The finance manager at Arup, a global engineering firm, joined what appeared to be a routine video conference in September 2025.

The CFO was on the call. So were several colleagues from the London office. The video quality was perfect. The audio was crisp. Everyone looked and sounded exactly right.

The CFO explained that the company needed to execute several urgent wire transfers for a confidential acquisition. The amounts were large but not unprecedented for a firm of Arup's size. The colleagues confirmed the details. Everything followed proper procedures.

The finance manager, following what seemed like clear instructions from verified executives on a video call, authorized multiple wire transfers totaling $25 million.

Every single person on that call was an AI-generated deepfake.

Not one human. Not one real executive. Not one legitimate instruction.

$25 million gone because "I could see them on video" no longer means "they're real."

After building authentication systems for a CIAM platform that verified over a billion user identities, I thought I understood the fundamentals of identity verification. Something you know (password). Something you have (token). Something you are (biometric).

But here's what the Arup case proved: "something you are" is no longer something you are. Your face can be generated. Your voice can be cloned. Your video presence can be synthesized in real-time.

The foundation of identity verification just collapsed. And most organizations haven't noticed yet.

Let me show you why this isn't just about deepfakes, it's about the fundamental breakdown of how we verify identity in the modern enterprise. And what needs to change before your organization becomes the next $25 million lesson.

How the Arup Attack Actually Worked

The details of the Arup fraud matter because they reveal how sophisticated these attacks have become.

Here's what we know happened:

Phase 1: Intelligence Gathering

Before the attack began, someone did extensive research on Arup:

• Organizational structure (who reports to whom)
• Key personnel (names, roles, responsibilities)
• Communication patterns (how does the finance team interact with executives)
• Previous transactions (what kinds of transfers are normal)
• Visual and audio profiles (what do these people look and sound like)

Sources for this intelligence:

• LinkedIn profiles (organizational hierarchy, recent posts)
• Corporate website (executive bios, photos)
• Conference videos (speaking style, mannerisms, voice patterns)
• Publicly available annual reports (business operations, deal patterns)
• Social media (personal accounts revealing additional context)

None of this required hacking. It was all publicly available.

When building the CIAM platform, I always told clients: assume attackers know everything that's public. The Arup case shows they're now using that information to generate perfect replicas.

Phase 2: Deepfake Generation

Using the gathered intelligence, attackers created deepfakes of:

• The CFO (video and audio)
• Multiple colleagues (video and audio)
• Realistic background environments (office settings)

The technology isn't science fiction anymore:

• Real-time video synthesis (ElevenLabs, Synthesia, HeyGen)
• Voice cloning from minutes of audio samples
• Facial animation that matches speech perfectly
• Background generation that looks like real offices

The cost? A few hundred dollars worth of commercial AI services.

The skill required? Moderate technical knowledge, not expert-level.

The time investment? Days, not months.

This isn't nation-state capability. This is accessible to organized crime.

The attackers didn't start with "$25 million wire transfer."

They built credibility first:

• Initial "meeting" was about routine business review
• Early requests were for information, not action
• Communication style matched known executive patterns
• Topics referenced real company initiatives

This is sophisticated social engineering:

• Establish normalcy before making unusual requests
• Build trust through familiar interactions
• Reference real context to appear legitimate
• Escalate requests gradually

The finance manager wasn't stupid. The finance manager was experiencing a perfectly executed attack that exploited every assumption about identity verification.

Phase 4: The Kill Chain

Once credibility was established, the attack executed:

Request 1: "We need to move funds for the acquisition we discussed."

• Context established (previous meetings mentioned acquisition)
• Authority confirmed (CFO giving instruction)
• Urgency implied (time-sensitive deal)

Request 2: "Execute transfers to these accounts."

• Account details provided (looked like legitimate intermediaries)
• Amounts specified (large but plausible for acquisition)
• Colleagues confirm (multiple people validate instruction)

Request 3: "Process these immediately. This is confidential."

• Time pressure (need to move fast)
• Secrecy (don't verify through normal channels)
• Implicit threat (challenging CFO's instruction seems insubordinate)

The finance manager followed procedure. Verified identities through video. Confirmed with multiple participants. Executed authorized instructions.

Everything was wrong. Everything looked right.

Phase 5: Discovery and Aftermath

The fraud was discovered when:

• Actual CFO inquired about unusual account balances
• Finance team mentioned the "acquisition transfers"
• Real CFO: "What acquisition? What transfers?"

By then, $25 million had been transferred across multiple jurisdictions, making recovery extremely difficult.

The investigation revealed:

• No systems were hacked
• No credentials were stolen
• No malware was installed
• Security infrastructure worked perfectly

The attack bypassed all technical controls by exploiting human identity verification.

Why "Seeing Is Believing" No Longer Works

For all of human history until approximately 2023, seeing someone's face and hearing their voice was reliable proof of identity.

That assumption is now broken.

Here's why:

Generative AI Achieved Real-Time Fidelity

The deepfakes in the Arup attack weren't static videos. They were real-time interactive participants in a video conference.

What that means:

• Deepfakes responded to questions in real-time
• Facial expressions matched speech naturally
• Body language appeared authentic
• Multiple participants interacted with each other convincingly

This requires:

• Real-time video generation (no lag between audio and facial movement)
• Contextual understanding (responses relevant to conversation)
• Multiple simultaneous deepfakes (several people on same call)
• Environmental consistency (all in appropriate office settings)

This wasn't possible two years ago. It's routine in 2026.

The technology curve on deepfakes followed the same trajectory as large language models: long period of "not quite there" followed by sudden achievement of human-indistinguishable quality.

We're past the inflection point. Deepfakes are now perfect.

Voice Cloning Became Trivial

Voice authentication, once considered secure, is now completely compromised.

What it takes to clone a voice:

• 3-5 minutes of target audio (obtained from conference videos, podcasts, earnings calls)
• Commercial voice cloning service (ElevenLabs, PlayHT, many others)
• $20-100 in API costs
• Result: Perfect voice replica that can speak any text in target's voice

When building the CIAM platform, I evaluated voice biometrics for multi-factor authentication. We didn't deploy it because we knew voice could eventually be cloned.

What we didn't predict was how quickly "eventually" would arrive.

Voice authentication is not just vulnerable. It's actively counterproductive because it creates false confidence in identity verification.

Video Verification Creates False Security

Here's what makes the Arup case especially dangerous: the victim did everything right according to conventional security training.

Conventional wisdom says:

• Verify requests through multiple channels ✓ (video call with multiple people)
• Confirm identity before executing high-value transactions ✓ (saw and heard executives)
• Follow approval procedures ✓ (got authorization from proper authority)

All of that happened. All of it was useless.

Video verification created a false sense of security. "I can see them" felt like proof. It wasn't.

This is why I'm worried about organizations rushing to implement video-based authentication for sensitive operations. They're building security controls that attackers have already defeated.

The Uncanny Valley Is Behind Us

Older deepfakes had tells:

• Unnatural blinking patterns
• Lip sync slightly off
• Facial expressions didn't match emotion
• Lighting inconsistencies
• Audio artifacts

Skilled observers could detect fakes.

Modern deepfakes don't have those tells. The "uncanny valley" (the uncomfortable feeling when something is almost-but-not-quite human) has been crossed.

Current deepfakes are indistinguishable from real people to human perception.

This means:

• Training employees to "spot deepfakes" is like training them to spot perfect forgeries—impossible
• Visual inspection is no longer a viable verification method
• Trusting your eyes and ears is now a vulnerability

When building the CIAM platform, I assumed biometric data (what you are) was harder to compromise than passwords (what you know).

That assumption is now backwards. Passwords can be changed. Your face and voice cannot.

The Economic Reality That Makes This Worse

The Arup attack cost $25 million. But here's what should terrify CFOs: the attack probably cost less than $10,000 to execute.

Cost-Benefit Analysis for Attackers

Attacker investment:

• Deepfake technology: $500-2,000 (commercial AI services)
• Voice cloning: $100-500 (audio samples and processing)
• Research time: 40-80 hours (gathering intelligence on target)
• Technical execution: 20-40 hours (creating deepfakes, orchestrating call)

Total cost: $5,000-10,000 (including time at black market rates)

Return: $25,000,000

ROI: 2,500x to 5,000x

The economics are absurd. Even if only 1 in 100 attempts succeeds, the math works overwhelmingly in attackers' favor.

This is why deepfake fraud will explode in 2026. It's not just technically possible. It's economically inevitable.

Why Targets Can't Outspend Attackers

Traditional security followed an economic principle: make attacks expensive enough that they're not worth executing.

Deepfake fraud breaks that principle.

Defense costs:

• Implementing multi-channel verification: $50,000-500,000
• Training all employees on deepfake awareness: $100,000-1,000,000
• Deploying deepfake detection technology: $200,000-2,000,000
• Creating verification procedures: Ongoing operational cost

Attack costs: $5,000-10,000

Defenders must protect against all attacks. Attackers only need one success.

The economic asymmetry is crushing.

When building the CIAM platform, I secured systems by making unauthorized access expensive (technically difficult). We can't make deepfakes expensive. The technology is commoditized.

This requires a different defense strategy entirely.

The Identity Verification Crisis Across Industries

Arup isn't alone. Deepfake fraud is hitting every sector that relies on voice or video identity verification.

Finance and Banking

Current vulnerability:

• Wire transfer approvals often use phone verification
• Large transactions require executive authorization
• Multi-signature processes assume you can verify signers

Real incidents (2025-2026):

• Hong Kong-based company lost $26 million (employee fooled by deepfake video conference)
• Bank executive authorized fraudulent loan based on cloned CEO voice
• Investment firm manipulated by deepfake board member in virtual meeting

Why it's getting worse:

• Remote work means video calls replace in-person verification
• International transactions make callback verification complicated
• Time-sensitive deals create pressure to "trust but verify quickly"

Corporate Executives

The CEO doppelgänger problem:

• Executives are high-value deepfake targets (lots of public footage)
• Their voices carry authority for financial decisions
• They travel frequently (making "I'm in a meeting, use video" plausible)

Attack scenarios:

• CFO instructs controller to execute transfers
• CEO approves emergency expenditure
• Board member votes on virtual acquisition approval

This isn't hypothetical. Security researchers estimate 60-80% of Fortune 500 CEOs have enough public footage for high-quality deepfake generation.

Legal and Compliance

Emerging problem:

• Video depositions becoming unreliable
• Remote notarization vulnerable to deepfake impersonation
• Legal agreements via video call losing evidentiary value

The legal system hasn't caught up:

• What constitutes proof of identity in video format?
• How do you authenticate video evidence when deepfakes are perfect?
• Can contracts signed via video conference be enforced?

These are questions courts will face in 2026 and beyond.

Political and Regulatory

Beyond fraud:

• Deepfake political figures making false statements
• Fabricated emergency announcements causing market panic
• Synthetic "official" communications triggering policy responses

The trust crisis: When citizens can't distinguish real officials from deepfakes, governance itself becomes unstable.

The Arup case is about money. The broader crisis is about trust.

What Actually Works (And What Doesn't)

Security vendors are rushing to sell "deepfake detection" solutions. Most won't work at scale.

Here's what actually works:

What Doesn't Work

❌ Training employees to spot deepfakes

The tells that used to identify deepfakes don't exist anymore. Training people to look for artifacts that aren't there is security theater.

❌ Voice biometric authentication

Voice can be cloned perfectly. Using voice as authentication factor is worse than useless—it creates false confidence.

❌ Video-only verification for high-value transactions

The Arup case proved this. Seeing someone on video is not proof of identity.

❌ Relying on "trusted" video platforms

Deepfakes work on Zoom, Teams, Google Meet—any platform. The platform isn't the vulnerability. The human perception is.

❌ Deepfake detection software

Current detection has high false positive/negative rates. As deepfakes improve, detection becomes harder. This is an arms race defenders will lose.

What Does Work

✓ Multi-channel verification

If someone makes a high-value request via video, verify through a completely different channel.

Example:

• Request comes via video call
• Callback to known phone number (not number provided in call)
• Verify request details through email to known address
• Use previously established code word or verification phrase

The principle: Deepfakes excel in single channel. They fail when you verify through independent channels.

When building the CIAM platform, I implemented this as "multi-factor authentication" for users. The same principle applies to verifying humans making requests.

✓ Pre-established verification protocols

Before high-stakes situations arise, establish verification procedures:

For financial transactions:

• Code words known only to authorized parties
• Out-of-band confirmation required for amounts over threshold
• Time delays between authorization and execution (giving time to detect fraud)

For executive communications:

• Verified phone numbers for callback (updated regularly)
• Secondary confirmation via different medium (video → email with digital signature)
• Predetermined questions only real executive would know

✓ Physical tokens for critical operations

For the highest-stakes transactions, require physical token possession:

• Hardware security keys (YubiKey, Titan)
• Smart cards with PIN
• Biometric device in person (not over video)

This is the "something you have" factor that deepfakes can't fake remotely.

✓ Time delays and review periods

Most fraud relies on urgency. Removing urgency defeats the attack.

Implementation:

• All transactions over $X have mandatory 24-hour delay
• During delay, multiple verification channels used
• Any discrepancy halts transaction immediately

The attacker's nightmare: Time for victim to verify through multiple channels.

✓ Behavioral analysis and anomaly detection

Technology can't detect deepfakes reliably, but it can detect anomalous requests:

• Is this transaction pattern unusual for this executive?
• Is the requested amount outside normal parameters?
• Is the urgency level inconsistent with typical behavior?
• Are account destinations new or unfamiliar?

Example from Arup case: A behavioral system might have flagged:

• Multiple large transfers to new accounts
• Urgency combined with confidentiality (red flag combo)
• Request coming through video call rather than written authorization

This doesn't detect the deepfake. It detects the unusual request pattern.

When building the CIAM platform, I used anomaly detection to flag unusual authentication patterns. The same approach works for detecting deepfake-enabled fraud attempts.

The New Security Model: Never Trust Audio/Video Alone

Organizations need to rebuild identity verification with a fundamental assumption: audio and video are never, by themselves, proof of identity.

Here's what that means in practice:

For Financial Operations

Old model:

• CFO calls → controller executes transfer
• Video conference with executives → approve transaction
• Phone verification → process high-value request

New model:

• ANY request (phone, video, email, in-person) → multi-channel verification
• High-value transactions → mandatory delay + callback + written confirmation
• Critical operations → physical token requirement

The shift: Audio/video are claim of identity, not proof of identity.

For Executive Communications

Old model:

• Recognize voice → trust instruction
• See face on video → accept authorization
• Email from executive address → follow directive

New model:

• Voice/video establishes who is claiming to be on call
• Verification protocol confirms who actually is making request
• Written confirmation with digital signature provides audit trail

The shift: Seeing and hearing someone is start of verification, not end of verification.

For Legal and Compliance

Old model:

• Video deposition → legally binding testimony
• Remote notarization via video → official document
• Video signature → enforceable contract

New model:

• Video deposition → supplemented with in-person verification or physical token
• Remote notarization → requires multiple verification factors
• Video signature → paired with blockchain timestamping and out-of-band confirmation

The shift: Video alone has no evidentiary value without additional verification.

For Customer Service and Support

Old model:

• Customer calls → verify with personal info → authorize account changes
• Video chat for sensitive requests → accept if ID shown on video

New model:

• Voice/video → establishes session, not identity
• Multi-factor authentication required for any account modification
• Out-of-band confirmation (email, SMS to verified address) before changes execute

The shift: Customer identity is continuous verification, not one-time confirmation.

This is fundamentally different from traditional customer identity and access management. We're not just securing access. We're assuming the entire audio/visual channel is compromised.

What Organizations Must Do Right Now

If you're responsible for security, compliance, or risk management, here's your action plan:

Immediate (This Week)

1. Identify high-value audio/video verification points

Where does your organization currently accept audio or video as proof of identity?

• Wire transfer approvals
• Vendor payment authorizations
• Contract signatures
• Executive instructions
• Password resets
• Account modifications

Map every instance. That's your immediate vulnerability.

2. Implement emergency verification protocols

For highest-risk operations:

• Callback to verified numbers (in phone directory, not caller ID)
• Email confirmation to known addresses
• Require 24-hour delay on large transactions

This is a bandaid, not a solution. But it reduces immediate risk.

3. Alert high-risk employees

Finance teams, executive assistants, controllers, anyone with authority to execute high-value transactions.

Key message:

• Video calls can be perfect deepfakes
• Voice calls can be cloned executives
• Never trust audio/video alone for financial decisions
• Always verify through second channel

Make this a standing security briefing topic.

Short-term (This Month)

4. Develop formal verification procedures

Document specific protocols:

For financial transactions over $X:

1. Request received (any channel)
2. Callback to verified number
3. Email confirmation with details
4. 24-hour hold period
5. Secondary approval from different executive
6. Execute with audit trail

For executive communications:

1. Note claimed identity from audio/video
2. Verify through out-of-band communication
3. Use pre-established code words
4. Written confirmation before action
5. Escalation path if verification fails

For customer service:

1. Multi-factor authentication required
2. Sensitive changes require callback
3. Video ID verification supplemented with additional factors
4. All changes have reversal window

Publish these protocols. Train teams. Enforce compliance.

5. Audit current authentication methods

Where are you using voice or video as authentication factor?

• Phone banking systems
• Remote notarization
• Customer verification
• Internal approvals

Replace pure voice/video authentication with multi-factor requirements.

6. Review insurance coverage

Does your cyber insurance cover deepfake fraud?

• Most policies written before deepfakes were viable threat
• Coverage may exclude social engineering
• Limits may be insufficient for large-scale fraud

Update policies to explicitly cover deepfake scenarios.

Medium-term (This Quarter)

7. Implement behavioral analysis

Deploy systems that flag anomalous requests:

• Unusual transaction patterns
• Out-of-normal-hours requests
• Urgency combined with confidentiality
• New accounts or vendors
• Requests that bypass normal approval chains

This won't detect deepfakes. It will detect the fraud attempts that use deepfakes.

8. Establish physical token requirements

For highest-stakes operations:

• Hardware security keys for executive authorizations
• Smart cards for financial controllers
• In-person verification for critical contracts

Yes, this reduces efficiency. That's the point.

The Arup case happened because efficiency was prioritized over verification. Sometimes friction is security.

9. Create escalation and response procedures

What happens when suspected deepfake detected?

• Who gets notified?
• How is transaction halted?
• What investigation begins?
• How is incident communicated?

Have this documented before the incident occurs.

Long-term (Next 6-12 Months)

10. Rebuild identity verification architecture

This is the fundamental fix:

• Audio/video never sufficient for identity proof
• Multi-channel verification required for high-value operations
• Behavioral anomaly detection integrated
• Physical tokens for critical functions
• Zero-trust principle: verify every request, regardless of channel

When we implemented zero-trust architecture for the CIAM platform, it wasn't a quick project. It was fundamental rethinking of how identity works.

Organizations need the same rethink for audio/video identity verification.

11. Partner with industry on standards

Individual organizations can't solve this alone.

Needed:

• Industry standards for identity verification in deepfake era
• Cross-organization verification protocols
• Shared threat intelligence on deepfake attacks
• Regulatory guidance on legal standards for video evidence

This is infrastructure problem, not individual company problem.

12. Prepare for regulatory changes

Regulations will come (probably after high-profile fraud makes headlines).

Likely requirements:

• Mandatory multi-channel verification for financial transactions
• Disclosure of deepfake fraud incidents
• Minimum security standards for remote identity verification
• Liability frameworks for institutions that fail to verify identity

Organizations that prepare now will comply easily. Those that wait will scramble.

The Broader Implications: When Trust Itself Fails

The Arup case is about $25 million. But the implications go far beyond one fraud.

We're entering an era where:

• Seeing someone's face doesn't prove they're real
• Hearing someone's voice doesn't prove it's them
• Video calls create false confidence in identity
• "Trust your eyes and ears" is now bad security advice

This breaks fundamental human communication assumptions.

For all of human history, if you saw someone's face and heard their voice, you could be reasonably confident it was them. That certainty is gone.

Beyond corporate fraud:

• Can you trust video calls with family members?
• Is that really your friend calling for emergency money?
• Did that politician actually say what's in the video?
• Is the breaking news anchor real or synthetic?

The erosion of trust in audio/visual communication has societal consequences beyond security.

The Legal Impact

Courts rely on:

• Video depositions
• Recorded testimony
• Security camera footage
• Authentication of speakers in recordings

All of this becomes problematic when deepfakes are perfect.

Legal systems will need to establish new standards for evidence authentication in the deepfake era.

The Political Impact

Imagine:

• Deepfake president declaring war
• Synthetic CEO announcing fake acquisition (stock manipulation)
• Fabricated testimony in high-profile trial
• Generated "leaked" executive conversation

The potential for market manipulation, political chaos, and social disruption is enormous.

The Arup $25 million fraud is a preview. The real crisis is when trust in media itself becomes impossible.

The Uncomfortable Truth

Organizations want a technology solution to the deepfake problem. "Install detection software. Train the AI. Filter the fakes."

That's not going to work.

Deepfake generation and deepfake detection are in an arms race. Generators are winning. Every improvement in detection gets incorporated into better generation.

The only sustainable solution is to stop relying on audio and video as proof of identity.

This means:

• More friction in high-value transactions (verification takes time)
• More procedural overhead (multiple channels, physical tokens)
• Less efficiency (delays, approvals, reviews)
• More cost (infrastructure, training, compliance)

Nobody wants this. Organizations optimized for efficiency, not security friction.

But the alternative is Arup-scale fraud becoming routine.

The choice:

• Accept friction and overhead to verify identity properly
• Accept risk of deepfake fraud and plan for eventual breach

There's no third option where you get efficiency, low overhead, AND protection from deepfakes.

When building the CIAM platform, I learned that security and convenience are often inversely correlated. The most secure systems have the most friction.

In the deepfake era, that friction is non-negotiable for high-value operations.

The Bottom Line

An employee at Arup saw executives on video. Heard them speaking. Verified the request through what appeared to be proper channels. Authorized $25 million in transfers.

Every executive was an AI-generated deepfake.

This wasn't a failure of the employee. It was a failure of assumptions. The assumption that video calls prove identity. The assumption that seeing and hearing someone means they're real.

Those assumptions are now liabilities.

For organizations:

• Implement multi-channel verification immediately
• Never trust audio/video alone for high-value requests
• Establish physical token requirements for critical operations
• Build behavioral anomaly detection
• Prepare for regulatory requirements

For individuals:

• Be skeptical of urgent requests via audio/video
• Verify through independent channels before taking action
• Use code words or verification phrases with family
• Understand that perfect deepfakes exist and are accessible

For society:

• Rebuild trust frameworks for digital communication
• Establish legal standards for authenticated video
• Create verification infrastructure that works at scale
• Accept that "trust your eyes" is outdated advice

The deepfake era is here. The technology that enables $25 million fraud is commercially available for a few hundred dollars.

The question isn't whether deepfake fraud will become common. The question is whether organizations will adapt their identity verification before or after they become victims.

Arup learned at $25 million cost. Your organization can learn from them instead.

Identity verification is broken. Seeing is no longer believing. The sooner we accept that, the sooner we can build systems that actually work.

---

Key Takeaways

• Arup lost $25M to perfect deepfake video conference – every "executive" was AI-generated
• Attack cost attackers ~$10K, return $25M (2,500x ROI) – economically inevitable
• Modern deepfakes are real-time, interactive, and indistinguishable from real people
• Voice cloning requires just 3-5 minutes of audio, costs $20-100
• "Seeing is believing" is now a security vulnerability, not verification method
• Training employees to "spot deepfakes" is useless – no reliable tells exist
• Video/voice authentication creates false confidence – actively dangerous
• Multi-channel verification REQUIRED: video request → callback to known number + email confirmation
• High-value operations need physical tokens (hardware keys, smart cards)
• Behavioral anomaly detection can flag unusual requests (urgency + new accounts + large amounts)
• Organizations must rebuild identity verification assuming audio/video can always be faked
• Immediate actions: map audio/video verification points, implement callback procedures, alert high-risk employees
• Long-term: zero-trust for identity verification, never accept single-channel proof
• Broader crisis: trust in audio/visual communication eroding across society, not just corporate fraud

---

Building authentication systems that resist deepfakes? My Customer Identity Hub covers multi-factor authentication, zero-trust principles, and modern CIAM architecture that assumes all biometric channels are compromised.

Deepak Gupta is the co-founder and CEO of GrackerAI. He previously founded a CIAM platform that scaled to serve 1B+ users globally. He writes about AI, cybersecurity, and digital identity at guptadeepak.com.

*** This is a Security Bloggers Network syndicated blog from Deepak Gupta | AI & Cybersecurity Innovation Leader | Founder's Journey from Code to Scale authored by Deepak Gupta - Tech Entrepreneur, Cybersecurity Author. Read the original post at: https://guptadeepak.com/the-25-million-deepfake-why-your-video-calls-can-no-longer-be-trusted/