The Deepfake That Stole $25 Million in a Single Day – And Nobody Noticed Until It Was Too Late

This article is based on verified public records, Hong Kong police reports, Arup’s confirmed public statements, and documented cybersecurity research. All figures are verified.

It started with an email. A routine message, apparently from the CFO, asking a finance employee to arrange some payments. The employee was skeptical: the request felt unusual.

Then the video call happened. And the skepticism dissolved.

On screen: the CFO. Colleagues. Familiar faces in a familiar meeting format. The CFO confirmed the instructions directly. Everything looked right. Everything sounded right.

The employee made 15 transactions totaling $25 million to five local bank accounts. It was only later, when the employee checked with head office, that the fraud was identified.

Every person on that video call was fake. Every voice was synthesized. Every face was AI-generated in real time. And by the time anyone realized what had happened, $25 million was gone.

What Actually Happened

In January 2024, the Arup deepfake attack became one of the largest AI-powered financial frauds ever documented. Hong Kong police reported the attack in February 2024, though Arup, a global engineering firm with 18,500 staff worldwide, did not publicly identify itself as the victim until May 2024.

Attackers executed a highly convincing deepfake scam against Arup, leading to 15 fraudulent transfers totaling $25.6 million in a single day. A finance employee in Hong Kong received a phishing email impersonating the CFO, followed by a video call where every participant was an AI-generated executive. The employee authorized the transfers under perceived executive direction.

Initially, the staff member was hesitant about the legitimacy of the email. The supposed CFO confirmed the payment instructions via video conference, which removed that hesitation entirely.

The attack worked precisely because it overcame the employee’s instinct that something was wrong. The video call wasn’t just a technical achievement. It was a social engineering masterpiece using deepfake technology to neutralize the one safeguard that might have stopped it: human judgment.

The fraud was discovered through standard post-transaction follow-up. The finance employee contacted Arup’s actual corporate headquarters to discuss the transaction — and executives immediately stated they had authorized no such meeting and had no knowledge of any video conference. This discrepancy immediately revealed the fraud.

The Money Is Still Missing

As of early 2025, none of the stolen funds have been recovered. The investigation remains ongoing with Hong Kong police. No arrests have been announced, and no perpetrator has been publicly identified.

That outcome ($25.6 million stolen, zero recovered, zero arrested) is the part of this story that the financial industry found most alarming. It wasn’t just that the attack succeeded. It was that success appeared to be permanent.

This Wasn’t an Isolated Incident

The Arup case is the most documented deepfake fraud on record, but it sits inside a trend that is accelerating at a rate that should concern every organization that moves money.

Financial losses from deepfake-enabled fraud exceeded $200 million in the first quarter of 2025 alone. CEO fraud now targets at least 400 companies per day using deepfakes. More than 10% of companies have dealt with attempted or successful deepfake fraud, with damages from successful attacks reaching as high as 10% of annual profits.

In 2025, deepfakes were linked to 20% of all biometric fraud attempts, a number expected to climb significantly in 2026. AI document forgery is up 1,600% since 2021, with fraudsters submitting AI-altered documents to open fake accounts.

Only 3 seconds of audio is required to generate an 85% accurate voice clone. Recorded video deepfakes climbed from 33% of organizations encountering them in 2024 to 46% in 2025. Live video manipulation increased from 30% to 41% year-over-year.

The technology required to replicate the Arup attack in 2026 is cheaper, faster, and more accessible than it was when the original attack occurred. The barrier to entry for this class of fraud has dropped dramatically in eighteen months.

Why Traditional Security Failed, and Keeps Failing

The Arup attack succeeded despite the employee’s initial skepticism because it targeted the one verification method organizations had always trusted as unfakeable: seeing and hearing a known person in real time.

Traditional fraud detection is predictable and point-in-time. Deepfake scammers can anticipate and bypass each checkpoint. Deepfakes can be prevented by making biometric authentication persistent throughout a user’s entire session, not just at a single verification point.

According to cybersecurity firm Proofpoint, 99% of organizations monitored in 2024 were targeted for account takeovers, and of those, 62% experienced at least one successful takeover.

The average loss per financial sector company from deepfake fraud is more than $600,000, with 23% of financial services organizations reporting losses exceeding $1 million.

What Changed After: In the Industry, Not Just at Arup

The Arup case forced a conversation that the financial and corporate security industry had been avoiding: video verification is no longer a reliable safeguard on its own.

Banks in 2026 are implementing deepfake detection technology, enhanced biometric authentication, and multi-modal verification systems. Systems will read depth, heat, and micro-motion to detect fake visuals. Voice authentication tools will sense breath and vibration patterns to identify voice clones.

A 2025 iProov study found that only 0.1% of participants correctly identified all deepfake content they were shown, meaning human detection alone is effectively useless against modern deepfake quality.

The response that works isn’t training people to spot deepfakes better. It’s removing the possibility of any single person authorizing a large transfer based on a video call alone, regardless of who appears to be on screen.

Deepfake attempts in the United Kingdom increased by 94% in 2025 alone. Fraud losses from generative AI are expected to rise from $12.3 billion in 2024 to $40 billion by 2027, growing at a 32% annual rate.

The Warning That Applies to Everyone

The Arup attack is a corporate story. But the mechanics (voice cloning, video impersonation, social engineering layered on top of AI) are now deployed against individuals too.

1 in 10 adults have been personally targeted by an AI voice scam. 77% of victims targeted by a voice clone who confirmed financial loss reported losing money.

The practical defense at every level (individual, organizational, financial institution) comes down to one principle the Arup case illustrates perfectly: never authorize a financial transaction based solely on a video or voice call, regardless of who appears to be asking.

The call that looks most legitimate is the one most worth verifying through a completely separate channel.
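
The two controls described above (no single person releasing a large transfer, and confirmation through a separate channel) can be written as a payment-release gate. This is an added illustration, not code from Arup or any cited vendor; the threshold, field names, channel labels and sample amounts are assumptions made for the example.

```python
from dataclasses import dataclass, field

DUAL_CONTROL_THRESHOLD = 250_000  # assumed policy value, not from the article

@dataclass
class PaymentRequest:
    amount: int
    requester: str                      # employee keying the payment
    requested_via: str                  # channel the instruction arrived on
    approvers: set = field(default_factory=set)
    # (channel, initiated_by_us): True only if staff started the contact
    # using details already on file, not details supplied in the request.
    confirmations: list = field(default_factory=list)

def release_decision(req, released_today=0):
    """Return (allowed, reasons) for one payment; released_today is the sum
    already released for this requester today, so splitting one large sum
    into many transfers does not stay under the threshold."""
    reasons = []
    independent = [ch for ch, ours in req.confirmations
                   if ours and ch != req.requested_via]
    if not independent:
        reasons.append("no out-of-band confirmation initiated by us")
    if released_today + req.amount >= DUAL_CONTROL_THRESHOLD:
        second_parties = req.approvers - {req.requester}
        if len(second_parties) < 2:
            reasons.append("dual control: two approvers other than requester")
    return (not reasons, reasons)

# Constructed sample shaped like the incident: email request, then a video
# call arranged by the other side, one employee acting alone.
arup_like = PaymentRequest(
    amount=1_700_000, requester="finance_employee", requested_via="email",
    approvers={"finance_employee"},
    confirmations=[("video_call", False)])

# Same payment after a call placed by staff to a number on file, plus two
# independent approvers.
verified = PaymentRequest(
    amount=1_700_000, requester="finance_employee", requested_via="email",
    approvers={"finance_employee", "controller", "treasury_lead"},
    confirmations=[("video_call", False), ("phone_callback", True)])

if __name__ == "__main__":
    print(release_decision(arup_like))
    print(release_decision(verified))
```

The inbound video call never counts as confirmation, however convincing it is, because the gate looks only at who initiated the contact and on which channel.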

The $25 million is still missing. The lesson doesn’t have to cost that much.

Note: This article covers documented fraud cases for educational and awareness purposes. If you suspect deepfake fraud targeting your organization, contact your financial institution and relevant authorities immediately.

© AiwalaNews | Global Tech & Privacy Edition | May 2026
