In Southeast Asia, the cybersecurity landscape in 2025 has been marked by a dramatic escalation in AI-enabled scams and deepfake attacks, which have severely undermined public confidence in digital interactions.
A key trend is the explosive growth in deepfake-related fraud, which surged by 1,530% in the Asia-Pacific region between 2022 and 2023, exploiting human emotions and trust to facilitate sophisticated social engineering schemes.
This has led to widespread erosion of trust in media authenticity, as seen in incidents where fabricated videos impersonate public figures to promote fraudulent investments, fostering scepticism towards online content.
Another significant trend is the rising cost and frequency of data breaches and scams, with the average data breach in the region costing US$3.05 million in 2023 and cyber extortion incidents increasing by 42%, resulting in massive financial losses—such as SGD 651.8 million from scams in Singapore alone—and emotional trauma that diminishes faith in institutions and digital platforms.
For CISOs, these trends underscore the urgent need for AI-driven detection tools and robust verification systems to rebuild resilience in an increasingly deceptive digital environment.
Deepfake threat severity
Jasie Fon, regional vice president of Asia at Ping Identity, emphasises the profound risks posed by deepfakes across Asia in 2025.
"CSA's 2024 Cybersecurity Public Awareness Survey showed shocking statistics, only 1 in 4 could actually tell them apart from real videos, highlighting just how convincing these fakes have become," she notes.
Fon highlights the vulnerability of APAC due to rapid digital adoption, linguistic diversity, and high digital economy penetration. Deepfakes extend beyond financial harm, being weaponised to spread misinformation and discredit leaders, thus eroding institutional trust.
"Deepfakes are being weaponised to spread misinformation and discredit public figures. This undermines trust in institutions, leaders, and the democratic processes," Fon warns.
She points to real-world cases, such as a US$25 million executive fraud via impersonated video calls and 15% fraudulent hires using deepfakes in remote interviews.
"AI is real, and it is already happening today. Is happening more than what most companies realise in today's structure," she adds, urging AI countermeasures against these threats.
AI's cybersecurity impact
Fon discusses AI's dual role in reshaping cybersecurity for CISOs. "AI has accelerated the speed and sophistication of cyberattacks. Malicious actors use AI to create compelling phishing emails, fake websites, deepfake videos, and personalised social engineering attacks that evade traditional detection methods," she explains.
Yet, AI offers defensive advantages: "The emergence of AI also has its benefits and can be used to help combat deepfakes. Fighting bad AI with good AI is something that organisations or CISOs really need to start looking into right now," urges Fon.
At this crossroads, human identity is central. "We are at a critical societal crossroads of AI being used for both good and bad – and human identity is right in the centre of this technology tug-of-war," Fon states.
She stresses identifying non-human identities like agentic AI, integrating AI into IAM, zero trust, and security tools for scalable defences.
"As AI continue to shape the future of technology, its role in identity management will expand beyond just enhancing security. In fact, robust IDD systems will be essential to the success of deploying AI for business benefits." Jasie Fon
IAM roadmap gaps
Addressing Identity Access Management (IAM) strategies, Fon reveals deficiencies in countering deepfake-enabled threats. "In the APAC region, IAM faces significant challenges in mitigating deepfake takeovers and combating AI-driven identity fraud threats," she says, citing account takeovers and new account fraud.
Varying regulations across APAC complicate compliance. Decentralised identity (DCI) is undervalued: "Decentralised identity solutions are also seen as valuable, but at this moment, it's quite underutilised, when 99% in the survey that we have done believe that DCI is valuable, only 37% of them have implemented it to protect against fraud."
Ping's approach includes behavioural analytics, device telemetry, risk signals, and liveness detection.
"We leverage on behavioural analytics, device telemetry, Risk signals, identity proofing, including live selfies and government ID verification, combined with liveness detection to confirm the user's physical presence to identity, and this will help to catch the AI-generated fake deep fakes." Jasie Fon
Incident response shortfalls
Fon critiques current incident response plans for overlooking deepfake risks.
"APAC is increasing their investment in advanced identity verification layers and fraud prevention to manage and strengthen the security of new AI technologies, but it is a constant cat and mouse game to keep pace with bad actors and advancing tools used for bad motives," she observes.
Such insights highlight the need for proactive measures to rebuild eroded trust.
Strategy revision needs
As 2026 approaches, Fon advocates revising strategies to combat the rise of deepfakes.
"McKinsey finds that vulnerability in cybersecurity is one of the top three most cited risks of AI adoption, and many companies are prioritising the safety of new systems, so CISOs will need to revise their cybersecurity strategies to ensure continuous verification at every step and not again," advises Fon.
Regulatory mandates emerge
Fon outlines evolving regulations in ASEAN and Hong Kong. "Much government has already been looking into this. ASEAN has launched an expanded guide on governance and ethics for generative AI, including voluntary policy recommendations on risks and responsible use," she says.
Singapore's Online Harms Act and Cybersecurity Act target scams; the Philippines and Indonesia have dedicated agencies. "ASEAN nations broadly review data protections and privacy laws to integrate measures against AI-enabled threats."
Overall, emphasis is on self-regulation, education, and innovation, calls out Fon: "ASEAN and Hong Kong basically stress a lot on industry, self-regulations, public education, which in many countries actually is still very lacking, as well as technological innovations alongside legal measures as essential for effective deep fake mitigation."
Measuring ROI effectively
Fon reframes ROI beyond finances. "The ROI and efficiency efficacy of deep fake detection investment should not be thought of only in monetary terms, right, if you ask me, but for the bigger picture of how they help to prevent a successful attack," she argues.
Attacks cause disruptions, fines, and reputational damage: "Successful attacks on any company can result in operational disruptions, monetary loss, regulatory fines, implication to customer stress, loss of business, and a lot of it is really because of reputational damages that could cause, you know, so the company continue to operate itself could also be at stake."
This elevates discussions to board level: "So, viewed from this perspective, I think it is not just about the ROI or the efficacy, but more so in identifying the potential of being able to prevent deep fake, which is really a way of ensuring that deep fake doesn't penetrate your organisation."
2026 cybersecurity expectations
Looking to 2026, Fon anticipates a focus on agentic AI security. "I think in 2026, there will be a lot of discussion about the security of agentic AI. This emerges from many conversations regarding the growth of agentic AI: what are we going to do to identify and mitigate the risk of these agent bots or AI agents?" she predicts.
Distinguishing good from bad bots is key: "I think what we're going to see in 2026 is much focus on how we are going to help businesses manage the agentic AI for them to make more money with the good boss, but at the same time to prevent any breaches."
As a recommendation for 2026, CISOs should pioneer "AI agent passports"—digital credentials verifying AI entities' origins and intents, integrating blockchain for immutable trust chains to counter deceptive autonomous systems pre-emptively. This could restore confidence in an era where deception blurs the boundaries between humans and AI.
Click on the PodChats player to listen to details of Fon's cybersecurity observations and recommendations for CISOs in 2025 and 2026.
- Briefly, what is Ping Identity?
- How severe is deepfake as a threat to businesses, governments and individuals in Asia in 2025? Should AI take credit for the rise of deepfakes in the region?
- How has AI impacted the cybersecurity function at organisations?
- In your view, is the (identity and access management) IAM roadmap of most organisations in Asia sufficiently aggressive in deploying phishing-resistant (FIDO2/Passkeys) and continuous authentication to mitigate deepfake-enabled account takeover? (DCI?)
- In your opinion, do current incident response plans explicitly include procedures for addressing deepfake-based fraud, extortion, or reputational attacks?
- As 2026 approaches, does the rise in deepfake threats require CISOs to revise their cybersecurity strategies? Will this necessitate revising the cybersecurity budget priority and allocation?
- How will emerging regulations across ASEAN and Hong Kong specifically mandate the detection and mitigation of deepfakes for customer interactions and internal communications?
- How can CISOs, CIOs, and CFOs effectively measure the ROI and efficacy of their deepfake detection investments across various communication channels?
- What is your expectation around cybersecurity in 2026? Do you have any recommendations for CISOs and CIOs in the coming year?
