TL;DR: A finance employee at engineering firm Arup transferred $25 million to fraudsters during a video call where everyone, including the CFO, was a deepfake. Trust kept us alive for millennia, but in the digital age, it’s become our greatest security weakness. Verizon’s 2024 research shows pretexting now accounts for 40% of social engineering attacks because it exploits our instinct to trust authority and familiar faces. Organizations need verification cultures, not paranoid workplaces.
Key Takeaways#
- In January 2024, a finance employee at Arup transferred $25 million to fraudsters after a video call where every participant — including the CFO — was an AI-generated deepfake
- Pretexting now accounts for more than 40% of social engineering incidents, surpassing traditional phishing at 31% (Verizon 2024 DBIR, 10,626 confirmed breaches)
- The median time for an employee to fall for a phishing attack is under 60 seconds — 21 seconds to click, 28 more to enter credentials
- Video and voice are no longer sufficient to verify identity; the only reliable check is a callback through a contact channel you already had before the suspicious communication arrived
- “Verification culture” — where secondary-channel confirmation is treated as standard professional practice, not paranoia — is the only defense that scales
In January 2024, a finance employee at Arup, a multinational engineering firm, received an email from the company’s UK-based CFO requesting a series of confidential transactions. The employee was suspicious. It looked like phishing. But then came the video call.
On the call, the employee saw the CFO. Not just saw, but watched him speak, gesture, interact with other senior colleagues who were also on the line. The employee recognized everyone. Their faces, their voices, their mannerisms. It all checked out. So the employee did what the CFO asked and authorized 15 transactions totaling HK$200 million, approximately $25 million USD, to five different bank accounts.
Every single person on that video call was fake. AI-generated deepfakes, all of them. The fraudsters had downloaded videos from past company meetings and used AI to create convincing digital puppets. The employee only discovered the truth a week later when checking with headquarters. By then, the money was gone.
This isn’t a story about technical failure. Arup’s systems weren’t breached. No data was stolen. As Arup’s CIO later explained, it was “technology-enhanced social engineering.” The attack succeeded because it targeted something no firewall can protect: our hardwired instinct to trust what we see and hear.
Trust Kept Us Alive. Now It’s Killing Our Security#
Humans evolved to trust. For most of our species’ history, if someone looked like your chief, sounded like your chief, and acted like your chief, they were your chief. Questioning that reality would have been paranoid delusion. Trust in what your senses told you kept you alive.
That same neurological wiring now makes us sitting ducks.
When you see a colleague’s face on a video call, your brain doesn’t run a authentication protocol. It doesn’t check for digital artifacts or verify through a secondary channel. It sees a face it recognizes and immediately shifts into trust mode. Millions of years of evolution say that face equals person equals trustworthy. Your conscious mind never even gets consulted.
This is why deepfakes work. And why they’re going to keep working.
The Numbers Tell a Disturbing Story#
The Arup case isn’t an outlier. It’s a preview. According to Verizon’s 2024 Data Breach Investigations Report, which analyzed 10,626 confirmed breaches across 94 countries, pretexting now accounts for more than 40% of social engineering incidents. That’s higher than traditional phishing at 31%.
Pretexting is the art of the believable story. It’s business email compromise. It’s the “CFO” calling from a new number asking you to update the wire transfer details. It’s the “IT department” texting about your account security. It works because it exploits context, authority, and trust.
Verizon found that 68% of all breaches involved the human element. Not malicious insiders, but regular employees falling for social engineering or making mistakes. And pretexting and phishing together account for 73% of social engineering-related breaches. These aren’t sophisticated technical attacks. They’re psychological manipulation at scale.
The median time for someone to fall for a phishing email is under 60 seconds. Twenty-one seconds to click the link. Another 28 seconds to enter their data. That’s how fast trust overrides caution.
Video Doesn’t Mean Real Anymore#
For decades, security training taught employees to be suspicious of text. Emails could be forged. Phone calls could be spoofed. But video? Video was the gold standard of verification. If you could see someone’s face and hear their voice, you knew it was real.
That assumption is now a critical vulnerability.
The technology to create convincing deepfakes is no longer limited to nation-state actors or Hollywood studios. Fraudsters can generate realistic video and audio with nothing more than publicly available footage. Company webinars. Conference presentations. LinkedIn videos. YouTube interviews. All of it is training data for AI that can make your CFO say anything.
The attackers in the Arup case likely used exactly this approach. They grabbed video from past virtual meetings and fed it to deepfake software. The result was good enough to fool someone who worked with these people regularly. Good enough to convince them to move $25 million.
And the technology is only getting better.
Authority Makes Us Stupid#
There’s another psychological factor at play here: authority bias. When someone who outranks you tells you to do something, your brain’s default response is compliance, not skepticism. This is especially true when the request comes with urgency, confidentiality, or the suggestion that you’ve been specially selected for the task.
Verizon’s data shows that financially motivated incidents involving pretexting have held steady at around 25% for the past two years. Business email compromise, the most common form of pretexting, has a median transaction value of $50,000. Not millions, just $50,000. Small enough to authorize quickly. Large enough to hurt.
The pattern is consistent. The “executive” emails from a new address because they’re traveling or their account has issues. They need you to handle an urgent vendor payment. It’s confidential. Don’t discuss it with anyone. Just update the bank details and process the wire.
Your brain sees: authority figure, urgent request, special responsibility. It feels: pressure to perform, fear of letting the team down, pride at being trusted. What it should feel is suspicion. But that’s not how we’re wired.
The Trust Tax is Getting Expensive#
Organizations are starting to realize that trust has a cost. Not just in dollars, though those costs are real. The Ponemon Institute’s 2025 Cost of Insider Risks Global Report found that the average organization now spends $17.4 million annually dealing with insider threats, many of which start with social engineering.
But the deeper cost is operational. Every new deepfake attack, every successful BEC scheme, every compromised executive account forces organizations to add friction to legitimate business processes. You can’t just call your boss anymore and ask for approval. You need to verify. Through a different channel. With documented procedures. Multiple times.
This is the trust tax. The overhead cost of living in a world where you can’t believe your eyes and ears.
Building Verification Culture Without Building Paranoia#
The solution isn’t to stop trusting people. An organization where nobody trusts anyone is dysfunctional and probably more vulnerable, not less. Burned-out, suspicious employees make worse security decisions, not better ones.
What you need is verification culture. A workplace where confirming unusual requests through secondary channels isn’t seen as insulting or paranoid, but as standard professional practice.
This means:
Out-of-band verification for financial transactions. If someone asks you to move money, you verify through a different communication channel. Video call request? Confirm via the company directory phone number. Email from the CFO? Text them on the number you already have. WhatsApp from IT? Call the help desk directly.
Established procedures that can’t be social-engineered away. The Arup employee initially suspected phishing but was convinced by the video call. The problem is there was no procedure that said “even if you see the CFO on video, you still verify through a separate channel before moving millions.” That procedure exists now.
Permission to slow down. Urgency is a weapon. “Handle this immediately.” “Don’t discuss with anyone.” “I need this done before the end of day.” These are red flags, not instructions. Organizations need to give employees explicit permission to pause, verify, and push back even when a supposed executive is applying pressure.
Regular exposure to realistic attack scenarios. Verizon found that 20% of users now report phishing emails without clicking them, and another 11% report even after clicking. That’s progress. It came from regular training and simulation, not from a single annual awareness session. The same approach works for pretexting and deepfakes. Show people what modern attacks look like. Let them practice saying no.
The Uncomfortable Reality#
Your employees will see deepfake videos of your executives. They probably already have, even if they don’t know it. The technology exists. It’s accessible. It’s being used right now.
Voice cloning is trivial. A few seconds of audio from a YouTube video is enough to generate a convincing fake phone call. Video deepfakes are harder but not prohibitively so. And they’re improving fast. What required a team of specialists two years ago can now be done with consumer-grade software.
This means the old heuristics don’t work anymore. “I saw them on video” doesn’t mean anything. “I recognized their voice” doesn’t mean anything. “They knew details only an insider would know” doesn’t mean anything because all of that information is scrapable, inferable, or fakeable.
The only thing that means something is verified through an independent channel using contact information you already had, not information provided in the suspicious communication.
Trust, But Verify. Actually, Just Verify#
For most of human history, trust was a survival advantage. The person who trusted their community thrived. The paranoid loner died alone. Our brains are built for trust because trust worked.
But we’re not living in small hunter-gatherer bands anymore. We’re living in a digital world where anyone can impersonate anyone, where video can be fabricated, where your CFO might be an AI puppet, and where $25 million can vanish in 15 transactions before anyone notices.
Trust is still important. You still need it to build teams, run organizations, do business. But blind trust is a luxury we can’t afford anymore.
The finance employee at Arup did nothing wrong by normal human standards. They saw people they recognized, heard voices they knew, verified through the most reliable means available to them at the time. They used their judgment and their judgment said this was legitimate.
Their judgment was wrong because the rules changed. What we see and hear can now be manufactured. What sounds real can be fake. What looks like your colleague can be a algorithm.
Organizations that survive this transition will be the ones that build verification into every high-stakes decision. Not because they don’t trust their people, but because they understand that in 2024 and beyond, seeing isn’t believing. Hearing isn’t confirming. Video isn’t verification.
The only thing that’s real is what you can verify through channels you control.
Trust got us this far. Verification will get us the rest of the way.
Sources#
This article is based on data from the following primary sources:
Verizon Business. (2024). 2024 Data Breach Investigations Report (17th edition). Analysis of 30,458 security incidents and 10,626 confirmed data breaches across 94 countries covering the period from November 1, 2022 to October 31, 2023. Available at: https://www.verizon.com/business/resources/reports/dbir.html
Ponemon Institute. (2025). 2025 Cost of Insider Risks Global Report. Independently conducted for DTEX Systems. Analysis of 7,868 insider security incidents across 349 organizations in North America, EMEA, and Asia-Pacific. Available at: https://ponemon.dtexsystems.com/
Hong Kong Police / CNN. (2024). Deepfake CFO fraud incident involving Arup engineering firm, reported February 2024. The incident involved HK$200 million (US$25.6 million) transferred across 15 transactions to five bank accounts.
Greymantle Risk Advisory helps organizations build verification procedures and security cultures that defend against social engineering without creating paranoid, dysfunctional workplaces. We combine technical controls, process design, and security awareness to address the human dimension of cyber risk.
