Deepfakes & AI scams: The new face of digital deception

Kampala, June 2025. A senior finance officer at a regional bank receives a Zoom call from her Group CFO. The CFO is in Nairobi, but his face is on screen. His voice is unmistakable. He urgently instructs a confidential payment of UGX 680 million to a new supplier in Nairobi.

She verifies the caller ID. Matches the voice. Sees the familiar hand gestures. Approves the transaction.

Two hours later, she gets an actual call from the real CFO, confused, not on Zoom, and certainly not in Nairobi.

The money is gone.

What happened?

She didn’t just get tricked. She got deepfaked.

Welcome to the new battlefield: Trust

Forget old-school hacking. In 2025, cybercriminals aren’t just stealing passwords. They’re stealing faces, voices, and identities, and weaponizing them.

Deepfakes and AI scams have become the new face of deception, and Uganda is not immune. In fact, we are particularly vulnerable.

Why?

• Low awareness levels
• Overreliance on WhatsApp, Zoom, and unverified voice calls
• Absence of verification protocols beyond “I know that voice”

And criminals know this.

What is a deepfake?

A deepfake is a synthetic media file, video or audio, generated by artificial intelligence to mimic a real person’s face or voice.

Think of it as Photoshop on steroids. But instead of editing a photo, you’re fabricating reality.

• Want to make a politician endorse your NGO? Deepfake it.
• Want to trick a bank into wiring funds? Deepfake the CFO.
• Want to manipulate the public? Release a fake press statement, on video.

The worst part?

You won’t tell the difference.

The anatomy of an AI scam in Uganda

Let’s break down how a real scam unfolded in a Kampala logistics firm:

1. Data harvesting. Fraudsters scraped social media, YouTube interviews, and conference recordings to train an AI model on the CEO’s voice and face.
2. Email compromise. They hacked the CEO’s Gmail via a phishing attack disguised as a URA tax notice. Now they had access to past vendor invoices and board emails.
3. Synthetic video creation. Using tools like Synthesia and ElevenLabs, they generated a fake video of the CEO instructing an emergency transfer to a “strategic vendor.”
4. Deepfake delivery. A video file was shared via WhatsApp with the Head of Finance, marked “Confidential– Urgent”. The voice was emotional. The story plausible. The pressure real.
5. Transaction authorized. UGX 420 million was wired to a Kenyan fintech account. Within 12 minutes, it was broken into smaller chunks and laundered through mobile money agents in Busia and Kakuma.

The red flags that were missed

• Urgency and secrecy.

“Do not discuss this with anyone else. Just get it done.”

• Slight video lag.

Deepfakes often have slight inconsistencies, lip sync issues, awkward blinks, unnatural pauses.

• Unusual instructions

The CEO had never requested payments directly before, but no one questioned it.

The rise of Voice Cloning scams

In Masaka, a businesswoman lost UGX 18 million after “her daughter” called crying and begging for money.

It was not her daughter.

Just 20 seconds of an Instagram video was enough for fraudsters to clone the girl’s voice and simulate distress.

What you must do now

1. Zero-trust culture. Even if it’s “the boss” calling, verify. Create a policy: no transaction is above verification.
2. Two-channel confirmation. If an instruction comes via video, confirm via SMS. If it comes via WhatsApp, confirm via call. If it comes via call, confirm via email.
3. Use AI to fight AI. Adopt tools that detect synthetic media, like Microsoft’s Video Authenticator or Deepware Scanner.
4. Train staff on voice phishing (vishing). Add deepfake drills to your cybersecurity training. Make people experience it before the real attack hits.
5. Monitor your digital footprint. Your voice is on that podcast? Your face in that YouTube webinar? That’s training data for your enemies. Limit exposure.

Who’s behind these scams?

We’ve seen links to cross-border fraud rings with operations in Nairobi, Lagos, and increasingly, Kampala.

At Summit Consulting, we traced one attack back to a Telegram group where fraudsters exchange deepfake templates and Ugandan bank staff data for UGX 250,000 per package.

Yes. You are being bought and sold in pieces, email by email, voice clip by voice clip.

What boards and CEOs must ask immediately:

• Have we done a deepfake exposure audit of our C-suite?
• Do we have a no-exception verification policy for payments above UGX 5M?
• Have we trained our team to spot and stop voice and video-based scams?
• Are we running AI red team simulations to test response reflexes?

Case study: How a fraud was averted using a password… not on a system, but in speech

A leading telecom company in Uganda now uses verbal passphrases in every financial video call.

When the CFO needs to issue a payment instruction, he always includes the words: “Pineapples and power cables.” That’s the internal signal. Anything without it is fake.

It may sound silly. But it’s worked.

Final word from Mr Strategy:

The world has entered the era where reality is programmable. Truth is now something you verify, not just trust.

In the old world, criminals needed to impersonate your boss physically. Today, they generate him, in HD, with perfect voice tone and facial expressions.

Your firewall won’t save you.

Only vigilance will.

Need help stress-testing your team against deepfakes and AI scams? Summit Consulting offers synthetic media simulation drills, AI scam red-teaming, and digital risk assessments tailored for Uganda.

Book your simulation now: www.summitcl.com

Don’t wait to be fooled. Train to detect. Prepare to defend.

Because in this new world, seeing is no longer believing.