It is 7:42 a.m. on a wet Monday morning. The finance team of a regional financial institution is already tense because payroll is due, suppliers are calling, and the board pack must be closed before midday. A softly spoken finance officer, the kind who keeps two pens in his shirt pocket and avoids office politics, receives a message that appears to come from a senior executive. The tone, greeting and pressure are correct. The message says a strategic partner must be paid urgently because the CEO is joining a regulatory meeting and cannot be disturbed.
Then comes the video call. On the screen is a senior-looking man with a clean-shaven face, slightly tired eyes and the controlled impatience of someone used to being obeyed. He says, “Please handle this discreetly. We discussed it last week, send confirmation to the team.”
The officer hesitates for three seconds. That hesitation later becomes the most important evidence in the case. Because in fraud, the truth often hides inside the smallest pause. The payment was processed in two tranches. The first went through a bank transfer to a local account that appeared to belong to a legitimate vendor. The second moved through mobile money wallets linked to field facilitators, allegedly for urgent mobilisation costs. The approvals looked clean, the email trail looked normal, the invoice carried the right logo, the payment narration matched previous transactions, and even the phone number used for confirmation had once appeared in an earlier supplier communication. That is synthetic trust.
It is not merely a deepfake video or a fake email. It is the construction of a believable trust environment using fragments of truth stolen from ordinary work life. The attackers did not need to break every control, they only needed to imitate enough reality for busy people to stop thinking.
In court, that distinction matters. A weak investigator calls it a cyberattack. A serious investigator calls it a trust manipulation scheme supported by digital impersonation, payment diversion, internal process weakness and human pressure.
The fraud did not start on Monday, it started weeks earlier, quietly. The attackers studied the organisation’s rhythm. They knew when payroll pressure peaked, which suppliers were frequently paid, which executive travelled often, that approvals were commonly chased through WhatsApp after documents were uploaded into the system and that one department treated urgency as authority.
One junior staff member later told the investigation team, “Sir, the instruction looked strange, but not strange enough.” That sentence should be written on every boardroom wall. Most fraud does not look abnormal; it looks slightly faster than usual.
The attackers used four layers.
- They created a credible email chain by copying old language from genuine correspondence.
- They used a cloned voice note to reinforce urgency.
- They arranged a short video call in which the “executive” spoke briefly and avoided long interaction.
- They pushed payment into a mixed channel, part bank transfer and part mobile money, to create speed and fragmentation.
This is where average investigators miss the case. They chase the face on the screen and forget the payment behaviour. They admire the technology and ignore the control failure. They focus on the fake executive and forget the real question: who inside the organisation knew the payment habits, approval weaknesses and pressure points? Take note that:
- synthetic trust feeds on predictable behaviour. If your organisation always pays urgent invoices on Friday, if senior people always bypass normal channels, if finance fears upsetting power more than breaking controls, then attackers do not need magic. They need observation.
- authenticity is no longer proof. A voice can be copied, a face can be generated, an email can be spoofed, and a familiar writing style can be imitated. The question is no longer, “Does this look like the executive?” The better question is, “Can this instruction survive independent verification?”
- mixed payment channels are a red flag when urgency is used to defeat normal review. A genuine emergency may exist, but genuine emergencies still leave disciplined evidence.
- internal culture determines whether technology becomes protection or decoration. If staff are punished for asking questions, they will obey fraud politely.
Take your last five urgent payments and reconstruct the evidence trail. Ask your team, “If this transaction were challenged in court, would we prove authority, purpose, beneficiary legitimacy and independent verification without relying on memory?” If the answer is no, you do not have a payment process. You have a trust ritual.
How it was noticed
The fraud was not discovered by a genius system, it was noticed by a stubborn internal auditor with the irritating habit of reading narrations slowly. She was a quiet woman, always carrying a small notebook, the kind of professional people underestimate because she does not perform intelligence loudly. She saw three things.
The supplier invoice had the correct logo, but the spacing around the tax number was different from previous invoices. The email requesting payment had a familiar sign-off, but the punctuation was slightly cleaner than the executive’s usual messages. The mobile money schedule carried names that appeared unrelated to the vendor’s known field operations.
Individually, none of these proved fraud. Together, they created what investigators call a pattern of discomfort. That is frontline skill. Good investigators do not start by accusing people. They start by preserving doubt.
The auditor did not shout, she froze the next payment batch, requested the original supplier contract, obtained the vendor master change history, asked ICT for email header details, and requested call logs from the approving officers. She also did something many investigators forget. She wrote down the exact time she first noticed the anomaly.
That timestamp later protected the integrity of the investigation.
- fraud detection begins with disciplined curiosity, not suspicion. Suspicion makes people defensive while curiosity makes evidence speak.
- small formatting changes are not small when money has moved. Courts respect consistency, and fraud often disturbs consistency before it exposes itself.
- a payment file must be read like a witness statement. Who created it? Who touched it? Who approved it? Who benefited? Who was absent? Who was unusually quiet?
- the first responder can damage the case by acting emotionally. Once staff start calling suspects, deleting chats, forwarding screenshots and warning colleagues, evidence begins to rot.
In your next audit committee or ExCo meeting, place one real payment file on the table and ask each leader to identify five pieces of independent evidence supporting the payment. Do not allow explanations. Allow only documents, logs, approvals and confirmations. The room will learn quickly that confidence is not evidence.
How the investigation unfolded
When Summit Consulting Ltd was brought in, we did not begin with the technology. That would have pleased the fraudster. We began with the business process. Who originated the request? Who validated the supplier? Who approved the payment? Who released the funds? Who confirmed receipt? Who changed or relied on contact details? Who had access to prior emails? Who knew the executive’s travel schedule? Who benefited from urgency?
In the room sat four key characters. Suspect 1 was a confident operations staff member, broad-shouldered, well dressed, always helpful and always near the centre of information. Suspect 2 was a finance assistant with nervous hands and a habit of over-explaining simple things. Suspect 3 was an external intermediary who spoke softly, carried two phones and claimed to know everyone. The witness was the finance officer who processed the payment and now looked like a man replaying the same mistake in his mind every five minutes.
We separated the technology evidence from the human evidence, then connected them carefully. Email headers showed routing irregularities. The vendor master file showed that no formal supplier change had been approved, but the team had relied on “updated details” shared through informal channels. The mobile money recipients were not on the supplier’s approved field list. The video call lasted less than two minutes, and the fake executive avoided open-ended questions. The cloned voice message used phrases the executive often used publicly, but lacked the small informal expressions staff knew from private working sessions.
That last point is important.
Fraudsters can copy sound.
They struggle to copy relationship memory.
Digital evidence must be handled with chain of custody discipline. Screenshots are useful for orientation, but they are weak if not supported by original logs, metadata, device records, system exports and properly documented collection steps. Interviews must test knowledge, not merely collect denials. We asked Suspect 1 to explain the normal payment journey, then asked him to explain why this transaction moved differently. His answers were fluent until we asked for the source of the changed contact details. Good investigators reconstruct the fraud clock. Minute by minute, action by action, device by device, approval by approval. Courts like time because time is hard to argue with. Defence counsel will attack contamination, authority and alternative explanations. They will ask whether the evidence was properly preserved, whether the accused had exclusive access, whether the transaction could have been a genuine mistake, whether the organisation’s own weak controls caused the loss, and whether the investigators confused suspicion with proof. Prepare for that from day one.
As a fraud investigator, try doing this. Build a fraud timeline with five columns: time, actor, action, evidence source and control breached. Then remove every line supported only by verbal claims. What remains is your case. What disappears is your investigation gap.
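The five-column timeline exercise above, sketched as an added example (not part of the original article). The sample rows, the date and the labels treated as "verbal" are constructed assumptions for illustration.

```python
import csv
import io
from datetime import datetime

# Evidence-source labels treated as verbal-only (assumed vocabulary for this example).
VERBAL_SOURCES = {"verbal", "interview", "recollection"}

# Constructed sample rows; date, actors, sources and controls are illustrative only.
SAMPLE_CSV = """time,actor,action,evidence_source,control_breached
2025-01-06 08:40,Finance officer,Released tranche 2 to mobile wallets,mobile money statement,Approved beneficiary list
2025-01-06 07:42,Finance officer,Received payment request,mail gateway log,
2025-01-06 07:55,Unknown caller,Video call with 'executive',verbal,Call-back verification
2025-01-06 08:25,Finance assistant,Shared 'updated details' informally,recollection,Vendor master change
2025-01-06 08:10,Finance officer,Released tranche 1 by bank transfer,core banking export,Dual approval
"""


def load_timeline(text):
    """Parse the five columns and order the rows into a fraud clock."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M")
        row["evidence_source"] = row["evidence_source"].strip().lower()
    return sorted(rows, key=lambda row: row["time"])


def split_case(rows):
    """Separate lines backed by records (case) from verbal-only lines (gap)."""
    case, gap = [], []
    for row in rows:
        source = row["evidence_source"]
        (gap if not source or source in VERBAL_SOURCES else case).append(row)
    return case, gap


def unproven_controls(case, gap):
    """Control breaches alleged only on verbal evidence: what still needs a record."""
    proven = {r["control_breached"] for r in case if r["control_breached"]}
    alleged = {r["control_breached"] for r in gap if r["control_breached"]}
    return sorted(alleged - proven)


if __name__ == "__main__":
    case, gap = split_case(load_timeline(SAMPLE_CSV))
    for row in case:
        print(row["time"], row["actor"], row["action"], row["evidence_source"])
    print("Investigation gap:", unproven_controls(case, gap))
```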
A fraud case is like bringing a blood-stained knife to court without proving where it was found, who picked it, how it was stored, who examined it and whether anyone else touched it before analysis. The knife may be real, the blood may be real, and the story may even be true. But if the chain is broken, the court sees doubt.
Digital evidence is the same. An email printout is not the email, a screenshot of a WhatsApp message is not the device record, a voice note forwarded five times is not clean evidence, a transaction schedule without system logs is a map without a compass. This is where many organisations lose cases they should win. They discover the fraud emotionally, investigate it administratively and present it legally as if courts punish bad behaviour merely because management is angry.
Courts punish what evidence proves. You must know that:
- the law is less interested in what management believes and more interested in what the evidence can independently establish.
- every digital artifact must answer three questions, where did it come from, how was it preserved, and how does it connect to the issue being proved?
- internal policy breaches are not automatically criminal proof. A staff member may breach procedure without committing fraud, and a fraudster may exploit weak procedure without leaving obvious fingerprints.
- the best investigators write for the judge from the beginning. They do not merely collect facts. They build admissible clarity.
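One way to make each artifact answer the three questions in the list above (source, preservation, connection to the issue) is a hash-chained custody log. This is an added example, not the investigators' own tooling; the field names, SHA-256 chaining and sample artifacts are assumptions constructed for illustration.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_entry(log, artifact: bytes, source, collected_by, collected_at, proves):
    """Append a custody entry that commits to the artifact and to the previous entry."""
    entry = {
        "source": source,                         # where did it come from?
        "collected_by": collected_by,             # how was it preserved?
        "collected_at": collected_at,
        "artifact_sha256": sha256_hex(artifact),
        "proves": proves,                         # how does it connect to the issue?
        "prev": log[-1]["entry_sha256"] if log else "0" * 64,
    }
    entry["entry_sha256"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify(log, artifacts):
    """Return a list of problems: altered custody records or altered artifacts."""
    problems, prev = [], "0" * 64
    for i, (entry, artifact) in enumerate(zip(log, artifacts)):
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        digest = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if entry["prev"] != prev or digest != entry["entry_sha256"]:
            problems.append(f"entry {i}: custody record altered")
        if sha256_hex(artifact) != entry["artifact_sha256"]:
            problems.append(f"entry {i}: artifact does not match recorded hash")
        prev = entry["entry_sha256"]
    return problems


# Constructed sample artifacts (placeholders, not real evidence).
EMAIL = b"Received: from mail.example.test\r\nSubject: Urgent payment\r\n"
EXPORT = b"txn_id,amount,beneficiary\nT-001,1000,Vendor A\n"
LOG = []
add_entry(LOG, EMAIL, "mail server export", "ICT officer",
          "2025-01-06T10:15", "routing of the payment request")
add_entry(LOG, EXPORT, "core banking export", "Internal auditor",
          "2025-01-06T10:40", "release of tranche 1")
```

A forwarded copy or re-saved screenshot produces a different hash than the original export, so `verify` flags it instead of leaving the question to memory.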
Synthetic trust rises where organisations confuse familiarity with verification. This is not a message against technology. It is a message for disciplined adoption.
AI, digital identity tools, automated workflows and biometric systems can improve trust, but only when the organisation has clarity on authority, segregation of duties, evidence retention, exception handling, vendor validation, payment controls and accountability. Without those disciplines, technology becomes a more elegant way to make old mistakes.
The Board must therefore ask better questions.
- Not, “Do we have cybersecurity tools?” Ask, “Which business processes still rely on personal trust?”
- Not, “Do we use multi-factor authentication?” Ask, “Can a senior person still override controls through pressure?”
- Not, “Have we trained staff?” Ask, “Have we made it safe for staff to pause suspicious instructions from powerful people?”
- Not, “Was the fraud sophisticated?” Ask, “Which ordinary weakness made sophistication unnecessary?”
You must understand that synthetic trust is a governance problem wearing a technology jacket. The best control is not suspicion, it is independent verification designed into the workflow. Tone at the top must protect staff who slow down risky instructions. If speed is always rewarded and caution is mocked, the organisation is training employees to assist fraud unknowingly. Cybersecurity will belong to organisations that combine digital forensics, behavioural insight, legal discipline and execution controls.
What else you should know
Synthetic trust will not always arrive as a dramatic deepfake call. Sometimes it will arrive as a supplier email, a board paper attachment, a recruitment candidate with polished credentials, a customer onboarding file with real-looking documents, an internal instruction from a compromised account or an AI-generated report that sounds authoritative but contains subtle lies.
The future will reward verified organisations and not paranoid ones. That means leaders must build cultures where evidence is respected, questions are welcomed, controls are practical, and speed does not defeat judgment.
In the case I have described, the loss was contained because one auditor respected her discomfort, one finance officer admitted his hesitation honestly, and the investigation team treated the matter as a full trust-chain failure rather than a simple technology incident.
That is the lesson. The enemy is not only the fake face, but the unverified assumption. The rise of synthetic trust demands a new leadership discipline. Trust must be earned by evidence, renewed by controls and protected by culture, because in the age of artificial intelligence, the most expensive words in business may soon be, “It looked genuine.”
Institute of Forensics & ICT Security.


