
A Finance Executive Joined a Video Call with His CFO. Everyone Else on the Call Was Fake.

In February 2024, a finance executive at engineering firm Arup joined what appeared to be a routine video call. The CFO was there. Several colleagues were on screen. The discussion involved a wire transfer.

He authorized million.

Every person on that call except him was an AI-generated deepfake. The CFO. The colleagues. All synthetic. The attackers had harvested enough photos, video clips, and voice samples to build convincing real-time impersonations of multiple executives. The finance worker had no reason to doubt what he was seeing.

This is not a future scenario. This already happened. The tools to do it are cheap, accessible, and improving rapidly.

The Chain Starts Before You Notice

The fraud didn't begin with the video call. It began weeks or months earlier, with steps so small they were invisible.

An email account gets compromised. Could be yours, could be a vendor's, could be a customer's. The attacker sits quietly in that inbox, reads the threads, learns the names, the tone, the inside references. Then they step in. A few exchanges. Nothing alarming. Just enough to collect an email address, a phone number, an account reference.

Then a phone call. A customer service pretext. A vendor follow-up. Doesn't matter what. What matters is they now have a voice sample. Modern AI cloning tools need as little as 30 seconds of clean audio to replicate pitch, tone, cadence, and accent with convincing accuracy.

Meanwhile, someone else is pulling LinkedIn photos, headshots, conference appearances. Building a visual library. These attack stages are frequently bought and sold between threat groups. One harvests. One builds. One executes.

Now they have your name, your email, your phone number, reference data that makes them sound legitimate, your voice, and your face.

Now they impersonate you. To your bank. To your CFO. To your IT team. A synthetic video call. A voice call that sounds exactly like you, requesting a wire transfer, a password reset, an access grant.

The FBI recorded more than billion in cybercrime losses in 2024, up 33% from the prior year. Phishing remains the most reported crime type. The tactics haven't changed. The production quality has.

The Playbook

I spent 16 years as a CIO. I've sat across from companies worth hundreds of millions of dollars with no formal procedures in place for exactly this scenario. None. The conversation usually reveals one of two attitudes: "It could never happen to us" or "We're too small to be a target."

Both are wrong. A million company with loose wire transfer procedures and no verification protocol is not too small to defraud. It's easier to defraud.

Here's what actually works:

Treat verification as a process, not a formality. Any request involving money movement, credential changes, or system access requires out-of-band confirmation. Not a reply to the same email thread. Not a callback to the number the caller just gave you. A separate, pre-established channel.

Accept that voice and video are no longer reliable authentication. Train your team on this explicitly. A caller who sounds exactly like the CFO is not automatically the CFO. A video that looks real is not proof of identity. If the request is sensitive, the authentication method needs to be stronger than the medium used to make it.

Establish verbal codewords for high-risk transactions. Simple. Uncomfortable for some. Highly effective. A pre-arranged word or phrase that both parties know and that no email thread or LinkedIn scrape would ever surface.

Build in mandatory cooling-off periods. Urgency is a core ingredient in every one of these attacks. A required 30 to 60 minute delay before executing any out-of-pattern transaction eliminates the pressure tactic entirely. Legitimate requests can wait. Fraudulent ones are designed so they cannot.

Flag anomalous communication patterns. If someone who normally emails starts calling, or a vendor contact you've never spoken to suddenly calls with an urgent request, that pattern deserves scrutiny before compliance.

Run tabletop exercises on this specific scenario. Not generic phishing awareness. This scenario. Walk your finance team, your IT team, and your executive assistants through a synthetic impersonation attempt. See where the gaps are before an attacker does.

None of this is novel. Out-of-band verification, codewords, cooling-off periods. These concepts have existed in security literature for years. The difference now is that the cost of a sophisticated impersonation attack is measured in dollars and minutes, not thousands and weeks. The barrier to entry collapsed. The defenses haven't kept pace.

The Attack Surface Is About to Get Bigger

Everything above assumes a human is the final target. That's changing.

Agentic AI systems, the ones now being deployed to autonomously manage workflows, execute transactions, and interact with other systems, create a new problem. An AI agent with access to your financial systems, your email, your calendar, and your HR data is not just a productivity tool. It's a highly privileged identity with the ability to take real-world action.

When a compromised email or an injected prompt can instruct an agent to move money, modify records, or exfiltrate data without a human ever approving the specific action, the impersonation scenario doesn't just target your people. It targets your machines.
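One way to enforce "a human approved this specific action" for both people and agents, as an added example that is not from the original post: a gate that releases a high-risk action only with an out-of-band approval bound by HMAC to the exact parameters, and only after the cooling-off delay. All names, the key, the channel labels and the sample account values are hypothetical, and the delay is applied to every high-risk action rather than only out-of-pattern ones.

```python
import hashlib, hmac, json

# Assumption: the key lives only in the approval service, never in the agent's context.
APPROVAL_KEY = b"constructed-demo-key"
COOLING_OFF_SECONDS = 30 * 60  # low end of the 30 to 60 minute delay
HIGH_RISK = {"wire_transfer", "credential_reset", "access_grant"}

def action_digest(action):
    """Hash of the exact parameters, so an approval covers this action only."""
    return hashlib.sha256(json.dumps(action, sort_keys=True).encode()).hexdigest()

def _mac(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(APPROVAL_KEY, msg, hashlib.sha256).hexdigest()

def issue_approval(action, approver, channel):
    """Run by the human approver's tool on the pre-established channel."""
    body = {"digest": action_digest(action), "approver": approver, "channel": channel}
    return {**body, "mac": _mac(body)}

def gate(action, request_channel, requested_at, approval, now):
    """Decide whether a requested action may execute. Returns (allowed, reason)."""
    if action["type"] not in HIGH_RISK:
        return True, "low risk"
    if approval is None:
        return False, "no out-of-band approval"
    body = {k: v for k, v in approval.items() if k != "mac"}
    if not hmac.compare_digest(_mac(body), str(approval.get("mac", ""))):
        return False, "approval forged or altered"
    if body["digest"] != action_digest(action):
        return False, "approval is for a different action"
    if body["channel"] == request_channel:
        return False, "approval arrived on the requesting channel"
    if now - requested_at < COOLING_OFF_SECONDS:
        return False, "cooling-off period not elapsed"
    return True, "approved"

if __name__ == "__main__":
    # Constructed sample: an email instructs the agent to wire funds.
    wire = {"type": "wire_transfer", "to": "ACCT-CONSTRUCTED-1", "amount": 1000}
    ok = issue_approval(wire, "cfo", "directory_phone")
    t0 = 0
    print(gate(wire, "email", t0, None, t0 + 3600))
    print(gate(wire, "email", t0, ok, t0 + 600))
    print(gate(wire, "email", t0, ok, t0 + 3600))
    print(gate({**wire, "to": "ACCT-CONSTRUCTED-2"}, "email", t0, ok, t0 + 3600))
```

Because the approval carries a digest of the parameters, changing the destination account after sign-off invalidates it, and text injected into the agent's input cannot mint an approval without the key.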

A 2025 Dark Reading survey found that nearly half of security professionals believe agentic AI will represent the top attack vector by end of 2026. Only 29% of organizations deploying agentic systems report being prepared to secure them.

That gap between deployment and readiness is not theoretical. It's a standing invitation.

The Question

The fraudsters upgraded their tools. The playbook above isn't complicated. It doesn't require a large security team or an enterprise budget. It requires someone in leadership deciding the risk is worth taking seriously before the call comes in.

Have you?


Raphael Savastano is the founder and principal consultant of ROFONIC LLC. With 25+ years in IT, 16 years in leadership, including 8 years as CIO scaling technology for a global manufacturer from M to 0M. He now helps growing companies get executive-level technology and operations leadership without the full-time cost.