Background
On 18 September 2025, the Monetary Authority of Singapore (“MAS”) released an information paper aimed at addressing the cyber risks associated with deepfakes. The paper was released in response to deepfake incidents faced by financial institutions, covering impersonation, biometric bypass, falsified documents, and misinformation.
What Risks Are Involved?
Deepfakes pose various forms of risk to financial institutions. Some examples include:
- Market Risks: Deepfakes can distort corporate news by creating fake news, leading to market volatility, mispricing, and eroded investor confidence.
- Cyber Risks: Deepfakes can bypass biometric security and enhance social engineering attacks, increasing vulnerability to phishing, credential theft, and cyber breaches.
- Fraud Risks: Criminals may use deepfakes to forge documents or impersonate individuals, facilitating unauthorized transactions, financial fraud, and losses.
- Regulatory Risks: Threat actors from sanctioned countries could use deepfakes to fake identities in hiring, exposing firms to compliance violations and legal risks.
- Reputation Risks: Falsified executive statements or manipulated content can harm trust, damage brand reputation, and reduce stakeholder confidence.
Deepfakes Defeating Biometric Authentication
Deepfakes can bypass biometric authentication methods by creating false identities or altering biometric features. Suggested methods to mitigate the risk deepfakes pose to biometric authentication include:
- Robust document verification: Use advanced document verification methods, including holograms and high-resolution video, alongside forensic analysis.
- Liveness detection: Implement multi-layered tools like motion analysis, thermal imaging, and behavioural analysis to verify liveness during biometric checks.
- Vulnerability Assessments and Security Testing: Test liveness detection mechanisms against a diverse sample of deepfakes.
- Endpoint-level protection: Use real-time injection detection and other tools to prevent manipulated content from entering security systems.
- Strong encryption: Ensure end-to-end encryption of biometric data and use cancellable biometric methods to protect against unauthorized access.
Deepfakes Enable Social Engineering and Impersonation
Deepfakes can manipulate people into performing various actions, such as initiating fund transfers, clicking malicious links, and granting permissions or disclosing confidential information. Suggested methods to mitigate the risk deepfakes pose through social engineering and impersonation include:
- Deepfake simulations: Complement phishing programmes with deepfake identification simulations to enable staff to detect common signs.
- Awareness and training: Educate employees and customers on the dangers of deepfakes and best practices to identify suspicious requests or communications.
- Sender verification measures: ScamShield, call blocking or in-app verification features can help block calls and messages or verify their authenticity.
- Internal controls for high-privilege roles: Implement multi-factor authentication, endpoint detection, and separation of duties, especially for high-privilege roles, to reduce the risk of individual manipulation.
Deepfakes Enable Misinformation and Disinformation
Deepfakes may be used to spread fake news, misinformation and disinformation, undermining public trust in institutions, manipulating markets and deceiving investors. Suggested methods to mitigate the risk deepfakes pose through falsified information include:
- Monitoring Tools: Tools can be used to detect deepfake brand abuse and impersonation across digital platforms, using anomaly detection and algorithms to verify content.
- Incident Response Plans: Establish reporting protocols for the investigation and communication of incidents and the use of authenticated channels to clarify and counter false narratives.
- Collaboration across the sector: Intelligence sharing with regulators, peers and ISACs allows for the monitoring of and response to threats.
What’s Next?
Management should:
- Implement robust employee training programs to raise awareness of deepfake threats and equip staff with skills to identify and respond to social engineering attacks.
- Conduct regular vulnerability assessments and stress-test security systems, including deepfake simulations, to ensure resilience against evolving threats.
- Invest in advanced deepfake detection technologies and real-time monitoring tools to mitigate misinformation, impersonation, and other malicious content.
How Can We Help?
Capital Governance assists FIs by:
- Tailoring comprehensive risk assessments to identify vulnerabilities and mitigate deepfake threats across authentication, communication, and decision-making systems.
- Customising employee training programs focused on social engineering, deepfake identification, and best practices to prevent fraud and breaches.
And more…