Dear Decision Maker,

Before I get into it, a thank you!

Last week's newsletter got more replies than anything I've sent in months. People emailed. People messaged.

A few of you actually picked up the phone and called. I read every single one, and I'm still working through the longer threads. I'm really grateful.

Keep them coming, because half of what I learn comes from those conversations, not from my own desk.
​
​Right. Now let me tell you about a video call...

In January 2024, a finance worker at the Hong Kong office of Arup, the engineering firm behind the Sydney Opera House, got a message.

It claimed to be from the company's UK-based CFO, and it mentioned a confidential transaction.

The employee was suspicious. He thought it smelled like phishing.

So far, so good. He did exactly what you would want him to do.

Then he was invited onto a video call to clear it up.

His CFO was on it. So were several colleagues he recognised.

Faces he knew. Voices he knew. They walked him through the transaction and told him to move the money. Reassured by the room, he did.

Every person on that call was a deepfake.

Here is how it actually unfolded:

• He made 15 separate transfers, totalling roughly US$25.6 million (HK$200 million)
• The money went to five different Hong Kong bank accounts
• He only realised something was wrong after he checked in with head office in the UK
• By then the money was gone, and it has not been recovered

Hong Kong police were blunt about what made it work.

Senior Superintendent Baron Chan summed it up in one line:

Sit with that for a second. Everyone on the call. Fake.

Arup's global CIO, Rob Greig, later confirmed it publicly. His words:

He also made the point that matters most, which is that these attacks are getting more sophisticated and more frequent, fast.

This is not a freak event. It is the curve

I went and checked the numbers before writing this, because I do not want to feed you something that falls apart under scrutiny.

So here is the honest version, with the sources named.

• Global deepfake fraud losses hit around US$1.1 billion in 2025, roughly triple the year before, according to Surfshark. Worth knowing: most of that is consumer investment scams, not boardroom wire fraud. The corporate slice is smaller. It is also growing fastest.
  ​
• Deloitte projects gen-AI-enabled fraud losses in the US could reach US$40 billion by 2027, up from US$12.3 billion in 2023. That is the number I would put in front of a board.
  ​
• Half of businesses have already been hit. Regula's survey found 49% of companies had experienced video deepfake fraud, up from 29% two years earlier.
  ​
• Only 32% of organisations are confident in their defences against deepfakes and synthetic identity attacks, per Ironscales in 2025. Note the word confident. Two thirds are not.
  ​
• Voice is the frontier. Pindrop logged a rise in deepfake voice fraud attempts of more than 1,300% in a single year, from roughly one a month to seven a day.

So no, Arup was not a one-off. It was an early, expensive data point on a line that is still climbing.

The thing we never questioned

Here is what almost nobody is saying out loud.

We built our entire corporate governance on one quiet assumption: that seeing someone's face and hearing their voice counts as verification.

The approval chains, the sign-offs, the "jump on a quick call to confirm." All of it rests on the idea that presence equals proof.

If I can see you and hear you, it's you.

That assumption is now broken. Not weakened. Broken.

Because the channel you used to trust, the live video call, is exactly the channel the attacker now controls end to end.

The fraudster in the Arup case did not break a firewall. He did not crack a password. There was no clever malware.

He simply rebuilt the room.

He gave a cautious employee the one thing human beings are wired to obey without thinking: a senior face, on screen, in real time, telling them to act.

This is the part the legacy coverage gets wrong. They file it under "cyber" and "scam" and move on.

It is neither.

Deepfakes are not really a fraud problem.

They are an attack on the trust infrastructure that makes an organisation function at all.

Strip away the logo and the office, and a company is just a network of people making fast decisions based on who they believe they are talking to.

Take away the ability to know who you are talking to, and the whole thing seizes up.

• You cannot fully trust a video call.
• You cannot trust an audio message.
• You cannot even trust a real-time conversation.

So what is left?

Only this: the relationship, and the protocol you agreed before the attack ever started.

What intelligence people have always known

None of this is new to us. That is the uncomfortable truth at the centre of it.

In HUMINT, authentication was never about the face or the voice.

It was never about the channel.

We always assumed the channel could be compromised, the voice could be faked, the message could be turned.

So you never relied on the medium.

You relied on something the other side could not synthesise: a pre-agreed challenge and response, a piece of shared history only the two of you hold, a protocol set up in advance precisely so that the moment of pressure is not the moment you start improvising.

Authentication is a human problem.

It always has been.

The technology was never the verification. The relationship was.

The World Economic Forum now tells corporates the same thing, just in their language.

Move from "trust but verify" to "never trust, always verify."

We have been saying that for decades.

Corporates are learning it at 25 million dollars a lesson.

Your peers are already on the target list

The reason I am confident this matters to you and not just to a finance team in Hong Kong is simple.

The same attack has already been pointed at some of the most recognisable companies on earth.

Most of these were caught.

Look at why.

• WPP (May 2024). Criminals built a fake account for CEO Mark Read, cloned his voice and used real conference footage in a Teams meeting to try to set up a fraudulent venture. It failed. Read warned staff afterwards that vigilance now has to extend beyond email into live AI-driven meetings.
  ​
• Ferrari (July 2024). A scammer deepfaked CEO Benedetto Vigna's voice, accent and all, and pushed a confidential acquisition over WhatsApp. An executive stopped it cold by asking a question only the real Vigna could answer: the title of a book he had recently recommended. The caller hung up.
  ​
• LastPass (April 2024). An employee got calls and voice messages deepfaking the CEO. They spotted the tells, off-hours, WhatsApp, manufactured urgency, and reported it instead of acting.

Notice the pattern.

The companies that survived did not win with better detection software.

They won because a human being applied a verification step the attacker could not fake.

Ferrari's executive ran a challenge-response from memory.

The LastPass employee trusted process over panic.

That is tradecraft, whether they would call it that or not.

Every founder is now a target

Here is the part that is uncomfortable for you specifically.

If you are a founder, a CFO, or a board member, you are now a deepfake target.

Not a hypothetical one.

• Your conference talks are on YouTube.
• Your voice is on every earnings call and podcast.
• Your face is all over LinkedIn.

That is the raw training material, and you published it yourself.

The attack surface is not your IT stack. It is your public footprint and your internal culture.
And this is where most companies are quietly sitting ducks.
​

If your organisation runs on:

You have built the perfect target.

A culture where authority is never questioned is a culture where a synthetic authority gets obeyed instantly.

The junior in Hong Kong did everything right by the unwritten rules of a hierarchical company.

He did what the boss on the screen told him to do. That was the failure.

So pair the risk with the opportunity, because there is one.

The businesses that come through this are the ones that borrow straight from intelligence tradecraft and build three things into how they operate.

1. Challenge and response. A pre-agreed verification step for any high-value or unusual instruction, run outside the channel the request arrived on. If the "CFO" asks on video, you confirm through a separate route using a code only the two of you hold. This is the Ferrari move, made standard.
   ​
2. Compartmentalised approval. No single human, however senior their face looks on screen, can move serious money alone. Set a hard threshold above which large or unusual transfers need a second authoriser and an out-of-band callback to a known number. Now the attacker has to defeat a chain, not a person.
   ​
3. Rewarded scepticism. A culture where a junior can say "I need to verify this" to the CEO's face and be thanked for it, not made to feel small. This is the one that actually matters most, because it is the only control the deepfake cannot beat. It does not care how convincing the face is.

Compartmentalisation, challenge-response, and rewarded scepticism.

Tradecraft, dropped straight into a finance function.

Where we come in

This is exactly the ground our Intelligence School was built on.

​HUMINT Fundamentals is, at its core, a course about this problem: authentication protocols, counter-elicitation, and building a culture inside an organisation that resists social engineering instead of rolling over for it.

The deepfake is just social engineering wearing a better mask.

The defence is the same one professionals have used for decades.

It is now a boardroom skill, not a spy skill.

​Operational OSINT Fundamentals shows you the attack from the other side: exactly how an adversary harvests the public material, the conference footage, the earnings calls, the social posts, to build the model of you that ends up on that call.

Once you have watched how the collection actually works, you never look at your own public footprint the same way again.
​
Reply to this one and tell me, honestly: would your team have caught it?

The answer tells you most of what you need to build this year.

Ahmed
CEO Grey Dynamics
​Where headlines end, ground truth begins

Intel Report Read More

Articles and Guides Read More

Read More

Read More

Read More

Read More