Deepfakes and Vishing: What You Need to Know to Stay Protected | FINRA.org
Avoid Fraud

Deepfakes and Vishing: What You Need to Know to Stay Protected
Deepfakes and Vishing: What You Need to Know to Stay Protected

Have you ever received a text or voice message from someone claiming to be an investment professional and requesting confidential personally identifiable information? Have you seen a video posted on social media featuring a known celebrity promoting a “fantastic” investment opportunity? Has someone who sounds like a family member called with a frantic ask for you to wire them money? Videos and calls like these might look and sound real, but they might actually be scams using deepfakes and vishing, two rapidly evolving cyber threats facing investors today.

Understanding Deepfakes and Vishing

As artificial intelligence (AI) grows in sophistication, its ability to mimic voices and likenesses has become more convincing. Deepfakes are audios or videos that are altered or fully generated by AI to convincingly imitate a real person. Vishing (voice phishing) involves scams conducted via phone or voice channels that seek to manipulate targets through real-time conversation, applying pressure to create a sense of urgency. Modern vishing can use AI-powered voice cloning created from just seconds of recorded speech harvested from social media, public interviews or other sources. The result is a hyper-realistic voice impersonation that can engage in conversations, respond intelligently and adapt in real-time.

Some examples of deepfakes and vishing scams include:

  • Social media videos that appear to feature a well-known business executive or celebrity offering what they claim is an elite investment opportunity and often citing a “limited time offer” or “guaranteed” returns. They might promote a link that then takes you to a professional looking website designed to take your deposit and disappear.
  • Real-time phone conversations using cloned voices of family members who seem to be in emergency situations. The impersonator might then urge immediate payment via wire transfer, payment app, gift cards or cryptocurrency, all payment methods that make recovering your money difficult. They’ll also likely ask you to keep the “emergency”—and the payment—secret from other family members.
  • Real-time phone conversations using cloned voices of alleged investment professionals who say there’s an urgent issue with your account. The impersonator might claim to need personal information such as your email address and password. Brokerage firms have reported to FINRA that bad actors are employing these vishing techniques to fraudulently gain access to customer credentials, which can lead to customer account takeovers.
  • Voicemails that sound like investment professionals asking you to share sensitive information. These messages often appear to be official communications and instruct you to call a number to either verify your identity or restore access to your account, prompting you to reveal confidential information.

Look for Red Flags

How can you protect yourself from deepfake and vishing scams? Sometimes there are clues that might indicate what you’re seeing or hearing isn’t what it appears to be and is actually a deepfake or vishing scam.

Behavioral Red Flags:

  • Extreme urgency – e.g., "This must happen right now"
  • Requests for secrecy – e.g., "Don't tell anyone"
  • Pushback when you ask to verify their identity
  • Communication through unexpected channels
  • Claims of connection/internet issues to disguise inconsistencies in audio or video communications

Audio Red Flags:

  • Voice sounds overly polished or, alternatively, slightly "off"
  • Mispronunciations, especially of names
  • Odd pauses or robotic pacing
  • Interruptions handled unnaturally
  • Artificial or inconsistent background noise

Video Red Flags:

  • Mouth movements out of sync
  • Limited blinking or stiff expressions
  • Lighting doesn't match environment
  • Refusals of simple requests like moving the camera or waving their hand over their face to test whether the scammer is using AI-powered software

Protecting Yourself From Deepfakes and Vishing

If a request involves money, account or device credentials/access, or sensitive information, always verify through a different, trusted channel.

Also, keep in mind these safety tips:

  • Never share verification codes or personal information over phone or text.
  • Never use contact information, including links and QR codes, provided in the suspicious communication itself.
  • If contacted by phone, hang up and call back using trusted numbers.
  • Be skeptical of urgent calls from banks, schools or "family in trouble."
  • Establish family code words to verify one another during emergencies.

If you think that your information or assets have been compromised, consider taking the following actions:

  • Stop the interaction immediately.
  • Contact your bank or investment professional (if applicable).
  • Contact law enforcement—such as your local police department, the FBI (Field Office or Electronic Tip Form) or, in the case of cybercrime, the Internet Crime Complaint Center (IC3)—and the Federal Trade Commission (FTC).
  • Consider contacting your financial institution to lock or freeze your existing financial accounts and monitor them for any suspicious activity.
  • Close any new or unauthorized accounts.
  • Place a fraud alert on your credit profiles.
  • Keep a detailed report of the mitigation steps you’ve taken.

Additionally, if you think you’ve been a target or victim of investment fraud, file a regulatory tip with FINRA.

Learn more about how to protect your money.