A finance worker at a global engineering firm sat down for what looked like a routine video call. His chief financial officer was on screen. So were a few familiar colleagues. They walked him through a confidential deal and asked him to move some money, and over fifteen separate transfers he sent about 25 million dollars out the door. Every face on that call was fake. The CFO was a deepfake. The coworkers were deepfakes. He was the only real human in the room. Security researchers at Trend Micro documented how the attackers pulled it off, and the playbook has only gotten cheaper since.

I keep coming back to that story, and not because of the technology. The unsettling part is how reasonable he was being. He saw his boss. He heard his boss. He had a live video call confirming the instructions, which is the exact thing most of us were taught to ask for when something feels off. That is what makes this new wave of fraud so hard. The proof we used to trust, a face and a voice on a screen, is now the thing being forged. You can read the full breakdown of that case in our piece on the $25 million Arup deepfake, and it still gives me chills.

So the question every finance team, business owner, and honestly every person paying a contractor needs to sit with is simple. How do you verify a wire transfer request is real when the request comes from a face you recognize?

The numbers are not abstract anymore

Business email compromise, the category these wire scams fall under, cost American victims about 3 billion dollars in 2025 according to the FBI's 2025 Internet Crime Report. That same report, for the first time, carved out a dedicated section on artificial intelligence, logging more than 22,000 AI-related complaints with losses over 893 million dollars. Voice cloning tools now need only a few seconds of audio to copy someone, which is why a panicked call from a "family member" or a calm request from a "CFO" can both be manufactured in an afternoon. I wrote more about how that voice side works in our guide to protecting yourself from voice cloning scams.

Here is the good news, and I do mean good news. You do not need fancy detection software to beat this. You need a habit. One boring, repeatable habit that the most sophisticated deepfake on earth cannot get around.

The callback rule that actually works

The single most effective control is what security teams call out-of-band verification. In plain language, when a payment request comes in by email, video call, or voicemail, you confirm it through a completely separate channel before any money moves. J.P. Morgan lays this out clearly in its own deepfake fraud prevention guidance, and the core idea is almost stubbornly simple. Never trust the channel the request arrived on.

That means if your CFO appears on a video call asking for a transfer, you hang up and call the CFO back on the number already saved in your company directory. Not the number in the email signature. Not the one the caller gives you. The known one. A deepfake can imitate a face and a voice, but it cannot answer the real phone sitting on your colleague's real desk.

A workable policy has just a few moving parts. First, set a dollar threshold above which every transfer requires a callback, no exceptions, even when the boss is "in a hurry." Second, the callback number always comes from your internal directory, never from the message itself. Third, write down who verified what, so the confirmation lives in your records and not just in someone's memory. Fourth, and this is the human part I care about most, make it culturally safe to slow down. The fraud works because people feel rude pausing an urgent request from someone senior. Tell your team out loud that pausing is the policy, not an insult.
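To show how those four parts fit together in practice, here is an added example that is not from the original post: a small Python check that refuses a transfer above the threshold unless the callback went to the directory number, and writes down who verified it. The directory entries, threshold and names are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample directory: the only numbers a callback is allowed to use.
DIRECTORY = {
    "cfo@example.com": "+1-555-0100",
    "controller@example.com": "+1-555-0101",
}
CALLBACK_THRESHOLD = 10_000  # dollars; assumed policy value, set your own


@dataclass
class TransferRequest:
    requester: str                  # identity claimed on the inbound channel
    amount: float
    channel: str                    # "email", "video", "voicemail", ...
    offered_callback: Optional[str] = None  # number the message itself supplied


@dataclass
class Decision:
    approved: bool
    reason: str
    audit: dict = field(default_factory=dict)


def verify_transfer(req: TransferRequest, callback_number_used: Optional[str],
                    verifier: Optional[str], directory=DIRECTORY,
                    threshold=CALLBACK_THRESHOLD) -> Decision:
    """Apply the callback rule and return a decision plus a written record."""
    audit = {"requester": req.requester, "amount": req.amount,
             "inbound_channel": req.channel,
             "checked_at": datetime.now(timezone.utc).isoformat()}
    if req.amount < threshold:
        return Decision(True, "below callback threshold", audit)
    known = directory.get(req.requester)
    if known is None:
        # Nobody in the directory to call back: fail closed.
        return Decision(False, "requester not in directory", audit)
    if req.offered_callback and req.offered_callback != known:
        audit["warning"] = "message supplied a number that is not the directory number"
    if callback_number_used is None or verifier is None:
        return Decision(False, "callback required but not performed", audit)
    if callback_number_used != known:
        # A number taken from the message, not the directory, does not count.
        return Decision(False, "callback did not use the directory number", audit)
    audit.update(verified_by=verifier, callback_number=known)
    return Decision(True, "confirmed by out-of-band callback", audit)
```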

Make the fakes easy to catch

Verification is your wall, but it helps to recognize a fake before you even reach for the phone. Deepfakes still stumble on odd lighting, lag between lips and audio, and a strange flatness when you ask an unexpected question. Our walkthrough on what a deepfake is and how to spot one covers the tells worth knowing. And if you run a smaller operation without a finance department, the same thinking scales down to you, which is why we put together a plain-language deepfake protection playbook for small businesses.

I started this work because I have watched how much damage lands on real people when their trust gets turned into a weapon. The finance worker who sent that 25 million was not careless. He was human, doing his job, trusting his own eyes. The fix is not to stop trusting people. It is to build one small ritual that protects them when their eyes get fooled. A two-minute callback would have saved that company 25 million dollars. That is the best return on two minutes I can think of.

If you want to know where your own exposure sits before a fake CFO ever calls, take our free 2-minute Deepfake Risk Assessment and see your score.