Awareness training covers deepfake + CEO-fraud
Demonstrate that security awareness training programs include specific, current instruction on identifying and responding to deepfake-enabled impersonation and CEO fraud tactics.
Description
What this control does
This control requires that security awareness training explicitly cover social engineering techniques that leverage deepfake technology (synthetic audio, video, or images) and CEO fraud (business email compromise in which the attacker impersonates an executive). Training must teach employees to recognize manipulation tactics such as voice-cloned phone calls, AI-generated impersonation in video conferences, and fraudulent payment requests that appear to originate from senior leadership. The control matters because generative AI has lowered the barrier to sophisticated impersonation attacks that bypass traditional phishing indicators, which makes human judgment a critical layer of defense.
Control objective
What auditing this proves
Demonstrate that security awareness training programs include specific, current instruction on identifying and responding to deepfake-enabled impersonation and CEO fraud tactics.
Associated risks
Risks this control addresses
- Employees authorize fraudulent wire transfers after receiving voice-cloned phone calls or deepfake video instructions purportedly from executives
- Staff divulge sensitive credentials, financial data, or proprietary information to attackers using AI-generated executive impersonations in video conferences
- Help desk or IT support personnel reset authentication credentials for attackers presenting deepfake video 'verification' of identity
- Employees fail to escalate suspicious executive requests due to lack of awareness that realistic synthetic media can be weaponized
- Organization suffers reputational and financial damage from successful CEO fraud schemes that exploit untrained workforce trust in audiovisual communication
- Incident response is delayed because employees cannot distinguish legitimate urgent requests from AI-enhanced social engineering
- Attackers exploit organizational hierarchy and authority bias when employees lack training on verifying unusual requests through secondary channels
Testing procedure
How an auditor verifies this control
- Obtain the current security awareness training curriculum, including all modules, slide decks, videos, and learning management system course catalogs
- Review training content to identify specific sections addressing deepfake technology, synthetic media threats, and CEO fraud or business email compromise
- Verify that deepfake training includes concrete examples such as voice cloning, video synthesis, and distinguishing characteristics of AI-generated media
- Confirm that CEO fraud training covers verification procedures for urgent financial requests, out-of-band authentication methods, and escalation protocols
- Select a random sample of 15-20 employees across departments and job levels who completed training within the past 12 months
- Interview sampled employees to assess their ability to describe deepfake indicators, recall verification procedures for executive requests, and explain appropriate escalation steps
- Review training completion records and assessment scores to verify that employees passed knowledge checks specifically covering these threat scenarios
- Examine phishing simulation or tabletop exercise records to confirm that deepfake and CEO fraud scenarios are periodically tested in practice drills
Where this control is tested