Arup’s Hong Kong finance team lost $25.6 million to a fabricated video call. The CFO was there. Colleagues were there. Every face was AI-generated.
The employee had flagged the initial phishing email as suspicious. The attackers anticipated that. They ran a live video conference with synthetic recreations of Arup’s CFO and multiple colleagues, constructed from publicly available earnings calls, conference presentations, and LinkedIn videos. He transferred $25.6 million across 15 transactions. Nobody at Arup’s UK headquarters knew a meeting had happened.
Arup CIO Rob Greig confirmed the firm has seen sharp increases in phishing and WhatsApp voice cloning attempts. What’s different here is scope: this wasn’t a single fake email or a cloned voice. The attackers built an entire fabricated environment and ran it in real time. Wire transfer controls built on visual confirmation and senior executive approval don’t survive attacks that simulate both.
Deepfake-enabled vishing attacks surged 1,600% in Q1 2025 vs. Q4 2024, per Keepnet Labs data. The FBI’s 2025 IC3 report logged 22,000+ AI fraud complaints totaling $893 million. Congressional researchers estimate fewer than 5% of voice clone victims ever file a report. A 45-minute session with free software is enough to generate convincing video deepfakes. Ferrari CEO Benedetto Vigna was targeted the same way; that call ended only when an executive asked a question only Vigna would know.
Standard wire authorization workflows assume a live video call is hard to fake. It isn’t anymore. If your finance team can release funds after seeing a face on screen, that’s your highest-risk control right now. Monday task: require a callback to a pre-registered phone number on every wire request above your threshold; video confirmation no longer counts.
Nathan Zakhary