top of page

Deepfakes, DORA and a 495% Fraud Surge: Why This Was Cyber's Loudest Week of the Year

Deepfakes, DORA and a 495% Fraud Surge: Why This Was Cyber's Loudest Week of the Year

As of this week, financial institutions face an identity-fraud landscape reshaped almost overnight, and the regulators are done being patient.

If cybersecurity leaders in financial services thought Q1 was hectic, the last seven days delivered a proper wake-up call. Fresh data out this week from identity-management firm Shufti pegs deepfake identity fraud on track for a 495 percent increase in 2026 versus 2025. Document deepfakes alone are projected to grow 3,892 percent, roughly a 40-fold jump. Meanwhile, the EU's Digital Operational Resilience Act (DORA) supervisory cycle formally shifted this quarter from help firms remediate to enforce with fines, and the European Digital Identity Wallet moved from theoretical to unavoidable, with a hard end-2026 rollout deadline now looming.


Put simply: the attackers scaled faster than most banks' fraud stacks did. Here's the state of play.


The deepfake surge is not a forecast, it's already the norm


The Identity Fraud Index report from Shufti, cited widely across the security press this week, describes a fraud environment fundamentally reshaped by generative AI. Deepfakes now account for 11% of all global fraudulent activity, per data compiled by Vectra AI. Losses in the first half of 2025 alone already exceeded $410 million, with individual incidents topping $680,000 per event, according to industry data referenced by Fourthline. Bloomberg-cited projections put generative-AI-enabled fraud in financial services on track for ~$40 billion annually by 2027.


Banks are lending to people who don't exist

The most under-reported line in this week's news came from PYMNTS: banks are increasingly extending credit to deepfake borrowers. Synthetic-identity fraud, once a laborious craft, now takes one image or a text prompt in an AI tool, in the phrasing of the report. Mitek and Datos Insights reinforced the point on June 10, calling synthetic identity fraud the defining fraud threat of 2026 and warning that generative AI is forcing institutions to rethink identity verification at enrollment, not periodically, but as a continuous process.


The Experian forecast: agentic AI and deepfake job candidates

Even the workforce side of the risk register is getting louder. Experian's 2026 fraud forecast flagged agentic AI, deepfake job candidates and cyber break-ins as the year's top threats. Deepfake job candidates matter because remote hiring in FS has become an infiltration vector: attackers get inside the perimeter as employees, not as external actors.


DORA moves from paper to penalty


Financial institutions across the EU have known DORA was coming since it applied on January 17, 2025. What changed this quarter is that supervisors have signalled the 2026 cycle will be enforcement-oriented, not remediation-oriented. The stakes are real: fines of up to 10% of annual global turnover or €10 million, whichever is higher, for serious breaches, plus up to €1 million in personal liability for senior managers. That's a governance conversation, not an IT-department conversation.


DORA Article 28 has quietly become the operational core of the regulation. Article 28(4) requires pre-contractual assessment covering substitutability, insolvency risk, data protection compliance and subcontracting chains. Article 28(6) mandates continuous ongoing monitoring, meaning point-in-time due diligence is no longer sufficient. Article 11 requires operational continuity even during ICT disruptions, effectively pushing ransomware resilience from a nice-to-have into a licensing prerequisite. The register-of-information requirements, which many firms have flagged as their weakest area, will be a specific enforcement focus this cycle, per EIOPA guidance.


The bill for third-party failure just came due, again


The Marquis Software Solutions breach, which regulatory filings in March 2026 confirmed exposed data on between 672,000 and 1.35 million individuals across 74+ US financial institutions, remains the poster child. Fox News reported the vendor was hit via a SonicWall vulnerability in August 2025, but the downstream impact is still cascading through 2026.


The Korean Leaks campaign, meanwhile, exemplifies the modern MSP-as-attack-vector pattern: the Qilin ransomware group compromised a single managed service provider, GJTec, and pivoted into 32 South Korean financial institutions, extracting more than 1 million files and 2+ terabytes of data without breaching each institution independently. That is the definition of a supply-chain event, and precisely what DORA Article 28 was written to prevent.


Broader Black Kite data suggests 65 finance-sector cyber incidents were recorded in Q1 2026 alone, a 76% year-on-year increase. The top threats: ransomware and data extortion, identity compromise, third-party and supply-chain attacks, AI-enabled fraud, hacktivist DDoS, customer account takeover and state-aligned activity.


Europe's identity gambit: EUDI Wallet arrives, with a biometric spoofing problem


Also converging this quarter: the European Digital Identity Wallet (EUDI Wallet). Under the eIDAS 2 regulation, every EU Member State must offer citizens an EUDI Wallet by the end of 2026. That is a very large clock ticking very loudly.


The wallet is designed to be the trust layer that finally makes online identity provable across borders. It relies heavily on face biometrics, and therefore inherits the entire deepfake problem discussed above. The EU's response has been to pioneer CEN/TS 18099, a new standard defining requirements for detecting biometric data injection attacks. LoA High-tier wallets will require both Presentation Attack Detection (PAD) and Injection Attack Detection (IAD). ETSI is publishing additional wallet-ecosystem trust specifications throughout 2026 and 2027, integrating feedback from the ongoing Large-scale Pilots.


The startup and funding picture

Investors are pricing the opportunity. ENISA signed a €1.6 million ($1.8 million) two-year agreement to support national EUDI Wallet certification schemes, and identity-verification firm Authologic raised $8.2 million in Series A from European and American investors. Expect more.


What CISOs should do about it, this quarter


Three action items are clearly emerging from this week's news. Refit identity verification for AI, not paper. If your enrollment pipeline still leans primarily on document capture and a selfie liveness check calibrated to 2023 threats, you are exposed. Look at PAD, IAD, injection detection and continuous authentication, not just at onboarding, but at every high-risk transaction. The 495% fraud growth number is not going to be soaked up by better rules on a legacy stack.


Turn DORA compliance into an operational habit, not a documentation exercise. Register-of-information gaps and pre-contractual assessments under Article 28 are exactly the areas supervisors are scrutinising. If your third-party monitoring is still an annual PDF exchange, expect a visit.


Assume your MSP is your attack surface. Marquis and GJTec are not outliers, they are the model. If a single vendor sits between you and a compromise of 30+ peer institutions, you don't have a vendor risk problem, you have a systemic-risk problem. Treat it accordingly.


The uncomfortable truth


This week's confluence, a documented explosion in AI-enabled fraud, a regulator publicly done with warnings, and an identity infrastructure being built in real time to counter both, is the picture of a market being repriced. Cybersecurity is no longer the department that flags risk; it is increasingly the department that determines whether new products, new geographies and new partnerships are allowed to launch at all. For financial institutions still treating cyber as a downstream function, this was the week the ground moved.

 
 
bottom of page