A finance employee at British engineering firm Arup joins a video call with the CFO and several colleagues. They discuss confidential transactions requiring urgent attention. Everyone looks right, sounds right, acts right. Over the next week, following their instructions, the employee transfers $25.6 million to Hong Kong.
There’s just one problem. Every person on those calls except that one finance employee was an AI deepfake.
This isn’t science fiction. This happened to Arup in 2024, and if you think your team is too smart to fall for something similar, I’ve got news for you. And it’s not good.
Here’s your quick-read brief:
- How a British engineering firm lost $25 million to deepfake executives
- Why AI has made every business a prime target (especially yours)
- The practical defense playbook that actually works
Let me walk you through what’s really happening out there, and more importantly, how we can fight back together.
The Day Social Engineering Grew Up
Bad grammar and obvious scams are ancient history. Today’s cybercriminals are using Hollywood-level technology to empty your bank accounts.
The Arup incident should terrify every business owner. Here’s how it went down: Over several video calls, an employee spoke with what appeared to be the company’s CFO and other senior staff. They discussed urgent, confidential transactions. The deepfakes were so convincing that the employee made 15 separate transfers over a week. The fraud only came to light when they contacted headquarters for routine verification (Fortune, 2024; CNN, 2024).
By then, $25.6 million had vanished into international accounts.
This isn’t an outlier. In 2024 alone:
- Change Healthcare lost $2.5 billion in an incident affecting 190 million Americans because one account lacked multi-factor authentication (TechCrunch, 2025)
- Pepco Group lost €15.5 million to AI-generated phishing emails that fooled experienced finance professionals (SecurityWeek, 2024)
And this technology isn’t new. Back in 2019, a UK energy company transferred €220,000 ($243,000) after receiving a call from their “CEO”—complete with his distinctive German accent. It was the first documented case of AI voice fraud at this scale (Wall Street Journal, 2019).
I’ve been in cybersecurity for over 20 years, and even I had to read the Arup story twice. The red flags we trained everyone to spot? Grammar mistakes, urgent requests, generic greetings? Those are as outdated as floppy disks. Today’s attacks use perfect language, patient timelines, and faces you trust.
Why Cybercriminals Have Your Business in Their Crosshairs
Small to mid-size businesses aren’t collateral damage anymore. You’re the primary target.
Here’s a stat that should make you sit up straight: businesses with 20-1,000 employees receive 350% more social engineering attacks than larger enterprises (Secureframe, 2025). Why? Because criminals aren’t stupid. They know you’re trying to do more with less. That’s exactly what they’re counting on.
The targeting is surgical:
- Healthcare faces the highest costs at $10.1 million per breach, with 41% caused by social engineering (IBM, 2024)
- Manufacturing accounts for 26% of all incidents, with Toyota Boshoku losing $37 million to a single business-email-compromise attack (Firewall Times, 2023)
- Retail ranks dead last in social engineering resistance, especially vulnerable during seasonal rushes (Truvantis, 2024)
The reality for small businesses is stark: 60% that suffer a successful cyber attack go out of business within six months (NVITS, 2024). Only 14% have cyber insurance. Nearly half have no cybersecurity budget at all (Embroker, 2025).
When you look at the costs, the pattern becomes clear. Average breach cost: $4.88 million. Average phishing breach: $4.91 million. Business-email-compromise attacks alone: $2.77 billion in 2024 (IBM, 2024). For a business your size, even a fraction of these losses is catastrophic.
What’s driving this explosion? AI has democratized cybercrime. Creating a convincing phishing campaign used to take a skilled team 16 hours. AI does it in 5 minutes (IBM, 2024). Voice cloning needs just 3 seconds of audio (McAfee, 2023). Deepfake video calls cost as little as $5 per month to execute (Integrity360, 2024).
Your Defense Playbook (That Won’t Break the Bank)
Perfect security is a myth, but smart security is achievable and it starts with admitting we’re all vulnerable.
Good news: you don’t need a Fortune 500 budget to build solid defenses. Here’s your roadmap:
This Week: Quick Wins That Matter
- Enable phishing-resistant multi-factor authentication everywhere ($1-3 per user/month, blocks 99.9% of account compromises)
- Set verification protocols for any transfer over $5,000 (two people, two channels, no exceptions)
- Deploy DNS filtering to block known malicious domains
- Review who has admin access to what (you’ll be surprised)
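The "two people, two channels, no exceptions" rule for transfers over $5,000 can be enforced as a hold check in a payment workflow. The sketch below is an added example, not code from the newsletter or from Sagacent. The class, function and channel names are hypothetical, and it assumes that the requester cannot approve their own payment and that the channel the request arrived on does not count as verification.

```python
from dataclasses import dataclass

THRESHOLD_USD = 5_000  # from the playbook: any transfer over $5,000


@dataclass(frozen=True)
class Approval:
    approver: str   # who confirmed the transfer
    channel: str    # how they confirmed it, e.g. "callback_known_number"


@dataclass(frozen=True)
class TransferRequest:
    requester: str        # person entering the payment
    amount_usd: float
    request_channel: str  # channel the instruction arrived on


def violations(req: TransferRequest, approvals: list[Approval]) -> list[str]:
    """Return the reasons a transfer must be held; an empty list means release."""
    if req.amount_usd <= THRESHOLD_USD:
        return []
    problems = []
    # Two people: distinct approvers; the requester's own approval is ignored
    # (assumption of this example).
    people = {a.approver for a in approvals if a.approver != req.requester}
    if len(people) < 2:
        problems.append("needs two approvers other than the requester")
    # Two channels: the channel the request arrived on is not independent
    # evidence (assumption of this example), so it is not counted.
    channels = {a.channel for a in approvals
                if a.approver in people and a.channel != req.request_channel}
    if len(channels) < 2:
        problems.append("needs confirmation on two channels independent of the request")
    return problems


# Constructed sample: instruction received on a video call, as in the Arup case.
req = TransferRequest("finance_employee", 200_000, "video_call")
same_call = [Approval("cfo", "video_call"), Approval("controller", "video_call")]
verified = [Approval("cfo", "callback_known_number"),
            Approval("controller", "in_person")]

if __name__ == "__main__":
    print(violations(req, same_call))  # held: approvals came over the request channel
    print(violations(req, verified))   # released: two people, two independent channels
```

Approvals given on the same call that carried the instruction leave the transfer on hold, which is the situation the Arup employee was in.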
Next Quarter: Building Your Human Firewall
- Monthly 15-minute security briefings focused on current threats, not generic warnings
- Role-specific training: executives on whale phishing, finance on wire fraud, IT on pretexting
- Create a culture where reporting suspicious activity is celebrated, not embarrassing (remember, every company faces these threats daily, so reporting them shows security awareness, not weakness)
- Run quarterly phishing simulations and aim for under 5% click rates
Your 12-Month Strategic Plan
- Implement Zero Trust architecture (“never trust, always verify” for every user, every time)
- Deploy behavioral analytics to spot unusual communication patterns
- Build a vendor risk-management program (your security is only as strong as your weakest partner)
- Test your incident-response plan monthly, not annually
Real results speak volumes: IBM research shows organizations with incident-response teams and tested plans save an average of $2.66 million per breach compared to those without (IBM, 2024). Companies using AI-powered email security report blocking over 90% of phishing attempts before they reach employee inboxes (Microsoft, 2024).
The technology exists. The strategies work. But they only work if you use them.
Tech, Prep, and Collaboration Win the Day
Your best defense isn’t just technology. It’s partnership, preparation, and a healthy dose of reality.
AI has fundamentally transformed how cybercriminals operate. They’re patient, sophisticated, and armed with tools that would have been science fiction just five years ago. The good news? We don’t have to face these threats alone. At Sagacent Technologies, we’ve helped hundreds of businesses build defenses that actually work against these new attacks.
Because in my experience, the best time to strengthen your security was yesterday. The second best time? Right now.
Worried about your team’s vulnerability to AI-powered attacks? We’d love to give you an honest assessment of your security posture in confidence. For straight talk from someone who’s seen it all, drop Sagacent a line to schedule a confidential “second opinion” on your defenses.
Stay vigilant, stay human, and remember: paranoia is just good planning in 2025.
Glossary of terms:
- Deepfake: AI-generated video or audio that looks and sounds exactly like a real person, used to impersonate executives or colleagues
- Multi-factor authentication (MFA): Security method requiring two or more verification factors to access an account, like a password plus a code from your phone
- Zero Trust: Security model that verifies every user and device, every time, regardless of whether they’re inside or outside your network
Extra reading cited in newsletter: