Deepfake Protection for C-Level Executives: The CEO Isn’t Real

The British engineering group Arup lost 25.6 million dollars through a single deepfake video call. The attacker had recreated the CFO and colleagues using AI. A finance employee made 15 transfers in one day. The case is no longer an isolated incident: voice-cloning fraud rose by 680 percent in 2025. For CIOs and executives, deepfake protection is becoming a matter of personal security.

Key points at a glance

The Arup case: anatomy of a deepfake attack

In January 2024, a finance employee at the British engineering group Arup received a suspicious email at the Hong Kong branch. To dispel his concerns, he was invited to a video call. On the screen, he saw and heard his CFO and several colleagues. They all spoke convincingly, responded to questions and gave instructions for transfers. The employee carried out 15 transfers to five different Hong Kong accounts, totaling 25.6 million dollars.

None of the participants in the call was real. They were all AI-generated deepfakes, created from publicly available video and audio recordings. The attack was only discovered hours later. Hong Kong police made the case public in February 2024, and Arup confirmed in May 2024 that it had been affected. The case demonstrates how far deepfake technology has advanced: no longer just individual fake videos, but interactive real-time video calls with multiple AI-generated participants.

Arup is not a small company without IT security. It is a global group with more than 18,000 employees, known among other things for the structural engineering of the Sydney Opera House. If Arup can be deceived, any company can be deceived. The question is not if, but when a comparable attack will hit your own company.

The Numbers: Why 2026 Will Be the Year of Deepfake Attacks

The statistics are clear. Voice-cloning fraud rose by 680 percent in 2025 compared with the previous year. Attackers need just three seconds of audio material to create a voice copy with an 85 percent match. LinkedIn videos, podcast appearances, conference recordings, and internal webinars provide the raw material for free.

CEO fraud, meaning the targeted deception of employees by imitating executives, affects at least 400 companies worldwide every day, according to industry reports. In 2024, 64 percent of US companies were affected by a business email compromise attack, with average losses of 150,000 dollars per incident. Deepfakes significantly increase the success rate of these attacks because they bypass employees’ last line of defense: visual and acoustic verification.

“There is a fundamental problem with security and privacy that overshadows the hype around AI agents.”

Meredith Whittaker, President of Signal (SXSW, March 2025)

Particularly worrying: 80 percent of companies have no established protocols or response plans for deepfake-based attacks. Traditional security awareness training focuses on phishing emails and social engineering via text. Most organizations have not planned for defense against audiovisual deception. In Italy, a coordinated wave of deepfake attacks hit prominent entrepreneurs in early 2025: criminals imitated the defense minister and stole at least 1 million euros from a single victim.

Sources: Deepstrike.io 2025, Fortune/CNN 2024, industry reports

Why the C-Level Is Particularly at Risk

Board members and managing directors are the preferred targets for deepfake attacks, for three reasons. First: their voices and faces are publicly available. Keynotes, interviews, podcasts, LinkedIn videos, and shareholder meetings provide high-quality audio and video material for training deepfake models. The more prominent an executive is, the easier the fake becomes.

Second: instructions from board members are questioned less often. In hierarchical organizations, the threshold for questioning an instruction from the CEO or CFO is high. Deepfake attackers deliberately exploit this dynamic. The Arup case shows: even when there were initial doubts, one convincing video call was enough to move the employee to carry out the instruction.

Third: DACH companies with flat hierarchies are particularly exposed. In many mid-sized companies, the CFO has direct access to payment systems. There is no dual-control principle for transfers below 100,000 euros. A single successfully deceived finance officer can transfer six-figure sums within minutes without a second person approving it.

Four layers of protection against deepfake attacks

Layer 1: Technical detection. Specialized software can analyze deepfake video and audio in real time. Tools such as Pindrop, Sensity AI or Resemble Detect check for artifacts in speech and visuals that are invisible to the human eye and ear. Detection rates range from 85 to 95 percent, but vary depending on the quality of the forgery. CIOs should integrate these tools into their security architecture, especially for video call platforms and telephone systems.

Layer 2: Organizational protocols. For all financial transactions above a defined threshold, there must be a verification protocol that cannot be bypassed via video or audio. Specifically: a callback to a registered landline number (not the one mentioned in the deepfake call), confirmation via encrypted messenger with a pre-agreed code word, or personal approval by a second authorized person. These protocols must be documented in writing, known to the entire finance team and tested regularly.

Layer 3: Awareness training. Employees need to know that deepfakes exist and how they work. Traditional phishing training is not enough. CIOs should introduce specific deepfake awareness modules that show examples and train people to recognize key indicators: unnatural mouth movements, latency between lip movement and sound, lack of response to unexpected questions and strange lighting. The most important lesson: If an instruction is unusual, it must be questioned, regardless of who gives it and how convincing the person looks or sounds.

Layer 4: Reducing the public footprint. CIOs and CISOs should work with the communications department to review how much audio and video material of board members is publicly available. Not everything can be removed, but the volume can be reduced. Internal meetings should not be recorded unless necessary. Recordings of board presentations should not be left unprotected on YouTube or on the company website. Every minute of publicly available material is a minute of training material for attackers.

What CIOs need to put on the agenda now

Deepfake protection is not a niche issue for the security department. It is a board issue. The personal liability of management under NIS2 makes the situation more acute: If it can be proven that no appropriate protective measures were taken against a known threat, this can be considered gross negligence.

For CIOs, this means specifically: By Q2 2026, a deepfake risk analysis should be available for their own organization. Who are the most exposed people? How much public material exists? Which financial transaction processes are vulnerable? Based on this analysis, verification protocols are developed, detection tools are evaluated and awareness training is rolled out. The costs are manageable compared with a successful attack. Arup lost 25.6 million dollars. A deepfake protection program for a medium-sized company costs a fraction of that.

Frequently Asked Questions

Title image source: Tima Miroshnichenko / Pexels

Read more

• CISA KEV Update from April 20: What the eight new exploits mean for the board meeting
• NIS2 Goes Operational: Three Decisions Boards Will Face in April 2026
• Cyber Insurance 2026: Premiums Doubled, Coverage Halved – The Calculation No CFO Wants to See