Deepfake Cost Arup US$ 25M — and Your Company Could Be Next
An Arup employee was deceived by an AI-generated video call, costing the company US$ 25 million. What this changes for any business in Brazil.

In January 2024, an employee in the finance department of Arup, a British multinational engineering firm with more than 18,000 employees, working in its Hong Kong office, joined a video call with what they believed to be the company's CFO and other senior colleagues. By the end of the meeting, they had authorized a series of transfers totalling approximately US$ 25 million. None of the people on screen were real. They were all avatars generated by artificial intelligence, with voices and images synthesized from recordings of the real executives.
This episode is neither science fiction nor an isolated case of human distraction. It is the clearest signal yet that corporate fraud has entered a new phase — and that the controls that worked two years ago may no longer be sufficient today.
What made the scam possible
Audio deepfakes have existed since 2018. Real-time video deepfakes, however, until recently required expensive hardware, noticeable latency, and visual artifacts that gave away the forgery. That technical cost has plummeted.
Tools such as ElevenLabs (voice cloning), HeyGen (video avatar synthesis), and open-source pipelines based on diffusion models now make it possible to replicate an executive's voice and appearance with less than two minutes of reference audio — extracted from YouTube interviews, podcasts, or recordings from corporate events. The result doesn't need to be perfect; it only needs to be convincing enough for a context of stress, urgency, and hierarchical authority — exactly the environment that scammers construct.
In the Arup case, the social engineering was precise: the victim received a legitimate-looking email requesting a confidential meeting about an ongoing acquisition, joined the call, and saw familiar faces. Time pressure and a request for secrecy — classic elements of Business Email Compromise (BEC) — were simply transposed into video format.
Why this matters for Brazilian companies
The short answer: because Brazil has the second-highest number of victims of digital financial crime of any country, according to the Febraban 2025 report, and because SMEs rarely have the controls that even large corporations struggle to operate.
If Arup — with its security department, compliance policies, and global legal team — could not prevent the attack, the right question is not "will this happen to us?" but "what do we do when it happens?"
The attack vector is the fundamental point: the fraud did not hinge on a malicious link or attachment. The initial email was only the lure; the employee clicked nothing and opened nothing. They passed through every mental filter that conventional awareness training teaches, and the deception was completed face to face on a video call. This invalidates a significant portion of what companies call "security education."
What changes in practice: out-of-band verification
The most effective countermeasure — already adopted by global banks such as JPMorgan and HSBC in their internal protocols — is out-of-band verification. The principle is simple: any sensitive instruction received through one channel (email, Teams, Zoom, WhatsApp) must be confirmed through a different and independent channel, preferably via a phone call to a number already on file — not the number provided in the message itself.
Three rules that must become formal policy
- Changes to supplier bank details: any account change for payment purposes requires confirmation by phone with the contact already registered in the ERP or purchasing system. Never use the number provided in the request email, and never accept a "new contact number" delivered in the same message as the account change.
- Transfer instructions from the CFO or CEO via video conference: establish a code word or challenge-response protocol for high-value financial requests. The code word is agreed in person and is never sent over the channel it is meant to verify. It may seem archaic; it works. Swiss bank Julius Baer implemented internal security words after a similar incident in 2024.
- Dual approval for amounts above a defined threshold: the ceiling must be calibrated to the company's reality. For a Brazilian SME, R$ 50,000 already justifies approval by two distinct people, in person or through a documented alternative channel.
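The three rules above can be enforced as a gate in the payment workflow rather than left to memory. The following Python is an added example, not Arup's, any bank's, or any ERP vendor's code: the supplier and executive directories are constructed in-memory stand-ins for the ERP, the code word "tucano-azul" is a demo value, and the names (PaymentRequest, Evidence, verify, and the R$ 50,000 threshold taken from the third rule) are illustrative. It encodes all three checks: a bank-detail change must be confirmed by calling the number on file and is rejected if the callback went to a number supplied in the request; an executive instruction over video, voice or chat must pass a code-word challenge against a salted hash; and anything at or above the threshold needs two distinct approvers.

```python
"""Out-of-band verification gate for payment instructions.

Added example; not code from Arup or any bank. The directories below are
constructed stand-ins for the ERP / purchasing system, which must remain the
only source of truth for phone numbers and bank accounts.
"""
from dataclasses import dataclass
import hashlib
import hmac

# Constructed reference data (in a real deployment these come from the ERP).
SUPPLIERS = {
    "ACME Peças Ltda": {"phone": "+55 11 4000-0001", "account": "BR12 0001 ACME"},
}
# The code word is kept only as a salted PBKDF2 hash; the plaintext lives with
# the people who agreed it, never in the system or in any message.
CODEWORD_SALT = b"constructed-demo-salt"
DUAL_APPROVAL_THRESHOLD = 50_000.0  # R$; the SME figure from the rule above, calibrate per company


def hash_codeword(word: str, salt: bytes = CODEWORD_SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, 50_000)


EXECUTIVES = {
    # "tucano-azul" is a constructed demo code word.
    "cfo": {"phone": "+55 11 4000-0099", "codeword_hash": hash_codeword("tucano-azul")},
}


@dataclass
class PaymentRequest:
    payee: str
    amount: float
    account: str                 # destination account named in the request
    channel: str                 # "email", "video", "voice", "whatsapp", ...
    requested_by: str = ""       # executive role if an executive issued it, e.g. "cfo"
    number_in_request: str = ""  # phone number supplied inside the request, if any


@dataclass
class Evidence:
    """What the finance team actually did before approving."""
    callback_number: str = ""     # number dialled for the out-of-band confirmation
    codeword_presented: str = ""  # what the 'executive' answered when challenged
    approvers: tuple = ()         # user IDs that approved the payment


def verify(req: PaymentRequest, ev: Evidence) -> tuple[bool, list[str]]:
    """Return (approved, reasons). Every failed rule is reported, not just the first."""
    failures: list[str] = []

    # Rule 1: a change of bank details must be confirmed by calling the number
    # already on file. A callback to the number given in the request proves nothing.
    supplier = SUPPLIERS.get(req.payee)
    if supplier is None:
        failures.append("payee is not registered in the ERP")
    elif req.account != supplier["account"]:
        if ev.callback_number == supplier["phone"]:
            pass  # confirmed through the registered contact
        elif req.number_in_request and ev.callback_number == req.number_in_request:
            failures.append("callback went to the number supplied in the request, not the one on file")
        else:
            failures.append("account change not confirmed on the registered number")

    # Rule 2: an executive instruction over video/voice/chat must pass the code-word
    # challenge. Constant-time comparison of hashes; the plaintext is never stored.
    if req.channel in ("video", "voice", "whatsapp") and req.requested_by:
        exe = EXECUTIVES.get(req.requested_by)
        if exe is None:
            failures.append(f"unknown executive role '{req.requested_by}'")
        elif not hmac.compare_digest(hash_codeword(ev.codeword_presented), exe["codeword_hash"]):
            failures.append("code-word challenge failed")

    # Rule 3: at or above the threshold, two distinct people must approve.
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(set(ev.approvers)) < 2:
        failures.append(f"dual approval required at or above R$ {DUAL_APPROVAL_THRESHOLD:,.0f}")

    return (not failures, failures)


if __name__ == "__main__":
    # Arup-like scenario: 'CFO' on video, new account, one approver: all three rules fail.
    req = PaymentRequest("ACME Peças Ltda", 25_000_000, "BR99 NEW ACCT", "video", requested_by="cfo")
    print(verify(req, Evidence(approvers=("analyst",))))
```

The design point is that every check is against data the attacker does not control: the phone number and account come from the ERP record, the code word is compared against a hash the system holds, and the approver count is enforced by the system rather than by whoever is on the call. The gate reports every failed rule, so an audit log shows which control would have stopped the transfer.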
The role of training must change
Awareness training needs to incorporate deepfake simulations, not just simulated phishing. Platforms such as KnowBe4 and Proofpoint Security Awareness already offer specific modules for this. The question that training must plant in employees' minds is no longer "does this email look suspicious?" — it is "how do I verify that the person on screen is who they claim to be, regardless of what I am seeing and hearing?"
The risk that is still being underestimated
There is an operational detail that few CISOs are addressing: the voice and image exposure surface of Brazilian executives is enormous. Interviews on business portals, appearances on industry podcasts, recorded panels at events such as CIAB Febraban, HSM, or SXSW São Paulo — all of this provides the training material that a synthesis model needs. There is no need to hack anything. The data is public.
This does not mean executives should disappear from the public sphere. It means that companies need to treat leadership's digital presence as part of the attack surface — and adjust financial authorization protocols accordingly.
What to do in the next 30 days
Arup will survive the US$ 25 million loss. Most Brazilian SMEs would not survive a fraction of that amount. Immediate action does not require a sophisticated security budget:
- Map which roles in your company have authority to approve payments and transactions.
- Define a written out-of-band verification protocol for each of those workflows.
- Test the protocol with a simulated exercise before the end of the quarter.
- Review individual approval limits and implement dual custody for significant amounts.
The technology that enabled the attack on Arup is available, cheap, and improving every month. The controls that counter it are largely procedural — and cost far less than a single successful incident.