The 900% Rise in Deepfakes: What Every Nonprofit Communicator Should Know

The term "deepfake" covers a wide range of AI-generated or AI-manipulated content. For nonprofit communicators, the most relevant categories are face-swap video deepfakes, voice cloning audio deepfakes, and synthetic identity creation (entirely AI-generated people who do not exist). Each poses distinct risks, and each requires different protective measures.

Voice cloning has become particularly accessible and dangerous. Modern voice cloning tools can synthesize a convincing replica of someone's voice using as little as three seconds of recorded audio, according to McAfee research. Given that most nonprofit executive directors have recorded webinars, podcast interviews, or YouTube videos freely available online, the barrier to cloning their voice is effectively zero for a motivated attacker. Voice cloning fraud rose an estimated 680% in the past year, driven largely by this accessibility.

Face-swap video deepfakes require more processing power but are still achievable with consumer-grade hardware and freely available tools. The Arup attack demonstrated that real-time deepfake video on a standard business video call is no longer theoretical. For nonprofits, this means that a video call from your "executive director" requesting an urgent transfer, or from a "board member" asking for sensitive information, cannot be assumed to be authentic based on visual appearance alone.

Perhaps most concerning for nonprofit communicators is the fraudulent fundraising category. The FBI's Internet Crime Complaint Center documented approximately $96 million in losses from fraudulent charity campaigns in 2024. These scams often use AI-generated imagery and video to create convincing fake social media accounts mimicking real, known organizations, particularly in the aftermath of natural disasters or humanitarian crises when donor urgency is high.

Despite the limitations of detection technology, having access to the right tools adds a meaningful layer of protection, particularly for verifying suspicious content before acting on it or sharing it publicly. Several tools are free or accessible at nonprofit-friendly price points.

TrueMedia.org was a nonprofit initiative providing free deepfake detection that achieved approximately 90% accuracy during the 2024 U.S. election cycle. After going offline for a relaunch, it returned to service in late 2025 and remains one of the strongest free options available, specifically designed for organizations rather than enterprise security teams. Reality Defender offers 50 free detections per month and is designed with journalists and smaller organizations in mind.

Adobe's Content Authenticity web app, launched in early 2025, provides a free tool that allows creators to attach Content Credentials to their own published material, creating a cryptographic record of provenance. The companion verification site at contentcredentials.org lets anyone upload media to check for this provenance metadata. This is the authentication standard, not detection after the fact: your organization proactively marks genuine content so that recipients can verify its origin.

For enterprise-level detection, Sensity AI and Reality Defender's paid tiers provide comprehensive video, audio, and image analysis. These are appropriate for larger organizations with significant public communications activity or those operating in particularly high-risk environments. Microsoft's free Content Integrity Check browser extension can also verify provenance information on media encountered while browsing.

Staff training for deepfake threats needs to be framed carefully. If you tell people they need to detect deepfakes, you set an impossible standard: human detection accuracy sits at 55-60%, barely better than guessing. The goal of training is not to turn staff into reliable deepfake detectors but to build behavioral habits that reduce vulnerability even when content appears completely convincing.

The most effective training reframes the challenge as a verification process rather than a detection task. Instead of "can you tell if this is fake?", the question becomes "what is the verification process for this type of request?" This framing removes the burden of detection from the individual and places it on the organizational process, which is where the control actually lives.

Scenario-based simulations are the most effective training format. These are the equivalent of phishing simulations that have become standard in cybersecurity: run a simulated deepfake attack against your own staff, then debrief on how the experience felt and what the correct response would have been. A simulated voice call from a fake "executive director" requesting gift cards, followed by a staff debrief, builds muscle memory for the appropriate verification response in a way that a policy document cannot.

Training content also needs to cover the specific warning signs that remain relevant even as deepfake quality improves. Urgency is the most reliable indicator: legitimate requests for wire transfers, sensitive information, or unusual actions are almost never genuinely urgent in a way that precludes a 24-hour verification delay. The pressure to act immediately is itself the primary manipulation technique, and staff who recognize urgency as a manipulation signal are far better protected than those who are trying to evaluate the visual authenticity of a video call.

Approximately half of nonprofits lack any formal crisis communication plan, and an even smaller fraction have plans that specifically address AI-generated misinformation or deepfake attacks. This means that most organizations are improvising their response during the highest-stress, highest-visibility moment of a crisis, when improvisation is most likely to compound the original damage.

The most important pre-crisis action is drafting template response communications now, before an incident occurs. One template for a financial fraud attempt (where your organization's brand was used to steal from donors), one for a reputational deepfake (a fake video of your leadership), and one for a fake fundraising campaign. These templates should be written, approved by leadership and legal counsel, and stored in an accessible location so that response time is measured in minutes rather than hours.

When a deepfake incident occurs, the guiding principle from crisis communications research is: respond quickly, with transparency, and across all owned channels simultaneously. The gap between a deepfake going viral and your public response is the window during which the most reputational damage accumulates. Silence reads as confirmation in the absence of information.

For donor-specific response, direct personal communication is more effective than broadcast channels. Major donors should receive personal calls from the executive director, not emails or social media posts, for significant incidents. This personal outreach demonstrates the organizational integrity that deepfakes are designed to undermine, and it gives donors a direct opportunity to ask questions and receive reassurance before they make decisions about their giving relationship with your organization.