
Earlier this month, Hong Kong police reported that a finance employee at a multinational firm wired about $25 million after a video conference with the company’s CFO and several colleagues — every one of whom was an AI-generated deepfake. Email fraud now has a face and a voice, and finance teams can no longer treat a video call as proof of identity.
How the $25 million call worked
According to police, the employee first received a message, supposedly from the UK-based chief financial officer, about a confidential transaction. He was suspicious — it read like a phishing email. What dissolved his doubt was a group video call where the CFO and other colleagues looked right and sounded right. Everyone on that call was fake, generated from publicly available footage of real staff.
Reassured, he followed instructions and made 15 transfers totaling roughly HK$200 million before a routine check with head office days later exposed the fraud. Note what failed here: not one system was hacked. Every control that fell was human.
This has been building for years
Voice came first. In 2019, criminals cloned a chief executive’s voice to talk a UK energy firm out of roughly $240,000. In 2021, police in the UAE investigated a heist in which a cloned voice helped move $35 million. Last year the FTC warned that a few seconds of audio are enough to fake a family member’s voice. Video was the last frontier, and it just fell — the tools are now cheap, fast and require no special skill.
The economics explain what happens next. Business email compromise was already among the costliest crimes reported to the FBI year after year, and it worked with nothing but a spoofed address and decent grammar. Give that same criminal a convincing face and voice, and every finance team that relies on recognizing people becomes a target — not just at multinationals, but anywhere one person can move money on a manager’s say-so.
Why seeing someone on video no longer counts
Executives are the easiest people on earth to deepfake: webinars, conference talks, earnings calls and LinkedIn videos supply all the training data an attacker needs. And the playbook underneath hasn’t changed — authority, urgency and secrecy, the same levers as classic business email compromise. AI just upgraded the production values.
There are still occasional tells — odd lighting, stiff framing, a caller who resists turning their head or answering an unscripted question — but you should treat spotting them as a bonus, not a defense. In the Hong Kong case, the call was reportedly kept short and scripted, with the victim doing little of the talking. That’s the shape these attacks will take: minimal interaction, maximum authority.
Controls that actually stop it
You cannot train people to reliably spot a good deepfake; some are already too convincing. Procedure has to do the work, and none of it requires new software:
- Verify out-of-band, every time. Call the requester back on a number you already have on file — never one supplied in the request or on the call itself.
- Dual approval for wires above a set threshold, with no exception for urgency. Urgency is exactly when the rule matters most.
- Treat secrecy as a red flag. Any “confidential — don’t discuss with anyone” payment request gets escalated, by written policy.
- Agree on a code phrase for executive payment requests. Low-tech, nearly free, and it defeats a deepfake outright.
- Rehearse the refusal. Give finance staff explicit permission, in writing, from the CEO, to slow down any payment request — including the CEO’s own.
Verification only works over channels you already trust. It’s the same reason our clients keep their dedicated account manager’s real cell number on file: when something feels off, they call a known number and reach a known voice — in both directions.
Key takeaways
- Deepfake fraud has jumped from cloned voices to full multi-person video meetings.
- The Hong Kong case moved about $25 million without breaching a single system — only trust.
- Public footage makes executives easy to clone; assume yours can be.
- Out-of-band callbacks, dual approval and code phrases beat detection tricks.
- Write the rules down now, before the urgent-sounding call arrives.
Wondering where AI-enabled fraud could slip past your current controls? Take our AI security assessment and find out before someone tests you for real.
Turn insight into action.
Take a free cybersecurity or AI readiness assessment, or book a call with a NetSys engineer — no obligation, no runaround.



