Column

How a $25 million deepfake heist rewrites the rules of cybercrime

A Hong Kong staffer thought they were on a routine video call with the company’s chief financial officer and a handful of colleagues. The CFO approved a transfer of $25 million. The money moved. Only later did the employee learn that the callers were not colleagues at all: they were interactive deepfakes, realistic simulations generated with artificial intelligence. The thieves did not slip past a firewall. They acted their way through a boardroom.

That single scene captures the state of cybercrime in the age of AI. We are no longer protecting machines from code alone; we are protecting people from theatre. The stakes are not abstract. They are wired to live bank accounts, reputations and careers.

Forget the hoodie. Think supply chain.

The pop culture image of a lone hacker in a dark room is outdated. Modern cybercrime looks more like a marketplace than a movie set. Tools are commoditised and traded. Breaches, botnets, phishing kits, deepfake services and laundering channels are packaged and sold. One crew steals and sells passwords. Another uses them to break in. A third monetises the access. The result is scale. Physical criminals can hit one victim at a time. Cybercriminals automate and aim at millions.

Credential stuffing shows the maths in motion. Attackers take a dump of email addresses and passwords stolen from one site, then script log-in attempts with those same pairs across banks, airlines and government portals. Because many people reuse passwords, even a modest success rate becomes devastating at scale. A one or two percent hit rate against a million attempts means ten to twenty thousand real accounts opened like a row of unlocked doors.

If you are thinking, my organisation is too small to target, that logic belongs to a different decade. Automation removed the need for criminals to pick you. They can pick everyone.

Know where you can be hurt

Some sectors face obvious exposure. Banks and payments need layered controls simply to exist online. Digital advertising lives under constant fraud pressure. Any customer-facing platform sits in the firing line. The practical lesson is not panic, it is prioritisation. Map your incentives and the attacker’s incentives. Treat security as game theory, not just compliance. Ask: if we ship this control, what do criminals try next, and what must we be ready to do in response?

That conversation belongs in product reviews and budget meetings, not only in security stand-ups. Security debt is product debt. The right control in the right place can change the business model for an attacker, turning you from low-hanging fruit into hard labour.

Deepfakes turn social engineering into performance art

Humans have always been the weak link. Phishing, pretexting and business email compromise work because they exploit trust and hurry. AI raises the ceiling on deception. Audio cloning can mimic a familiar voice from a few seconds of recorded speech. Video synthesis can place a trusted face on a live call. The scammer no longer needs to be a convincing writer. They can be a convincing person.

Traditional training helps with the basics, but it cannot carry the full load. People miss things, especially under pressure, and especially when the request looks and sounds like the boss. Some malicious messages will get through any filter. The answer is not to blame the employee who falls for a world-class con. The answer is to design systems that expect people to be human.

Reduce blast radius. Raise friction where money moves.

You cannot block every con. You can keep a single mistake from becoming a catastrophe. Start with access and authorisation. Many organisations run with over-privileged users who can touch systems and data they do not need. That inflates the cost of one compromised account. Shift to least privilege as a habit. Give people the minimum they require, review it often, and remove access when it is not needed.

Then harden your high-risk workflows. Payment approvals. Vendor changes. Payroll updates. Data exports. Anything that moves money or sensitive information deserves friction by design. Friction is not failure; it is a control.

A Monday-morning playbook

  1. Establish a trusted back-channel for verification. If a financial request arrives on email or chat or video, require a second confirmation on a different channel that you control, such as a call back to a number already on file, never to a number supplied in the request itself. Publish the rule. Enforce it.

  2. Use multi-person approvals for thresholds. Two human approvals for large transfers. More for very large ones. Rotate approvers so a single social-engineering campaign cannot blanket them all.

  3. Add a live challenge to video approvals. A shared passphrase of the day. A request to hold up a random object. A question that references a private, current detail. Make it normal and non-negotiable.

  4. Lock down identity. Turn on phishing-resistant authentication, such as FIDO2/WebAuthn, for admins and finance staff. Hardware security keys for the crown jewels. Conditional access so unusual behaviour triggers extra checks.

  5. Kill password reuse inside your walls. Use a password manager. Enforce strong and unique credentials, and screen new passwords against known-breached lists. Add rate limits and detection for credential stuffing on customer-facing systems.

  6. Segment and log. Put sensitive systems on segmented networks. Log admin actions and access to payment systems in detail. Send logs to append-only storage that attackers cannot edit. Review them.

  7. Rehearse the breach. Run tabletops for deepfake and business email compromise scenarios. Decide who freezes payments, who talks to the bank, who informs customers, who handles regulators. Write it down.

  8. Clean up permissions. Inventory access monthly. Remove dormant accounts. Expire temporary access automatically. Make least privilege the default, not the exception.

  9. Buy the boring basics. Managed email protection, web filtering, endpoint detection, secure backups with offline copies, robust patching. Tools will not save you on their own, but the absence of them will cost you.

  10. Tell your board a true story. Replace vanity metrics with risk narratives. Show the controls on your most dangerous workflows. Tie spend to reduced blast radius and faster recovery.
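The credential-stuffing maths above, and the rate limits and detection that item 5 asks for, are easier to reason about with a concrete detector in hand. The script below is an added example, not code from this column or from any product it mentions. It assumes a constructed log format of one line per login attempt (`<ISO timestamp> <source IP> <username> <OK|FAIL>`) and constructed sample traffic; the thresholds, IP addresses and usernames are illustrative. The heuristic is the one the column implies: a human who forgot a password retries one username, while a stuffing script tries many usernames from one source with a high failure rate.

```python
"""Credential-stuffing detection and rate limiting over auth logs.

Added example, not code from the column. It assumes a constructed log
format: "<ISO timestamp> <source IP> <username> <OK|FAIL>", one per line.
Heuristic: a human who forgot a password retries ONE username; a stuffing
script tries MANY usernames from one source with a high failure rate.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse constructed log lines into Events, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return sorted(events, key=lambda e: e.ts)


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=20, min_fail_rate=0.9):
    """Return {ip: (distinct_users, attempts, fail_rate)} for the widest
    sliding window per source IP that meets both thresholds."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fail_rate = sum(not e.ok for e in win) / len(win)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev[0]:
                    flagged[ip] = (len(users), len(win), fail_rate)
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that actually opened for a flagged source: these need a
    forced reset and a fraud review, not just a blocked IP."""
    return {e.user for e in events if e.ip in flagged and e.ok}


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per source IP in any `window`."""

    def __init__(self, limit=10, window=timedelta(minutes=1)):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, ts):
        q = self.hits[ip]
        while q and ts - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def replay_with_limit(events, limiter):
    """Count, per IP, the attempts the limiter would have refused."""
    blocked = Counter()
    for e in events:
        if not limiter.allow(e.ip, e.ts):
            blocked[e.ip] += 1
    return dict(blocked)


def build_sample_log():
    """Constructed sample, not real traffic: one forgetful human and one
    stuffing script that replays 50 leaked username/password pairs."""
    base = datetime(2024, 5, 6, 9, 0, 0)
    lines = []
    for i, outcome in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} "
                     f"198.51.100.4 bob {outcome}")
    for i in range(50):  # one pair in the dump was reused on this site
        user = f"user{i:03d}"
        outcome = "OK" if user == "user017" else "FAIL"
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} "
                     f"203.0.113.7 {user} {outcome}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    hits = find_stuffing_sources(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", compromised_accounts(evs, hits))
    print("attempts a 10/min limit would block:",
          replay_with_limit(evs, SlidingWindowLimiter()))
```

Two design points matter in practice. First, the distinct-username ratio is the signal, not the failure count alone: Bob fails three times on his own account and is never flagged, while the script is flagged on its twentieth username and the one account it opened is listed for a forced reset. Second, a per-IP limiter only slows a single source; a campaign spread across a proxy pool needs the same analysis keyed on username and on credential pairs, plus the breached-password screening mentioned in item 5.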

Be paranoid, not paralysed

Cybercrime will keep using the same advantages that make software powerful: speed and scale. AI deepens those advantages by letting criminals fake presence and authority. That is frightening, but it is not unbeatable. Treat people as targets worth protecting, not as perfect guardians who never slip. Build verification into the moments that matter. Shrink permissions so one slip does not sink you. Expect the performance, and refuse to give it a stage.

Paranoia is a posture, not a mood. It looks like clear rules, small doors, bright lights and a culture that backs employees when they slow down to check. In an era where a video call can be an illusion, the most modern control you can deploy is also the oldest: trust, verified twice.
