Video Call Deepfakes Cost Arup $25M in Single Fraud

The video call has become the front door to some of the most damaging corporate fraud of the past two years. A face on screen used to be enough. It no longer is.

On a single day in early 2024, an Arup finance employee in Hong Kong transferred HK$200 million (roughly US$25 million) across 15 wire transactions to five bank accounts after joining what appeared to be a routine video conference with the company's CFO and several colleagues. Every participant except the employee was AI-generated. The deepfakes were built from publicly available meeting footage. When the employee later contacted a real executive to confirm, the scam unraveled. By then, the money was gone.

The Arup incident was not an isolated failure of one employee's judgment. It was the proof-of-concept that bad actors had been waiting to replicate.

The Attack Surface Nobody Audited

Organizations have spent years hardening email, locking down endpoints, and training staff to spot phishing links. The video call, now the default channel for hiring decisions, financial approvals, customer onboarding, and account recovery, largely escaped that scrutiny. It carried an implicit assumption: if you can see the person, they must be real.

Why AI Ad Agents Are Collapsing the Economics of Video Production

AI ad agents now produce ads for $5-$8 in minutes.

Mission Media

That assumption has been systematically exploited. North Korea-linked operatives have used real-time synthetic media in remote job interviews to infiltrate hundreds of organizations, including major corporations and Fortune 500 firms. A candidate joins an interview call, clears every identity check, gets hired, and begins exfiltrating data or funneling salary to state-controlled accounts. The U.S. Department of Justice identified 136 victim companies and seized US$15 million in cryptocurrency linked to the campaign.

The common thread in both attack types, executive impersonation fraud and fake-candidate infiltration, is the video call itself. It is where identity is assumed rather than verified.

What iProov Verified Meetings Does

On May 19, 2026, iProov launched Verified Meetings, a native plugin for video conferencing platforms designed to close this specific loophole without forcing participants through a separate identity-check flow.

The tool runs silently in the background. When a host triggers a check, the platform analyzes the live video stream across two dimensions simultaneously: imagery analysis to detect deepfakes and presentation attacks, and hardware integrity verification to confirm that the video stream originates from a physical camera rather than a virtual camera environment. Virtual camera injection (routing a pre-generated deepfake through software that mimics a real webcam) is one of the primary delivery mechanisms for live video fraud.

The result appears in the host's interface as a Red, Amber, or Green status. The participant is not alerted that the check is running, which prevents a bad actor from simply disconnecting before a result is returned. Detection is continuous rather than a one-time gate, and the underlying models are updated in real time via iProov's dedicated Security Operations Center.

"Organizations still largely assume that seeing a person on screen means they're real," said Andrew Bud, founder and CEO of iProov. "That assumption no longer holds. Deepfakes are now easy to create and very difficult to detect, making deception in video interactions both scalable and hard to stop."

Rising Stakes for Financial and Hiring Decisions

The interactions most at risk, financial approvals, remote hiring, KYC, account recovery, are precisely where a wrong identity decision has irreversible consequences. Arup's HK$200 million was wired before anyone questioned the call. The North Korean IT workers had employment contracts and system access before the deception was detected.

iProov's approach does not ask organizations to replace their video conferencing infrastructure or add friction for legitimate participants. A RAG status appearing in the host's existing interface, with no interruption to the call, lowers the adoption barrier that sinks most enterprise security tooling.

The video call is not going away. Neither is the incentive to exploit it. Both Arup and the North Korea campaign are now driving a product category that barely existed 18 months ago.