A voice on the phone that is exactly your CEO's. A video conference where everyone seems real. A rushed call for an urgent transfer. Welcome to the age of deepfakes — and to the new responsibility that Quebec's Law 25 places on any organisation that holds biometric data about its employees, clients or executives.
Julie got a call from her boss — but it wasn't him
Julie is a financial controller at a manufacturing SME on the South Shore. One Thursday afternoon, she receives a video call from her general manager. The voice is the same. The face is the same. Even the office backdrop is the one he has used for years.
Somewhat rushed, he explains that he is travelling discreetly for a strategic acquisition. He needs her to make a transfer of $87,000 to an escrow account before 5 p.m. Confidential, for now. He'll call her back as soon as he lands.
Julie hesitates. But it's clearly him. She wires the funds.
Her real boss calls her the next morning to ask how her day went.
In February 2024, a multinational in Hong Kong lost US$25.5 million in exactly this way. An employee in the finance department believed he was taking part in a video conference with his CEO and several colleagues. They were all deepfakes, generated in real time from public videos available online.
What is a deepfake? Plainly, no jargon.
A deepfake is audio, video or photo content generated or altered by artificial intelligence to make it appear that a person said or did something they never said or did.
The AI analyses photos, videos or voice recordings of a person, then reconstructs their face or voice with striking realism. The more source material is available, the better the result.
And here is the part that should give you pause: your employees, your executives and you yourself probably publish enough content online to feed a convincing deepfake. A filmed speech. A YouTube webinar. A LinkedIn video. Conference photos. That's all it takes.
Before 2018, creating a credible deepfake video required specialised skills and cost between $300 and $20,000 per minute. Today, free tools can clone a voice from less than 10 seconds of recording. A convincing video can be generated for less than $5 — in a matter of minutes.
The numbers that send a chill down your spine
In 2025, global losses attributable to deepfake fraud exceeded €1.33 billion, according to vendor Surfshark. Recruitment scams alone — fake candidates infiltrating organisations through deepfake interviews — are estimated to have caused more than €765 million in losses.
This is no longer isolated fraud. Experts speak of a genuine industrialisation of manipulation.
Why Quebec SMEs are ideal targets
You might think this kind of fraud only targets large corporations. It's the opposite.
SMEs are precisely the prime targets of fraudsters using deepfakes — for four simple reasons:
Fewer verification protocols
In an SME, a call from the GM is often enough to trigger a transfer. There is no mandatory dual authorisation and no independent validation channel.
A strong relationship of trust
Employees know their leaders personally. That familiarity, normally a strength, becomes a lever the fraudster exploits.
Plenty of public content available
SME leaders are increasingly present on LinkedIn, YouTube and Facebook. That content directly feeds the AI models used for voice and facial cloning.
Little training on this specific risk
Phishing awareness campaigns have existed for years. Deepfake awareness remains almost non-existent in most organisations.
Deepfakes and Law 25: your face is personal information
Here is something many organisations overlook: under Law 25, your face and your voice are personal information. And when they make it possible to identify or authenticate you biometrically, they benefit from enhanced protection.
The Commission d'accès à l'information (CAI) defines biometric data as unique characteristics that make it possible to identify or authenticate a person — including facial recognition, voice and gait.
What this means in practice for your organisation
✓ If you use biometrics legitimately
You must notify the CAI before deploying any biometric identity verification system, obtain the consent of the individuals, and document the processing (s. 45 of the Act to establish a legal framework for information technology).
⚠ If you fall victim to a deepfake
If personal information of your employees, clients or executives was used to create a malicious deepfake, it may constitute a confidentiality incident reportable to the CAI.
Law 25 provides that any breach in the protection of personal information that presents a risk of serious injury must be reported to the CAI and to the individuals concerned (s. 3.5 and 3.7). The unauthorised creation of a deepfake from images or recordings may fall within that framework.
Law 25 requires any organisation wishing to carry out the verification or confirmation of identity using biometric characteristics to notify the CAI in advance by completing the prescribed form. This obligation applies to both the private and public sectors. Reference: Commission d'accès à l'information du Québec.
Quebec responds: Bill 24
Bill 24, Quebec's response, is part of a worldwide legislative movement. The European Union adopted its AI Act in 2024, which imposes transparency obligations and clear labelling for any deepfake content. Canada is also working on a specific federal framework.
The signal is clear: governments are taking the problem seriously. Organisations that fail to prepare now will be behind within a few months.
Five concrete reflexes to protect your organisation
Technology alone will never be enough. The first line of defence against deepfakes is an organisational culture of verification. Here are five measures to put in place right now.
No transfer should be authorised on the basis of a single communication channel — phone, video or email. Set up a second, independent validation channel: a call to the official internal number, for example.
As simple as it sounds: a phrase or word agreed in advance between management and the finance teams can foil even the most sophisticated deepfakes. It must be kept confidential and renewed regularly.
Slight lip-sync lag, abnormal blinking, variable audio quality, unusual urgency, a request for confidentiality — these signals, often ignored under pressure, are the telltale signs of a deepfake. Annual training makes the difference.
The more public audio and video content is associated with an executive, the better a potential deepfake will be. Review what is available online and establish a policy for publishing video and audio content.
If your organisation falls victim to deepfake fraud — or if an employee's image is used without consent — you may have legal obligations under Law 25. Your incident register must account for this kind of scenario.
Building the deepfake threat into your compliance posture is exactly the kind of challenge Synéra tackles:
- Assess your specific risks related to biometric data and digital identity
- Update your security policies and your transaction validation procedures
- Embed deepfake detection into your employee training program
- Document biometric processing in your Conformaze register and notify the CAI where required
- Develop an incident response plan covering AI-driven identity theft scenarios
Key takeaways
Deepfakes are no longer a futuristic hypothesis. They exploit human trust — the very trust that makes tight-knit teams strong — and turn it against them.
The good news: most successful attacks rely on the absence of protocols, not the absence of technology. Simple organisational measures, properly implemented and well understood by teams, are enough to foil the most common scenarios.
Law 25 already requires you to protect the personal information of your employees and clients — including their biometric data. Bill 24 reinforces that framework specifically for AI-generated content. The regulatory signal is unequivocal.
The question is not whether your organisation will be exposed to this threat. It's whether it will be ready when it happens.
- Your face and your voice are personal information under Law 25. Biometrics is a regulated area that requires consent and notification to the CAI.
- SMEs are the prime targets — fewer protocols, a more direct relationship of trust, and an abundance of public content to feed AI models.
- Defence is organisational before it is technological: verification protocols, employee training and an incident response plan are your best tools.
Is your organisation ready for deepfakes?
Talk to our team to assess your risks and integrate this threat into your Law 25 compliance approach — policy, training, incident response plan and biometric notifications to the CAI.
Further reading
- La Presse — Deepfakes and fake emails (January 2025)
- CIO Online — Surfshark 2025 study (March 2026)
- Le Monde Informatique — Deepfake fraud 2025
- YouSign — Deepfakes and document fraud
- Forum des Compétences — AI and financial fraud
- Silicon.fr — Deepfakes, the next human vulnerability (October 2025)
- Langlois Lawyers — Deepfakes and the legal framework
- Actualité politique du Québec — Bill 24 (May 2026)
- Commission d'accès à l'information du Québec
Synéra packages mentioned in this article
- Synéra Conforme — Law 25 compliance and Privacy Impact Assessment (PIA) support (including biometrics)
- Synéra Vigile — continuous monitoring and compliance
- Privacy Officer on demand — an outsourced certified officer, starting at $750/month
This article is written for general information and awareness purposes. It does not constitute legal advice. The "Julie" scenario is an illustration; the February 2024 Hong Kong case and the other examples cited are documented by the referenced sources. For any question relating to your specific situation, contact Synéra or your legal advisor.