
can a video call alone authorize a wire transfer at your company?
Quick recap if you missed it. Early 2024, a finance worker at the Hong Kong office of Arup (the engineering firm) gets a sketchy email from the "UK CFO" about a confidential transfer. Good instincts, he pegged it as phishing. So he asked for a video call to confirm. On the call was the CFO plus a few colleagues he recognized, all telling him the transfer was legit. He sent around 25.6 million dollars across 15 transactions. Every single person on that call except him was a deepfake, built from public video and audio of the real execs. He only clocked it when he later checked with head office.
The part I keep coming back to is that he did the right thing. He got suspicious, he escalated, he asked for live verification. The verification method itself was the hole. "I saw their face and heard their voice" has been the gold standard for confirming who someone is for about as long as offices have existed, and that assumption quietly stopped being safe.
Here's my take, and tell me where I'm wrong. Almost none of the security spend people are proud of touches this attack. MFA, EDR, email filtering, network monitoring, all of that guards endpoints and perimeters. A deepfake whaling call barely brushes any of it. The gap is in how high-stakes decisions get authorized, and that is a process problem before it is a tooling problem.
The boring controls are the ones that hold up. Out-of-band callback to a known number for any large transfer. A challenge phrase for money movement that never rides the same channel as the request. Dual authorization above a threshold. None of it is exciting and all of it would have killed this attack cold. Start there before you buy anything.
On the tooling side, I'm wary of "deepfake detection" pitched as a silver bullet. Any vendor quoting a fixed accuracy number is quoting a figure that decays the next time the generators improve, and they improve constantly. Pure pixel detection is an arms race defenders mostly lose. The stuff I think is more durable looks at metadata and provenance signals around a call rather than just the image, and runs in real time inside the meeting so a human gets a heads up in the moment instead of in the postmortem.I know at Netarx.com gives real-time flags across voice, video, email and SMS. I'd still tell you the process controls above matter more than any detector.
So, real questions for the room:
- Does your org have a hard rule that a video call alone cannot authorize a transfer, or is it still a recognizable face plus vibes?
- Anyone actually running an internal code word for money movement, and does it survive contact with busy executives who hate friction?
- If you've put a deepfake scenario into your phishing sims, did people fall for it more or less than you expected?
This is the attack that keeps getting cheaper, and I'd rather steal good ideas from people here than wait for our own incident report.