How the Attack Was Executed

It all started with an email. The finance worker at Arup's Hong Kong office received a message from what appeared to be the company's CFO, instructing them to process a confidential financial transaction.

Skeptical at first, the employee hesitated. But what happened next changed everything.

The fraudsters arranged a video call, and on the screen, the finance worker saw and heard the company's CFO—alongside what appeared to be other senior executives. The conversation was fluid, professional, and completely convincing.

What the finance worker didn't know was that every person in that meeting was fake. The criminals had used deepfake technology to generate lifelike AI replicas of Arup's executives, tricking the employee into thinking the request was legitimate.

Believing the CFO's request was real, the finance worker transferred $25.6 million to five bank accounts. By the time Arup's headquarters realized the fraud, the money was gone.

Why Are Deepfake Scams on the Rise?

Deepfake technology isn't just a futuristic concept—it's here, and it's getting dangerously sophisticated.

High accessibility to AI tools makes it easy for anyone to create highly realistic deepfake videos. Open-source AI models and applications allow cybercriminals to replicate faces and voices with increasing accuracy.

AI-powered social engineering enables attackers to use generative adversarial networks to clone voices and faces from publicly available footage. By manipulating this data, they can produce fake but convincing interactions that deceive employees into taking harmful actions.

Business email compromise techniques are evolving. Traditional phishing and email fraud are being replaced with AI-enhanced deception methods. Attackers no longer rely on fake emails alone—they can now create realistic, interactive video calls to manipulate victims.

Deepfake scams like this prove that cybercriminals no longer need to just send emails—they can impersonate real people in live meetings.

The Business Impact of the Attack

The consequences of this AI-powered scam were severe:

• The company lost $25.6 million in one of the largest known deepfake-related financial frauds.
• Arup's internal security protocols came under scrutiny, affecting trust in their cybersecurity measures.
• Regulatory concerns grew as authorities investigated how such a breach could occur.
• Businesses worldwide took this as a wake-up call, leading to increased investments in security and awareness training.

This wasn't just a financial loss—it was a new milestone in the evolution of cybercrime.

How to Defend Against Deepfake Fraud

Defending against AI-driven deception is not just a technology problem—it requires strong policies, employee training, and advanced detection tools.

Here's what businesses can do right now:

• 
  Train employees to identify deepfake scams. Cybercriminals prey on trust. Employees need regular training on how to recognize deepfake manipulation, suspicious requests, and AI-driven fraud techniques.
• 
  Enhance cybersecurity with AI-detection tools. Security teams must invest in AI-powered threat detection that can spot deepfake-generated content, audio impersonation, and phishing emails.
• 
  Adopt a zero-trust approach. Organizations should enforce multi-factor authentication, access control policies, and privileged identity management to limit exposure to fraud.

How ZiSoft Can Help Businesses Fight Deepfake Scams

One of the biggest weaknesses in cybersecurity is human error. That's why security awareness training is crucial. ZiSoft is a cutting-edge security awareness platform that helps companies train employees to recognize, avoid, and report advanced cyber threats like deepfake fraud.

• 
  Simulated phishing and deepfake attack training. ZiSoft allows businesses to test employees with realistic attack scenarios, helping them build instinctive detection skills.
• 
  AI-driven security education. Employees get up-to-date training on how deepfake scams work, using engaging interactive lessons.
• 
  Customizable security awareness programs. ZiSoft helps organizations tailor security awareness strategies based on industry threats—whether it's BEC fraud, deepfakes, or AI-generated phishing attacks.
• 
  Advanced behavioral tracking and reporting. HR and IT teams can monitor employee awareness progress, helping them identify vulnerabilities and strengthen security culture.