A finance employee transferred $25.6 million after a deepfake video call with fake CFO and colleagues. Hong Kong police confirmed the attack. The threat forces companies to rethink wire authorization.
A finance employee at a multinational engineering firm joined a video call. The CFO was on screen. Colleagues appeared. The meeting ran in real time. Every face was an AI-generated deepfake. The employee transferred $25.6 million before the fraud was discovered.
Hong Kong police determined that attackers used publicly available video and audio from online conferences to recreate the CFO and other executives. The victim was Arup, the London-based firm behind the Sydney Opera House. Arup’s spokesperson confirmed that "fake voices and images were used."
The employee had initially suspected a phishing email. The video call eliminated that suspicion. The attack combined synthetic video, cloned audio and real company context delivered simultaneously on a live meeting platform. This multimodal approach is what made the Arup attack different from earlier fraud.
Multimodal campaigns combine email, voice and video sequentially to build cumulative credibility across multiple communication channels. The attacker does not need to win on one channel; they need to win on the last one.
In the Arup case, the initial email triggered suspicion. The video call was designed to eliminate that suspicion. The attackers built a fabricated environment using existing video and audio from online conferences and virtual company meetings. Publicly available footage of executives, earnings calls, conference presentations and LinkedIn videos is now training data for fraudsters.
The World Economic Forum noted that voice cloning now requires just 20 to 30 seconds of audio, while convincing video deepfakes can be created in 45 minutes using freely available software.
Fraudsters attempted to impersonate Ferrari CEO Benedetto Vigna through AI-cloned voice calls that replicated his southern Italian accent, the WEF reported. That call ended only when an executive asked a question only Vigna would know.
The attempt on Ferrari N.V. (RACE) shows that deepfake threats are not limited to finance departments. Any executive whose voice or image appears in public channels is a potential target. Ferrari is rated Mixed by AlphaScala with an Alpha Score 46 (Consumer Cyclical sector). For a company where brand trust and internal controls are critical, a single deepfake breach could erode investor confidence. RACE stock page
PYMNTS Intelligence found that 58% of companies with more than $1 billion in annual revenue reported encountering AI-generated documents or deepfake-related attacks in the past year, a full 11 percentage points above smaller firms. Large caps are the primary targets because wire transfer sizes are larger and security layers are often fragmented across departments.
American Express (AXP), rated Mixed with an Alpha Score 39 (Financials sector), operates across payment authorization and fraud detection. While AXP’s own systems are not directly compromised by deepfake social engineering, the banks and corporate clients that process wire transfers using AXP’s network are exposed. A deepfake fraud that exploits a client could lead to reputation spillover and increased compliance costs. AXP stock page
Southern Company (SO), rated Mixed with an Alpha Score 47 (Utilities sector), faces lower direct risk because utility payments are typically not triggered by executive video calls. The broader read-through, however, is that any company with a centralized treasury function and senior executives visible in earnings calls is vulnerable. SO stock page
Deepfake-enabled vishing attacks surged 1,600% in the first quarter of 2025 compared to the fourth quarter of 2024 in the U.S. alone, CybelAngel reported, citing Keepnet Labs data. The FBI’s 2025 Internet Crime Report logged more than 22,000 AI-related fraud complaints with losses exceeding $893 million. Congressional researchers estimate fewer than 5% of voice clone victims report their losses.
The actual loss figure, however, is likely higher. Underreporting is typical because companies fear reputational damage and regulatory scrutiny.
Arup’s Chief Information Officer Rob Greig told Fortune that attempts to defraud companies have risen sharply using phishing scams and WhatsApp voice cloning. The practical takeaway is that visual confirmation on a video call is no longer a valid verification step. The attack surface has expanded to include any public-facing content.
Key insight: If a wire transfer authorization process relies on a single video call or a single executive approval, that process is broken. The new floor requires out-of-band confirmation through a separate, pre-established channel that cannot be spoofed by synthetic media, such as a physical token or a dedicated app with cryptographic verification.
Risk to watch: Companies that rely on earnings call video archives or public LinkedIn profiles for executive communications are providing the training data for future attacks. Removing or restricting that data is a low-cost first step.
The Arup attack was discovered only because the employee followed up with headquarters. In many cases, the follow-up never happens. The $25.6 million transfer was a single data point. The 1,600% surge in vishing attacks suggests that fraudsters are scaling the multimodal playbook.
The FBI’s 22,000 AI fraud complaints are a lower bound. As voice and video cloning tools improve, the quality threshold for a convincing deepfake will drop further. The WEF’s 45-minute timeline for a video deepfake will shrink.
Companies with high executive visibility, big wire transfer volumes and fragmented security protocols are the most exposed. For investors, the risk is not just a one-off loss but the compounding cost of deploying new verification infrastructure across every treasury, vendor payment and payroll process.
AlphaScala’s stock market analysis page tracks sector-level risk shifts. The AXP stock page and RACE stock page include security spending and fraud exposure as input factors. The deepfake threat is not a headline risk. It is a structural change in how corporate authorization must work.
For traders, the watchlist question is which companies are already investing in deepfake detection and authentication upgrades. Those that lag may face surprise charges, regulatory fines or a sudden reassessment of internal control quality. Those that adapt will have a competitive advantage in trust and execution speed.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.