Malicious Digital Influence Operations Are a Significant Business Threat
Five minute read: Why the growing threat of digital disinformation is important to companies
For most of the last decade, disinformation was discussed as a problem of democracies: contested elections, polarised societies, foreign interference in the public square. That framing is now incomplete.
The same techniques developed to move populations are being directed, deliberately and at low cost, against individual companies, their executives, and their balance sheets. Disinformation is no longer only a feature of the environment an organisation operates in. It is increasingly a weapon pointed at the organisation itself.
This is the shift that ought to concern boards. A digital influence operation is more than a stray rumour or a bad review. It is the coordinated use of false or manipulated information to alter what a target audience believes and how it behaves. The target can just as easily be your investors, your customers, your regulators, or your own staff as it can be an electorate.
From political phenomenon to commercial weapon
The structural signals are unambiguous. For two consecutive years, the World Economic Forum's Global Risks Report has ranked misinformation and disinformation as the most severe short-term global risk - ahead of armed conflict and extreme weather. That is no longer a narrative about elections; it is a statement about the operating conditions for every internationally exposed business.
The market is repricing accordingly. Gartner forecasts that by 2027, half of all enterprises will be investing in disinformation-security products, services, or TrustOps strategies - up from fewer than five percent in 2024 - and that enterprise spending to counter mis- and disinformation will exceed thirty billion dollars by 2028, drawn in part from existing marketing and cybersecurity budgets. When a category moves from under five percent adoption to fifty percent inside three years, it has stopped being a horizon risk and become a line item.
Three developments explain the speed of that change. The cost of producing convincing synthetic content has collapsed; the tools to generate deepfaked audio, video, and text are now available to anyone with a laptop. The cost of distributing it at scale has collapsed too, through automated account networks that can manufacture the appearance of consensus overnight. And the people who once needed a state's resources to run an information operation no longer do - commercial rivals, activist networks, disgruntled insiders, and short-sellers can now commission the same capability.
What an influence operation against an organisation looks like
It helps to be precise about what is actually being attacked. An organisation's exposure to influence operations has three dimensions, and effective assessment addresses all of them.
The first is what is exploitable: the true but sensitive information already visible across open and semi-open sources - leadership movements, supply-chain dependencies, litigation, ESG commitments, financial calendar, executive digital footprints - that an adversary can weaponise without inventing anything.
The second is who might use it: not an abstract “bad actor,” but a specific class of adversary with a motive. A competitor seeking to disrupt a product launch. An activist network targeting a supply-chain relationship. A short-seller with a financial position in your decline. A hostile state with a grievance against your sector or your jurisdiction.
The third is how, and this is the dimension most often underestimated. Adversaries do not merely exploit what already exists; they fabricate. A forged press release, a synthetic executive statement, a manufactured grassroots backlash, a deepfaked video call. The absence of any real underlying vulnerability is no protection, because the operation does not depend on one being there.
These dimensions combine into a recognisable repertoire: fabricated allegations against named executives; coordinated, bot-amplified “outrage” engineered to look organic; forged corporate communications; and synthetic-media fraud that impersonates leadership to authorise transactions. None of these are hypothetical.
The pattern is no longer theoretical
In 2025, the automaker Xiaomi attributed a smear campaign in the days before a major product launch to a network of roughly ten thousand fabricated social-media accounts seeding negative content. The same year, the chief executive of the rapid-delivery firm Zepto publicly alleged a coordinated campaign orchestrated through a rival. These are manufactured reputational accidents; they are operations, with objectives and resourcing behind them.
The financial-fraud variant is now the most quantified. The engineering consultancy Arup lost the equivalent of roughly twenty-five million US dollars after a finance employee in Hong Kong was convinced to authorise a series of transfers during a video conference in which every other participant - including a supposed chief financial officer - was an AI-generated deepfake. Arup's own technology estate was never breached; firewalls, access controls, and multi-factor authentication all functioned correctly throughout. The attackers did not penetrate the network. They penetrated trust. Reported deepfake-enabled fraud losses against US corporate accounts reached an estimated 1.1 billion dollars across 2025, roughly triple the prior year.
The lesson Arup's own leadership drew is the one that matters: this was technology-enhanced social engineering, not a cyberattack in the conventional sense. A live video call can no longer be treated as proof of identity.
Why conventional defences leave a gap
Most organisations are defended against the wrong thing. Cybersecurity programmes are built to keep adversaries out of systems and data - and at Arup, they worked. They are not designed to address an attack that never touches the network, that operates entirely through perception, authority, and trust.
Public relations and communications functions, meanwhile, are built to respond once a story is already in the open. By the time a fabricated narrative is visible enough for the comms team to react, bot-amplified attacks have frequently already pushed the proportion of inauthentic conversation about a brand from a normal single-digit share toward forty percent - the threshold at which a narrative becomes self-sustaining and very difficult to reverse. A reactive posture cedes the initiative to the adversary by design.
The result is a structural gap. The threat sits between the cyber team's remit and the communications team's remit, and falls cleanly into neither. It is not a vulnerability to be patched, and it is not a message to be managed. It is an adversarial operation to be understood, anticipated, and countered.
What protection actually requires
Closing that gap is an intelligence problem before it is a communications or a security one. The discipline that works is adversary-focused and proceeds through a defined lifecycle rather than a one-off audit.
It begins with assessing exposure as an adversary would see it - mapping what is exploitable, who would have reason to exploit it, and how. It depends on monitoring the open and semi-open information environment continuously, so that a coordinated narrative is detected while it is still forming rather than after it has crossed into the mainstream. It requires the capability to evaluate what is detected - to distinguish organic criticism from a manufactured campaign, to assess coordination and inauthenticity, and to attribute intent - because the response to genuine grievance and the response to an engineered attack are not the same. It requires the ability to respond with measured, evidence-led action that contains a hostile narrative without amplifying it. And it requires building resilience, so that the organisation's people, processes, and verification controls are hard to manipulate in the first place - pre-agreed authentication for sensitive instructions, out-of-band confirmation for financial transfers, and staff who have been trained to recognise synthetic media rather than to trust a familiar face on a screen.
This is also, necessarily, a cross-functional undertaking. The stakeholders are no longer confined to IT and security; they now include communications, human resources, legal, finance, and operations. The threat is enterprise-wide, and the defence has to be as well.
How this differs from PR, comms, and conventional security
It is worth being explicit, because the distinction is routinely blurred. This work is not public relations: PR shapes and recovers reputation, but it is not built to detect coordinated inauthentic activity, attribute it to an adversary, or counter an operation before it surfaces. It is not generic cybersecurity: conventional security protects systems and data, but the operations described here deliberately leave the network untouched. And it is not generic consultancy: the capability required is operational intelligence tradecraft - the same analytical discipline used to study influence operations in the national-security context, applied to the commercial environment.
This is a new norm: treating malicious information not as a communications inconvenience but as the deliberate, attributable, counterable adversarial activity it has become.
FREQUENTLY ASKED QUESTIONS
What is a digital influence operation?
A digital influence operation is the coordinated, often covert, use of false, manipulated, or misleadingly framed information across digital channels to change what a target audience believes or how it behaves. When directed at a company, the objective is typically to damage reputation, manipulate markets, disrupt operations, or coerce a decision.
What is a narrative attack?
A narrative attack is an influence operation built around a specific harmful storyline about a person, organisation, product, or place. It is seeded, amplified, and sustained until it shapes perception. Unlike isolated criticism, it is coordinated and intended to cause financial, operational, reputational, or physical harm.
What is the difference between disinformation, misinformation, and malinformation?
Disinformation is false information spread deliberately to deceive. Misinformation is false information spread without intent to harm, often by people who believe it is true. Malinformation is genuine information shared maliciously and out of context to cause harm. For example, leaking real but sensitive material to damage a target.
Are influence operations a cybersecurity problem?
Only partly. Influence operations frequently leave an organisation's systems and data untouched, as the Arup deepfake fraud demonstrated. They exploit perception, trust, and authority rather than technical vulnerabilities, which is why they fall outside the remit of conventional cybersecurity and require a distinct, intelligence-led discipline.
How can an organisation protect itself against digital influence operations?
Effective protection is a continuous lifecycle rather than a one-off audit: assess the organisation's exposure as an adversary would, monitor the information environment for coordinated activity, evaluate and attribute what is detected, respond in a way that contains rather than amplifies a hostile narrative, and build resilience into people and verification processes. It is a cross-functional effort spanning security, communications, legal, finance, and HR.
Get in touch
