"I Thought It Was My Boss." How an AI Ghost Stole $25 Million Over a Single Video Call.
Published on September 28, 2025 by MoreMeets Team

In February 2024, the business world was shaken by a story straight out of a science fiction movie. A finance employee at the multinational firm Arup received an email from his Chief Financial Officer, requesting his presence on a video call to discuss a confidential transaction. When he joined, he saw his CFO and other colleagues on the screen. They looked and sounded exactly as they should. They instructed him to process a series of urgent transfers totaling HK$200 million (US$25.6 million). He complied.
The only problem? The people on the call were not his colleagues. They were AI-generated deepfakes. This incident represents a terrifying new frontier in financial fraud. Traditional cybersecurity measures are useless against a threat that so perfectly mimics trusted human leadership. The Arup case proves that in the age of AI, the last line of defense is no longer technology, but a rigorously enforced, human-centric operational process.
Failure Point 1: The Single Point of Failure
The entire scam hinged on convincing a single employee to act alone based on a single, albeit highly convincing, communication channel. The process relied on perceived authority, not procedural verification.
Procedural Intervention: Dual Control SOP
Dual control is a foundational principle in finance. Our High-Value Transaction SOP mandates that all transactions over a pre-defined threshold (e.g., $100,000) require independent electronic approval from two authorized signatories from different departments. A deepfake could fool one person, but it cannot also obtain a second, separate approval from a different signatory on a separate system at the same time.
Failure Point 2: Lack of Out-of-Band Verification
The employee was kept within the scammer's controlled environment (the fake video call). There was no procedural requirement to verify such an unusual and urgent request through a separate, secure communication channel.
Procedural Intervention: Mandatory Verification Call
The same SOP would require the employee, upon receiving such a request, to make a simple voice call to the CFO's pre-registered, trusted mobile number to verbally confirm the transaction details. This simple step breaks the scammer's digital control and would have instantly exposed the fraud. The key is that the verification happens outside the channel of the initial request.
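The two interventions above, combined into a single payment release gate. This is an added example, not part of the original article or of the SOP it describes: the signatory directory, phone number and all names are constructed for illustration, and the threshold is the article's $100,000 example.

```python
"""Release gate for high-value transfers: dual control plus out-of-band callback."""
from dataclasses import dataclass, field

THRESHOLD = 100_000  # example threshold from the article

# Constructed sample data: signatory -> department, and pre-registered numbers.
SIGNATORIES = {"a.chan": "treasury", "b.lee": "treasury", "c.wong": "legal"}
TRUSTED_NUMBERS = {"cfo": "+852 5550 0101"}


@dataclass
class TransferRequest:
    amount: float
    claimed_requester: str                       # who the request says it is from
    approvals: set = field(default_factory=set)  # signatory ids that approved
    number_dialed: str = ""                      # number the employee actually called
    confirmed_on_call: bool = False              # requester confirmed details verbally


def release_blockers(req: TransferRequest) -> list:
    """Return the reasons a transfer may not be released (empty list = release)."""
    if req.amount <= THRESHOLD:
        return []
    blockers = []
    # Dual control: two authorized signatories from different departments.
    valid = {s for s in req.approvals if s in SIGNATORIES}
    departments = {SIGNATORIES[s] for s in valid}
    if len(valid) < 2 or len(departments) < 2:
        blockers.append("dual control: need two signatories from different departments")
    # Out-of-band check: only the pre-registered number counts, never a number
    # supplied in the request itself (email, chat or the video call).
    trusted = TRUSTED_NUMBERS.get(req.claimed_requester)
    if trusted is None or req.number_dialed != trusted:
        blockers.append("verification: call must go to the pre-registered number")
    elif not req.confirmed_on_call:
        blockers.append("verification: requester did not confirm the transfer")
    return blockers


if __name__ == "__main__":
    # The scenario in the article: one employee, no second approver, no callback.
    for reason in release_blockers(TransferRequest(25_600_000, "cfo")):
        print("BLOCKED:", reason)
```

The gate returns reasons instead of a boolean so that a blocked transfer can be logged with the control that stopped it.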
Conclusion: Process is Your Best Defense Against Advanced Threats
As technology evolves, so do the threats. The emergence of convincing deepfakes means that "seeing is believing" is no longer a safe assumption in business. The only true defense is a robust, disciplined, and consistently enforced operational process that removes single points of failure and builds a culture of verification. Explore the control principles in our Enterprise Risk & Cybersecurity Pack to build a financial system resilient enough for the AI age.

