Overview
Between 2023 and 2025, deepfake fraud attempts targeting financial institutions increased by more than 2,000%. The average loss per successful attack now exceeds $500,000, with individual incidents reaching as high as $25 million.
Yet when we examine the actual attack vectors, we find something striking: nearly every successful deepfake fraud exploited gaps in basic verification protocols rather than weaknesses in sophisticated technical defenses. The Arup employee who lost $25 million didn't fail because of inadequate cybersecurity technology; Arup's systems were never breached. The failure happened because standard business processes had no defense against technology-enhanced social engineering attacks.
This checklist provides eight critical questions every CFO should answer to assess their organization's vulnerability to deepfake fraud. These aren't theoretical security concerns; they're the specific protocol gaps that criminals have successfully exploited in documented cases.
Take 15 minutes today to work through these questions. The gaps you identify could save your organization millions.
Question 1: Do We Have Dual Authorization for Transfers Over $X Amount?
Why This Matters
In the Arup case, a single employee had the authority to execute 15 separate wire transfers totaling $25 million without requiring a second signature. While this may have been appropriate for business velocity, it created a single point of failure that criminals exploited.
Dual authorization serves two critical functions:
Redundant Verification: A second person independently assesses the legitimacy of the request
Fraud Resistance: Attackers must convince multiple people, preferably through different communication channels
Assessment Questions
Current State:
What is the highest transaction value a single employee can authorize?
For transactions requiring dual authorization, what is your threshold?
Can urgent or executive requests bypass dual authorization requirements?
Deepfake-Resistant Standards:
Transactions over $50,000: Require dual authorization, no exceptions
Transactions over $250,000: Require CFO + one other C-level approval
Transactions over $1 million: Require CEO + CFO + Board notification
Critical Gap to Address:
If your current thresholds allow single-person authorization above $50,000, you have a vulnerability. The cost of dual authorization (a slight delay in transaction processing) is trivial compared to the risk of a six- or seven-figure fraud.
Implementation Checklist
☐ Document current authorization thresholds
☐ Identify gaps where single-person authority exceeds safe limits
☐ Establish new thresholds with a no-exceptions policy
☐ Configure treasury/payment systems to enforce dual auth automatically
☐ Train staff on new protocols and rationale
☐ Audit first 30 days of implementation for compliance
Question 2: Can We Identify If a Video Call Is on Our Corporate Platform vs. Personal Platforms?
Why This Matters
The WPP (the world's biggest advertising group) deepfake attempt failed because the executive was suspicious of the unusual communication method: a WhatsApp invitation to a Microsoft Teams call from the "CEO". The Arup attack succeeded partly because the video call appeared legitimate enough that the employee didn't question the platform.
Corporate communication platforms provide:
Authentication: Verified corporate identities tied to your directory
Logging: Audit trails for compliance and forensic investigation
Security Controls: Encryption, access management, intrusion detection
Consistency: Expected behavioral patterns for your executives
When attackers move conversations to personal platforms, they deliberately choose channels that lack these protections.
Assessment Questions
Current State:
What video/communication platforms are authorized for business-critical decisions?
Can your staff identify whether a meeting is on your corporate platform or a personal account?
Are there clear policies about which platforms to use for sensitive discussions?
Red Flag Scenarios:
CEO sends a Zoom link from their personal Gmail for a confidential transaction discussion
CFO joins a video call via a link sent through WhatsApp
Executive requests financial information over personal messaging apps
Video meeting URL doesn't match your corporate domain
Implementation Checklist
☐ Document which platforms are authorized for financial communications
☐ Establish clear platform requirements by transaction types
☐ High-value transactions: In-person or corporate video only
☐ Routine requests: Corporate email + corporate video/voice only
☐ Emergency requests: Must verify through corporate-controlled callback
☐ Train staff to recognize corporate vs. personal platform invitations
☐ Create a standard response: "Our security policy requires business transactions to occur on corporate platforms. Can we schedule this on [corporate Teams/Zoom/etc.]?"
☐ Enable platform usage reporting to identify deviations
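The red-flag scenarios above can be screened automatically when an invite is received. The following is an added example, not part of the original checklist; the corporate meeting hosts, mail domain and channel names are constructed placeholders to be replaced with your own.

```python
from urllib.parse import urlparse

# Constructed policy values: the meeting hosts, mail domains and delivery channels
# the organization controls. Replace with your own.
CORPORATE_MEETING_HOSTS = {"teams.microsoft.com", "example-corp.zoom.us"}
CORPORATE_MAIL_DOMAINS = {"example-corp.com"}
CORPORATE_CHANNELS = {"corporate_email", "corporate_chat", "corporate_calendar"}

def host_matches(hostname, allowed):
    """True when hostname is an allowed host or a subdomain of one. Matching is on
    whole labels, so a lookalike such as 'teams.microsoft.com.evil.example' fails."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == h or hostname.endswith("." + h) for h in allowed)

def invite_red_flags(meeting_url, delivery_channel, sender_address=""):
    """Return the red flags for a meeting invite (an empty list means nothing unusual)."""
    flags = []
    # Red flag: invite arrived through WhatsApp, personal email or another channel you don't control.
    if delivery_channel not in CORPORATE_CHANNELS:
        flags.append(f"invite delivered via non-corporate channel: {delivery_channel}")
    # Red flag: sender address is outside the corporate mail domain (e.g. a personal Gmail).
    if "@" in sender_address:
        sender_domain = sender_address.rsplit("@", 1)[1].lower()
        if sender_domain not in CORPORATE_MAIL_DOMAINS:
            flags.append(f"sender address is not a corporate mailbox: {sender_domain}")
    # Red flag: meeting URL host does not belong to a corporate-controlled platform.
    parsed = urlparse(meeting_url)
    if parsed.scheme != "https" or not parsed.hostname \
            or not host_matches(parsed.hostname, CORPORATE_MEETING_HOSTS):
        flags.append(f"meeting URL is not on a corporate platform: {parsed.hostname}")
    return flags
```

Any non-empty result should route the invite to the standard response in the checklist rather than to the meeting.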
Question 3: Do Our Communication Platforms Have Proper Logging?
Why This Matters
When Arup discovered the fraud, it needed to reconstruct what happened. Comprehensive logs of communications allow:
Forensic investigation of how the attack occurred
Evidence for law enforcement and potential fund recovery
Identification of security gaps to prevent future attacks
Compliance with regulatory requirements
FinCEN's guidance on deepfake fraud explicitly notes that financial institutions should maintain detailed records of verification attempts and suspicious activity.
Assessment Questions
Current State:
Are all video calls on your platform logged with participant information?
Do you retain audio recordings of sensitive financial discussions?
Can you retrieve email, chat, and video logs for a specific transaction or date?
How long are communication logs retained?
Regulatory Baseline:
Financial transaction discussions: 7 years retention minimum
Video calls involving payment authorizations: Full recording and metadata
Email and chat related to treasury operations: Searchable archive with 7-year retention
Implementation Checklist
☐ Audit current logging capabilities across all communication platforms
☐ Enable comprehensive logging for platforms that support it
☐ Establish retention policies meeting regulatory requirements
☐ Test log retrieval process (can you actually find and review past communications?)
☐ Document any gaps where logging is unavailable
☐ For gaps, implement alternative verification (such as manual documentation)
Question 4: Have We Trained Finance Staff on Deepfake Indicators?
Why This Matters
A 2024 Medius survey found that over half of finance professionals in the US and UK had been targeted by deepfake-powered financial scams, and 43% reported they had fallen victim to such attacks. The problem isn't that finance staff are careless; it's that they haven't been trained to recognize these sophisticated threats.
Traditional cybersecurity training focuses on phishing emails and suspicious links. Deepfake attacks exploit different vulnerabilities:
Authority bias (trusting executive requests)
Urgency pressure (time-limited decisions)
Visual/audio confirmation bias (believing what you see and hear)
Assessment Questions
Current State:
When was the last time your finance team received training on deepfake threats?
Does your security awareness training include examples of voice cloning and video deepfakes?
Can your staff articulate what to do if they receive a suspicious urgent transaction request?
Specific Indicators to Train:
Requests for urgent transactions with unusual secrecy
Communications through personal platforms or unknown numbers
Pressure to bypass normal approval procedures
Subtle audio or video anomalies (though these are increasingly rare)
Verification reluctance or frustration from the requester
Training curriculum essentials to look for:
Module 1: Real Cases (30 minutes)
Arup $25M case study
UK Energy Firm voice cloning
Failed WPP attempt (what went right)
Module 2: Recognizing Red Flags (20 minutes)
The four critical red flags (urgency + secrecy + unusual platform + verification resistance)
Psychological tactics attackers use
Why "seeing" and "hearing" are no longer sufficient
Module 3: Response Protocols (30 minutes)
Step-by-step verification process
How to delay without refusing
Escalation procedures
Practice scenarios
Module 4: Hands-On Simulation (30 minutes)
Simulated deepfake call with finance staff
Measure who detects it vs. who complies
Debrief on decision-making process
Implementation Checklist
☐ Schedule mandatory training for all finance staff (next 30 days)
☐ Include actual audio/video examples of deepfakes in training
☐ Role-play scenarios with simulated urgent requests
☐ Establish clear escalation procedures for suspicious requests
☐ Create quick-reference cards with red flags and response protocols
☐ Implement quarterly refresher training
☐ Track metrics: % staff who can identify red flags in simulation
Question 5: Is Our Verification Out-of-Band?
Why This Matters
The single most important technical defense against deepfake fraud is out-of-band verification: confirming requests through a completely separate communication channel that the attacker doesn't control.
If someone requests a wire transfer via video call, and you verify by asking them to confirm on that same video call, you've accomplished nothing. The deepfake can simply say "yes, confirmed."
True out-of-band verification means:
Request arrives via Channel A (video call, email, chat)
Verification happens via Channel B (phone call to known number, in-person conversation, corporate chat system)
Channels A and B are independent and controlled by you, not the requester
Assessment Questions
Current State:
How do you currently verify unusual transaction requests?
Do you call back on the number the person called from, or on a pre-established corporate number?
For video call requests, do you verify through a different communication method?
Deepfake-Resistant Verification:
Scenario: You receive a video call from the CFO requesting an urgent $500K wire transfer.
Inadequate Response:
"Can you confirm that amount again?" (still on the same call)
Sending confirmation email to the address that initiated the request
Calling back the number that just called you
Proper Out-of-Band Response:
Note the request details
End the current call/communication
Call the CFO's office number from your corporate directory
Speak directly with them to verify the request
If unable to reach, delay transaction until verification is complete
Document all verification steps
Implementation Checklist
☐ Define what constitutes "out-of-band" for your organization
☐ Establish corporate directory of verified contact numbers for all executives
☐ Create decision tree: "If request comes via [channel], verify via [different channel]"
☐ Train staff on why same-channel verification is ineffective
☐ Implement "pause and callback" protocol for high-value transactions
☐ Document verification steps in transaction records
Question 6: Do We Have Challenge Questions for High-Risk Transactions?
Why This Matters
AI can perfectly clone your voice and appearance, but it cannot access information about recent specific events or private conversations. Challenge questions exploit this limitation.
The key is asking questions that:
Reference recent, specific events (last 1-3 days)
Aren't publicly available information
Would be natural to ask in conversation
Can't be researched or predicted by attackers
Assessment Questions
Current State:
Do you have established challenge questions for verifying executive identities?
Are these questions specific and recent, or generic and predictable?
Do staff know they're empowered to ask these questions even of verified-seeming executives?
Effective Challenge Question Examples:
"What did we discuss in yesterday's 3 PM meeting?" (recent, specific)
"Who else was on that investor call this morning?" (verifiable, specific)
"What was the first item on today's leadership team agenda?" (recent, private)
"What's the status on the [specific project] we talked about last week?" (contextual)
Ineffective Challenge Questions:
"What's your employee ID?" (static, potentially compromised)
"Where did you go to college?" (public information)
"What's your favorite color?" (unchanging, trivial)
Implementation Approach
Rather than pre-establishing specific questions (which could be compromised), train staff to ask contextual questions about recent events:
If the person is really your CFO, they will:
Answer immediately and specifically
Appreciate your diligence
Understand why you're asking
Engage naturally in conversation
If it's a deepfake, it will:
Provide vague or generic responses
Express frustration at being questioned
Try to redirect away from verification
Struggle with unexpected conversational turns
Implementation Checklist
☐ Train staff on the concept of challenge questions
☐ Provide examples of good vs. bad questions
☐ Emphasize that questions should be spontaneous and contextual
☐ Role-play scenarios where staff practice asking executives challenge questions
☐ Establish cultural acceptance: Real executives expect and appreciate verification
☐ Document that staff will not face repercussions for questioning unusual requests
Question 7: Can Urgent Requests Still Bypass Our Protocols?
Why This Matters
Every successful deepfake fraud case involves urgency. Attackers create artificial time pressure to prevent the careful verification that would expose the fraud.
The critical question isn't whether you have verification protocols; it's whether those protocols have exceptions for "urgent" requests.
Assessment Questions
Current State:
Do your verification and approval protocols allow exceptions for urgent situations?
Can an executive request override standard procedures by claiming urgency?
Have there been past instances where "urgent" transactions bypassed normal approvals?
Red Flag Responses:
"Usually we require dual authorization, but for urgent requests the CFO can approve alone"
"We normally call back to verify, but if they say it's time-sensitive we process immediately"
"Typically we need documentation, but in emergencies we can do paperwork later"
Deepfake-Resistant Approach:
Principle: Urgency doesn't eliminate verification; it changes the timeline.
For Legitimate Urgent Transactions:
Real urgency can accommodate 30-60 minutes for proper verification
If it can't wait 30 minutes for verification, it's either fraud or poor planning
Proper advance planning eliminates most "urgent" situations
Protocol Override Requirements:
Override requests must come from TWO executives (not just the one requesting the transaction)
CFO and CEO must both approve protocol overrides
Legal and compliance must be notified within 24 hours
Full documentation must be completed within 48 hours
Implementation Checklist
☐ Review past 90 days of transactions for "urgent" bypasses
☐ Identify patterns: Who requests urgency? How often? For what amounts?
☐ Eliminate blanket urgency exceptions from procedures
☐ Establish the protocol override process requiring dual executive approval
☐ Document that verification delay is acceptable for even legitimate urgent requests
☐ Train staff with confidence: "Real executives understand security protocols"
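The thresholds from Question 1, the out-of-band rule from Question 5 and the override requirements from Question 7 can be expressed as one release check that a payment system runs before a transfer goes out. This is an added example, not code from the original checklist: the role names, the corporate directory entries and the channel labels are constructed, and it assumes an urgency override only shortens the hold period and never waives verification.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed corporate directory: the only callback numbers verification may use.
CORPORATE_DIRECTORY = {"cfo": "+1-555-0100", "ceo": "+1-555-0101"}
C_LEVEL_ROLES = {"ceo", "cfo", "coo", "cio", "ciso"}    # assumed role names
DUAL_AUTH, C_LEVEL, BOARD = 50_000, 250_000, 1_000_000  # thresholds from Question 1

@dataclass
class TransferRequest:
    amount: float
    request_channel: str                  # channel the request arrived on, e.g. "video"
    requested_by: str                     # role the requester claims, e.g. "cfo"
    approvals: set = field(default_factory=set)   # roles that signed off
    urgent: bool = False
    verified_via: Optional[str] = None    # channel used to verify, e.g. "phone"
    callback_number: Optional[str] = None # number actually dialled for verification
    board_notified: bool = False
    override_approvers: set = field(default_factory=set)  # executives approving an override

def approval_gaps(req: TransferRequest) -> List[str]:
    """Question 1: required approvals scale with amount; urgency never lowers the bar."""
    gaps, amount, ap = [], req.amount, req.approvals
    if amount > BOARD:
        if not {"ceo", "cfo"} <= ap:
            gaps.append("over $1M: CEO and CFO approval required")
        if not req.board_notified:
            gaps.append("over $1M: board notification required")
    elif amount > C_LEVEL and ("cfo" not in ap or len(ap & C_LEVEL_ROLES) < 2):
        gaps.append("over $250K: CFO plus one other C-level approval required")
    elif amount > DUAL_AUTH and len(ap) < 2:
        gaps.append("over $50K: dual authorization required")
    return gaps

def verification_gaps(req: TransferRequest) -> List[str]:
    """Question 5: verify on a channel you control, using a number you looked up yourself."""
    if req.amount <= DUAL_AUTH:
        return []
    gaps = []
    if not req.verified_via or req.verified_via == req.request_channel:
        gaps.append("verification must be out-of-band (different channel)")
    # Calling back the number that just called you proves nothing; use the directory.
    if req.verified_via == "phone" and req.callback_number != CORPORATE_DIRECTORY.get(req.requested_by):
        gaps.append("callback must use the corporate directory number")
    return gaps

def evaluate(req: TransferRequest) -> List[str]:
    """Return the reasons a transfer must be held; an empty list means it may proceed."""
    gaps = approval_gaps(req) + verification_gaps(req)
    # Question 7: 'urgent' adds a requirement (two-executive override) and removes none.
    if req.urgent and not {"ceo", "cfo"} <= req.override_approvers:
        gaps.append("urgent request: protocol override requires CEO and CFO approval")
    return gaps
```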
Question 8: Do We Know What to Do If We've Been Scammed?
Why This Matters
In the Arup case, the employee discovered the fraud "after following up with the company's headquarters". The delay between the fraudulent transfers and discovery gave criminals time to move the money, making recovery extremely difficult.
Rapid response can significantly improve fund recovery outcomes. According to fraud recovery specialists, funds reported within hours of transfer have a much higher recovery rate than those reported days later.
Assessment Questions
Current State:
If someone discovers a suspected deepfake fraud, do they know who to contact immediately?
Do you have established relationships with law enforcement cybercrime units?
Can you rapidly freeze accounts or reverse transactions?
Do you know which authorities to notify (local police, FBI, FinCEN, etc.)?
Immediate Response Checklist:
Within 1 Hour of Discovery:
☐ Contact your bank(s) immediately to attempt transaction reversal or freeze
☐ Contact receiving bank(s) to request temporary hold on funds
☐ Notify internal Legal and Compliance teams
☐ Preserve all communication records (emails, call logs, video recordings)
Within 4 Hours:
☐ File report with local law enforcement
☐ File report with FBI Internet Crime Complaint Center (IC3.gov)
☐ If financial institution: File Suspicious Activity Report (SAR) with FinCEN referencing "FIN-2024-DEEPFAKEFRAUD"
☐ Notify cyber insurance carrier
Within 24 Hours:
☐ Conduct internal investigation of how security was compromised
☐ Identify and secure any other potential vulnerabilities
☐ Brief executive leadership and Board (for material losses)
☐ Engage forensic cybersecurity firm if needed
☐ Review public relations/disclosure obligations
Critical Point: Every hour of delay reduces recovery probability. The Hong Kong police investigation of Arup began after the employee "later checked with head office" but by then the money had been moved through multiple accounts.
Implementation Checklist
☐ Create "Suspected Fraud" emergency contact list (internal and external)
☐ Establish 24/7 contact protocol for urgent fraud reporting
☐ Build relationships with FBI cybercrime unit and local authorities before you need them
☐ Document step-by-step response procedures
☐ Conduct tabletop exercise: simulate discovering a deepfake fraud and practice response
☐ Review cyber insurance coverage for deepfake fraud scenarios
Putting It All Together: Your Vulnerability Score
Now that you've worked through all eight questions, assess your organization's current state:
Scoring Guide
For each question, rate your organization:
2 points: Strong controls in place, regularly tested, no exceptions
1 point: Partial controls, some gaps or inconsistencies
0 points: Significant vulnerabilities, no formal controls
Total Your Score:
14-16 points: Low Vulnerability
You have strong defenses against deepfake fraud. Focus on maintaining these controls and staying updated on evolving threats.
9-13 points: Moderate Vulnerability
You have some protections but significant gaps remain. Prioritize addressing the 0-point and 1-point items within 60 days.
0-8 points: High Vulnerability
Your organization has critical exposure to deepfake fraud. This requires immediate executive attention and rapid implementation of basic controls.
Priority Action Plan
Regardless of your score, implement these items within 30 days:
Week 1:
Establish dual authorization thresholds with no exceptions
Document which communication platforms are authorized
Train finance team on the four red flags
Week 2:
Implement out-of-band verification protocol
Create challenge question framework
Remove urgency exceptions from procedures
Week 3:
Enable comprehensive logging on all platforms
Establish emergency response procedures
Conduct tabletop fraud response exercise
Week 4:
Review and document all implemented changes
Schedule quarterly reassessment
Brief executive leadership on new protocols
Conclusion: Vulnerability assessment is an ongoing process
The deepfake threat landscape evolves rapidly. What works today may be inadequate in six months. Quarterly reassessment of these eight questions should be part of your standard risk management process.
Remember: Nearly every successful deepfake fraud exploited gaps in basic verification protocols, not sophisticated technical failures. The Arup employee who lost $25 million wasn't careless; they were operating in a system without adequate deepfake defenses.
The questions in this checklist aren't exhaustive, but they address the specific protocol gaps that have been successfully exploited in documented cases. Answer them honestly, address the gaps you find, and train your team thoroughly.
The investment in these controls is measured in hours and modest process changes. The potential loss from not having them is measured in millions of dollars and damaged careers.
Take the 15 minutes today to work through these questions. The gaps you identify could save your organization from becoming the next deepfake fraud case study.