In early 2024, Arup, the multinational firm behind the Sydney Opera House, fell victim to a sophisticated scam. An employee in the Hong Kong finance department was tricked into sending HK$200 million to scammers.
The attackers didn't just use a fake email: they staged a live video conference where every other participant (including the UK-based CFO) was a deepfake clone created using AI.
The victim was initially suspicious of a phishing email. However, the scammers invited the victim to a video call. Seeing familiar faces and hearing familiar voices in a group setting lowered the victim's defenses completely. This is known as a Deepfake attack.
A finance employee receives a phishing email from the "CFO" regarding a confidential transaction. The employee is suspicious.
To prove legitimacy, the employee is invited to a video conference. They join a call with several "colleagues" and the "CFO." All are AI-generated deepfakes based on public YouTube/social media footage.
Under pressure from the "executives" on the call, the employee authorizes 15 transfers totaling $25.6 million USD to five different bank accounts.
The employee checks with the actual headquarters. No such transaction existed. The fraud is revealed.
You are the Finance Manager at Arup HK. Can you spot the scam, or will you lose the money?
INCOMING EMAIL FROM: cfo.office@arup-internal-secure.com
SUBJECT: Secret Acquisition - Urgent
"We need to discuss a confidential merger. Please join the secure video room immediately."
These steps could have prevented the Arup loss.
If a request comes via Email/Video, verify it via a different channel (e.g., call their internal desk phone).
Establish a secret phrase with your team for urgent money transfers. An AI voice clone won't know the code.
Policy Change: No single employee should have the authority to wire large sums (>$10k) without a second human signature.
Train eyes to look for unnatural blinking, lip-sync errors, or blurry hairlines during video calls.
Scammers rely on urgency. If someone demands "Immediate Action" for money, pause and investigate.
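The controls above, applied as an automated hold check to the simulated email, as an added example that is not part of the original page. The trusted domain `arup.com`, the keyword list, and the `TransferRequest` fields are assumptions made for illustration; the secret-phrase and visual-inspection controls are human checks and are not modeled.

```python
import re
from dataclasses import dataclass, field

# Assumptions for this example (not from the page): trusted domain list,
# brand token and keyword list are illustrative.
TRUSTED_DOMAINS = {"arup.com"}
BRAND_TOKEN = "arup"
PRESSURE_TERMS = re.compile(r"\b(urgent|immediate(ly)?|secret|confidential)\b", re.I)
DUAL_CONTROL_THRESHOLD = 10_000  # the page's ">$10k" rule


@dataclass
class TransferRequest:
    sender: str
    subject: str
    body: str
    amount: float
    approvers: set = field(default_factory=set)  # distinct human approvers
    callback_verified: bool = False              # confirmed on a second channel


def hold_reasons(req: TransferRequest) -> list:
    """Return every reason the request must be held; an empty list means release."""
    reasons = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    trusted = any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not trusted:
        # A brand name inside an untrusted domain is a lookalike, not a subdomain.
        kind = "lookalike" if BRAND_TOKEN in domain else "external"
        reasons.append(f"{kind}-sender-domain:{domain}")
    if PRESSURE_TERMS.search(f"{req.subject} {req.body}"):
        reasons.append("pressure-language")
    if not req.callback_verified:
        reasons.append("no-out-of-band-verification")
    if req.amount > DUAL_CONTROL_THRESHOLD and len(req.approvers) < 2:
        reasons.append("dual-authorization-missing")
    return reasons


# Constructed sample: the simulated email on this page plus the reported total.
SIMULATED = TransferRequest(
    sender="cfo.office@arup-internal-secure.com",
    subject="Secret Acquisition - Urgent",
    body="We need to discuss a confidential merger. "
         "Please join the secure video room immediately.",
    amount=25_600_000,
    approvers={"finance.employee"},
)

if __name__ == "__main__":
    for reason in hold_reasons(SIMULATED):
        print("HOLD:", reason)
```

A convincing video call changes none of these inputs, so the request stays held until a callback and a second approver are recorded.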
1. Why did the employee authorize the transfer despite initial suspicion?
2. How did scammers create the deepfakes?