Home  /  Insights  /  AI Deepfakes: A Threat to Companies and Campaigns
Insights

AI Deepfakes: A Threat to Companies and Campaigns

AI Deepfakes: A Threat to Companies and Campaigns
In an active situation right now? Request an urgent consultation and we will get you a same-day or next-available time with a senior strategist.
Request urgent consult →
Key takeaways
  • Deepfakes are no longer hypothetical. A fabricated video call of a company's executives led one firm to wire out 25 million dollars, and the 2026 midterms saw the first realistic deepfake videos of real candidates run as attack ads.
  • The threat hits two audiences the same way. For companies it is fraud and brand sabotage; for campaigns it is fabricated statements that stick in voters' minds even after they are debunked.
  • The law is a patchwork. There is no federal rule, around 30 states regulate election deepfakes mostly through disclosure, and at least one state law has already been partly struck down on free-speech grounds.
  • The defensible position is preparation, not reaction. The organizations that weather a deepfake are the ones that hardened verification, monitoring, and rapid-response before the fake appeared.

There are two stories I have started telling clients in the same breath now, even though one is about a company and the other is about a candidate, because they are really the same story.

The first is about Arup, the global engineering firm behind landmarks like the Sydney Opera House. In early 2024, a finance employee in their Hong Kong office joined a routine video call. The chief financial officer was on it. So were other colleagues he recognized, faces and voices he knew. Over the course of that call and the instructions around it, he authorized fifteen transfers totaling about 25.6 million dollars. Every person he saw and heard on that call was an AI deepfake, built from publicly available footage of real Arup executives. The money was gone in a day, and as of last year none of it had been recovered (CNN Business).

The second is from this spring. In a U.S. Senate race, a party committee ran an attack ad built around a computer-altered version of a sitting state representative, making him appear to read his own old social-media posts on camera. It was reported as the first realistic candidate deepfake used in a major American race (CNN Politics). Within weeks there was another, an AI-generated video and voice of a different Senate candidate, doing the same kind of work (WGME).

A company lost 25 million dollars. A candidate had words put in his mouth on television. Different worlds, identical mechanism. Someone with a modest budget and public footage of you can now manufacture a convincing version of you saying or doing something you never said or did. Having spent more than twenty-five years protecting reputations, I can tell you this is the fastest-moving threat I have watched arrive.

Why this is a reputation problem, not just a tech problem

It is tempting to file deepfakes under cybersecurity and move on. That misreads the damage. The 25 million dollar wire was a fraud loss, yes, but the lasting harm in most deepfake incidents is to belief. People saw something that looked real, and a piece of that impression survives even after the fake is exposed.

The research on this is uncomfortable. Studies have found that people genuinely struggle to identify deepfake videos, and that voters who see a fabricated clip of a candidate saying something inflammatory tend to retain that impression even after they are told it was fake (Detroit News). The correction almost never travels as far as the original. That is the part that should worry any executive or candidate. A debunking is not a reset. The fake leaves a residue.

For a company, the exposure runs in a few directions at once. There is direct fraud, like the Arup case, where a synthetic executive authorizes something costly. There is brand sabotage, a fabricated clip of your CEO appearing to say something offensive or admit to something untrue. And there is the slower erosion of a deepfake that quietly poisons what people, and increasingly what AI systems, believe about you.

For a campaign, it is the fabricated statement, the invented moment, the manufactured scandal dropped late enough in a cycle that the truth cannot catch it before votes are cast.

The law is a patchwork, and it is not going to save you in time

People assume there must be a law against this. There is, sort of, in places, unevenly.

There is no federal statute governing AI-generated content in political advertising, and nothing comprehensive covering deepfakes of executives or private figures. What exists is a state-by-state quilt. As of the spring of 2026, roughly 30 states had passed laws addressing deepfakes in elections, up from 28 at the start of the year, and most of them center on disclosure rather than outright bans (Public Citizen). The typical requirement is a disclaimer that content was generated or substantially altered with AI.

Where the law standsReality
Federal law on political deepfakesNone comprehensive
States with election-deepfake lawsAbout 30, and rising
Most common approachDisclosure and disclaimers, not bans
Deepfakes of executives or private figuresLargely outside these election-specific laws
DurabilityAlready being tested; a federal judge struck down parts of California’s law in 2025 on free-speech grounds

That last line matters. Even the laws on the books are contested. In 2025 a federal judge struck down portions of California’s election-deepfake law, finding they likely conflicted with existing federal protections and the First Amendment (Wiley). So the legal landscape is both incomplete and unsettled. Even where a law clearly applies, enforcement takes time the news cycle does not give you. By the time a remedy arrives, the clip has done its work.

To be clear about my lane, none of this is legal advice, and a real incident may call for real lawyers. The point is simpler. You cannot treat the law as your first line of defense against something that spreads in hours.

What actually protects you

The organizations that come through a deepfake well are the ones that prepared for it before it happened. The work splits cleanly between the two audiences, then converges.

For companies, the single highest-value move is procedural and almost boring. Most corporate deepfake fraud, including the kind that hit Arup, dies the moment a transfer or a sensitive instruction requires out-of-band confirmation. If a convincing video of your CFO can never, by itself, authorize a wire, then the most expensive version of this threat is largely defused. The World Economic Forum’s writeup of the Arup case lands on exactly this lesson (World Economic Forum).

For campaigns, the highest-value move is speed and a pre-built response. The fabricated clip will not wait for your team to convene. You need monitoring that catches it fast, holding language ready to go, proof of what is real, and the channels to push the truth out while the story is still forming.

And for both, the quiet foundation underneath is the same one I push on constantly. You need a strong, well-documented, easily found public record of who you actually are and what you actually said. When a fake appears, the truth needs somewhere authoritative to point. That is also what increasingly shapes whether AI systems repeat the fake or the fact, which ties this directly to the work in reputation defense and to the way AI now narrates people in what ChatGPT says about you. On the campaign side, it connects to everything in political reputation management.

The steps above lay out the preparation in order. None of it is exotic. All of it is the difference between absorbing a hit and being defined by one.

The honest bottom line

Deepfakes are not a future problem to monitor. They are a present one that has already moved real money and already aired against real candidates. The technology will keep getting cheaper and more convincing, which means the question is not whether your industry or your race will see this, but whether you will have done the unglamorous preparation before it is your face on the screen.

That preparation is exactly the kind of out-of-the-box, get-ahead-of-it work we do, for executives and for campaigns. If this is a live concern, the time to build the defense is while it is still hypothetical for you. For an active situation, do not wait.

Sources

Frequently asked questions

What is a deepfake and why is it a reputation threat?

+

A deepfake is AI-generated audio, video, or imagery that convincingly imitates a real person saying or doing something they never did. It is a reputation threat because it can manufacture a damaging statement, a fraudulent instruction, or a fabricated scandal that looks authentic. The lasting harm is to belief: research shows people struggle to identify fakes and tend to retain the false impression even after it is debunked.

Have deepfakes actually caused real damage to companies or campaigns?

+

Yes. The engineering firm Arup lost about 25.6 million dollars after an employee was tricked by a video call full of deepfaked executives. In the 2026 U.S. midterms, party committees ran the first realistic deepfake attack ads against real Senate candidates, fabricating video and voice of them. Both show the same mechanism used for very different ends.

Are there laws against political or corporate deepfakes?

+

The protection is uneven. There is no comprehensive federal law on political deepfakes, and around 30 states regulate election deepfakes, mostly by requiring disclosure rather than banning them. Deepfakes of executives or private figures largely fall outside these election-specific laws. Some of the existing laws are also being challenged in court, so the legal landscape is incomplete and unsettled, and enforcement is usually too slow to stop a fake before it spreads.

How can a company protect itself from deepfake fraud?

+

The single most effective step is procedural: require out-of-band confirmation for any transfer of funds or sensitive instruction, so a convincing video or voice can never authorize action on its own. That alone defuses the most expensive version of the threat. Beyond that, map who could be impersonated, monitor for misuse of your executives' likenesses, and have a rapid-response plan ready before an incident.

What should a campaign do to prepare for a deepfake attack?

+

Assume it could happen and prepare for speed. Set up monitoring that catches a fabricated clip within hours, have holding language and proof of the real record ready to deploy, and maintain channels to push the truth out while the story is still forming. Because corrections rarely travel as far as the original fake, getting an accurate response out fast, backed by a strong documented public record, is the best available defense.

More in this series
How to Build a Crisis Communication PlanLitigation PR: Winning the Court of Public OpinionHow to Handle a PR Crisis in the First 48 Hours