The $25 Million Deepfake Heist — And What It Means for Your Business

The attack that changed everything

In early 2024, a finance employee at engineering firm Arup transferred roughly $25 million USD across fifteen separate wires. The order came from his CFO during a routine video call with several colleagues. He had hesitated at first — the initial email request had felt off — but the live call put him at ease. He recognized the faces. He recognized the voices.

Every single person on that call, except him, was a deepfake.

Why this matters beyond Arup

The Arup case is now the textbook example of multi-party deepfake fraud, and it broke a piece of received wisdom that companies had relied on for years: asking for a video call to confirm an unusual request is no longer a safety check. The video call itself has become an attack surface.

Three factors made this possible at scale in 2024 and have only intensified since:

• Realtime face and voice cloning now runs on consumer hardware.
• Public executive footage — earnings calls, conference talks, LinkedIn videos — gives attackers all the training data they need.
• Process gaps in finance and HR teams still rely on visual or auditory recognition as proof of identity.

What to put in place this quarter

The defenses are procedural more than technical. Three to prioritize:

1. Out-of-band confirmation for every wire over a threshold. Set a number (e.g. $50K) and require a phone call to a known number — not the one that initiated the request — for anything above it.
2. Code words for executive teams. A shared rotating phrase that only real members would know. Costs nothing. Stops realtime deepfakes cold.
3. Train finance and assistants for the new attack pattern. Update your fraud training so the lesson is not just 'spot the typo' but 'distrust urgency on a video call.'

Bottom line

Deepfake fraud has moved from possibility to playbook. The companies that adjust process — not the ones that buy detection tools — will be the ones still standing.