IronSights

Deepfakes and Voice Cloning: The New Face of Business Email Compromise

AI-generated voice cloning and deepfake video are being used in business email compromise attacks. The quality is sufficient to deceive under normal working conditions. Australian businesses need updated verification procedures.

By Ryan Balloot, Managing Director · 13 February 2025 · 2 min read

In early 2024, a multinational company in Hong Kong lost HK$200 million (approximately AUD$40 million) when a finance employee was deceived by a video call featuring deepfake representations of the company's CFO and other executives instructing a funds transfer. The quality of the deepfake was sufficient to deceive a trained finance professional under normal working conditions.

The Technology Is Now Accessible

Voice cloning tools that produce convincing audio from a few minutes of source material are publicly available and inexpensive. Video deepfake tools remain more computationally intensive but have become significantly more accessible. The barrier for attackers is no longer technical capability — it is access to sufficient source material, which for executives is often abundant through earnings calls, interviews, and LinkedIn videos.

How These Attacks Work in Practice

The most common scenario is a phone call or video call impersonating an executive, requesting an urgent wire transfer, a credential reset, or access to sensitive data. The victim may be told the situation is confidential, that normal procedures should be bypassed, and that speed is critical. These social engineering elements compound the technical deception.

Updated Verification Procedures

Standard callback verification, meaning calling a known number to confirm a request, remains effective against voice cloning if the known number is genuinely independent of the communication channel. Apply out-of-band verification to any significant financial instruction, credential change, or data access request: confirm via a pre-established second channel, not a reply to the same call or email thread. Pre-agreed code words for executives and finance teams provide an additional layer that AI cannot replicate without specific insider knowledge.

Should we block video calls from unrecognised contacts?

In high-risk contexts — finance team members who regularly process significant transfers — restricting video calls to known contacts and requiring additional verification for financial instructions is reasonable. The control should match the risk: not every staff member needs the same level of verification, but those with payment authority do.
