The 25 million dollar deepfake.


The Observation

Attackers just scammed Arup out of 25 million dollars using a coordinated deepfake hit. They didn't just send a fake email. They backed it up with a real-time deepfake video call that looked and sounded exactly like the real thing. It completely shredded their standard security checks because it weaponized the trust we all have in seeing a face on a screen. When the tech is this good, your old verification playbook is officially useless.

The Analysis

AI just broke the old rules of social engineering. Scammers are now cranking out perfect phishing hits in five minutes flat. The days of spotting a fake because of bad grammar or a weird typo are over. These machine-generated attacks are landing a massive 54 percent click rate because they look flawless. If you are still training your team to look for content signals, you are already compromised. You have to stop looking at the message and start hunting for behavioral red flags and enforcing hard verification.

The Roadmap

Forget the annual compliance videos that everyone ignores. You need to hit your team with micro-training the second they actually trip a behavioral red flag. If a sensitive financial request comes in, make it mandatory to pick up the phone or use a separate channel to verify it. No exceptions. Finally, get rid of basic MFA and move to hardware keys that actually lock the authentication to the device. If the tech doesn't cryptographically stop the theft, it isn't security. It is just a speed bump.
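
One way to make the mandatory separate-channel check a hard control in a payment workflow rather than a habit. This is an added example, not code from the original article; the directory, threshold, channel names and function names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: the directory of record holds callback contacts.
DIRECTORY = {"cfo@example.com": "+44 20 5550 0100"}
SENSITIVE_THRESHOLD = 10_000  # assumed policy threshold for "sensitive"


@dataclass
class Verification:
    channel: str       # channel the verifier used, e.g. "phone"
    contact_used: str  # contact the verifier dialled or addressed


@dataclass
class PaymentRequest:
    requester: str         # identity the request claims to come from
    amount: int
    request_channels: set  # every channel the request arrived on
    verifications: list = field(default_factory=list)


def release_decision(req: PaymentRequest) -> tuple[bool, str]:
    """Allow a sensitive payment only after a check on a separate channel,
    made to the contact on file rather than one supplied with the request."""
    if req.amount < SENSITIVE_THRESHOLD:
        return True, "below sensitive threshold"
    on_file = DIRECTORY.get(req.requester)
    if on_file is None:
        return False, "no contact on file for requester"
    for v in req.verifications:
        if v.channel in req.request_channels:
            continue  # same channel the request used: not independent
        if v.contact_used != on_file:
            continue  # contact came from the request, not the directory
        return True, f"verified via {v.channel}"
    return False, "no out-of-band verification recorded"  # no override path


# Constructed scenario: an email request backed up by a video call.
request = PaymentRequest("cfo@example.com", 25_000_000, {"email", "video_call"})
request.verifications.append(Verification("video_call", "link-from-email"))
print(release_decision(request))
request.verifications.append(Verification("phone", DIRECTORY["cfo@example.com"]))
print(release_decision(request))
```

The gate ignores how convincing the message or call was: a second look on the channel the request arrived on never counts, and neither does a callback to a number taken from the request itself.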

Question for the network

Is your security training still obsessing over typos and bad grammar, or have you woken up to the fact that deepfakes are already walking through your front door?

Hint: If your employees are looking for spelling mistakes while a live video of the CFO is asking for a wire transfer, you've already lost.


References

  • Vectra AI: AI phishing explained, How artificial intelligence is transforming social engineering attacks

By Michael Lennard Gnaedinger. © 2026 Gnaedinger Consultancy. All rights reserved.
