The Arup Deepfake Scam (2024)

The moment "Seeing is Believing" became a lie.

A finance employee joined a video call with their CFO and coworkers. But none of them were real.

$25 Million Stolen
0 Humans on Call


🤖 The Weapon: AI

Attackers used publicly available videos of Arup executives to create Deepfake avatars. They mimicked the voices and faces perfectly in real time.

🎣 The Target: Humans

No firewalls were breached. No passwords were cracked. The attackers hacked the employee's trust by making the scam look incredibly realistic.

🌍 The Warning

This incident proves that video calls can no longer be trusted blindly. If it can happen to a global engineering firm, it can happen to anyone.

The $25 Million Video Call

Jan 2024

The Setup

A Hong Kong finance employee receives an email from the "CFO" (UK-based) regarding a "Secret Acquisition." It requests a secure video conference.

Feb 2024

The Call

The employee joins the video call. They see the CFO and other colleagues. Everyone looks real. They instruct the employee to transfer funds urgently.

The Execution

15 Transfers

The employee, initially suspicious, is reassured because they "saw" their boss. They make 15 transfers totaling HK$200 million ($25M USD) to scam accounts.

Late Feb 2024

The Discovery

Arup HQ notices the missing money. They confirm: No such video call ever happened. The employee was the only real human on the line.

The Mechanics of a Deepfake

1. Source Material

AI needs data to learn. The scammers downloaded YouTube videos, conference talks, and news clips of the Arup executives to train the AI on their faces and voices.

2. Real-Time Generation

Using tools like Stable Diffusion or specialized voice cloning software, the scammers projected these AI faces onto themselves during the live Zoom/Teams call.

3. Social Engineering

The tech wasn't perfect. To hide glitches, they likely claimed "bad connection" or kept the meeting short. They used authority and secrecy to stop the victim from thinking critically.

Consumer Defense: When Reality is Fake

You might not transfer $25M, but scammers use this same tech to fake "Grandma in trouble" calls. Here is how to verify reality.

🔐 1. The "Safe Word"

Establish a secret code word or phrase with your family and close colleagues. If you get a video call asking for money, ask for the code. AI won't know it.

📞 2. Call Them Back (Out-of-Band)

If your "Boss" calls you on Teams asking for money, hang up. Call their actual mobile number, the one you already have on file, not one supplied during the call or in the email. Verify the request through a second channel.

3. Break the Urgency

Scams rely on speed ("Do it NOW!"). Pause. Ask a personal question that isn't on the internet (e.g., "What did we eat for lunch yesterday?").

🕵️ 4. Spot the Glitches

Current Deepfakes struggle with blinking, precise lip-syncing, and lighting changes. If the video looks slightly "uncanny" or robotic, trust your gut.
