It started with a Zoom call. The CFO of a Kingston firm joined a routine finance meeting with the CEO and an external partner. Forty minutes later, J$3.2 million had been wired to an offshore account. The CEO had never been on the call. Neither had the partner. Both were AI-generated deepfakes — and this story is no longer hypothetical for Jamaica.
The Anatomy of a 2026 Deepfake Attack on a Jamaica Business
Step 1 — Reconnaissance. Attackers scrape LinkedIn, your company website, press releases in the Gleaner / Observer, and YouTube for executive footage and organisational charts.
Step 2 — Synthesis. They feed the audio and video into off-the-shelf generative models. Within hours, they have a workable voice clone and a usable real-time deepfake avatar.
Step 3 — Pretext. A finance team member receives an email — perfectly worded, perfectly branded — inviting them to an urgent call to authorise a confidential acquisition payment.
Step 4 — Execution. On the call, the deepfaked CEO instructs the wire. Process is bypassed under the guise of urgency or secrecy. The funds move. By the time the real CEO is reached, the money is gone.
Why AI Has Changed Everything
In 2022, producing a convincing deepfake required a skilled operator, hours of source material, and serious compute. In 2026, it requires a credit card. Open-source models such as Wav2Lip, SadTalker, and various voice-cloning tools have made the attack accessible to organised criminal groups operating globally — and Jamaica is not exempt.
The World Economic Forum's Global Cybersecurity Outlook 2025 ranks AI-enabled social engineering as the fastest-growing cyber threat. Deloitte's Center for Financial Services forecast that generative-AI-enabled fraud could reach US$40 billion in losses by 2027, up from US$12.3 billion in 2023 — a 32% compound annual growth rate.
73% of Jamaican SMEs surveyed by the JCC reported at least one cyber incident in the past 12 months.
The Jamaica Threat Landscape
Reports to Ja-CIRT (Jamaica Cyber Incident Response Team) of business email compromise (BEC) and deepfake-assisted fraud reached record levels in 2025, with documented losses of J$2.4 billion — and security professionals widely accept that under-reporting means the true figure is significantly higher.
Over J$1.2 billion lost to lottery and online scams in 2024 according to the Major Organised Crime and Anti-Corruption Agency (MOCA).
The Caribbean's tightly networked business community is a double-edged sword: trust accelerates legitimate commerce, but it also lowers natural scepticism. A 'call from a Kingston colleague' is harder to refuse than a cold email — which is precisely why deepfake operators target our region.
Five Controls Every Jamaica SME Should Implement This Month
1. The Callback Rule. Any new payment instruction, change of bank details, or unusual transfer must be confirmed by calling a phone number on file — never a number contained in the request. This single control defeats the majority of BEC and deepfake attacks.
2. The Safe Word. Agree a non-public phrase that any executive must use when authorising a payment over voice or video. Voice clones cannot guess what the human never publicly said.
3. Multi-Person Authorisation. No single individual should be able to release funds above a defined threshold. Wire-out controls in your online banking are free to enable — use them.
4. Email Authentication. Enforce SPF, DKIM, and DMARC on your domain. This stops attackers from spoofing your own email address back at your team.
5. AI-Aware Training. Update your security awareness training to cover voice clones, deepfake video, and AI-generated phishing.
Sector-Specific Notes for Jamaica
Financial services. NCB, Scotiabank Jamaica, JN Bank, Sagicor Bank have all rolled out enhanced fraud-monitoring AI, but customer-side compromise remains the dominant attack path.
Tourism and hospitality. Hotels, villas, and tour operators in Jamaica are heavily targeted via fake-booking and refund-fraud schemes.
BPO and shared services. Customer-facing voice operations are highly exposed to voice-clone impersonation of customers attempting to socially-engineer account changes.
Public sector. Procurement and vendor-payment workflows in ministries and statutory bodies are prime targets.
How to Respond If You Are Hit
Hour 1. Call your bank's fraud line and request an immediate recall. Speed is everything.
Day 1. File a report with the Jamaica Constabulary Force (JCF) Cybercrime and Digital Forensics Unit and notify Ja-CIRT. Preserve all logs, recordings, and emails.
Week 1. Engage an external incident-response provider. Audit how the attacker got in. Reset all credentials for exposed staff.
Month 1. Conduct a formal post-incident review. Update controls, policies, and training. Brief the board.
Frequently Asked Questions
What exactly is a deepfake and how is it being used against Jamaica businesses?
A deepfake is AI-generated synthetic audio, image, or video that imitates a real person. In Jamaica, deepfakes are being used to impersonate CEOs, CFOs, suppliers, and bank officers on phone and video calls to authorise fraudulent payments and credential resets.
How can a small Kingston business defend against attacks that cost millions globally?
The controls are inexpensive. A written callback rule, a verbal safe word, multi-person authorisation in online banking, MFA on all accounts, and updated staff training will block the vast majority of AI-enabled fraud.
What does Jamaica's Data Protection Act, 2020 require us to do after a breach?
Organisations are generally expected to notify affected individuals and the regulator within a reasonable time-frame, mitigate harm, and document the incident.
Are AI tools themselves dangerous to use in our business?
AI tools are not the threat — uncontrolled use is. Establish a written AI usage policy.
How do I report a cybercrime in Jamaica?
Contact the Jamaica Constabulary Force (JCF) Cybercrime and Digital Forensics Unit for criminal investigation and Ja-CIRT for incident-response coordination. If money is in motion, your bank's fraud line is the first call.
Will cyber insurance pay out on a deepfake-driven loss?
Sometimes. Many policies exclude losses arising from authorised-but-deceived payment instructions. Review your wording with your broker.
Need help locking down your Jamaica business against AI-enabled fraud?
StarApple AI works with Caribbean organisations to design AI security policies, train staff on deepfake threats, and implement practical controls.
Talk to StarApple AIAbout AI Jamaica
AI Jamaica is the leading platform for artificial intelligence news, education, and community in Jamaica and the wider Caribbean. Powered by StarApple AI, the first Caribbean AI company, founded by Caribbean AI Expert Adrian Dunkley.