal, not awkward.

Verification Is Better Than Detection

Trying to spot whether a voice or video is fake can be difficult. The technology is improving quickly, and most staff are not trained forensic analysts.

A better approach is to build simple verification steps into business processes.

For example:

  • Payment changes must be confirmed using a known phone number, not the number in the message.
  • Supplier bank detail changes require two-person approval.
  • Sensitive files cannot be sent without checking the request through an approved channel.
  • Urgent executive requests still follow the same approval process.
  • Staff are encouraged to question anything that feels unusual.
  • Leaders agree that no one will be criticised for pausing to verify.

This is especially important in finance, payroll, accounts, HR, operations and client-facing roles, where staff may regularly handle sensitive information or approve actions that carry business risk.

The goal is not to slow the business down unnecessarily. The goal is to make sure risky actions are checked before they become expensive mistakes.

Leadership Sets the Standard

Deepfake fraud and fake executive instructions are not only an IT issue. They are a leadership and process issue.

If leaders regularly ask staff to bypass procedures, act urgently without context or keep operational requests secret, it becomes much harder for staff to identify when something is wrong.

A strong verification culture starts at the top.

Business leaders should be clear with their teams:

  • We follow approval processes, even when something is urgent.
  • We verify unusual requests, even when they appear to come from a senior person.
  • We do not punish people for double-checking.
  • We use approved channels for sensitive instructions.
  • We treat cyber risk as a shared business responsibility.

This helps staff feel confident enough to pause, question and confirm.

What Businesses Can Do Now

You do not need a complicated system to reduce the risk of fake executive instructions. Start with the areas where a fraudulent request could cause the most damage.

Review who can approve payments, change supplier details, access sensitive files or authorise unusual requests. Then make sure there are clear steps in place for verification.

A practical starting point might include:

  • Reviewing payment approval processes
  • Confirming how supplier bank details are changed
  • Training staff on impersonation and social engineering risks
  • Creating a simple “pause and verify” rule
  • Limiting access to sensitive data
  • Using multi-factor authentication
  • Reviewing executive and finance team email security
  • Testing whether staff know what to do with a suspicious request

These steps help reduce the chance that one convincing message, call or video can create a major business issue.

Make Verification Part of Everyday Risk Management

Deepfake fraud is concerning because it removes some of the cues people used to rely on. Seeing a face or hearing a voice no longer guarantees that an instruction is genuine.

But the response does not need to be complicated.

Businesses need clear processes, sensible controls and a team culture where verification is expected.

If your business is not sure how well it would handle a fake executive instruction, that is a useful place to start.

IQPC can help identify the people, process and technology controls that reduce this type of risk, so your team is better prepared to recognise, pause and verify before acting.


Related News

IT info

Cyber Insurance Is Getting Harder to Satisfy. Is Your Business Ready?

July 8, 2026

IT info

Creating an AI Policy: A Practical Starter Guide

June 24, 2026