Senior exec at Arup duped by deepfake vishing scam; lessons and fixes

Engineering firm Arup recently confirmed that one of its employees in Hong Kong fell victim to a sophisticated deepfake video call scam, transferring HK$200 million (GB£20 million) to criminals. 

This incident highlights the growing threat of advanced cyber-attacks and underscores the need for heightened vigilance and robust security measures. Vishing, short for voice phishing, refers to fraudulent phone or video calls and voice messages designed to trick victims into providing sensitive information, like login credentials, credit card numbers, or bank details and money transfers.

In the Arup scam, perpetrators posed as senior company officers during a seemingly genuine company video conference. They used AI-generated deepfake technology to convincingly impersonate high-ranking executives, persuading an employee to transact with designated bank accounts.

Incident and impact

In January, Arup reported the fraud to the police, although details remain scant due to the ongoing investigation. The company assured that its financial stability and business operations were not compromised, and none of its internal systems were breached. 

This incident follows a similar report by Hong Kong police in February, initially identifying the victim only as an employee at an unnamed company.

Arup's global chief information officer, Rob Greig, emphasised this is not an isolated case. "Like many other businesses around the globe, our operations are subject to regular attacks, including invoice fraud, phishing scams, WhatsApp voice spoofing, and deepfakes. We have seen that the number and sophistication of these attacks has been rising sharply in recent months," he said.

Greig hoped that Arup's experience would raise awareness about cybercriminals' increasing sophistication and evolving techniques. The Financial Times was the first to report that Arup was the company targeted by the fraudsters.

Global concerns and recent trends

The incident with Arup is part of a worrying trend of rising cyber-attacks utilising advanced technologies. Arup, a leading consulting engineering firm with over 18,000 employees, is renowned for its work on iconic projects such as the Sydney Opera House and the Crossrail transport scheme in London.

This event echoes another recent deepfake scam involving the head of the world's largest advertising group, WPP. Mark Read, WPP's chief executive, revealed that he had been targeted by a deepfake scam using an AI voice clone. This growing trend of using AI to create compelling fake audio and video content poses significant risks to organisations worldwide.

How to avoid becoming a victim of deepfake scams

Given the increasing prevalence and sophistication of deepfake scams, businesses and individuals must adopt proactive measures to protect themselves. Here are five key strategies to help avoid becoming a victim:

Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring multiple types of verification before allowing access to sensitive information or authorising transactions. These can include something you know (password), something you have (security token), and something you are (biometric verification).

Conduct regular cyber security training: Educate employees about the latest phishing tactics, deepfake threats, and other cyber scams. Regular training sessions can help staff recognise potential threats and respond appropriately, reducing the likelihood of successful attacks.

Verify identities through multiple channels: When dealing with sensitive transactions or information, verify the requesting party's identity through multiple channels. For example, confirm a request via email or video call with a follow-up phone call or an in-person meeting.

Use advanced AI detection tools: Invest in advanced AI and machine learning tools to detect and flag deepfakes and other fraudulent activities. These tools can analyse patterns and anomalies indicating a deepfake attempt, providing additional protection.

Establish strict financial protocols: Develop and enforce strict protocols for financial transactions. This can include requiring multiple approvals for large transfers, setting transaction limits, and maintaining a transparent chain of command for authorising payments. Regular audits and reviews of financial processes can also help identify and mitigate risks.

Summary of Arup deepfake vishing scam

The deepfake vishing scam that targeted Arup is a stark reminder of the growing threats posed by advanced cyber-attacks. As technology continues to evolve, so do cybercriminals' methods. 

By implementing robust security measures, conducting regular training, and staying vigilant, businesses can better protect themselves against these sophisticated scams. 

The experiences of companies like Arup and WPP highlight the importance of being proactive and prepared in the face of increasingly complex cyber threats.