Deepfake Fraud: The $25-Million Heist Era

Dark Side of AI · Report

DEEPFAKE FRAUD: THE $25-MILLION HEIST ERA

In early 2024, a finance employee at engineering giant Arup joined a routine video call with the company’s CFO and several colleagues, and authorized a transfer of about US$25 million. Every person on that call except the victim was an AI deepfake. It is the most expensive known case of a threat that has gone from novelty to normal business risk: synthetic audio and video used to impersonate the people we trust.

Thank you for reading this post, don't forget to subscribe!

By The AI Index· Updated · 5 min read

Key takeaways

  • It’s no longer rare: 49% of businesses say they faced an audio or video deepfake fraud attempt in 2024. (Regula)
  • It’s expensive: average losses run near $450,000 per company — over $600,000 in financial services. (Regula)
  • It’s accelerating: Sumsub recorded a 4× rise in detected deepfakes from 2023 to 2024; deepfakes are now ~7% of all fraud attempts and ~40% of biometric fraud. (Sumsub)
$25M
lost in the Arup deepfake call
49%
of businesses hit by deepfake fraud
~$450K
average loss per affected company

The $25-million call

The Arup case worked because it attacked trust, not technology. The fraudsters cloned real executives convincingly enough to survive a live video meeting, and the employee had no reason to doubt faces and voices they recognized. That’s the core shift: authentication based on what you see and hear has collapsed, and verification now has to come from a separate, trusted channel.

“No face on a screen authorizes a wire on its own.”

From outlier to operating risk

Regula’s 2024 survey of 575 business decision-makers found nearly half had already encountered deepfake fraud, with video deepfakes most reported in fintech (57%) and audio in crypto (55%). Identity-verification vendor Sumsub logged a fourfold increase in deepfakes year over year, with North America’s 2022–2023 surge exceeding 1,700%. Deepfakes have become a standard line item in the fraud toolkit, not an exotic one.

The defense: put verification back

Because the attack exploits trust, the fix is procedural as much as technical: liveness detection and injection-attack defenses at onboarding, and — for any high-value transfer — a mandatory callback or pre-agreed code word through a separate channel. The rule that defeats a deepfake CFO is simple: no face on a screen authorizes a wire on its own.

Frequently asked

What is the biggest deepfake fraud so far?

The 2024 Arup case, in which an employee was tricked into transferring about US$25 million after a video call where every other participant was an AI deepfake of a real colleague.

How can companies defend against deepfake fraud?

Combine technical controls (liveness detection, injection-attack defenses) with strict procedures — most importantly, callback or code-word verification through a separate channel before any high-value payment, so no on-screen identity can authorize a transfer alone.

Cite this page

The AI Index (2026). Deepfake Fraud: The $25-Million Heist Era. Retrieved Jun 20, 2026, from report-ai.org/reports/dark-side-of-ai/ai-deepfake-fraud-statistics/