A Deepfake of Your CEO Just Approved a Wire Transfer

A Deepfake of Your CEO Just Approved a Wire Transfer
The face on the video call is real.
The voice is perfect.
Your finance lead has no reason to doubt it.
That's exactly the problem — and why "seeing is believing" just became the most dangerous assumption in your company.

Picture a Friday afternoon.
Your finance manager joins a video call.
The CFO is there, and so are two colleagues she recognizes — same faces, same voices, same slightly-too-fast way the CFO always talks when a deal is hot.

There's an acquisition in motion, it's confidential, and it needs a series of payments made before the weekend closes the window.
Everything about the call checks out. So she makes the transfers.

Every person on that call except her was a fake.

This is not a hypothetical.
It is almost exactly what happened to the global engineering firm Arup, in a case first reported in early 2024 and now the most-studied corporate deepfake fraud on record.
A finance employee in the Hong Kong office was walked through fifteen separate wire transfers totaling around $25.6 million — on a video call where the CFO and every other "colleague" was an AI-generated deepfake.
She recognized the faces. She recognized the voices.
That recognition is precisely what the attackers were counting on.

If your reaction is "our people are smarter than that," sit with this article for a few minutes. Because the entire premise of the attack is that intelligence and vigilance are no longer enough.

Seeing is no longer believing

For your whole life, a familiar face and a familiar voice have functioned as proof. Your brain treats them as a password it never bothers to check — recognition is the authentication.
Attackers have now learned to forge that password, and the forgery is good enough that humans cannot reliably catch it.

The identity-verification firm iProov ran the test directly: shown a mix of real and deepfaked content, only about 0.1% of people could consistently tell the difference.

Not one in ten. One in a thousand.

Your most skeptical, most detail-obsessed employee is, statistically, going to be fooled by a competent fake — because the unaided human eye and ear are simply no longer adequate instruments for this task.
Telling staff to "look for the glitches" is, at this point, security theater.

And the production cost has collapsed.
Cloning a voice convincingly now takes a few seconds of reference audio — the kind anyone can lift from a conference talk, a podcast appearance, an earnings call, or a LinkedIn video.
Generating a passable video likeness no longer requires a studio or specialist skills. Europol has projected the number of deepfakes circulating online jumped from roughly half a million in 2023 toward the order of millions by 2025.
When something is trivial to produce and nearly impossible to detect by sight, it stops being a novelty and becomes an industry.

This is already happening at scale

The numbers have moved out of "emerging threat" territory and into "this quarter's problem":

  • The FBI attributes roughly $2.77 billion in losses to AI-assisted business email compromise across more than 21,000 incidents in a single year — with deepfake audio and video increasingly bolted onto what used to be text-only scams.
  • Deepfake-enabled voice-phishing ("vishing") calls surged by more than 1,600% in early 2025 versus the prior quarter.
  • In one 2025 survey of 500 security professionals, 85% of organizations reported at least one deepfake-related incident in the previous twelve months. Among those that lost money, the majority lost over $100,000, and nearly a fifth lost $500,000 or more.
  • Group-IB estimates that over 10% of banks have already suffered deepfake vishing losses exceeding $1 million, with an average hit around $600,000.
  • Deloitte's Center for Financial Services projects generative-AI-enabled fraud losses in the US could climb from about $12 billion in 2023 to $40 billion by 2027.

This is not a story confined to giant corporations, either — though they get the headlines.
Arup is a household name in engineering.
Ferrari's CEO Benedetto Vigna was targeted in 2024 by a voice clone over WhatsApp.

WPP, the world's largest advertising group, saw fraudsters attempt a deepfake-video impersonation of its chief executive.
These are the cases we hear about precisely because they involve famous companies.
The thousands of mid-sized firms hit every week don't make the news.
By some estimates, CEO-impersonation fraud now targets hundreds of companies per day.

Why this hunts small and mid-sized businesses

A multinational has a treasury department, layered approvals, and a security team that runs drills.
A 30-person company has a founder, one finance person, and a culture of moving fast and trusting each other — which is wonderful for building a business and catastrophic for resisting this particular attack.

The con doesn't rely on hacking anything.
It runs on three human levers, and smaller teams are exposed to all three:

Authority. The request appears to come from the top.
Junior or solo finance staff are conditioned to act on the boss's word, and questioning it feels socially expensive.

Urgency. "This has to happen in the next hour or the deal collapses."
Pressure compresses the time a person would otherwise use to think — which is the entire point.

Secrecy. "Keep this between us, it's confidential."
This isolates the target from the one thing that would break the spell: a second opinion.

There's no committee to slow things down, the "CEO" plausibly might message you directly about something urgent, and the whole environment is built for speed.
The attackers aren't breaking your technology.
They're exploiting your trust, your hierarchy, and your velocity.

There's a quieter reason, too.
Most companies have spent a decade training employees to spot email phishing — bad grammar, dodgy links, mismatched sender addresses.
Almost none have trained anyone for a phone call or video meeting where the boss looks and sounds exactly right.
Attackers moved to voice and video; defenses mostly stayed in the inbox.
That gap is the whole story.

The recon you're handing them for free

The fraudulent call is the finale, not the beginning.
The preparation runs for weeks, and it relies almost entirely on information companies publish about themselves without a second thought: the org chart on the website, the "meet the team" page, executives' conference talks and podcast clips, recorded webinars, LinkedIn posts naming who reports to whom, and the vendor logos that reveal who you pay.

From that, an attacker assembles everything needed for a convincing performance — who can authorize a payment, who they'd plausibly take orders from, what a real internal request sounds like, and which supplier relationship to impersonate.
None of this requires a breach.
You're the unwitting source.

That's not an argument for going dark; visibility has real marketing value.
It's an argument for assuming the raw materials for an impersonation of your leadership already exist — and defending accordingly.

The defense isn't better eyes. It's a better process.

Here's the genuinely reassuring part: since humans can't reliably detect a deepfake, the fix is to design a process where detection is never required.
Almost none of it costs money.

1. Mandate second-channel verification for money and access.
Any request to move funds, change payment or bank details, or reset credentials — arriving by call, video, email, or chat — must be confirmed through a different, pre-agreed channel before anything happens.
The CFO "called"?
You hang up and call back on their known internal number.
The rule is absolute and applies to everyone, including the founder, no matter how urgent.
A real executive will respect it.
A fake one cannot survive it.

2. Use a verbal challenge or safe word.
This is the move that actually saved Ferrari: the targeted executive asked the "CEO" a personal question only the real person could answer.
The attacker couldn't, and the call ended.
Agree in advance on a challenge question or passphrase for high-stakes requests.
It is the cheapest, most effective control you can deploy this week.

3. Treat urgency + secrecy as the alarm itself.
Train everyone that the combination of "do it now" and "tell no one" is not a sign of importance — it is the signature of the attack.
That pairing should increase scrutiny, not suppress it.

4. Harden the payment workflow.
Require dual authorization above a threshold.
Mandate out-of-band confirmation for any new payee or changed bank account — the most common payload of these scams is a quietly altered set of account details. Set limits that force a human pause for large or unusual transfers.

5. Build a no-blame verification culture.
This is the one that decides everything.
An employee who slows a payment to verify — even when the request turns out to be genuine, even when it's the boss asking — did exactly the right thing and must be thanked, never made to feel foolish.
The instant people fear embarrassment for double-checking, you have handed the attacker their victory.

6. Train and drill for voice and video, not just email.
Run consented simulations.
Rehearse the call-back.
Find out where your real escalation path breaks before an attacker does.

The insurance market has already read the trend.
Carriers increasingly treat deepfake-driven wire fraud as a named category with its own sub-limits, and many now require call-back or voice-authentication protocols on large transfers as a condition of coverage — the same way multi-factor authentication became mandatory after the ransomware wave.
Expect this to become a universal baseline, not an option.

Your next 30 days

You don't need a budget or a new platform to start. You need decisions:

  • Write a one-page rule: no funds move, and no credentials change, on the basis of a call, video, or message alone — verification on a separate known channel, always.
  • Agree a challenge phrase for your leadership team.
  • Add an out-of-band confirmation step for any new or changed payee.
  • Tell every employee, in plain words, that verifying a request — including one from the founder — will always be praised, never punished.
  • Run one practice drill.

That's a meaningful defense built in a week, for the cost of a meeting.

How we think about it at BuonaLabs

Security isn't a product you buy and bolt on; it's a set of habits and workflows designed into how your business actually runs.
When we build internal tools, approval flows, and finance processes for clients, verification steps for anything sensitive are part of the architecture — not a sticky note someone ignores under pressure.
The goal is a system where doing the safe thing is the path of least resistance, so a stressed employee on a Friday afternoon doesn't have to be a security expert to be protected.

The uncomfortable truth of 2026 is that your CEO's face and voice are now public, cloneable, and no longer proof of anything.

That should sharpen your attention — but it should not frighten you into paralysis, because the fix is squarely within reach and mostly free.

The companies that get hit are the ones still trusting a familiar face on a screen. The companies that don't are the ones who decided, in advance, that trust is verified, not assumed.

Seeing is no longer believing. Build like you know it.