Yunus Scheepers, group divisional manager of cyber security operations at BUI.
Deepfake attacks have increased by more than 2 000% globally over the past three years. In the last 12 months, 62% of organisations worldwide have experienced at least one deepfake attack, while estimates suggest deepfake-related losses in Latin America alone could reach nearly $40 billion by next year.
This is according to Yunus Scheepers, group divisional manager of cyber security operations at BUI, who addressed delegates on day one of the ITWeb Security Summit 2026 in Johannesburg.
Scheepers said organisations are facing a growing threat from deepfake attacks that exploit people rather than systems. He warned that the rise of AI-powered deception is changing the nature of cyber risk and placing trust at the centre of the security conversation.
“One of the largest engineering firms in the world, Arup, lost $25 million after a finance employee was tricked into transferring funds following what appeared to be a legitimate video conference call with the company’s CFO and other executives,” Scheepers said. “Nobody on that call was real except the employee. The money was transferred into five different bank accounts in five separate transactions and, to date, none of it has been recovered.”
He added: “A few months later, somebody pretending to be Benedetto Vigna, CEO of Ferrari, contacted an executive and attempted a similar fraud. It failed because the employee asked a simple question, ‘What was that book you recommended to me last week?’ The call ended immediately. These attacks are no longer just exploiting ignorance. They’re exploiting trust.”
Scheepers said trust has become a primary target of modern cyber criminals. While traditional phishing attacks often featured poor spelling, bad grammar and obvious warning signs, today’s AI-powered attacks are designed to appear authentic and familiar.
“We have AI that can perform explorations of your data, open source intelligence and dark web information on you and your acquaintances. AI can be used to craft something that looks like it comes from somebody that you know. These things are no longer just exploiting ignorance – they’re exploiting trust, because you trust that the person communicating with you is someone you know.”
He argued that the digital environment places people at a disadvantage because interactions are limited to sight and hearing, both of which can be manipulated.
“In the digital world, what you see and what you hear is not real – it’s an electronic representation of reality. Even with the best internet connection and the best hardware, your sight is still down from three dimensions to two. So you’re down from five senses to two highly compromised senses.”
According to Scheepers, this reduction in sensory cues means people increasingly rely on instinct when evaluating online interactions. “The Ferrari employee had that feeling. The Arup employee probably also had that feeling – but only one of them felt empowered enough to question authority.”
He described this instinct as a form of sixth sense, but said it is closely connected to experience and training. Scheepers repeatedly returned to the idea that employees must feel comfortable challenging unusual requests, regardless of who appears to be making them.
“One of the things you really want is for people to speak up when they see something wrong, like the Ferrari employee did. If the people in your business are too afraid to speak up when they see something not quite right, you are exponentially more likely to fall victim to a deepfake attack.”
He said creating an environment where employees can question authority is as important as implementing technical security controls.
Scheepers explained that creating a convincing deepfake no longer requires extraordinary resources. Freely available AI models, access to quality video and audio recordings, a capable graphics card and enough training time can produce highly convincing results.
To counter the threat, he outlined several layers of defence, beginning with training rather than simple awareness programmes. “Education has its place, but it creates awareness. Training is where you put someone in a simulated scenario and see how they react.”
He also advocated for a zero-trust approach, describing it as “institutionalised paranoia”, where every action is verified and access is limited to only what is required. Beyond internal controls, he encouraged organisations to work with external security partners that can monitor environments around the clock, assist with incident response and provide independent security testing.
Scheepers warned that no organisation can realistically claim complete immunity from deepfake attacks.
“I don’t think any company can say they’re fully immune to deepfake attacks unless they can say that every single one of their employees can identify every single one of these deceptions every single time. Considering the fact that the attack factor is humans and humans make mistakes, I don’t think you can say you are fully immune.”
For organisations looking to take immediate action, Scheepers recommended educating executives about the capabilities of deepfake technology, reviewing approval processes, conducting simulations, assessing organisational culture and exploring technologies designed specifically to identify synthetic media. But above all, he urged leaders to ask a simple question: if someone pretending to be the CEO contacted an employee with an unusual request, would that employee feel psychologically safe enough to push back?
