The Deepfake Heist That Didn’t Need a Hacker

Quarter-end pressure, a short video call, and a request that sounded routine: move the funds today or lose terms. In 2024, staff at Arup in Hong Kong joined a call like this. The people on screen looked and sounded like senior executives. They weren’t. Over the next few minutes, fifteen transfers went out to new accounts which was about US$25 million. Police later said the meeting was a deepfake; Arup confirmed the loss. The unsettling part isn’t the technology. It’s how ordinary the moment felt.

Why It Works

Scammers strike when everyone’s busy, so a same-day request doesn’t seem crazy. They piece together details from public info, vendor names, quarter-end timing, even the boss’s tone, so the message feels normal and close to home. Authority makes it look legit; urgency pushes it through. If your only safeguard is to be careful, you’re asking a tired person to outsmart a well-rehearsed act.

Why Now

Two shifts made this bigger than 2019-style voice pranks: live cloning now passes on everyday calls, and losses are climbing fast (the FBI logged $16B in reported internet-crime losses in 2024, up ~33% year-over-year). Cheaper tools + more attempts = less time to verify, unless you build it in. 

The Playbook (only what stops impersonation)

Verify off-screen. For any new payee or account change, step out of the meeting and call the requester on a number from your internal directory.

Require two humans in software. Put the two-person rule inside the payment tool so a transfer halts until two distinct approvers confirm.

Ask one un-Googleable question. Before approvals on exec calls, use a shared insider check (a project codename or trivial internal detail).

Keep approvals in the system. Screenshared PDFs and chat confirmations don’t count; finalize only within the payment workflow with an audit trail.

This playbook works better than you’d expect, it’s already beaten real attacks. When scammers tried a voice-cloned CEO at WPP, the team verified off-screen and refused to approve anything inside the call, and the attempt died. And if Arup had paired a directory callback with a system-enforced second approver, those fifteen “new beneficiary” transfers would have stalled long enough for the real CFO to say no.

Conclusion

Impersonation scams win by racing you. Don’t chase pixels; change the pace. A call they can’t intercept, a second human they can’t impersonate, a question they can’t guess, and a rule your tools won’t bend—put that rhythm in place once, and most of these stories end quietly with a simple “no wire.”