"Three seconds of your CEO’s voice is already on the internet. Make sure your team knows what to do when it calls." — Brian Long, CEO and Co‑founder, Adaptive Security
A $499,000 call in Singapore and a pattern traced to Arup
In March 2025 a finance director at a multinational firm in Singapore joined what appeared to be a routine Zoom call and authorized a $499,000 transfer before anyone flagged the fraud; every face on the call was AI‑generated, according to Brian Long of Adaptive Security. The piece places that incident alongside a widely reported early‑2024 attack that used the same approach to steal $25.6 million from Arup in a single afternoon, and presents both as instances of a reproducible template attackers now deploy broadly.
Tools, cost and ease: three seconds, free downloads, consumer hardware
Adaptive Security describes the technical bar for these attacks as exceptionally low. Contemporary voice cloning models need a three‑second audio sample — from a voicemail, podcast, earnings call or LinkedIn video — and a free download to generate an interactive voice replica in real time. The models run offline, require no special technical background and can run on standard consumer hardware. The article reports that voice deepfake incidents rose 680% year‑over‑year in 2025, and that more than 100,000 attacks were recorded in the United States in a single year. The tools, it says, are available on public repositories and carry no moderation.
Targets, tactics and the preparatory work behind the call
According to the source, attackers do substantial reconnaissance before placing a single call: they map org charts, identify who holds financial authority and study approval workflows for wire transfers so the script is already written when the phone rings. Primary targets named include the Controller, accounts payable specialists and HR coordinators handling payroll; the article also cites attacks against IT help desks in which callers using voices cloned to sound like senior technologists request credential resets. It also warns that AI‑built personas, constructed from stolen LinkedIn profiles, are appearing in hiring pipelines to pass video interviews and gain internal access.
Scale in dollars and incidence: reported losses and rising prevalence
The piece places the financial scale of the problem in stark numbers. Deepfake fraud losses exceeded $200 million in the first four months of 2025, and 2024 totaled $359 million. Global documented losses have crossed $2.19 billion, with the United States accounting for the largest share. Among organizations that reported losses from deepfakes, 61% said losses exceeded $100,000 and nearly 19% reported losses above $500,000. The article emphasizes these are only reported figures and asserts the actual total is higher. Adaptive Security also reports a shift in CISO experience: when the author began raising the issue with CISOs eighteen months prior, roughly one in ten had seen a successful deepfake attack; today that number is over half.
Three low‑cost controls and a live test that worked in July 2025
Adaptive Security highlights three inexpensive controls that organizations can put in place immediately: a verbal passcode for any high‑value financial request; a callback requirement to a pre‑stored number before approving wire transfers; and a standing policy that urgency is itself a reason to slow down. The article supplies a recent example where those behavioral cues mattered: in July 2025 an attacker used an AI‑generated voice impersonating Secretary of State Marco Rubio to send voice messages via Signal to foreign ministers, a sitting senator and a governor. None of the recipients acted. The requests arrived through an unofficial consumer messaging app, the recipients paused and scrutinized that inconsistency, and the messages were reported to the State Department, so the attack failed.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: prioritize human‑facing controls and simulations. The article argues that even the most sophisticated technical stack will not stop a live voice call unless employees have been trained to verify and resist urgent requests.
- Procurement and finance leaders: adopt simple verification policies now. The source asserts that a name, a three‑second audio sample and one employee without a verification protocol are sufficient to run these attacks — and recommends verbal passcodes and mandatory callbacks before releasing funds.
- End users and hiring managers: vet video interviews and hiring pipelines. Adaptive Security warns that AI personas built from stolen LinkedIn profiles are being used to pass interviews and gain access, making identity checks in hiring processes an operational security task.
Adaptive Security positions simulation‑based training as the operational response: simulated AI‑powered voice, SMS, email and video attacks create the reflex to pause and verify, and the vendor says it ties failed tests to adjusted risk scores and personalized remediation. The wider point in the article is direct: the gap between synthetic and human voices is closing faster than many organizations are preparing for, and the organizations that have stopped these attacks trained their people to pause and verify before money moves.




