In the past few years, deepfake technology has rapidly evolved from a novelty to a real cybersecurity threat. Originally used in entertainment and misinformation campaigns, deepfakes—AI-generated audio or video that convincingly mimics a real person—are now being weaponized in new, more sophisticated attacks.
One alarming trend gaining traction: deepfake video password reset scams.
What’s a Deepfake Video Password Reset Scam?
At a high level, this type of scam involves an attacker using AI-generated video (or audio) to impersonate a legitimate user—usually a high-ranking executive or system owner—in order to convince IT helpdesks, service providers, or security teams to reset account passwords or bypass multi-factor authentication (MFA).
Imagine this:
A helpdesk agent receives a video call or recorded message appearing to be from your CIO. The face, voice, tone, and background look authentic. The “CIO” says they’re locked out of their corporate account and urgently need access reset due to a business-critical situation.
If procedures aren’t airtight, the attacker gets access—and potentially full control—over sensitive systems.
Why This Threat Is Growing
Deepfakes Are Getting More Convincing
AI models can now replicate a person’s voice and facial expressions from just a few minutes of sample footage or audio, much of which is publicly available (LinkedIn videos, interviews, webinars).
Helpdesk Social Engineering Remains a Weak Link
Human error is still one of the weakest points in any security program. Even well-trained staff can be fooled under pressure or in the face of a convincing request from a seemingly legitimate executive.
Remote Work and Video Calls Normalize This Behavior
As video communication becomes the norm, many organizations are more accepting of password reset requests over video, increasing the opportunity for abuse.
Real-World Impacts
While specific incidents are often kept quiet, security researchers and threat intelligence reports confirm a sharp increase in:
- Voice deepfakes in vishing attacks (voice phishing)
- AI-generated video in spoofed Zoom calls
- Attempts to bypass identity verification protocols using synthetic media
In one case, an attacker used a voice deepfake of a CEO to trick an employee into transferring over $200,000. It’s only a matter of time before these tactics become common in identity-driven attacks, like password resets.
How to Defend Against Deepfake-Based Attacks
1. Strengthen Password Reset Protocols
- Require multi-factor verification beyond verbal or video identification.
- Enforce in-person or hardware-token verification for high-risk roles.
- Use pre-established callback procedures to verify identity out-of-band.
2. Educate Helpdesk Staff and Admins
- Train teams to be skeptical of urgent, high-pressure reset requests—even from executives.
- Share real-world examples of deepfake threats during security awareness training.
3. Implement Identity Verification Tools
- Adopt advanced identity proofing solutions that verify physical presence (e.g., liveness detection).
- Monitor for behavioral anomalies during login or reset attempts.
4. Limit Publicly Available Media
- Encourage key personnel to reduce the amount of public-facing video and audio online.
- Review what information could be used to train AI on your executives.
5. Log and Audit Every Reset
- Keep detailed logs of all password reset activity, including requestor identity, method of request, and approver.
- Regularly review these logs for signs of abuse.
Final Thoughts
Deepfake technology isn’t just a future threat—it’s here now, and it’s being actively used to compromise identities and systems. As these attacks grow more sophisticated, organizations must rethink how they verify identity—especially during password resets.
Security is no longer just about strong passwords; it’s about verifying who is asking to reset them. It’s time we stop trusting faces and voices alone and start building processes that assume even the most convincing identity could be a fake.