Deepfake fraud costs engineering giant Arup £20m

An employee was tricked into participating in a video conference, featuring a digitally recreated version of the CFO

British engineering firm Arup, the company behind architectural marvels like the Sydney Opera House, has fallen victim to a sophisticated deepfake scam, losing a HK$200 million (£20 million) to fraudulent financial transfers.

Arup confirmed the incident to the Financial Times, revealing that it had notified Hong Kong police about the incident earlier this year.

"We can confirm that fake voices and images were used," the company said.

Hong Kong police previously reported the case in February but hadn't disclosed the company's name.

Arup declined to elaborate details of the incident due to the ongoing investigation but gave an assurance that "financial stability and business operations were not affected" and their internal systems remained secure.

"Deepfake" refers to realistic AI-generated videos or audio.

In February, Hong Kong police told local media that the targeted employee received a message supposedly from the company's UK-based Chief Financial Officer (CFO) regarding a confidential transaction.

The employee was then tricked into participating in a video conference, featuring a digitally recreated version of the CFO and other seemingly real company personnel.

Deceived by the deepfake, the employee was ultimately convinced to transfer a total of HK$200 million across 15 transactions. The scam was only discovered later upon contacting the company headquarters.

Rob Greig, Arup's global chief information officer, said the company frequently faces various cyberattacks, including phishing scams, invoice frauds, WhatsApp voice spoofing, and deepfakes and that the number and sophistication of these attacks has been rising sharply in recent months.

"I hope our experience can help raise awareness of the increasing sophistication and evolving techniques of bad actors," he added.

The investigation is ongoing with no arrests reported so far.

Interestingly, Arup's East Asia chair, Andy Lee, stepped down shortly after the incident, after just a year in the role. He was replaced by Michael Kwok, a former East Asia regional chairman for the company.

In an internal memo to employees, Kwok said that such attacks are rapidly increasing worldwide, and "we all have a duty to stay informed and alert about how to spot different techniques used by scammers."

Arup, with its 18,500-strong workforce across 34 global offices, is known for engineering landmarks like the 2008 Beijing Olympics' Bird's Nest stadium. The company is also involved in ongoing work on the Sagrada Família in Barcelona.

Arup's misfortune is just one example of the evolving threat landscape faced by businesses.

Earlier this month, international advertising giant WPP revealed that its CEO, Mark Read, was targeted in an elaborate deepfake scam involving an AI voice clone.

In an email to the company's leadership, Read detailed the attempted fraud, cautioning others to be vigilant against calls purportedly from top executives.

"Fortunately the attackers were not successful," Read wrote in the email.

"We all need to be vigilant to the techniques that go beyond emails to take advantage of virtual meetings, AI and deepfakes."