In early 2024, a finance employee at the Hong Kong office of global engineering firm Arup joined what looked like a routine video call. On screen were his chief financial officer and other senior colleagues, urgently instructing him to wire funds for a confidential transaction. Everyone looked and sounded exactly like the people he worked with every day.

They were all fake.

Scammers had built convincing deepfake video and audio clones of multiple executives and used them to social-engineer the employee into sending the equivalent of about $25.6 million across 15 transactions to fraudulent accounts, according to Hong Kong police and subsequent reporting by outlets including the South China Morning Post and CNN.Everyone looked real

If that sounds like a one-off, you are underestimating the speed at which fraudsters are industrializing generative AI. Deepfake fraud is no longer just a consumer scam targeting grandparents; it is quickly becoming a board-level business risk.

This post walks through how deepfake fraud in business works today, why it is getting worse, and what you can realistically do about it without grinding operations to a halt.

What exactly is deepfake fraud in a business context?

A deepfake is synthetic audio, video, or imagery generated or manipulated using AI models (typically deep neural networks) to make someone appear to say or do something they never did. For fraud, the goal is simple: impersonate a trusted person well enough that you or your systems do something you should not.

In a corporate setting, deepfakes are typically used to:

  • Impersonate executives (CEO, CFO, GM) to approve payments or change banking details.
  • Mimic vendors, partners, or lawyers to alter invoices or contractual terms.
  • Target employees in finance, HR, procurement, and IT where access and approvals are concentrated.

Europol has explicitly warned that deepfakes can supercharge CEO fraud and business email compromise by adding realistic video and audio on top of traditional phishing and spoofed messages.Facing Reality? Law enforcement and the challenge of deepfakes

You should think of deepfake fraud as BEC 2.0: same social-engineering playbook, far more convincing packaging.

Why deepfake fraud is exploding right now

Until recently, creating a convincing deepfake required time, lots of training data, and serious GPU power. That barrier has largely disappeared.

A few converging trends:

  • Easy access to training data: Executives give conference talks, appear in marketing videos, join recorded town halls, post on YouTube and LinkedIn. That is a goldmine of high-quality reference audio and video for attackers.
  • Commodity AI tooling: There are now numerous consumer-grade and enterprise-grade tools that can clone a voice from just a few seconds of audio and map it onto a video in minutes. You do not need insider access to OpenAI, Anthropic, or Google; underground and grey-market tools are widely advertised.
  • Fraud-as-a-service ecosystems: Europol’s recent Internet Organised Crime Threat Assessment notes that AI-generated deepfakes are becoming a standard part of a broader cybercrime toolkit, alongside phishing kits, malware, and data-broker services.Europol cybercrime threat assessment
  • Speed and scale: One industry analysis cited by TechRadar estimates generative AI has cut the time to execute sophisticated fraud schemes from “16 hours to under 5 minutes,” contributing to what it describes as a $400B+ global fraud industry and a steep rise in executive impersonation and recruitment scams.How Gen AI is turning fraud into a $400B+ global industry

At the same time, mainstream AI assistants like ChatGPT, Claude, and Gemini make it trivial to generate believable emails, scripts, and fake documentation that wrap around the deepfake video or audio. The scam does not look like a badly written Nigerian prince email anymore; it looks like your boss, speaking in their usual style, on a live Zoom.

Real-world deepfake fraud: beyond the Hong Kong heist

The Arup/Hong Kong incident is the most widely reported big-ticket corporate deepfake heist so far, but it is part of a broader pattern:

  • In May 2024, fraudsters used a deepfake of the CEO of WPP, the world’s largest advertising company, combining a fake WhatsApp account, voice clone, and video to try to coax an agency leader into setting up a new “business” and moving funds. The attempt failed, but only because the target became suspicious and verified independently.CEO of world’s biggest ad firm targeted by deepfake scam
  • Voice-clone scams are proliferating. A 2024 survey reported by TechRadar found that 1 in 4 Americans say they have received a deepfake voice call in the previous 12 months, with older adults losing an average of $1,298 per incident.Deepfake worries hit a new high
  • The FBI has issued multiple public service announcements warning about AI-generated “proof of life” kidnapping scams and AI-assisted extortion, stressing that generative AI is lowering the bar for sophisticated social-engineering campaigns.FBI warns of AI kidnapping scams

If executives and employees in your organization still assume “I would be able to tell if it was fake,” they are overestimating human perception and underestimating how fast the tech is improving.

Common deepfake attack patterns against organizations

Most deepfake fraud against businesses currently follows a handful of patterns. Knowing them lets you design specific defenses rather than generic, hand-wavy “awareness.”

1. Executive impersonation for payments

This is the Arup scenario: a scammer pretends to be your CEO or CFO (by email, chat, voice, or video) and pushes for an urgent transfer, often with secrecy and time pressure.

Telltale characteristics:

  • Out-of-band request that bypasses normal workflow (e.g., direct WhatsApp or personal email).
  • Confidential tone: “This is sensitive; do not loop in X or Y.”
  • Tight deadlines and emotional pressure: “We will lose the deal,” “The board is expecting this.”

2. Vendor and bank detail manipulation

The attacker deepfakes a known vendor contact or bank representative to “confirm” new payment details or a changed account number. They may:

  • Reference real invoices or purchase orders scraped from compromised email.
  • Use a convincing mix of ChatGPT-generated emails plus a short deepfake video “explaining” the change.

3. Deepfake-supported phishing and account takeovers

Here, the deepfake is not used directly on your finance team but to compromise credentials:

  • HR receives a video “from” a senior leader pushing staff to log into a new “benefits portal.”
  • IT support gets a call from a “VP” whose account is locked and urgently needs a password reset.

Once the attacker has an account, they can move laterally towards systems that matter.

4. Reputation and extortion attacks

Generative AI can fabricate compromising videos of executives or staff. Attackers then:

  • Threaten to release the material unless paid.
  • Use the fake content as leverage in business negotiations or to discredit whistleblowers.

Even if the video is fake, your organization still has to deal with reputational fallout, legal risk, and internal trust damage.

Your first line of defense: governance and culture, not gadgets

It is tempting to look for a magical “deepfake detector” and be done. Detection tools are improving, but they are imperfect, and attackers will adapt. Start with governance and culture:

  • Codify verification rules: For example, “No single person may authorize or execute wire transfers over $10,000 based solely on instructions delivered via voice, video conference, or chat. A secondary verification via an established channel is required.”
  • Normalize pushback: Train and empower staff to say, “I know this is urgent, but policy requires a callback on your known number before I can proceed.” Make it clear that following policy will never get them punished, even if it slows a deal.
  • Reduce exposure of executive biometrics: You cannot scrub the internet, but you can limit unnecessary public video, tighten privacy on recorded town halls, and be thoughtful about where high-res executive content is posted.

Think of this as “zero trust” for human instructions: never trust, always verify, no matter how real the video looks.

Practical controls you can put in place this quarter

You do not need a seven-figure AI budget to reduce your risk meaningfully. Focus on layered, realistic controls.

Strengthen high-risk processes

Target the workflows with the most attractive payoff:

  • Wire transfers and treasury operations.
  • Vendor onboarding and bank detail changes.
  • Payroll changes and executive compensation.
  • Access to critical systems (ERP, CRM, cloud admin consoles).

For each, implement:

  1. Multi-person approval for large or unusual transactions.
  2. Out-of-band verification:
    • Call back using a phone number from your internal directory, not from the email or message.
    • Use a previously agreed phrase or codeword for very high-value instructions.
  3. Transaction anomaly checks:
    • Does this match prior behavior (amounts, counterparties, timing)?
    • Require a short written business justification stored in your ERP, not just in chat.

Update your training to include deepfakes explicitly

Most security awareness content is still stuck on “do not click suspicious links.” You need to add concrete deepfake scenarios:

  • Show employees examples of both obvious and subtle deepfakes.
  • Explain that “it sounded exactly like my boss” is no longer enough.
  • Walk through the Arup case and similar incidents and ask, “At what point could this have been stopped?”

Use modern AI tools like ChatGPT, Claude, or Gemini to help your security team quickly create realistic sample emails, call scripts, and fake videos for tabletop exercises—just be sure you do this in a safe, controlled environment and do not upload sensitive internal data to tools that are not approved by your legal and security teams.

Deploy technical tools where they make sense

You cannot solve deepfakes purely with tools, but some technologies help:

  • Strong identity and access management (MFA everywhere, hardware keys for admins).
  • Payment controls in your banking portals and ERP (whitelists, dual control, limits).
  • Communication hygiene:
    • Prefer corporate channels (corporate email, Teams, Slack) over random consumer apps for business instructions.
    • Use meeting invites generated from corporate calendars so it is harder to inject rogue “urgent” calls unnoticed.
  • Detection and monitoring:
    • Some security vendors now offer deepfake detection and brand-protection services that scan the web for fake domains, cloned sites, and suspicious media mentioning your organization.
    • Be realistic: treat these as signal boosters, not truth oracles.

Deepfake fraud touches multiple risk domains:

  • Regulatory exposure: If you are in a regulated sector (financial services, healthcare, critical infrastructure), a major fraud incident may trigger regulatory scrutiny around your controls and training.
  • Data protection and privacy: If attackers use breached data (customer records, internal videos) to build deepfakes, you may have notification obligations under GDPR, state privacy laws, or sector-specific rules.
  • Contracts and SLAs: Review key agreements to clarify responsibility for fraud (e.g., if a vendor pays a fake invoice “from” you, who eats the loss?).
  • Cyber insurance: Talk to your broker about how your policy treats AI-enabled fraud, especially social engineering and funds transfer fraud. Some carriers are already asking about deepfake-related controls when underwriting.Deepfake scammers steal $25 million: 5 ways to avoid it

Involve legal, compliance, and risk early—do not leave this as a purely “IT problem.”

Bringing it all together: what you should do next

Deepfake fraud is not a theoretical future risk. It is here, it has already cost at least one multinational $25 million in a single incident, and law enforcement and industry watchers are tracking a sharp rise in AI-driven executive impersonation and voice scams.

To move from awareness to action, you can:

  1. Run a focused tabletop exercise: Within the next 30 days, convene finance, IT, legal, and HR and walk through a realistic deepfake fraud scenario (for example, a fake CFO video call instructing a wire transfer). Identify where your current processes would fail and document specific fixes.
  2. Harden your payment and approval workflows: Implement at least one new control—such as dual approval plus callback verification for high-value transfers—within the next quarter. Make it a written policy and communicate it clearly to all affected staff.
  3. Modernize your security awareness program: Update training materials to include deepfake examples, clear “pause and verify” rules, and the explicit message that voice or video is no longer a sufficient authenticator.

You do not need to out-innovate every fraudster. You just need to make your organization a much harder and slower target than the one next door. In a world where anyone can clone your CFO’s voice in minutes, your best defense is not trusting what you see and hear until it has been properly verified.