What Happened

This type of scam starts with a familiar spear-phishing email. This particular email purportedly came from the CFO at Arup’s London office, requesting a participation in an urgent video conference about a sensitive transaction [1].

Initially, the employee in the Hong Kong branch thought this was a scam attempt. The email was suspicious. But then the call came, and he saw the CFO, colleagues, people whose faces and voices he knew. It looked legit.

But all of it – the video conference, everyone on screen – was faked. The deepfake scammers used real-time AI models connected to a virtual camera and created a live deepfake of the Arup employees’ faces and voices [2].

In total, 15 separate transactions totaling $25,600,000 were transferred into 5 bank accounts in Hong Kong.

How the Attack Was Uncovered

The scammers were not caught during the fraudulent transactions. They were found out when the employee called London to make sure everything went according to plan. The London branch, however, had no knowledge of any such call or transactions [3].

As of this article, the fraud is ongoing, and Hong Kong police opened an investigation in February 2024. No arrests or recoveries have been made as of yet.

What This Means for the State of Corporate Security

The Arup case completely rewrites the unwritten laws of business security. Up until 2024, the rule was clear: a video call is secure. You can see your colleagues and listen to them.

The rule no longer applies.

The technology that took $25 million from Arup is not classified military technology. It can be bought online. It is cheaper than a month’s subscription of a regular security program. And every week, it becomes better and more powerful [4].

None of us was targeted by anything we were ready for. Not a hack, not a phishing email, but an attack on human perception.

— Rob Greig, CIO, Arup

How SYNHAWK Protects Against This Type of Attack

SYNHAWK PROTECTION: VYRA 9, SYNHAWK’s base model for video, analyzes the video call in real-time and identifies AI deepfakes in real-time by recognizing unique characteristics of faces generated using modern generative AI models. It can detect inconsistencies in facial expressions, lighting, framing, or background, and flag the presence of deepfake video while the call is in progress, not after it.