The CFO calls you. The CEO is on video. The entire executive team is there. They want you to wire $25 million. Now. It's a legitimate video call. The faces move. The voices sync. The background is the actual office. So you transfer the money. Then you find out: none of it was real. Welcome to the era of deepfake CEO impersonation. The $25.6M Arup Case in 2026, a finance worker at Arup—global engineering firm with 18,000 employees—received a message from the company's "CFO" inviting him to a video conference. He joined. On screen: the CFO and several other executives. They discussed a "confidential acquisition" that required immediate payment to an offshore account. It looked real. It sounded real. The faces moved naturally. The executives discussed details only insiders would know. The worker transferred $25.6 million USD. Then reality hit: it was all AI-generated. Deepfakes. Every person on that call. Every word. Every "executive." The money? Gone. How It Works: BEC on Steroids This is Business Email Compromise (BEC) on a whole new level. Traditional BEC: Scammer sends email from "CEO" demanding wire transfer. Sometimes they spoof the email. Sometimes they compromise the account. Employee thinks: "This is weird." They might call to verify. Or they notice the email domain is slightly off. Deepfake BEC: Scammer creates AI-generated video + voice of multiple executives. They schedule a "meeting" on Teams/Zoom. Employee sees: "The CEO is literally right there. So is the CFO. And the general counsel." They don't question it. They don't verify. They transfer. The Technology Pipeline Here's what scammers do: Data Collection Scrape executive footage: YouTube interviews, conference presentations, public speaking events Harvest audio: Podcasts, earnings calls, internal videos (if leaked) Gather context: Company news, acquisition targets, recent projects Model Training Face cloning: Train diffusion models on executive facial data Voice synthesis: Match timbre, cadence, speech patterns Context modeling: Learn how executives speak, pause, react Video Generation Real-time rendering: Generate deepfake video that responds in real-time Multi-person orchestration: Coordinate multiple AI personas simultaneously Background recreation: Use company office footage for authenticity The Call Urgency framing: "Confidential deal. Time-sensitive. Cannot discuss outside this call." Social proof: Multiple "executives" reinforce each other Authority pressure: "The CEO is telling you to do this. Why are you hesitating?" Real-World Examples Beyond Arup Arup isn't alone: WPP (Ad Giant): Scammers impersonated CEO Mark Read in video calls, attempted transfers in millions Ferrari: Deepfake executives demanded urgent payments to vendors Wiz (Cloud Security): AI-generated CFO and executives tried to authorize transfers LastPass: Attackers used deepfake video calls to access internal systems Hong Kong Multi-Person Conference: Multiple deepfake "executives" coordinated to scam $20M Some got stopped. Employees asked verification questions. They noticed subtle glitches. Most didn't. The Scale: Nearly 60% of Companies Hit This isn't a handful of isolated cases. According to a 2026 enterprise security survey by 451 Research / S&P Global, deepfake attacks have reached epidemic proportions in the corporate world: 58% of organizations have faced deepfake attacks 48% report measurable reputational damage from AI-generated impersonation Average loss from successful attacks exceeds $2.4 million Detection rate for sophisticated deepfakes is below 30% 28% of breaches still involve human error—deepfakes exploit trust directly Beyond the headline CEO scams, attackers deploy multiple vectors: Vendor Fraud: Fake video messages from supposed business partners requesting payment redirects Employee Recruitment: Deepfakes of executives used in recruitment scams to damage employer brand or enable espionage Board Manipulation: AI-generated video of fake executive statements influencing investment and acquisition decisions The corporate world was built on the assumption that "seeing is believing." Deepfakes have shattered that contract—and companies didn't consent to the change. The "Artiphishul" Connection Here's the core problem: Executives didn't consent to having their faces and voices cloned. A CEO gave a TED talk. It's on YouTube. Anyone can download it. A CFO appeared in a company video. It's publicly accessible. Scammers scraped it all. Trained AI. Weaponized it. Nobody asked these executives: "Is it okay if criminals clone your identity to steal $25 million?" But the data was public. So they took it. This is the pattern: public availability ≠ consent to weaponize. Why This Is So Effective Visual Confirmation Bias We trust what we see. Video calls feel "real" in a way emails don't. If I see someone's face, I assume they exist. Authority Cascading Multiple "executives" reinforce each other. "The CEO says it's urgent." "The CFO confirms." "Legal is on board." It's harder to doubt consensus. Emotional Override When your "boss" is demanding something, the default response is compliance. Especially when they frame it as critical business. Technical Sophistication Deepfakes are getting scary good. Micro-expressions. Natural blinking. Proper lip sync. The glitches that once gave them away are disappearing. How Companies Can Fight Back Immediate Protections Verification protocols: Require out-of-band confirmation for any payment over $10,000. Call the executive's known number. Challenge phrases: Establish secret phrases for high-value transactions. "If this is real, what's our quarterly password?" Multi-person approval: No single person can authorize transfers. Minimum two unrelated sign-offs. Video call recording: Record all executive video calls for forensic analysis. Technical Defenses Deepfake detection tools: Deploy AI that identifies synthetic video and audio Watermarking: Add inaudible markers to legitimate video calls that AI can't replicate Liveness detection: Verify real human presence via movement challenges or biometric checks Metadata verification: Verify video call authenticity through cryptographic signatures Policy Changes Reduce executive footage online: Limit public appearances, especially uncontrolled environments Internal communication policies: Establish secure channels that can't be spoofed Incident response plans: Have protocols for when deepfake impersonation is suspected What They Won't Do (Because It Costs Money) AI source watermarking: Require all AI-generated content to be traceable to its source Consent-based training: Prohibit training models on public executive data without explicit permission Platform-level detection: Zoom/Teams could flag AI-generated video calls automatically Rapid response databases: Share deepfake signatures across companies for early warning Will they do this? Maybe. After enough companies lose $25 million. The Individual Impact If you're an employee: Trust nothing: Even if it looks like your boss, even if they're on video Verify separately: Use known phone numbers, not the one in the "meeting" Question urgency: Real deals can wait 10 minutes for verification Report suspicious calls: Immediately alert security and IT If you're an executive: Reduce public footage: Every video you post is training data for scammers Warn your teams: Tell them you'll never demand urgent payments on video Use verification codes: Establish phrases that prove you're real The Broader Pattern This is just AI-powered identity theft. Today it's CEOs. Tomorrow: Doctors: Deepfake physicians prescribing treatments Politicians: Fake candidates spreading misinformation Lawyers: Synthetic attorneys giving fake legal advice Law enforcement: Impersonated officers demanding compliance The technology exists now. The attacks are happening now. The question is: who owns your face? Your voice? Your identity? Corporations say: "Public data is free data." We say: They didn't ask. Take Action Share this with your workplace: Every finance and executive team needs to know Establish verification protocols: Do it before you get scammed, not after Reduce your digital footprint: Less public footage = less training data for scammers Use detection tools: Check out our Media Forensics Tool Stay informed: Join our community for updates on AI safety --- Related: AI-Enhanced Phishing Scams Deepfake Celebrity Crypto Scams Data Removal Guide