Anatomy of the scam

Deepfake CEO fraud is the next-generation BEC. Instead of just an email impersonating an executive, the attacker stages a real-time video call with a synthetic face and voice — sometimes including multiple "executives" in the same Zoom — to authorize a wire transfer.

The most-publicized case so far is the 2024 Arup engineering attack: a Hong Kong finance employee transferred US$25 million after a video call with what appeared to be the CFO and several other executives. All were deepfakes.

The tooling is increasingly accessible. Real-time face-swap libraries run on consumer GPUs; voice cloning needs only seconds of audio. Defense has to assume the executive on camera might not be the executive.

The script you will see

An invitation arrives, often last-minute:

"Confidential — please join this brief Teams call. We're moving on a deal and I need finance to action a wire today. Can't share details in writing."

You join. The CFO looks normal. The video is a little low-quality, "bad connection." Several other "team members" are present. The CFO asks for a wire to a new vendor for the acquisition. Standard procedure, except the procedure is being bypassed because of "confidentiality."

Variant: a voice-only call from "the CEO" in transit. The voice is cloned from prior conference talks or earnings calls.

Red flags during the call

  • The call was set up urgently and over a channel the executive doesn't normally use (Teams instead of Zoom, WhatsApp instead of corporate phone).
  • Video quality is degraded — "bad connection" used to mask deepfake artifacts.
  • The executive avoids close-ups, side angles, profile shots, or sustained eye contact.
  • Subtle lip-sync mismatches, especially on plosives ("p," "b") or fricatives.
  • Skin tone doesn't shift naturally when they turn their head.
  • The executive doesn't engage with unexpected small-talk topics ("how was your daughter's recital?"); the operators behind a deepfake can't improvise.
  • The request bypasses your normal control process — confidentiality, urgency, secrecy.
  • Other "executives" on the call don't behave naturally with each other.

How to defend

  1. Out-of-band verification stays the gold standard. Even after a video call, any wire above a threshold is confirmed via callback to a previously known phone number.
  2. Pre-agree on a verification phrase or behavior. If a wire is approved, the executive must answer a personal-knowledge question or perform a specific physical gesture not in the script (turn camera 360 degrees, hold up a piece of paper with a date).
  3. Demand specific live behaviors during the call. Ask the executive to wave both hands across their face. Real-time face-swap libraries struggle with hand occlusion. Ask them to turn 90 degrees in profile — most fail there too.
  4. Use multi-factor approval workflows. No single human, no matter how senior they appear, can authorize a wire above the threshold.
  5. Train staff to recognize the social-engineering frame. Urgency, confidentiality, and bypassing of process are the constants, not the synthetic faces.
  6. Inform finance staff that this is real. Many employees still don't believe deepfakes are operational threats. The Arup case is a useful reference.
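Steps 1 and 4 above as a small approval gate, written as an added example (not code from the original article); the threshold, approver count, callback directory and vendor master are assumed values, and nothing seen on the video call is an input at all:

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

WIRE_THRESHOLD_USD = 50_000   # assumed threshold above which every control applies
REQUIRED_APPROVERS = 2        # assumed: dual approval, neither being the requester

# Constructed directory of record. A callback counts only if it went to the
# number stored here, never to a number offered during the suspicious call.
CALLBACK_DIRECTORY = {"cfo": "+1-555-0100", "ceo": "+1-555-0101"}
# Constructed vendor master: payees that went through normal onboarding.
KNOWN_PAYEES = {"acme-supply"}


@dataclass
class WireRequest:
    amount_usd: float
    payee: str
    requester: str                         # executive who asked for the wire
    approvers: Set[str] = field(default_factory=set)
    callback_number: Optional[str] = None  # number the verifier actually dialled
    callback_confirmed: bool = False       # executive confirmed on that number


def evaluate(req: WireRequest) -> Tuple[bool, List[str]]:
    """Return (release, reasons). Any unmet control blocks the wire.

    The video call is deliberately not an input: it is the attack surface,
    so nothing seen or heard on camera contributes to the decision.
    """
    if req.amount_usd <= WIRE_THRESHOLD_USD and req.payee in KNOWN_PAYEES:
        return True, []   # routine payment to an established payee
    reasons = []
    # Control 4: no single person, however senior, releases above threshold.
    if len(req.approvers - {req.requester}) < REQUIRED_APPROVERS:
        reasons.append(f"needs {REQUIRED_APPROVERS} approvers other than the requester")
    # Control 1: callback to the previously known number, then confirmation.
    on_file = CALLBACK_DIRECTORY.get(req.requester)
    if on_file is None:
        reasons.append("requester has no callback number on file")
    elif req.callback_number != on_file:
        reasons.append("callback did not go to the number on file")
    elif not req.callback_confirmed:
        reasons.append("out-of-band confirmation not received")
    # A "new vendor for the acquisition" must enter the vendor master first.
    if req.payee not in KNOWN_PAYEES:
        reasons.append("payee not onboarded through the vendor-master process")
    return not reasons, reasons
```

Run against the Arup-style scenario (one executive on camera, new payee, no callback) the gate reports every bypassed control; it only releases when two other approvers have signed and the callback reached the number on file.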

If you transferred funds

  • Call your bank immediately. Request a SWIFT recall.
  • File an IC3 report. IC3's Recovery Asset Team is most effective when notified within 72 hours of the transfer.
  • Notify your CISO / security team. This is a high-priority incident requiring forensic analysis.
  • Preserve the call. If Teams / Zoom recorded the meeting, secure the recording. Even pre-recorded portions may help identify the deepfake tooling.
  • Engage incident response and your cyber-insurance carrier.
  • Notify the FBI (local field office) directly in addition to IC3.
  • Communicate internally carefully — the attackers may still be monitoring the email environment.

What not to do

  • Do not treat the video call as verification. The call is the attack surface, not the safeguard.
  • Do not assume "low video quality" is innocent. It's a known cover for deepfake artifacts.
  • Do not bypass dual-approval because the executive on screen is impatient.
  • Do not keep the incident quiet. Other employees may be next.

Where to report

  • FTC: reportfraud.ftc.gov — the broadest US fraud intake; reports flow to thousands of law-enforcement agencies.
  • FBI IC3: ic3.gov — the right destination when the scam is internet-enabled (phishing, BEC, romance, crypto).
  • CFPB: consumerfinance.gov/complaint — for complaints about banks, money transmitters, payment apps, credit cards, debt collection.
  • IdentityTheft.gov — if any identity information (SSN, driver's license, account credentials) was shared.
  • Your bank or payment platform. Call the number on the back of your card or use the app's in-product help. Time matters — wires can sometimes be recalled within hours; ACH and Zelle are harder but worth trying.

FAQ

Is deepfake CEO fraud actually common? Increasing rapidly. The Arup case is the highest-profile, but the FBI has documented dozens of cases since 2023. Synthetic-media fraud is currently the fastest-growing variant of BEC.

Can the deepfake tooling really run in real time? Yes, on consumer-grade hardware. Open-source projects like DeepFaceLive and commercial offerings have made real-time face-swap accessible. Voice cloning is even easier — a few seconds of audio is enough.

Should we add liveness detection? Liveness checks (blink detection, head movement) help against pre-recorded deepfakes, but real-time face-swap can produce convincing blinks and head movement. The most robust defense is procedural, not technical: out-of-band verification.

Is video on by default a defense? Sometimes. Insisting on video forces the attacker into the deepfake space, which raises their effort. But "I'll just call you" with a voice clone is also an attack surface. Procedural verification is the only durable answer.