The fortunes and reputations of executives and corporations are at great risk because of the ability of cybercriminals to target vulnerable executives with artificial images or videos for the purposes of extortion and physical harm. As more evidence of the reality and likelihood of deepfake attacks emerge, awareness of the need to take action to prevent these threats is growing. More than half of IT security practitioners (54 percent) surveyed in this research say deepfake is one of the most worrying uses of artificial intelligence (AI).
Click here to download the full report
The purpose of the research – sponsored by BlackCloak Inc. but conducted independently by the Ponemon Institute — is to learn important information about how organizations view the deepfake risk against board members and executives and how these attacks can be prevented. According to the research, executives were targeted by a fake image or video an average of three times. Another serious threat covered in this research for the second year is the risk to executives’ digital assets and their personal safety. In this year’s study, attacks by cybercriminals against executives and their families increased from 42 percent to 51 percent of organizations represented in the research.
It is not if, but when your executives and board members will be a target of a deepfake attack, and it is likely they will not even know it. Respondents were asked to rate the likelihood of a deepfake attack, the difficulty in detecting it and the confidence in the executives’ ability to know that they are being targeted. Respondents said an attack is highly likely (66 percent), it is very difficult to detect (59 percent) and there is no confidence that executives would recognize an attack (37 percent).
The following findings illustrate the severity of deepfake and digital asset attacks
- Is the person calling your company’s CEO a trusted colleague or a criminal? Forty-two percent of respondents say their organizations’ executives and board members have been targeted an average of three times by a fake image. Or worse, 18 percent are unsure if such an attack occurred. Of those targeted, 28 percent of respondents say it was by impersonating a trusted entity such as a colleague, executive, family member or known organization. Twenty-one percent of respondents say executives and board members received urgent messages such as the requirement of immediate payment or information about a security breach detected.
- It is difficult to detect imposters seeking to do harm. Executives must understand that a zero-trust mindset is essential to not becoming a deepfake victim because 56 percent of respondents say It is essential to distinguish between what is authentic and what is fake in messages. For example, imposter accounts are social media profiles engineered for malicious activities, such as a deepfake attacks. The two types of deepfakes of greatest concern are social imposters (53 percent of respondents) and financial fraudsters (37 percent of respondents).
- Executives need training and a dedicated team to respond to deepfake attacks. Despite the threat from deepfake cybercriminals, 50 percent of respondents say their organizations do not plan to train executives on how to recognize an attack. Only 11 percent of respondents currently train executives to recognize a deepfake and only 14 percent have an incident response plan with a dedicated team when a deepfake occurs.
- Threatening activities may go undetected because of a lack of visibility into erroneous activities. Only 34 percent of respondents say their organizations have high visibility into the erroneous activity happening within their organization to prevent deepfake threats. Fifty-two percent of respondents say it is highly likely that their organization will evaluate technologies that can reduce the risks from deepfakes targeting executives. Fifty-three percent of respondents say technologies that enable executives to verify the identity and authentication of messages they receive are highly important.
- The financial consequences of deepfake attacks are not often measured and therefore not known. Only 36 percent of respondents say their organizations measure how much a deepfake attack can cost. If they do, the top two metrics used are the cost to detect, identify and remediate the breach and the cost of staff time to respond to the attack.
- Organizations are in the dark about the severity of the financial consequences from a cyberattack involving digital assets. Forty-three percent of respondents measure the potential consequences of a cyberattack against their executives and in 2023 only 39 percent of respondents said they had metrics in place. Forty percent of respondents say their organizations measure the financial consequences against the business due to a cyberattack against the personal lives of executives and digital assets, a slight decrease from 2023.
- Metrics used to determine the financial consequences of a digital cyberattack against executives remain the same since 2023. The top two metrics for cyberattacks against executives are the cost of staff time (62 percent of respondents) and the cost to detect, identify and remediate the breach (51 percent of respondents).
- Despite the vulnerability of executives’ digital assets, most training occurs following an attack. Most training is done after the damage is done, according to 38 percent of respondents in 2023 and 2024.
- Attacks against executives and family members increase. Organizations need to assess the physical and digital asset risks to executives and their families. In 2023, 42 percent of respondents of respondents said there were attacks against executives and family members. This increased to 51 percent in 2025.
- Online impersonations increased significantly since 2023. The most prevalent attacks continue to be malware on personal or family devices (58 percent of respondents in 2024 and 56 percent of respondents in 2023), exposure of home address, personal cell and personal email (50 percent of respondents down from 57 percent of respondents in 2023). However, online impersonations increased significantly from 34 percent of respondents in 2023 to 41 percent of respondents in 2024.
- While still a low number, more organizations are increasing budgets and other resources because of the need to protect executives and their digital assets. Since 2023 48 percent of respondents say their organizations incorporate the risk of cyberthreats against executives in their personal lives, especially high-profile individuals in its cyber, IT and physical security strategies and budget, an increase from 42 percent of respondents. More organizations have a team dedicated to preventing and/or responding to cyber or privacy attacks against executives and their families, an increase from 38 percent to 44 percent of respondents.
- More cybercriminals are targeting IP and executive’s home network. Organizations should be concerned that their company information, including IP and executives’ home networks, have become more vulnerable since 2023. The theft of intellectual property and improper access to the executive’s home network have increased from 36 percent of respondents to 45 percent of respondents and 35 percent of respondents to 41 percent of respondents, respectively. Significant consequences were the theft of financial data (48 percent of respondents) and loss of important business partners (40 percent of respondents).
- The likelihood of physical attacks and attacks against executives’ digital assets has not decreased in the past year. Sixty-two percent of respondents in 2023 and 2024 say it is highly likely a cybersecurity attack will be made against executives’ digital assets and 50 percent in both years say there will be a physical threat against executives. As discussed previously, organizations are slow to train executives on how to avoid a successful attack against their digital assets. Sixty-eight percent of respondents say it is highly likely that an executive would unknowingly reuse a compromised password from their personal accounts inside the company and 52 percent of respondents say an executives’ significant other or child would click on an unsolicited email that takes them to a third-party website.
- More organizations are providing self-defense training. Self-defense training has increased since 2023 from 53 percent of respondents to 63 percent of respondents in 2025. Slightly more organizations are assessing the physical risk to executives and their families from 41 percent to 46 percent of respondents. Forty-one percent assess the risk to executives’ digital assets when working at home.
- Why is it difficult to protect executives’ digital assets? The top two challenges are due to remote working and not making protection of digital assets a priority when executives work outside the office, 53 percent and 51 percent of respondents, respectively. As a consequence of not training executives to protect their digital assets, only 38 percent of respondents say their executives and families understand the threat to their personal digital assets and only 32 percent of executives take personal responsibility for the security and safety of their digital assets.
- Confidence in CEOs’ and executives’ ability to do the right thing to stop cyberattacks continues to be low. While there is an increase in confidence in the CEO or executive knowing how to protect their personal computer from viruses (32 percent of respondents, an increase from 26 percent of respondents in 2023), it is still too low. Also, there is a significant decrease in executives knowing how to determine if an email is phishing (23 percent of respondents from 28 percent in 2023). Organizations lack confidence in their executives knowing how to set up their home network security (25 percent of respondents percent of respondents and 26 percent of respondents in 2023) and knowing if their email or social media accounts are protected with dual factor authentication (20 percent of respondents and 16 percent of respondents in 2023).
- Difficulty in stopping cyberattacks against executives and their digital assets remains high. It continues to be highly difficult to have sufficient visibility into executives’ home networks cyberattacks (63 percent of respondents), to have sufficient visibility into executives’ personal devices (66 percent of respondents), sufficient visibility into executives’ personal email accounts (67 percent of respondents), sufficient visibility into executives’ password hygiene (60 percent of respondents) and sufficient visibility into executives’ privacy footprint (65 percent of respondents).