Cross-industryBrand & Safety IncidentVoice AgentHigh

Arup loses $25 million to AI deepfake impersonation of CFO

In January 2024, engineering firm Arup was targeted by a sophisticated deepfake attack. Fraudsters impersonated the CFO and colleagues via a video call to steal $25 million.

Arup · Incident Jan 1, 2024 · Indexed Jun 16, 2026 · 3 sources

AI-generated video and audio were used to impersonate executives during a live video call to authorize a fraudulent transfer of $25 million.

Key facts

What
In January 2024, engineering firm Arup was targeted by a sophisticated deepfake attack.
Incident date
Jan 1, 2024
Who
Arup
Failure mode
Brand & Safety Incident
AI surface
Voice Agent
Severity
High

What happened

Fraudsters used AI-generated video and audio to impersonate Arup's CFO and other colleagues during a video conference call. This deception led a staff member to transfer $25 million to bank accounts in Hong Kong.

What broke inside the model

Failure path · mode profile · Brand & Safety Incident
  1. 01 · TriggerA user prompts the model in public view.
  2. 02 · Model stepThe model produces unsafe or off-brand output.
  3. 03 · Control gapNo filter holds the line before publish.
  4. 04 · FailureThe output goes public unchecked.
  5. 05 · ConsequenceA reputational or safety incident lands.

A contained signal crosses into output that goes public.

The failure was in the identity verification process during virtual communication. Attackers used generative AI to bypass visual and auditory trust, exploiting the lack of a secondary out-of-band confirmation for the financial transfer.

What it cost

Public visibilityHigh
Regulatory exposureNone
Customer impactFew customers
Financial impactDisclosed
Time to disclosureMonths

Sources

  1. PressArup revealed as victim of $25 million deepfake scamcnn.com
  2. PressScammers siphon $25M from engineering firm Arup via AI deepfakecfodive.com
  3. PressDeepfake AI Cybercrime Arupweforum.org

Cite this entry

Permalinkhttps://failureindex.ai/failures/arup-loses-million-deepfake-impersonation-cfo
CitationAI Failure Index. "Arup loses $25 million to AI deepfake impersonation of CFO" (FI-0512). Realm Labs. https://failureindex.ai/failures/arup-loses-million-deepfake-impersonation-cfo (indexed Jun 16, 2026).
Share cardA branded image of this record for posts and slides.

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0512. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard
  • AI Detection & Response (AIDR)

Realm watches the model's internal state for the signature of unsafe or off-brand generation and can block or reroute the output before it becomes public, in real time rather than after it has been screenshotted.

Book a Demo

Related failures

Other records that share this failure mode (Brand & Safety Incident) or industry (Cross-industry).

FI-0501Cross-industryMedium
Hallucination

KPMG pulls AI report after organizations dispute claims

KPMG withdrew its "Total Experience: Redefining Excellence in the Age of Agentic AI" report after several organizations stated the claims about their AI usage were untrue. Research by GPTZero revealed that the majority of the report's citations were AI-generated hallucinations.

Confidence
High (multi-source, primary)
KPMG3 sourcesPrimaryPublicJun 2026
FI-0334SaaSHigh
Brand & Safety Incident

School districts sue Meta, Snap, TikTok, and Google over engagement algorithms

Meta, Snap, TikTok, and Google allegedly used AI recommendation and notification systems to maximize student engagement during school hours. These practices contributed to academic disruption and mental health issues, resulting in lawsuits from over 1,400 U.S. school districts.

Confidence
High (multi-source, primary)
Meta, Snap, TikTok, and Google3 sourcesPrimaryPublicJun 2026
FI-0576Cross-industryMedium
Brand & Safety Incident

Reddit ads used deepfake news and cloned sites to promote AI investment scams

Reddit failed to prevent a series of sponsored ads that used deepfakes and cloned websites to impersonate news outlets like the BBC and The Guardian. These ads promoted fraudulent AI investment platforms, targeting users in the US and Europe.

Confidence
High (multi-source, primary)
Reddit3 sourcesPrimaryPublicJun 2026