Arup, a British engineering giant, fell victim to a sophisticated deepfake scam. An employee, duped by an AI-generated video call, unknowingly transferred HK$200 million (£20 million / $25 million) to criminals.
Back in February, Hong Kong police revealed a case in which a worker at an undisclosed company fell victim to a hoax call. “Posing as senior officers of the company,” the scammers tricked the worker into transferring significant sums of money.
Deepfake Scam Targets Arup: Millions Lost
Arup later confirmed that it was the company targeted in the February fraud case reported by Hong Kong police. A London-based spokesperson for Arup told CNN that they notified the authorities about a fraud incident in Hong Kong earlier this year.
The spokesperson further confirmed the use of deep fakes, stating that the scammers employed fake voices and images to trick their employees into sending the money.
“Unfortunately, we can’t go into details at this stage as the incident is still the subject of an ongoing investigation. However, we can confirm that fake voices and images were used,” the spokesperson said in an emailed statement.
Despite the financial loss, the spokesperson assured the public that the incident did not impact Arup’s monetary stability or day-to-day operations. They further emphasised that the criminals did not breach the company’s internal systems.
Rob Greig, Arup’s global chief information officer responsible for the company’s computer systems, revealed that the organisation has been facing increasing cyberattacks, including deepfakes.
Arup’s Vulnerability Despite Its Stature
The top executive echoed a growing concern, highlighting that, like many businesses worldwide, Arup faces a constant barrage of cyberattacks, including invoice fraud, phishing scams, WhatsApp voice spoofing, and deepfakes. Alarmingly, Greig noted a sharp rise in the number and sophistication of these attacks in recent months.
Greig expressed hope that Arup’s unfortunate experience would serve as a wake-up call, raising awareness about cybercriminals’ growing sophistication. The Financial Times first broke the news, revealing Arup as the target of the deep fake fraud.
“Deepfake” refers to fabricated videos created using artificial intelligence (AI) that appear unsettlingly realistic. This technology gained notoriety in 2018 when reports surfaced of malicious actors using it to make revenge pornography by superimposing victims’ faces onto existing pornographic content.
Earlier in 2024, the non-consensual spread of AI-generated images involving pop star Taylor Swift on social media platforms was a stark reminder of the potential for misuse of AI technology. In February, deepfakes depicting Taylor Swift in a compromising manner spread rapidly on social media last week, sparking outrage from fans, the public, and even the White House.
This misuse highlights the potential dangers of deepfakes, where the technology’s ability to manipulate reality can be easily overlooked.
The incident goes to show that even a leading engineering firm like Arup, with 18,500 employees across 34 global offices, is not immune to cyberattacks. The company’s impressive portfolio includes landmarks like the Bird’s Nest stadium and the 2008 Beijing Olympic Games site.
Global authorities are raising the alarm about deepfakes’ growing sophistication and potential for malicious exploitation.
Arup’s East Asia regional chairman, Michael Kwok, emphasised in an internal memo obtained by CNN that the “frequency and sophistication of these attacks are rapidly increasing globally, and we all must stay informed and alert about how to spot different techniques used by scammers.”