The video call that cost $25 million
In February 2024, a multinational company based in Hong Kong recorded one of the most impactful cases of financial fraud through social engineering with AI ever documented. According to CNN's report, a finance department employee participated in a video call with someone they believed to be the company's CFO and other high-ranking colleagues. They were all fake. They were real-time deepfake avatars, with synthetic voice, image, and body language. The result: bank transfers totaling $25 million sent to fraudulent accounts, according to an analysis by Forbes.
Since then, the case has become a benchmark in discussions about million-dollar fraud enabled by artificial intelligence in the corporate environment. And it has not been isolated: investigators have recorded similar incidents at smaller companies in the United States and Europe, with an average cost that already exceeds $500,000 per occurrence in SMEs, according to alerts from cybersecurity authorities.
The inevitable question remains: if even a multinational with a structured finance department was vulnerable to this type of deepfake scam, what happens when the target is a smaller company, with less formalized processes and leaner teams?
What this scam reveals about the financial risks of SMEs
The most relevant point of this case for managers of small and medium-sized enterprises is not the amount lost, but the mechanism of the attack. The deepfake fraud did not rely on system intrusions, did not require password theft, and did not exploit any technical software vulnerability. The target was the element that is hardest to protect with technology alone: human trust.
SMEs are increasingly targeted precisely because they tend to have less formalized financial approval processes. In companies with 10 to 200 employees, it is common for a single employee to have the authority to approve significant transfers without the need for validation through a secondary channel. This scenario creates a huge window of opportunity for social engineering fraud with AI.
The sophistication of deepfakes has evolved rapidly. Commercially available tools now allow for the cloning of voice and image with short samples of audio and video, often obtained from social media or public recordings. For a criminal, the logic is simple: if the employee sees and hears the boss ordering an urgent transfer, the likelihood of compliance is extremely high, especially under time pressure and confidentiality, classic tricks of social engineering.
Moreover, the deepfake scam in video calls tends to disarm the instinctive distrust that a suspicious email would normally trigger. The visual presence creates an illusion of authenticity that is difficult to question in the moment. Therefore, corporate financial security cannot rely solely on the individual judgment of the employee.
Layers of protection that make a real difference
The good news is that there are concrete and accessible strategies to drastically reduce the risk of this type of digital fraud in companies of any size. Effective protection works in complementary layers:
- Mandatory multifactor authentication for financial access: MFA ensures that, even if an employee is convinced to provide credentials during a scam, access and the execution of transactions require a second independent verification that the criminal does not control.
- Out-of-band validation protocols: Any transfer above a predefined amount must be confirmed through a secure secondary channel, different from the channel through which the request was received. A callback to a previously registered number is sufficient to thwart most AI-driven social engineering attacks.
- 24/7 behavioral monitoring: Endpoint detection and response (EDR) solutions combined with continuous monitoring identify anomalous behaviors in real-time, such as access outside of normal hours, unusual financial movement attempts, or transfers to unregistered destinations.
- Managed and continuous awareness training: Regular phishing and deepfake simulations, with immediate feedback, measurably elevate the team's maturity. Studies indicate that organizations with active awareness programs reduce the success rate of social engineering attacks by up to 83% compared to companies without structured training.
- Zero Trust model applied to financial processes: No request, even from a superior, should be fulfilled without independent verification. The premise is simple: do not automatically trust any digital identity without additional validation.
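The out-of-band validation, behavioral monitoring, and Zero Trust items above amount to one approval rule: a request is held until it is confirmed on a different channel, by a call the staff member places (not one they receive), to a contact number registered in advance. The following Python is an added illustration written for this article, not code from any vendor or from the companies mentioned; the threshold, business hours, payee list, and callback directory are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Policy values below are constructed for this example; a real company
# sets its own threshold and hours in its payment policy.
OOB_THRESHOLD = 10_000.00                 # at or above this, callback is mandatory
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed directory data. In practice this comes from the HR/ERP system
# and is never taken from the request itself (a caller cannot "register"
# their own callback number mid-conversation).
REGISTERED_CALLBACKS = {"cfo@example.com": "+1-555-0100"}
APPROVED_PAYEES = {"ACCT-VENDOR-A", "ACCT-VENDOR-B"}


class Decision(Enum):
    APPROVED = "approved"
    HOLD = "hold"            # parked until out-of-band confirmation arrives
    REJECTED = "rejected"


@dataclass
class TransferRequest:
    requester: str           # identity the requester claims (e.g. the CFO)
    amount: float
    payee: str
    request_channel: str     # "video_call", "email", "chat", ...
    requested_at: datetime


@dataclass
class Confirmation:
    channel: str             # channel staff used to confirm, e.g. "phone"
    contacted: str           # number/address the staff member actually reached
    staff_initiated: bool    # True only if staff dialed out; an inbound call is not a callback


def at(hour: int, minute: int = 0) -> datetime:
    """Helper for building sample timestamps on a fixed constructed date."""
    return datetime(2024, 2, 5, hour, minute)


def anomaly_flags(req: TransferRequest) -> List[str]:
    """Checks a behavioral-monitoring layer would raise on a single request."""
    flags = []
    if req.payee not in APPROVED_PAYEES:
        flags.append("unregistered destination")
    start, end = BUSINESS_HOURS
    if not start <= req.requested_at.time() <= end:
        flags.append("outside business hours")
    return flags


def evaluate(req: TransferRequest, conf: Optional[Confirmation] = None) -> Tuple[Decision, List[str]]:
    """Apply the out-of-band rule. Large or anomalous requests are held until
    confirmed by a staff-initiated call to the registered number, on a channel
    different from the one the request arrived on. The rank of the requester
    is deliberately not an input: a superior's request gets the same treatment."""
    flags = anomaly_flags(req)
    needs_oob = req.amount >= OOB_THRESHOLD or bool(flags)
    if not needs_oob:
        return Decision.APPROVED, flags
    if conf is None:
        return Decision.HOLD, flags + ["awaiting out-of-band confirmation"]
    if conf.channel == req.request_channel:
        return Decision.REJECTED, flags + ["confirmation used the same channel as the request"]
    if not conf.staff_initiated:
        return Decision.REJECTED, flags + ["confirmation was inbound, not a staff-initiated callback"]
    registered = REGISTERED_CALLBACKS.get(req.requester)
    if registered is None or conf.contacted != registered:
        return Decision.REJECTED, flags + ["contacted number does not match registered callback"]
    return Decision.APPROVED, flags


def demo() -> Dict[str, str]:
    """Run the rule over constructed scenarios modelled on the article's pattern."""
    urgent = TransferRequest("cfo@example.com", 480_000.00, "ACCT-UNKNOWN-99", "video_call", at(21, 30))
    routine = TransferRequest("ap-clerk@example.com", 2_500.00, "ACCT-VENDOR-A", "email", at(10, 15))
    return {
        "routine_small_payment": evaluate(routine)[0].value,
        "urgent_video_call_no_callback": evaluate(urgent)[0].value,
        "confirmed_inside_same_video_call": evaluate(
            urgent, Confirmation("video_call", "cfo@example.com", True))[0].value,
        "inbound_phone_call_from_caller": evaluate(
            urgent, Confirmation("phone", "+1-555-0100", False))[0].value,
        "callback_to_registered_number": evaluate(
            urgent, Confirmation("phone", "+1-555-0100", True))[0].value,
        "callback_to_number_given_by_caller": evaluate(
            urgent, Confirmation("phone", "+1-555-0199", True))[0].value,
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:40s} -> {outcome}")
```

The two rejection paths worth noticing are the ones a deepfake specifically invites: "confirming" with the same participants inside the call, and accepting a number the caller supplies. Both leave the attacker in control of the verification channel, which is exactly what out-of-band validation exists to prevent.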
The question every financial manager needs to answer
If an employee in your company were to receive an urgent video call from your chief executive asking for a confidential transfer, what would their next step be?
If the answer is "they would probably execute the transfer," your company has a real vulnerability window, regardless of size or industry. The good news is that closing this window does not require a complex technological transformation. It requires clear processes, consistent training, and layers of verification that hold up even under pressure.
Managed IT contributes directly here: with Zero Trust-based access policies, 24/7 monitoring of anomalous behavior, MFA implemented throughout the financial approval chain, periodic awareness training, and continuity protocols that ensure dual validation of critical transactions. Combined, these capabilities create a defense architecture that does not depend on any one employee getting it right in a moment of pressure.
Deepfake technology will continue to evolve. But companies that build robust processes and well-trained teams are always one step ahead, regardless of how the scam presents itself.
References
- CNN, Deepfake CFO scam in Hong Kong costs company $25 million
- Forbes, The $25 Million Deepfake Video Call Fraud
Want to understand what layers of protection make sense for the size and profile of your company? Talk to a specialist at Zamak for a Complimentary Initial Consultation, with no obligation.