$25.6 million. One video call. Zero suspects.
Share
A finance employee in the Hong Kong office of a British engineering company sits down at his desk and joins a video conference. The chief financial officer is on the call from London. Two senior colleagues he recognizes are on screen as well. The CFO walks him through a confidential acquisition. He needs a series of wire transfers approved quickly, and he needs them today. The employee asks a few questions. The CFO answers in the cadence and accent he has heard in meetings for years. The colleagues nod along.
Over the next several hours, the employee authorizes fifteen wire transfers totaling roughly $25.6 million. Every face on that call was generated by AI. The CFO never made the request. None of the colleagues were ever in the meeting. The only real person in the room was the man writing the wire instructions.
What actually happened
The case is the now-famous Arup deepfake fraud, and it broke into public view in early 2024 after the Hong Kong police disclosed the loss. Arup is a real firm — the engineering consultancy behind the Sydney Opera House and parts of the Channel Tunnel. Its Hong Kong office was the target. No suspects have been publicly identified. No money has been publicly recovered.
What makes the case unusual is not the amount, although $25.6 million is large by any standard. It is the method. Until that point, the working assumption inside corporate finance teams and inside most family kitchens was the same: if you are unsure about a phone call or a text, ask for a video call. See the person's face. Hear them answer a follow-up question. That was, for almost a decade, a reliable check on impersonation fraud.
The Arup case ended that assumption.
How a real-time deepfake works in 2024 — and now
A real-time deepfake video call is not a pre-recorded clip. It is a live composite. A scammer feeds a single high-resolution photograph — often pulled from a corporate website or a LinkedIn profile — into a model that can map that face onto whoever is sitting in front of the camera. The mouth tracks the words. The eyes blink. The head turns. A second model, trained on a few minutes of public audio, supplies the voice. With a decent GPU and software that was not commercially viable in 2022, a small team can stage a multi-person board meeting where everyone except the victim is synthetic.
The Hong Kong operation almost certainly used recordings from public earnings calls, conference appearances, and corporate videos to build the CFO's face and voice. None of the source material was stolen. All of it was public.
Why "video chat to verify" stopped working
For years, the standard advice from consumer-protection researchers was straightforward: when in doubt, switch to video. A scammer can fake a voice; he cannot fake a face on camera in real time. That advice was correct in 2018. It was probably still correct in 2022. By January 2024, in at least one boardroom, it was wrong by $25.6 million.
Real-time multi-person deepfakes are still expensive and still take preparation. They are used against high-value corporate targets, against political figures, and against the occasional wealthy retiree whose public footprint includes hours of clear video. They are not yet, in early 2026, the standard tool of a $5,000 grandparent scam — but an industry watchdog tracking AI-enabled fraud logged 22,364 complaints in 2025, up sharply from the year before.
What still works
Three defenses survive the Arup case more or less intact.
A 30-minute pause. Real institutions, including any real CFO, will tolerate thirty minutes of silence while you verify on a different channel. Fake ones will not. The Arup employee was hurried for a reason.
A verified callback. Hang up. Open the company directory you already trust — not the one in the meeting invite — and call the CFO's published office number. If he did not just ask for a wire, you will know within ninety seconds.
A private question. Ask something that is not on LinkedIn, not in the annual report, and not in any podcast appearance. The dog's name. The conference room nicknamed after a former partner. A scheduling detail from last week. A deepfake does not know what is not in its training data.
None of these requires new technology. None of them requires you to be able to spot a synthetic face — a task that is, increasingly, beyond what the human eye can do at video-call resolution.
The takeaway
The lesson of the Arup case is not that video calls are now dangerous. It is that no single channel — voice, video, email, text — is, by itself, proof of identity any longer. Identity now has to be verified across two channels you control. That sounds like a lot. In practice it is one extra phone call to a number you already had.
Twenty-five million dollars moved because nobody made that call.
---
"Don't Fall For It: 50 Scams Targeting Americans Over 50" lays out the small set of verification habits that hold up against deepfakes, voice clones, and the scams that have not yet been invented. Use code at checkout for 30% off.