How long would it take someone to become you?
Not to steal your identity in the traditional sense. Not to open credit cards in your name or drain a bank account.
I mean actually become you. Your voice on a phone call. Your face on a video conference. Your communication patterns in an email thread. Your mannerisms, your speech patterns, the way you phrase requests when you’re busy.
Eighteen months ago, the answer was weeks of work by a sophisticated team with significant resources.
Now it’s hours. Sometimes less.
And that timeline keeps shrinking.
The $25 Million Phone Call
There’s a case that’s been making rounds in security circles. I’ve discussed it with colleagues in Hong Kong, with fraud investigators, with executives who heard about it and suddenly couldn’t sleep.
A finance executive at a multinational firm received a video call. The person on the other end looked exactly like his CFO. Sounded exactly like his CFO. Referenced conversations that only his CFO would know, including details from internal emails and previous meetings.
The CFO explained there was an urgent acquisition opportunity. Time-sensitive. Confidential. Needed to move funds immediately to secure the deal.
The finance executive did his job. He followed what appeared to be legitimate instructions from his superior. He authorized a transfer.
$25 million.
Gone.
The “CFO” on the video call was a deepfake. A synthetic reconstruction built from publicly available footage, trained on earnings calls and media appearances, refined using weeks of email surveillance that the attackers had conducted after compromising a single account.
I keep thinking about the moment right before he clicked approve.
He probably felt confident. He was looking at his colleague’s face, hearing his colleague’s voice, referencing shared context that felt authentic. He probably thought he was being diligent by confirming on video rather than just email.
He trusted his own eyes and ears.
Why wouldn’t he? That’s what we’re wired to do. Our brains evolved to recognize faces and voices as the ultimate authentication. For millions of years, if someone looked and sounded like your tribal leader, they were your tribal leader.
Evolution didn’t prepare us for synthetic media.
The Technology Curve
The technology that made the Hong Kong attack possible isn’t classified. It isn’t rare. It isn’t locked away in intelligence agency vaults.
It’s available to anyone with modest technical skills, a consumer-grade GPU, and access to training data.
Three years ago, creating a convincing deepfake required specialized expertise, expensive hardware, and extensive manual refinement. The results were often detectable if you knew what to look for.
Today, there are tools that automate most of the process. Voice cloning requires as little as three seconds of sample audio. Face synthesis can work from a handful of photos. Real-time deepfakes, where someone controls a synthetic face during a live video call, have moved from research papers to commercial products.
The quality curve is steep. Each generation is more convincing than the last. Detection tools exist, but they’re locked in an arms race they may not win.
And the barrier to entry keeps falling.
A determined amateur can now produce results that would have required a nation-state budget five years ago. Organized crime has access to tools that exceed what most corporate security teams can detect.
This isn’t a future threat. It’s a present one.
Your Public Presence Is Their Training Data
Where does the training data come from?
This is where visibility becomes a double-edged sword.
Every podcast interview you’ve given. Every conference keynote you’ve delivered. Every media appearance, every earnings call, every video on your company website or LinkedIn profile. Every photo from every event.
All of it is training data.
All of it can be used to build a synthetic version of you.
I think about this when I talk to executives who are proud of their media presence. They should be proud. Visibility matters. Thought leadership builds businesses. Being the face and voice of a company creates trust with customers, investors, and partners.
But visibility is also exposure.
The same footage that establishes credibility can be used to synthesize a version of you that your own assistant might not question on a Tuesday morning when she’s busy and the request seems urgent.
The same voice samples that demonstrate your expertise can be cloned into a phone call that convinces your bank to wire funds.
The same photos that humanize your leadership can be animated into a video that impersonates you with terrifying accuracy.
I’m not suggesting executives should become invisible. That’s not realistic for anyone running a significant business or managing substantial assets. Public presence is often a professional requirement.
But the security implications of that presence need to be understood and addressed.
What’s Actually at Risk
Let me walk through the scenarios that keep me up at night.
The executive impersonation. Someone creates a deepfake of a CEO and uses it to authorize a wire transfer, approve a vendor payment, or instruct a subordinate to share sensitive information. The Hong Kong case is the template, but variants are appearing constantly.
The family emergency scam. A call comes in to a family office or personal assistant. It sounds exactly like the principal. There’s been an accident, a kidnapping, an emergency. Send funds immediately. Don’t tell anyone. The emotional manipulation compounds the technical deception.
The board manipulation. A synthetic video or audio recording of a board member surfaces, appearing to show them making statements they never made. Used for extortion, market manipulation, or simply to create chaos at a critical moment.
The access social engineering. Someone calls your residence using your spouse’s voice, asking the staff to admit a “repair person” or disable a security system temporarily. The synthetic voice creates a false sense of authenticity.
The reputational attack. A deepfake video shows you saying something inflammatory, illegal, or embarrassing. Even when debunked, the damage lingers. The phrase “seeing is believing” hasn’t caught up to the reality of synthetic media.
Each of these scenarios has already occurred in some form. They’re not theoretical. They’re operational.
The Defense: Verification Architecture
The defense isn’t invisibility. You can’t put the toothpaste back in the tube. Your public presence exists, and attempting to erase it creates its own problems.
The defense is a verification architecture.
Verification architecture means building systems and protocols that don’t rely on voice and face recognition as authentication. It means creating layers of confirmation that synthetic media cannot bypass.
Here’s what this looks like in practice:
Out-of-band confirmation. Any significant request, whether financial, access-related, or involving sensitive information, requires confirmation through a different communication channel than the request came through. If the request comes by video call, confirmation happens by text to a verified number. If the request comes by email, confirmation happens by phone to a known line.
Code words and challenge phrases. Offline authentication credentials that exist only in the minds of authorized parties. When your assistant receives a request that seems unusual, they have a phrase they can request that only the real you would know. These words never appear in email, never appear in digital form, and are changed periodically.
Tiered authorization. Significant transactions require multiple parties to approve, with each party confirming through independent channels. No single point of failure. No single person whose impersonation can authorize action.
Behavioral tripwires. Training staff to recognize requests that fall outside normal patterns, regardless of how authentic the requestor appears. Urgency, secrecy, and pressure to bypass normal procedures are red flags, even when the face and voice seem legitimate.
Communication trees. Pre-established protocols for who contacts whom in specific scenarios, with verification requirements at each node. If there’s a family emergency, there’s a specific sequence of calls with specific confirmation requirements.
Duress protocols. Signals that can be embedded in communication to indicate that the speaker is under coercion. If someone is being forced to make a call, they can incorporate elements that alert the recipient without tipping off the attacker.
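To make the out-of-band, tiered-authorization and tripwire rules concrete, here is a small policy gate written as an added example; it is not code from the author or any product. The threshold, approver count, flag names, party names and channel labels are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy values: assumptions for illustration, not from the article.
OOB_THRESHOLD = 10_000   # at or above this amount, full verification applies
MIN_APPROVERS = 2        # independent approvers besides the requester
TRIPWIRES = {"urgent", "secret", "bypass_procedure"}

@dataclass(frozen=True)
class Confirmation:
    party: str             # who confirmed
    channel: str           # channel the confirmation arrived on
    contact_on_file: bool  # reached via a pre-registered contact, not one given in the request

@dataclass
class Request:
    requester: str
    amount: int
    channel: str           # channel the request arrived on
    flags: set = field(default_factory=set)
    confirmations: list = field(default_factory=list)

def evaluate(req):
    """Return ("approve" | "hold", reasons) for a request."""
    tripped = sorted(req.flags & TRIPWIRES)
    if req.amount < OOB_THRESHOLD and not tripped:
        return "approve", []
    # A confirmation counts only if it used a different channel than the
    # request and reached the party through a contact already on file.
    valid = [c for c in req.confirmations
             if c.channel != req.channel and c.contact_on_file]
    reasons = []
    if not any(c.party == req.requester for c in valid):
        reasons.append("requester not confirmed out-of-band")
    approvers = {c.party for c in valid if c.party != req.requester}
    if len(approvers) < MIN_APPROVERS:
        reasons.append(f"{len(approvers)}/{MIN_APPROVERS} independent approvers")
    if reasons and tripped:
        reasons.append("tripwires: " + ", ".join(tripped))
    return ("hold" if reasons else "approve"), reasons

# Constructed sample: a video-call request "confirmed" only on that same call.
fake = Request("cfo", 25_000_000, "video", {"urgent", "secret"},
               [Confirmation("cfo", "video", False)])
# Constructed sample: same request with callbacks on separate, known lines.
real = Request("cfo", 25_000_000, "video", set(),
               [Confirmation("cfo", "phone", True),
                Confirmation("controller", "sms", True),
                Confirmation("treasurer", "phone", True)])
```

The gate never looks at how convincing the caller was: a confirmation made on the same channel as the request, or to a contact supplied in the request, simply does not count.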
The Question That Reveals Everything
I’ve started asking a simple question in every security assessment:
If someone called your gatekeeper tomorrow, using your voice and your face on a video call, and asked them to do something unusual… what would stop them?
The silence that follows tells me everything.
Most executives haven’t thought about this. Most families haven’t built protocols for it. Most organizations rely on the assumption that voice and face are sufficient authentication, because that’s how humans have operated for our entire existence.
That assumption is now exploitable.
When I ask the question, I sometimes get defensive responses. “My team knows me. They’d spot a fake.” But the Hong Kong CFO’s team knew him too. The fake was good enough.
“We have approval processes.” But approval processes often terminate in human judgment calls, and human judgment relies on recognition.
“We use secure channels.” But secure channels can be compromised, and synthetic media doesn’t care what app you’re using.
The question isn’t whether your current systems would catch a crude impersonation attempt. The question is whether they would catch a sophisticated one, executed with weeks of preparation, using the best available technology, targeting specific human vulnerabilities.
Most systems wouldn’t.
Implementation Priorities
If you’re reading this and recognizing gaps, here’s where to start:
First, audit your exposure. How much training data exists for synthesizing you? Catalog your public appearances, your voice samples, and your high-resolution images. Understand what an attacker would have to work with.
Second, identify your high-value targets. Who in your organization or household has authorization to take significant action based on your instruction? Executive assistants, finance teams, family office staff, household managers, security personnel. These are the people who need verification protocols.
Third, establish out-of-band confirmation. Define which requests require confirmation through a separate channel. Set the thresholds appropriately: too low creates friction that leads to workarounds, too high leaves gaps.
Fourth, create offline authentication. Establish code words and challenge phrases with key personnel. Document them securely offline. Train people to use them naturally.
Fifth, brief your inner circle. Make sure family members, key staff, and close advisors understand the threat. The attack vector often targets people who trust you implicitly, because that trust can be exploited.
Sixth, pressure-test your protocols. Conduct exercises where someone attempts to impersonate you and request action. Find out where your protocols break down before an actual attacker does.
The Uncomfortable Reality
So let me ask you the same question I asked at the start.
How long would it take someone to become you?
If you’ve given podcast interviews, conference talks, or media appearances, they already have your voice.
If you have photos on LinkedIn, company websites, or social media, they have your face.
If your email has ever been compromised or if anyone in your orbit has been phished, they may have your communication patterns.
The raw material exists. The tools are available. The only question is whether anyone has chosen to invest the time.
And if they did… what would stop them?
If you don’t know the answer, or if the answer makes you uncomfortable, that’s the gap.
That’s where we start.
Next Steps
Deepfake and synthetic media threats are evolving faster than most security frameworks can adapt. If your current protocols rely on voice and face recognition as authentication, they contain vulnerabilities that sophisticated attackers can exploit.
We offer a complimentary 30-minute security consultation where we can assess your current verification architecture and identify gaps in your impersonation defense.
We also have a downloadable Verification Protocol Checklist that walks through the key elements of synthetic media defense.
If you’d like to schedule a conversation or access the checklist, reach out through our website or contact our team directly.
Because the best time to build verification architecture is before someone tests it.
ABOUT THE AUTHOR
John Hamilton is the founder of HK Defense Solutions, a converged security firm serving ultra-high-net-worth families, family offices, and corporate executives. He spent twelve years in U.S. Air Force special operations, where he helped build combat search-and-rescue infrastructure across active war zones.