The $25 Million Deepfake: Why Your Video Calls Can No Longer Be Trusted
<p><img decoding="async" src="https://images.unsplash.com/photo-1568777984968-2ce482b45aaa?crop=entropy&cs=tinysrgb&fit=max&fm=jpg&ixid=M3wxMTc3M3wwfDF8c2VhcmNofDN8fGRlZXBmYWtlfGVufDB8fHx8MTc3NDIxODE5M3ww&ixlib=rb-4.1.0&q=80&w=2000" alt="The $25 Million Deepfake: Why Your Video Calls Can No Longer Be Trusted"></p><p>The finance manager at Arup, a global engineering firm, joined what appeared to be a routine video conference in September 2025.</p><p>The CFO was on the call. So were several colleagues from the London office. The video quality was perfect. The audio was crisp. Everyone looked and sounded exactly right.</p><p>The CFO explained that the company needed to execute several urgent wire transfers for a confidential acquisition. The amounts were large but not unprecedented for a firm of Arup's size. The colleagues confirmed the details. Everything followed proper procedures.</p><p>The finance manager, following what seemed like clear instructions from verified executives on a video call, authorized multiple wire transfers totaling <strong>$25 million</strong>.</p><p>Every single person on that call was an <a href="https://www.weforum.org/stories/2025/02/deepfake-ai-cybercrime-arup/" rel="noreferrer">AI-generated deepfake</a>.</p><p>Not one human. Not one real executive. Not one legitimate instruction.</p><p><strong>$25 million gone because "I could see them on video" no longer means "they're real."</strong></p><p>After building authentication systems for a CIAM platform that verified over a billion user identities, I thought I understood the fundamentals of identity verification. Something you know (password). Something you have (token). Something you are (biometric).</p><p>But here's what the Arup case proved: <strong>"something you are" is no longer something you are</strong>. Your face can be generated. Your voice can be cloned. Your video presence can be synthesized in real-time.</p><p>The foundation of identity verification just collapsed. 
And most organizations haven't noticed yet.</p><p>Let me show you why this isn't just about deepfakes, it's about the fundamental breakdown of how we verify identity in the modern enterprise. And what needs to change before your organization becomes the next $25 million lesson.</p><h2 id="how-the-arup-attack-actually-worked">How the Arup Attack Actually Worked</h2><p>The details of the Arup fraud matter because they reveal how sophisticated these attacks have become.</p><p>Here's what we know happened:</p><h3 id="phase-1-intelligence-gathering">Phase 1: Intelligence Gathering</h3><p>Before the attack began, someone did extensive research on Arup:</p><ul> <li>Organizational structure (who reports to whom)</li> <li>Key personnel (names, roles, responsibilities)</li> <li>Communication patterns (how does the finance team interact with executives)</li> <li>Previous transactions (what kinds of transfers are normal)</li> <li>Visual and audio profiles (what do these people look and sound like)</li> </ul><p><strong>Sources for this intelligence:</strong></p><ul> <li>LinkedIn profiles (organizational hierarchy, recent posts)</li> <li>Corporate website (executive bios, photos)</li> <li>Conference videos (speaking style, mannerisms, voice patterns)</li> <li>Publicly available annual reports (business operations, deal patterns)</li> <li>Social media (personal accounts revealing additional context)</li> </ul><p>None of this required hacking. It was all publicly available.</p><p>When building the CIAM platform, I always told clients: <strong>assume attackers know everything that's public</strong>. 
The Arup case shows they're now using that information to generate perfect replicas.</p><h3 id="phase-2-deepfake-generation">Phase 2: Deepfake Generation</h3><p>Using the gathered intelligence, attackers created deepfakes of:</p><ul> <li>The CFO (video and audio)</li> <li>Multiple colleagues (video and audio)</li> <li>Realistic background environments (office settings)</li> </ul><p><strong>The technology isn't science fiction anymore:</strong></p><ul> <li>Real-time video synthesis (ElevenLabs, Synthesia, HeyGen)</li> <li>Voice cloning from minutes of audio samples</li> <li>Facial animation that matches speech perfectly</li> <li>Background generation that looks like real offices</li> </ul><p>The cost? <strong>A few hundred dollars worth of commercial AI services.</strong></p><p>The skill required? <strong>Moderate technical knowledge, not expert-level.</strong></p><p>The time investment? <strong>Days, not months.</strong></p><p>This isn't nation-state capability. This is accessible to organized crime.</p><h3 id="phase-3-social-engineering-setup">Phase 3: Social Engineering Setup</h3><p>The attackers didn't start with "$25 million wire transfer."</p><p>They built credibility first:</p><ul> <li>Initial "meeting" was about routine business review</li> <li>Early requests were for information, not action</li> <li>Communication style matched known executive patterns</li> <li>Topics referenced real company initiatives</li> </ul><p><strong>This is sophisticated social engineering:</strong></p><ul> <li>Establish normalcy before making unusual requests</li> <li>Build trust through familiar interactions</li> <li>Reference real context to appear legitimate</li> <li>Escalate requests gradually</li> </ul><p>The finance manager wasn't stupid. 
The finance manager was experiencing a perfectly executed attack that exploited every assumption about identity verification.</p><h3 id="phase-4-the-kill-chain">Phase 4: The Kill Chain</h3><p>Once credibility was established, the attack executed:</p><p><strong>Request 1:</strong> "We need to move funds for the acquisition we discussed."</p><ul> <li>Context established (previous meetings mentioned acquisition)</li> <li>Authority confirmed (CFO giving instruction)</li> <li>Urgency implied (time-sensitive deal)</li> </ul><p><strong>Request 2:</strong> "Execute transfers to these accounts."</p><ul> <li>Account details provided (looked like legitimate intermediaries)</li> <li>Amounts specified (large but plausible for acquisition)</li> <li>Colleagues confirm (multiple people validate instruction)</li> </ul><p><strong>Request 3:</strong> "Process these immediately. This is confidential."</p><ul> <li>Time pressure (need to move fast)</li> <li>Secrecy (don't verify through normal channels)</li> <li>Implicit threat (challenging CFO's instruction seems insubordinate)</li> </ul><p>The finance manager followed procedure. Verified identities through video. Confirmed with multiple participants. Executed authorized instructions.</p><p><strong>Everything was wrong. Everything looked right.</strong></p><h3 id="phase-5-discovery-and-aftermath">Phase 5: Discovery and Aftermath</h3><p>The fraud was discovered when:</p><ul> <li>Actual CFO inquired about unusual account balances</li> <li>Finance team mentioned the "acquisition transfers"</li> <li>Real CFO: "What acquisition? 
What transfers?"</li> </ul><p>By then, <strong>$25 million had been transferred across multiple jurisdictions</strong>, making recovery extremely difficult.</p><p>The investigation revealed:</p><ul> <li>No systems were hacked</li> <li>No credentials were stolen</li> <li>No malware was installed</li> <li>Security infrastructure worked perfectly</li> </ul><p><strong>The attack bypassed all technical controls by exploiting human identity verification.</strong></p><h2 id="why-seeing-is-believing-no-longer-works">Why "Seeing Is Believing" No Longer Works</h2><p>For all of human history until approximately 2023, seeing someone's face and hearing their voice was reliable proof of identity.</p><p><strong>That assumption is now broken.</strong></p><p>Here's why:</p><h3 id="generative-ai-achieved-real-time-fidelity">Generative AI Achieved Real-Time Fidelity</h3><p>The deepfakes in the Arup attack weren't static videos. They were <strong>real-time interactive participants</strong> in a video conference.</p><p><strong>What that means:</strong></p><ul> <li>Deepfakes responded to questions in real-time</li> <li>Facial expressions matched speech naturally</li> <li>Body language appeared authentic</li> <li>Multiple participants interacted with each other convincingly</li> </ul><p>This requires:</p><ul> <li>Real-time video generation (no lag between audio and facial movement)</li> <li>Contextual understanding (responses relevant to conversation)</li> <li>Multiple simultaneous deepfakes (several people on same call)</li> <li>Environmental consistency (all in appropriate office settings)</li> </ul><p><strong>This wasn't possible two years ago. It's routine in 2026.</strong></p><p>The technology curve on deepfakes followed the same trajectory as large language models: long period of "not quite there" followed by sudden achievement of human-indistinguishable quality.</p><p>We're past the inflection point. 
Deepfakes are now perfect.</p><h3 id="voice-cloning-became-trivial">Voice Cloning Became Trivial</h3><p>Voice authentication, once considered secure, is now completely compromised.</p><p><strong>What it takes to clone a voice:</strong></p><ul> <li>3-5 minutes of target audio (obtained from conference videos, podcasts, earnings calls)</li> <li>Commercial voice cloning service (ElevenLabs, PlayHT, many others)</li> <li>$20-100 in API costs</li> <li>Result: Perfect voice replica that can speak any text in target's voice</li> </ul><p>When building the CIAM platform, I evaluated voice biometrics for <a href="https://guptadeepak.com/customer-identity-hub/mfa-implementation-in-ciam" rel="noreferrer">multi-factor authentication</a>. We didn't deploy it because <strong>we knew voice could eventually be cloned</strong>.</p><p>What we didn't predict was how quickly "eventually" would arrive.</p><p><strong>Voice authentication is not just vulnerable. It's actively counterproductive</strong> because it creates false confidence in identity verification.</p><h3 id="video-verification-creates-false-security">Video Verification Creates False Security</h3><p>Here's what makes the Arup case especially dangerous: <strong>the victim did everything right according to conventional security training</strong>.</p><p><strong>Conventional wisdom says:</strong></p><ul> <li>Verify requests through multiple channels ✓ (video call with multiple people)</li> <li>Confirm identity before executing high-value transactions ✓ (saw and heard executives)</li> <li>Follow approval procedures ✓ (got authorization from proper authority)</li> </ul><p><strong>All of that happened. All of it was useless.</strong></p><p>Video verification created a false sense of security. "I can see them" felt like proof. It wasn't.</p><p>This is why I'm worried about organizations rushing to implement video-based authentication for sensitive operations. 
They're building security controls that attackers have already defeated.</p><h3 id="the-uncanny-valley-is-behind-us">The Uncanny Valley Is Behind Us</h3><p>Older deepfakes had tells:</p><ul> <li>Unnatural blinking patterns</li> <li>Lip sync slightly off</li> <li>Facial expressions didn't match emotion</li> <li>Lighting inconsistencies</li> <li>Audio artifacts</li> </ul><p><strong>Skilled observers could detect fakes.</strong></p><p>Modern deepfakes don't have those tells. The "uncanny valley" (the uncomfortable feeling when something is almost-but-not-quite human) has been crossed.</p><p><strong>Current deepfakes are indistinguishable from real people to human perception.</strong></p><p>This means:</p><ul> <li>Training employees to "spot deepfakes" is like training them to spot perfect forgeries—impossible</li> <li>Visual inspection is no longer a viable verification method</li> <li>Trusting your eyes and ears is now a vulnerability</li> </ul><p>When building the CIAM platform, I assumed <strong>biometric data (what you are) was harder to compromise than passwords (what you know)</strong>.</p><p>That assumption is now backwards. <strong>Passwords can be changed. Your face and voice cannot.</strong></p><h2 id="the-economic-reality-that-makes-this-worse">The Economic Reality That Makes This Worse</h2><p>The Arup attack cost $25 million. 
But here's what should terrify CFOs: <strong>the attack probably cost less than $10,000 to execute</strong>.</p><h3 id="cost-benefit-analysis-for-attackers">Cost-Benefit Analysis for Attackers</h3><p><strong>Attacker investment:</strong></p><ul> <li>Deepfake technology: $500-2,000 (commercial AI services)</li> <li>Voice cloning: $100-500 (audio samples and processing)</li> <li>Research time: 40-80 hours (gathering intelligence on target)</li> <li>Technical execution: 20-40 hours (creating deepfakes, orchestrating call)</li> </ul><p><strong>Total cost: $5,000-10,000</strong> (including time at black market rates)</p><p><strong>Return: $25,000,000</strong></p><p><strong>ROI: 2,500x to 5,000x</strong></p><p><strong>The economics are absurd.</strong> Even if only 1 in 100 attempts succeeds, the math works overwhelmingly in attackers' favor.</p><p>This is why deepfake fraud will explode in 2026. It's not just technically possible. It's economically inevitable.</p><h3 id="why-targets-cant-outspend-attackers">Why Targets Can't Outspend Attackers</h3><p>Traditional security followed an economic principle: <strong>make attacks expensive enough that they're not worth executing</strong>.</p><p>Deepfake fraud breaks that principle.</p><p><strong>Defense costs:</strong></p><ul> <li>Implementing multi-channel verification: $50,000-500,000</li> <li>Training all employees on deepfake awareness: $100,000-1,000,000</li> <li>Deploying deepfake detection technology: $200,000-2,000,000</li> <li>Creating verification procedures: Ongoing operational cost</li> </ul><p><strong>Attack costs:</strong> $5,000-10,000</p><p><strong>Defenders must protect against all attacks. Attackers only need one success.</strong></p><p>The economic asymmetry is crushing.</p><p>When building the CIAM platform, I secured systems by making unauthorized access expensive (technically difficult). We can't make deepfakes expensive. 
The technology is commoditized.</p><p><strong>This requires a different defense strategy entirely.</strong></p><h2 id="the-identity-verification-crisis-across-industries">The Identity Verification Crisis Across Industries</h2><p>Arup isn't alone. Deepfake fraud is hitting every sector that relies on voice or video identity verification.</p><h3 id="finance-and-banking">Finance and Banking</h3><p><strong>Current vulnerability:</strong></p><ul> <li>Wire transfer approvals often use phone verification</li> <li>Large transactions require executive authorization</li> <li>Multi-signature processes assume you can verify signers</li> </ul><p><strong>Real incidents (2025-2026):</strong></p><ul> <li>Hong Kong-based company lost $26 million (employee fooled by deepfake video conference)</li> <li>Bank executive authorized fraudulent loan based on cloned CEO voice</li> <li>Investment firm manipulated by deepfake board member in virtual meeting</li> </ul><p><strong>Why it's getting worse:</strong></p><ul> <li>Remote work means video calls replace in-person verification</li> <li>International transactions make callback verification complicated</li> <li>Time-sensitive deals create pressure to "trust but verify quickly"</li> </ul><h3 id="corporate-executives">Corporate Executives</h3><p><strong>The CEO doppelgänger problem:</strong></p><ul> <li>Executives are high-value deepfake targets (lots of public footage)</li> <li>Their voices carry authority for financial decisions</li> <li>They travel frequently (making "I'm in a meeting, use video" plausible)</li> </ul><p><strong>Attack scenarios:</strong></p><ul> <li>CFO instructs controller to execute transfers</li> <li>CEO approves emergency expenditure</li> <li>Board member votes on virtual acquisition approval</li> </ul><p>This isn't hypothetical. 
<strong>Security researchers estimate 60-80% of Fortune 500 CEOs have enough public footage for high-quality deepfake generation.</strong></p><h3 id="legal-and-compliance">Legal and Compliance</h3><p><strong>Emerging problem:</strong></p><ul> <li>Video depositions becoming unreliable</li> <li>Remote notarization vulnerable to deepfake impersonation</li> <li>Legal agreements via video call losing evidentiary value</li> </ul><p><strong>The legal system hasn't caught up:</strong></p><ul> <li>What constitutes proof of identity in video format?</li> <li>How do you authenticate video evidence when deepfakes are perfect?</li> <li>Can contracts signed via video conference be enforced?</li> </ul><p>These are questions courts will face in 2026 and beyond.</p><h3 id="political-and-regulatory">Political and Regulatory</h3><p><strong>Beyond fraud:</strong></p><ul> <li>Deepfake political figures making false statements</li> <li>Fabricated emergency announcements causing market panic</li> <li>Synthetic "official" communications triggering policy responses</li> </ul><p><strong>The trust crisis:</strong> When citizens can't distinguish real officials from deepfakes, <strong>governance itself becomes unstable</strong>.</p><p>The Arup case is about money. The broader crisis is about trust.</p><h2 id="what-actually-works-and-what-doesnt">What Actually Works (And What Doesn't)</h2><p>Security vendors are rushing to sell "deepfake detection" solutions. Most won't work at scale.</p><p>Here's what actually works:</p><h3 id="what-doesnt-work">What Doesn't Work</h3><p><strong>❌ Training employees to spot deepfakes</strong></p><p>The tells that used to identify deepfakes don't exist anymore. Training people to look for artifacts that aren't there is security theater.</p><p><strong>❌ Voice biometric authentication</strong></p><p>Voice can be cloned perfectly. 
Using voice as an authentication factor is worse than useless—it creates false confidence.</p><p><strong>❌ Video-only verification for high-value transactions</strong></p><p>The Arup case proved this. Seeing someone on video is not proof of identity.</p><p><strong>❌ Relying on "trusted" video platforms</strong></p><p>Deepfakes work on Zoom, Teams, Google Meet—any platform. The platform isn't the vulnerability. Human perception is.</p><p><strong>❌ Deepfake detection software</strong></p><p>Current detection has high false positive/negative rates. As deepfakes improve, detection becomes harder. This is an arms race defenders will lose.</p><h3 id="what-does-work">What Does Work</h3><p><strong>✓ Multi-channel verification</strong></p><p>If someone makes a high-value request via video, <strong>verify through a completely different channel</strong>.</p><p><strong>Example:</strong></p><ul> <li>Request comes via video call</li> <li>Callback to known phone number (not number provided in call)</li> <li>Verify request details through email to known address</li> <li>Use previously established code word or verification phrase</li> </ul><p><strong>The principle:</strong> Deepfakes excel in a single channel. They fail when you verify through independent channels.</p><p>When building the CIAM platform, I implemented this as "<a href="https://guptadeepak.com/customer-identity-hub/types-of-multi-factor-authentication-mfa-methods" rel="noreferrer">multi-factor authentication</a>" for users. 
<strong>The same principle applies to verifying humans making requests.</strong></p><p><strong>✓ Pre-established verification protocols</strong></p><p>Before high-stakes situations arise, establish verification procedures:</p><p><strong>For financial transactions:</strong></p><ul> <li>Code words known only to authorized parties</li> <li>Out-of-band confirmation required for amounts over threshold</li> <li>Time delays between authorization and execution (giving time to detect fraud)</li> </ul><p><strong>For executive communications:</strong></p><ul> <li>Verified phone numbers for callback (updated regularly)</li> <li>Secondary confirmation via different medium (video → email with digital signature)</li> <li>Predetermined questions only real executive would know</li> </ul><p><strong>✓ Physical tokens for critical operations</strong></p><p>For the highest-stakes transactions, require <strong>physical token possession</strong>:</p><ul> <li>Hardware security keys (YubiKey, Titan)</li> <li>Smart cards with PIN</li> <li>Biometric device in person (not over video)</li> </ul><p>This is the "something you have" factor that deepfakes can't fake remotely.</p><p><strong>✓ Time delays and review periods</strong></p><p>Most fraud relies on urgency. 
<strong>Removing urgency defeats the attack.</strong></p><p><strong>Implementation:</strong></p><ul> <li>All transactions over $X have mandatory 24-hour delay</li> <li>During delay, multiple verification channels used</li> <li>Any discrepancy halts transaction immediately</li> </ul><p><strong>The attacker's nightmare:</strong> Time for victim to verify through multiple channels.</p><p><strong>✓ Behavioral analysis and anomaly detection</strong></p><p>Technology can't detect deepfakes reliably, but it can detect <strong>anomalous requests</strong>:</p><ul> <li>Is this transaction pattern unusual for this executive?</li> <li>Is the requested amount outside normal parameters?</li> <li>Is the urgency level inconsistent with typical behavior?</li> <li>Are account destinations new or unfamiliar?</li> </ul><p><strong>Example from Arup case:</strong> A behavioral system might have flagged:</p><ul> <li>Multiple large transfers to new accounts</li> <li>Urgency combined with confidentiality (red flag combo)</li> <li>Request coming through video call rather than written authorization</li> </ul><p>This doesn't detect the deepfake. It detects the unusual request pattern.</p><p>When building the CIAM platform, I used anomaly detection to flag unusual authentication patterns. 
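</p><p>The controls in this section combined into one release gate, as an added example that is not code from the article or from any product it mentions: request-pattern flags, independent-channel confirmations, and the 24-hour hold. The threshold value, field names, confirmation labels and sample requests are assumptions constructed for illustration.</p>

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values; the article leaves the threshold as "$X".
HOLD_THRESHOLD = 100_000
HOLD_PERIOD = timedelta(hours=24)
LIVE_CHANNELS = {"video", "phone"}   # carry a claim of identity, never proof
REQUIRED_CONFIRMATIONS = {
    "callback_directory_number",     # number from the directory, not from the call
    "email_known_address",
    "second_approver",
}


@dataclass
class PaymentRequest:
    requester: str
    amount: float
    beneficiary: str
    channel: str
    received_at: datetime
    urgent: bool = False
    confidential: bool = False
    confirmations: set = field(default_factory=set)  # out-of-band checks completed
    discrepancy: bool = False                        # a verification channel disagreed


def anomaly_flags(req, known_beneficiaries, typical_max, history):
    """Flag the request pattern; nothing here inspects audio or video."""
    flags = []
    new_account = req.beneficiary not in known_beneficiaries
    if new_account:
        flags.append("new_beneficiary")
    if req.amount > typical_max.get(req.requester, 0):
        flags.append("amount_outside_normal")
    if req.urgent and req.confidential:
        flags.append("urgency_plus_confidentiality")
    if req.channel in LIVE_CHANNELS:
        flags.append("no_written_authorization")
    # Earlier transfers by the same requester to unfamiliar accounts in the window.
    burst = [
        h for h in history
        if h.requester == req.requester
        and h.beneficiary not in known_beneficiaries
        and timedelta(0) <= req.received_at - h.received_at <= HOLD_PERIOD
    ]
    if new_account and burst:
        flags.append("multiple_transfers_to_new_accounts")
    return flags


def release_decision(req, flags, now):
    """Return (decision, reasons); decision is RELEASE, HOLD or HALT."""
    if req.discrepancy:
        return "HALT", ["verification_discrepancy"]
    if req.amount < HOLD_THRESHOLD and not flags:
        return "RELEASE", []
    # Confirmations given by participants on the call itself are never counted.
    reasons = sorted("missing:" + c for c in REQUIRED_CONFIRMATIONS - req.confirmations)
    if now < req.received_at + HOLD_PERIOD:
        reasons.append("hold_period_active")
    return ("HOLD", reasons) if reasons else ("RELEASE", [])


def demo():
    """Constructed sample: two urgent, confidential video-call requests."""
    t0 = datetime(2026, 1, 12, 9, 0)
    known = {"ACCT-SUPPLIER-001"}
    typical = {"cfo": 250_000}
    first = PaymentRequest(requester="cfo", amount=4_000_000, beneficiary="ACCT-UNKNOWN-A",
                           channel="video", received_at=t0, urgent=True, confidential=True)
    second = PaymentRequest(requester="cfo", amount=6_000_000, beneficiary="ACCT-UNKNOWN-B",
                            channel="video", received_at=t0 + timedelta(hours=1),
                            urgent=True, confidential=True)
    flags = anomaly_flags(second, known, typical, [first])
    on_call = release_decision(second, flags, second.received_at)
    second.confirmations = set(REQUIRED_CONFIRMATIONS)
    early = release_decision(second, flags, t0 + timedelta(hours=5))
    late = release_decision(second, flags, t0 + timedelta(hours=26))
    second.discrepancy = True
    halted = release_decision(second, flags, t0 + timedelta(hours=26))
    return flags, on_call, early, late, halted


if __name__ == "__main__":
    for result in demo():
        print(result)
```

<p>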
<strong>The same approach works for detecting deepfake-enabled fraud attempts.</strong></p><h2 id="the-new-security-model-never-trust-audiovideo-alone">The New Security Model: Never Trust Audio/Video Alone</h2><p>Organizations need to rebuild identity verification with a fundamental assumption: <strong>audio and video are never, by themselves, proof of identity</strong>.</p><p>Here's what that means in practice:</p><h3 id="for-financial-operations">For Financial Operations</h3><p><strong>Old model:</strong></p><ul> <li>CFO calls → controller executes transfer</li> <li>Video conference with executives → approve transaction</li> <li>Phone verification → process high-value request</li> </ul><p><strong>New model:</strong></p><ul> <li><strong>ANY</strong> request (phone, video, email, in-person) → multi-channel verification</li> <li>High-value transactions → mandatory delay + callback + written confirmation</li> <li>Critical operations → physical token requirement</li> </ul><p><strong>The shift:</strong> Audio/video are <strong>claim of identity</strong>, not <strong>proof of identity</strong>.</p><h3 id="for-executive-communications">For Executive Communications</h3><p><strong>Old model:</strong></p><ul> <li>Recognize voice → trust instruction</li> <li>See face on video → accept authorization</li> <li>Email from executive address → follow directive</li> </ul><p><strong>New model:</strong></p><ul> <li>Voice/video establishes <strong>who is claiming to be</strong> on call</li> <li>Verification protocol confirms <strong>who actually is</strong> making request</li> <li>Written confirmation with digital signature provides audit trail</li> </ul><p><strong>The shift:</strong> Seeing and hearing someone is <strong>start of verification</strong>, not <strong>end of verification</strong>.</p><h3 id="for-legal-and-compliance">For Legal and Compliance</h3><p><strong>Old model:</strong></p><ul> <li>Video deposition → legally binding testimony</li> <li>Remote notarization via video 
→ official document</li> <li>Video signature → enforceable contract</li> </ul><p><strong>New model:</strong></p><ul> <li>Video deposition → supplemented with in-person verification or physical token</li> <li>Remote notarization → requires multiple verification factors</li> <li>Video signature → paired with blockchain timestamping and out-of-band confirmation</li> </ul><p><strong>The shift:</strong> Video alone has <strong>no evidentiary value</strong> without additional verification.</p><h3 id="for-customer-service-and-support">For Customer Service and Support</h3><p><strong>Old model:</strong></p><ul> <li>Customer calls → verify with personal info → authorize account changes</li> <li>Video chat for sensitive requests → accept if ID shown on video</li> </ul><p><strong>New model:</strong></p><ul> <li>Voice/video → establishes session, not identity</li> <li>Multi-factor authentication required for any account modification</li> <li>Out-of-band confirmation (email, SMS to verified address) before changes execute</li> </ul><p><strong>The shift:</strong> Customer identity is <strong>continuous verification</strong>, not <strong>one-time confirmation</strong>.</p><p>This is fundamentally different from traditional <a href="https://guptadeepak.com/ciam-basics-a-comprehensive-guide-to-customer-identity-and-access-management-in-2025/" rel="noreferrer">customer identity and access management</a>. We're not just securing access. We're assuming the entire audio/visual channel is compromised.</p><h2 id="what-organizations-must-do-right-now">What Organizations Must Do Right Now</h2><p>If you're responsible for security, compliance, or risk management, here's your action plan:</p><h3 id="immediate-this-week">Immediate (This Week)</h3><p><strong>1. 
Identify high-value audio/video verification points</strong></p><p>Where does your organization currently accept audio or video as proof of identity?</p><ul> <li>Wire transfer approvals</li> <li>Vendor payment authorizations</li> <li>Contract signatures</li> <li>Executive instructions</li> <li>Password resets</li> <li>Account modifications</li> </ul><p><strong>Map every instance.</strong> That's your immediate vulnerability.</p><p><strong>2. Implement emergency verification protocols</strong></p><p>For highest-risk operations:</p><ul> <li>Callback to verified numbers (in phone directory, not caller ID)</li> <li>Email confirmation to known addresses</li> <li>Require 24-hour delay on large transactions</li> </ul><p><strong>This is a bandaid, not a solution.</strong> But it reduces immediate risk.</p><p><strong>3. Alert high-risk employees</strong></p><p>Finance teams, executive assistants, controllers, anyone with authority to execute high-value transactions.</p><p><strong>Key message:</strong></p><ul> <li>Video calls can be perfect deepfakes</li> <li>Voice calls can be cloned executives</li> <li><strong>Never</strong> trust audio/video alone for financial decisions</li> <li>Always verify through second channel</li> </ul><p><strong>Make this a standing security briefing topic.</strong></p><h3 id="short-term-this-month">Short-term (This Month)</h3><p><strong>4. 
Develop formal verification procedures</strong></p><p>Document specific protocols:</p><p><strong>For financial transactions over $X:</strong></p><ol> <li>Request received (any channel)</li> <li>Callback to verified number</li> <li>Email confirmation with details</li> <li>24-hour hold period</li> <li>Secondary approval from different executive</li> <li>Execute with audit trail</li> </ol><p><strong>For executive communications:</strong></p><ol> <li>Note claimed identity from audio/video</li> <li>Verify through out-of-band communication</li> <li>Use pre-established code words</li> <li>Written confirmation before action</li> <li>Escalation path if verification fails</li> </ol><p><strong>For customer service:</strong></p><ol> <li>Multi-factor authentication required</li> <li>Sensitive changes require callback</li> <li>Video ID verification supplemented with additional factors</li> <li>All changes have reversal window</li> </ol><p><strong>Publish these protocols. Train teams. Enforce compliance.</strong></p><p><strong>5. Audit current authentication methods</strong></p><p>Where are you using voice or video as an authentication factor?</p><ul> <li>Phone banking systems</li> <li>Remote notarization</li> <li>Customer verification</li> <li>Internal approvals</li> </ul><p><strong>Replace pure voice/video authentication with multi-factor requirements.</strong></p><p><strong>6. Review insurance coverage</strong></p><p>Does your cyber insurance cover deepfake fraud?</p><ul> <li>Most policies were written before deepfakes were a viable threat</li> <li>Coverage may exclude social engineering</li> <li>Limits may be insufficient for large-scale fraud</li> </ul><p><strong>Update policies to explicitly cover deepfake scenarios.</strong></p><h3 id="medium-term-this-quarter">Medium-term (This Quarter)</h3><p><strong>7. 
Implement behavioral analysis</strong></p><p>Deploy systems that flag anomalous requests:</p><ul> <li>Unusual transaction patterns</li> <li>Out-of-normal-hours requests</li> <li>Urgency combined with confidentiality</li> <li>New accounts or vendors</li> <li>Requests that bypass normal approval chains</li> </ul><p><strong>This won't detect deepfakes. It will detect the fraud attempts that use deepfakes.</strong></p><p><strong>8. Establish physical token requirements</strong></p><p>For highest-stakes operations:</p><ul> <li>Hardware security keys for executive authorizations</li> <li>Smart cards for financial controllers</li> <li>In-person verification for critical contracts</li> </ul><p><strong>Yes, this reduces efficiency. That's the point.</strong></p><p>The Arup case happened because efficiency was prioritized over verification. <strong>Sometimes friction is security.</strong></p><p><strong>9. Create escalation and response procedures</strong></p><p>What happens when a suspected deepfake is detected?</p><ul> <li>Who gets notified?</li> <li>How is transaction halted?</li> <li>What investigation begins?</li> <li>How is incident communicated?</li> </ul><p><strong>Have this documented before the incident occurs.</strong></p><h3 id="long-term-next-6-12-months">Long-term (Next 6-12 Months)</h3><p><strong>10. Rebuild identity verification architecture</strong></p><p>This is the fundamental fix:</p><ul> <li>Audio/video never sufficient for identity proof</li> <li>Multi-channel verification required for high-value operations</li> <li>Behavioral anomaly detection integrated</li> <li>Physical tokens for critical functions</li> <li>Zero-trust principle: verify every request, regardless of channel</li> </ul><p>When we implemented <a href="https://guptadeepak.com/zero-trust-architecture-the-technical-blueprint/" rel="noreferrer">zero-trust architecture</a> for the CIAM platform, it wasn't a quick project. 
It was a <strong>fundamental rethinking of how identity works</strong>.</p><p><strong>Organizations need the same rethink for audio/video identity verification.</strong></p><p><strong>11. Partner with industry on standards</strong></p><p>Individual organizations can't solve this alone.</p><p><strong>Needed:</strong></p><ul> <li>Industry standards for identity verification in the deepfake era</li> <li>Cross-organization verification protocols</li> <li>Shared threat intelligence on deepfake attacks</li> <li>Regulatory guidance on legal standards for video evidence</li> </ul><p><strong>This is an infrastructure problem, not an individual company problem.</strong></p><p><strong>12. Prepare for regulatory changes</strong></p><p>Regulations will come (probably after a high-profile fraud makes headlines).</p><p><strong>Likely requirements:</strong></p><ul> <li>Mandatory multi-channel verification for financial transactions</li> <li>Disclosure of deepfake fraud incidents</li> <li>Minimum security standards for remote identity verification</li> <li>Liability frameworks for institutions that fail to verify identity</li> </ul><p><strong>Organizations that prepare now will comply easily. Those that wait will scramble.</strong></p><h2 id="the-broader-implications-when-trust-itself-fails">The Broader Implications: When Trust Itself Fails</h2><p>The Arup case is about $25 million. But the implications go far beyond one fraud.</p><p><strong>We're entering an era where:</strong></p><ul> <li>Seeing someone's face doesn't prove they're real</li> <li>Hearing someone's voice doesn't prove it's them</li> <li>Video calls create false confidence in identity</li> <li>"Trust your eyes and ears" is now bad security advice</li> </ul><p><strong>This breaks fundamental human communication assumptions.</strong></p><p>For all of human history, if you saw someone's face and heard their voice, you could be reasonably confident it was them. 
<strong>That certainty is gone.</strong></p><h3 id="the-social-impact">The Social Impact</h3><p>Beyond corporate fraud:</p><ul> <li>Can you trust video calls with family members?</li> <li>Is that really your friend calling for emergency money?</li> <li>Did that politician actually say what's in the video?</li> <li>Is the breaking news anchor real or synthetic?</li> </ul><p><strong>The erosion of trust in audio/visual communication has societal consequences beyond security.</strong></p><h3 id="the-legal-impact">The Legal Impact</h3><p>Courts rely on:</p><ul> <li>Video depositions</li> <li>Recorded testimony</li> <li>Security camera footage</li> <li>Authentication of speakers in recordings</li> </ul><p><strong>All of this becomes problematic when deepfakes are perfect.</strong></p><p>Legal systems will need to establish <strong>new standards for evidence authentication</strong> in the deepfake era.</p><h3 id="the-political-impact">The Political Impact</h3><p>Imagine:</p><ul> <li>Deepfake president declaring war</li> <li>Synthetic CEO announcing fake acquisition (stock manipulation)</li> <li>Fabricated testimony in high-profile trial</li> <li>Generated "leaked" executive conversation</li> </ul><p><strong>The potential for market manipulation, political chaos, and social disruption is enormous.</strong></p><p>The Arup $25 million fraud is a preview. The real crisis is when trust in media itself becomes impossible.</p><h2 id="the-uncomfortable-truth">The Uncomfortable Truth</h2><p>Organizations want a technology solution to the deepfake problem. "Install detection software. Train the AI. Filter the fakes."</p><p><strong>That's not going to work.</strong></p><p>Deepfake generation and deepfake detection are in an arms race. Generators are winning. 
<strong>Every improvement in detection gets incorporated into better generation.</strong></p><p><strong>The only sustainable solution is to stop relying on audio and video as proof of identity.</strong></p><p>This means:</p><ul> <li>More friction in high-value transactions (verification takes time)</li> <li>More procedural overhead (multiple channels, physical tokens)</li> <li>Less efficiency (delays, approvals, reviews)</li> <li>More cost (infrastructure, training, compliance)</li> </ul><p><strong>Nobody wants this.</strong> Organizations optimized for efficiency, not security friction.</p><p>But the alternative is Arup-scale fraud becoming routine.</p><p><strong>The choice:</strong></p><ul> <li>Accept friction and overhead to verify identity properly</li> <li>Accept risk of deepfake fraud and plan for eventual breach</li> </ul><p>There's no third option where you get efficiency, low overhead, AND protection from deepfakes.</p><p>When building the CIAM platform, I learned that <strong>security and convenience are often inversely correlated</strong>. The most secure systems have the most friction.</p><p><strong>In the deepfake era, that friction is non-negotiable for high-value operations.</strong></p><h2 id="the-bottom-line">The Bottom Line</h2><p>An employee at <a href="https://www.weforum.org/stories/2025/02/deepfake-ai-cybercrime-arup/" rel="noreferrer">Arup saw executives on video</a>. Heard them speaking. Verified the request through what appeared to be proper channels. Authorized $25 million in transfers.</p><p><strong>Every executive was an AI-generated deepfake.</strong></p><p>This wasn't a failure of the employee. It was a failure of assumptions. The assumption that video calls prove identity. 
The assumption that seeing and hearing someone means they're real.</p><p><strong>Those assumptions are now liabilities.</strong></p><p>For organizations:</p><ul> <li>Implement multi-channel verification immediately</li> <li>Never trust audio/video alone for high-value requests</li> <li>Establish physical token requirements for critical operations</li> <li>Build behavioral anomaly detection</li> <li>Prepare for regulatory requirements</li> </ul><p>For individuals:</p><ul> <li>Be skeptical of urgent requests via audio/video</li> <li>Verify through independent channels before taking action</li> <li>Use code words or verification phrases with family</li> <li>Understand that perfect deepfakes exist and are accessible</li> </ul><p>For society:</p><ul> <li>Rebuild trust frameworks for digital communication</li> <li>Establish legal standards for authenticated video</li> <li>Create verification infrastructure that works at scale</li> <li>Accept that "trust your eyes" is outdated advice</li> </ul><p>The deepfake era is here. The technology that enables $25 million fraud is commercially available for a few hundred dollars.</p><p><strong>The question isn't whether deepfake fraud will become common. The question is whether organizations will adapt their identity verification before or after they become victims.</strong></p><p>Arup learned at a $25 million cost. Your organization can learn from them instead.</p><p><strong>Identity verification is broken. Seeing is no longer believing. 
The sooner we accept that, the sooner we can build systems that actually work.</strong></p><hr><h2 id="key-takeaways">Key Takeaways</h2><ul> <li>Arup lost $25M to perfect deepfake video conference – every "executive" was AI-generated</li> <li>Attack cost attackers ~$10K, return $25M (2,500x ROI) – economically inevitable</li> <li>Modern deepfakes are real-time, interactive, and indistinguishable from real people</li> <li>Voice cloning requires just 3-5 minutes of audio, costs $20-100</li> <li>"Seeing is believing" is now a security vulnerability, not verification method</li> <li>Training employees to "spot deepfakes" is useless – no reliable tells exist</li> <li>Video/voice authentication creates false confidence – actively dangerous</li> <li>Multi-channel verification REQUIRED: video request → callback to known number + email confirmation</li> <li>High-value operations need physical tokens (hardware keys, smart cards)</li> <li>Behavioral anomaly detection can flag unusual requests (urgency + new accounts + large amounts)</li> <li>Organizations must rebuild identity verification assuming audio/video can always be faked</li> <li>Immediate actions: map audio/video verification points, implement callback procedures, alert high-risk employees</li> <li>Long-term: zero-trust for identity verification, never accept single-channel proof</li> <li>Broader crisis: trust in audio/visual communication eroding across society, not just corporate fraud</li> </ul><hr><p><strong>Building authentication systems that resist deepfakes?</strong> My <a href="https://guptadeepak.com/customer-identity-hub/" rel="noreferrer">Customer Identity Hub</a> covers <a href="https://guptadeepak.com/customer-identity-hub/mfa-implementation-in-ciam" rel="noreferrer">multi-factor authentication</a>, <a href="https://guptadeepak.com/what-is-zero-trust-security-a-plain-english-guide/" rel="noreferrer">zero-trust principles</a>, and <a 
href="https://guptadeepak.com/ciam-101-a-practical-guide-to-customer-identity-and-access-management-in-2025/" rel="noreferrer">modern CIAM architecture</a> that assumes all biometric channels are compromised.</p><p><a href="https://guptadeepak.com/about/" rel="noreferrer"><em>Deepak Gupta</em></a><em> is the co-founder and CEO of GrackerAI. He previously founded a CIAM platform that scaled to serve 1B+ users globally. He writes about AI, cybersecurity, and digital identity at guptadeepak.com.</em></p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://guptadeepak.com/">Deepak Gupta | AI &amp; Cybersecurity Innovation Leader | Founder&#039;s Journey from Code to Scale</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Deepak Gupta - Tech Entrepreneur, Cybersecurity Author">Deepak Gupta - Tech Entrepreneur, Cybersecurity Author</a>. Read the original post at: <a href="https://guptadeepak.com/the-25-million-deepfake-why-your-video-calls-can-no-longer-be-trusted/">https://guptadeepak.com/the-25-million-deepfake-why-your-video-calls-can-no-longer-be-trusted/</a> </p>
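<p>The behavioral flags from step 7 and the multi-channel rule from step 10 can be combined into one payment release gate, sketched below. This is an added example, not code from the original article; the thresholds, field names and confirmation labels are assumptions, and the sample request is constructed.</p>

```python
from dataclasses import dataclass, field
from datetime import datetime

SPOOFABLE = {"video", "voice"}      # channels a deepfake can impersonate
REQUIRED = {"callback_known_number", "email_confirmation"}  # out-of-band checks
HIGH_VALUE = 100_000                # assumed threshold (USD)
BUSINESS_HOURS = range(8, 18)       # assumed working hours, local time

@dataclass
class PaymentRequest:
    amount: float
    origin_channel: str             # how the instruction arrived
    received: datetime
    urgent: bool = False
    confidential: bool = False
    new_beneficiary: bool = False
    approvals: int = 2              # approvers recorded in the normal chain
    confirmations: set = field(default_factory=set)

def anomaly_flags(req, required_approvals=2):
    """Behavioral red flags; none of them inspects the audio or video itself."""
    checks = {
        "out_of_hours": req.received.hour not in BUSINESS_HOURS,
        "urgency_plus_confidentiality": req.urgent and req.confidential,
        "new_account_or_vendor": req.new_beneficiary,
        "bypasses_approval_chain": req.approvals < required_approvals,
    }
    return [name for name, hit in checks.items() if hit]

def decide(req):
    """Return (decision, reasons) where decision is release, hold or escalate."""
    flags = anomaly_flags(req)
    if len(flags) >= 2:             # several flags together: stop and investigate
        return "escalate", flags
    needs_oob = req.amount >= HIGH_VALUE or req.origin_channel in SPOOFABLE
    missing = sorted(REQUIRED - req.confirmations)
    if needs_oob and missing:       # seeing or hearing the requester proves nothing
        return "hold", [f"missing:{m}" for m in missing]
    return "release", flags

# Constructed sample modelled on the scenario in the article (not real data).
SAMPLE = PaymentRequest(amount=5_000_000, origin_channel="video",
                        received=datetime(2025, 9, 12, 19, 30), urgent=True,
                        confidential=True, new_beneficiary=True, approvals=0)

if __name__ == "__main__":
    print(decide(SAMPLE))
```

<p>A request that arrives over video stays on hold until both independent confirmations are recorded, however convincing the call was.</p>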