Beyond Technology: MAS’s Deepfake Guidelines and the Human Side of Fraud Prevention

March 10, 2026 No Comments

Introduction

When the Monetary Authority of Singapore (MAS) issued its September 2025 circular on deepfake risks, it marked a turning point for financial institutions and businesses. The guidance followed a series of documented incidents — from the HK$200M Hong Kong CFO impersonation scam (The Guardian) to a €20M cryptocurrency fraud in Spain (PANews Lab) and a crypto scam in Hong Kong using AI-generated personas (Protos). Even Singapore has seen close calls — including a $499K near-miss prevented in March 2025 (MAS).

The circular shows that MAS understands the scale of the problem. It does not just prescribe technology like liveness detection or endpoint detection tools. It emphasises the human side of fraud prevention: training employees, building stronger verification processes, and reinforcing separation of duties for high-risk transactions.

For companies, the lesson is clear: fraud is not just a technical problem. It is a verification problem that spans people, process, and tools.

The $67.4M Wake-Up Call

Hong Kong CFO Scam (HK$200M / $25M)

In February 2024, a Hong Kong employee was tricked into authorising HK$200M in fund transfers after attending a video call where fraudsters used deepfakes of colleagues and the CFO (The Guardian).

The scam worked because the criminals controlled the conversation, eliminated doubt by having multiple “participants,” and applied pressure with fake urgency. The lack of a secondary verification process meant one employee’s actions led directly to multimillion-dollar losses.

Spanish Crypto Scam (€20M / $21M)

In April 2025, Spanish authorities investigated a deepfake-driven cryptocurrency fraud that cost investors €20M. Fraudsters used manipulated video content and fabricated endorsements to convince victims that the scheme was legitimate (PANews Lab).

Unlike older scams, this case showed that deepfakes can be combined with polished marketing and credible details to bypass even cautious investors’ judgement.

Hong Kong “Superior Women” Crypto Scam

In October 2024, Hong Kong police broke up a fraud ring that used AI deepfakes of women — marketed as “superior women” — to lure victims into false relationships before convincing them to transfer money into crypto wallets. Losses reached tens of millions of dollars (Protos).

This incident highlighted how fraud tactics prey on trust and personal connection, not just corporate processes. It demonstrated that both executives and ordinary employees can be victims of scams.

Singapore Near-Miss ($499K)

In March 2025, MAS and police intervened to prevent a $499,000 fraudulent transfer, citing it as a near miss for Singaporean businesses (MAS). The incident showed that local verification processes can fail under pressure, but also that rapid coordination with authorities can stop the fraud in time.

Together, these examples show why MAS has escalated its focus on corporate verification.

What Is at Stake for Businesses?

For companies and financial institutions, the implications are wide-ranging:

  1. Fraud is escalating — attacks that once relied on crude phishing emails now use AI deepfakes. 
  2. CEO fraud and business email compromise are evolving — video impersonation is the new frontier. 
  3. Verification failures undermine trustemployees and customers alike struggle to distinguish authentic communications. 

The consequence is not only monetary losses. Regulatory fines, reputational harm, and loss of investor confidence can all follow when a company fails to address verification risks.

Why Corporate Verification Fails

Biometric Authentication Defeat

In August 2024, an Indonesian financial institution reported a KYC bypass using deepfake photos — proving that static identity verification is not enough (MAS Circular, 2025).

Social Engineering via Fake CEO Calls

Fraudsters impersonate executives on video calls, pressuring employees to approve fraudulent transactions. The psychological manipulation is as powerful as the technical deception.

Trust Breakdown Inside Companies

Employees are conditioned to respect hierarchy. Without escalation processes, they may act on instructions from fraudulent CEOs without question.

Fraud Tactics MAS Has Highlighted

MAS emphasised that fraudsters now combine AI with proven fraud tactics:

  • Phishing emails enhanced with AI-generated wording. 
  • Business email compromise evolving into deepfake-enabled impersonation. 
  • Fund transfers manipulated by fake authorisation. 
  • Account creation with falsified documents and synthetic data. 

This hybridisation makes fraud both harder to detect and more convincing.

MAS’s Regulatory Response

MAS Deepfake Compliance Singapore Explained

On 18 September 2025, MAS issued its circular mandating a comprehensive approach to fraud prevention. It stresses that controls must be both technical and human-centred.

Key MAS Mitigation Requirements

  • Biometric liveness detection for onboarding and identity verification. 
  • Separation of duties for high-value transactions. 
  • Multi-factor authentication for privileged accounts. 
  • Employee security awareness training on deepfakes and fraud tactics. 
  • Endpoint deepfake detection tools to stop manipulation before funds are moved. 
  • Regular fraud detection tests and vulnerability assessments. 

These requirements reflect lessons from the cases: single points of failure, weak processes, and untrained employees make fraud easier.

Why MAS’s Controls Matter in Practice

Each MAS guideline addresses a real vulnerability:

  • Liveness detection thwarts fraudsters using fake photos for account creation. 
  • Separation of duties prevents a lone employee from moving millions without oversight. 
  • Multi-factor authentication ensures even stolen credentials cannot authorise high-value transactions. 
  • Employee training builds resilience, helping staff spot suspicious video calls or manipulated details. 
  • Endpoint detection tools catch deepfake content before it is used in fraud. 

In short, MAS is closing the gap between technical solutions and human fallibility.

What Are the Key Risks for Companies?

MAS listed five categories of risk:

  1. Market risk — false signals or fabricated news moving markets. 
  2. Cyber risk — social engineering combined with AI. 
  3. Fraud risk — CEO fraud, falsified accounts, fraudulent transactions. 
  4. Regulatory risk — penalties for failing to prevent fraud. 
  5. Reputational risk — erosion of trust in executives and businesses. 

Each risk has measurable impact: loss of money, erosion of shareholder confidence, or regulatory censure.

Global Context: Deepfakes Beyond Singapore

The FBI has warned of similar patterns in the U.S. In 2023, companies reported business email compromise losses exceeding $2.9B, often involving CEO fraud layered with new AI techniques (IC3.gov).

What is clear: MAS’s guidance is not an isolated directive. It is part of a global trend recognising that deepfake threats are now embedded in corporate fraud. For multinational companies, aligning with MAS requirements is a way to raise global standards of resilience.

How to Strengthen Corporate Verification

How to Prevent CEO Fraud

  • Use multi-channel verification for fund transfers: phone confirmation, secondary approvals, or callbacks. 
  • Train employees to pause and escalate if instructions seem unusual. 

How to Strengthen Account Verification

  • Introduce layered identity verification with biometric liveness checks. 
  • Audit accounts regularly for anomalies or suspicious account creation attempts. 

How to Improve Employee Awareness

  • Run simulations of deepfake-enabled scams. 

Provide employees with toolkits to verify executives’ communications.

Category

  • Resilience & Compliance
  • Threat Intelligence & Trends
  • Operational Excellence
  • Culture & Awareness
  • Lorem ipsum

Recent Posts