In February 2024, an employee at the engineering firm Arup, in Hong Kong, wired around 25 million dollars to fraudsters. He had not been careless. He had been called into a video conference by his chief financial officer, based in London. On screen, he recognised several colleagues. The meeting was normal, and the urgent, confidential transfer order was given to him live, out loud.
None of the people on screen were real. Faces, voices, gestures, all of it had been generated by AI from earlier public video calls. The only human in that meeting was him.
This case should be pinned up in every boardroom, because it marks a turning point. The moment the eye and the ear stopped being sufficient proof.
This is not an isolated case, it is a trend
You could reassure yourself by saying Arup is a multinational, a prime target, and that no one is interested in a small company. That would be a misreading.
As early as 2019, well before generative AI reached the general public, fraudsters used a synthetic voice imitating the CEO of a German parent company to extract around 220,000 euros from its British subsidiary, as the Wall Street Journal reported. Back then, building a convincing fake voice took resources. Today the same thing is put together with accessible tools, from a few minutes of public recording, and the quality has exploded.
In other words, CEO fraud has not gone away, it has changed its face. Literally. And the cost of making it falls faster than companies raise their guard. The small company is not out of reach, it is just less prepared.
Why the old reflexes no longer protect you
For years, teams were taught to be wary of emails. A dodgy address, a spelling mistake, an odd link, you hang up. Those reflexes all rest on a detail that does not fit.
A well made deepfake has no detail that does not fit. It has your boss’s face, his voice, the way he tilts his head, and it answers your questions live. The whole chain of trust we instinctively grant to a face and a voice then turns against us. Our brains were wired over hundreds of thousands of years to trust what they see and hear from someone they recognise. The fraudsters do not attack your systems, they attack that wiring.
The real weak point is not technological
Here is the good news, and it matters to a leader who is not a security expert. The Arup case was not won on technology, it was won on a process. A large transfer, ordered in a meeting, with no independent check. The deepfake only exploited a procedural gap that already existed.
Which means the safeguard does not require being an engineer. It requires revisiting a few internal rules, and it fits on one page.
No exceptional transfer approved on the strength of a video call or a phone call alone, even if you recognise the person. A systematic check through a second independent channel, a callback to a known number, a message on another tool, for any amount above a threshold set in advance. A password or an agreed question between the right people for urgent and confidential requests. And above all, the explicit right, for any employee, to pause an operation long enough to verify, without fear of being overruled by their hierarchy.
That last rule is the most important, and the most neglected. Many frauds succeed because the employee does not dare keep a superior waiting who seems pressed and irritated. The sense of urgency is the fraudster’s main weapon. Taking that weapon away, by officially permitting doubt, is worth all the software in the world.
What this says about our age
There is a wider lesson, one that goes beyond fraud. We have built tools able to imitate perfectly the signals we trust by instinct. The face, the voice, the presence in a meeting. As long as we decide on the basis of those signals alone, we are exposed, and we will be more and more.
The answer is neither paranoia nor denial, it is method. Understand what the machine can now imitate, and rebuild our decisions around what it cannot get past: a second look, a separate channel, a written rule, a question it does not know the answer to. That is exactly what I teach leaders and what I study in my research on decision making. A deepfake does not hack your system, it hacks your trust. And trust is not repaired with an antivirus. It is rebuilt with a procedure, in one meeting, before you need it rather than after.