Summary
In March 2025, a finance director at an unnamed multinational corporation (MNC) headquartered in Singapore was defrauded of US$499,000 (approximately SG$670,000) through a meticulously orchestrated deepfake video conference attack. Cybercriminals used artificial intelligence (AI) to generate real-time synthetic personas of the company's CFO and other senior executives, then hosted a live Zoom call with the finance director, convincing them to authorize a large wire transfer.
This case is one of the first of its scale in Southeast Asia and marks a turning point in corporate fraud. It did not involve a phishing email or a suspicious phone call, but a multi-participant live deepfake video conference that bypassed the traditional “seeing is believing” safeguard. Importantly, authorities in Singapore and Hong Kong responded swiftly and recovered the transferred funds before the fraud was fully completed.
⚠ WHY THIS MATTERS TO EVERY CFO
Traditional verification protocols, including video calls, are no longer sufficient. By the time fraudsters ask for a second transfer of US$1.4 million, the first payment may already have been sent. This case shows clearly that deepfakes are no longer just a future risk; they are a real and present danger for businesses today.
The targeted organisation is an unidentified multinational corporation with operations in Singapore and cross-border financial activities extending to Hong Kong. The company's name has not been publicly disclosed by Singapore authorities (consistent with privacy protections for corporate victims). Its finance function involved regular large-value intercompany and project-related wire transfers, a profile that made it an attractive target.
Fact | Details |
|---|---|
Target Organisation | Unnamed multinational corporation (MNC) |
Location | Singapore (with accounts in Hong Kong) |
Victim | Finance Director (role confirmed by Singapore Police Force) |
Industry | Not publicly disclosed |
Nature of Fraud | AI-generated deepfake video conference - executive impersonation |
Reported By | Singapore Police Force (SPF), MAS, CSA - Joint Advisory, 12 March 2025 |
Attack Timeline & Methodology
Step-by-Step Reconstruction
The attack was multi-stage, psychologically sophisticated, and leveraged multiple channels to build trust before extracting funds. The following timeline is reconstructed from the Singapore Police Force advisory and corroborated by independent reporting from HRD Asia, Cyber Security Asia, and Reality Defender.
DATE | EVENT | DETAIL |
|---|---|---|
Early March | Reconnaissance & Preparation | Criminals harvest publicly available video footage of the company's CFO and executives from earnings calls, webinars, LinkedIn interviews, and press conferences to build deepfake training data. |
24 March 2025 | Initial Contact via WhatsApp | Finance director receives a WhatsApp message from an individual impersonating the company's CFO (UK-based). The message requests participation in an urgent, confidential Zoom video conference about a supposed regional business restructuring. |
25 March 2025 | Pre-Meeting Priming | Additional messages and a fabricated Non-Disclosure Agreement (NDA) and Board Letter are shared, signed by a scammer posing as the company's legal counsel, designed to legitimise the upcoming request. |
26 March 2025 | Live Deepfake Zoom Call | Finance director joins the Zoom call. Multiple participants (the CFO and other senior executives) appear on screen. Faces, voices, and body language are AI-generated in real-time from scraped public media. No technical anomalies are noticed. |
26 March 2025 | Fund Transfer Authorised | Under instruction from the fake executives, the finance director authorises a wire transfer of US$499,000 to a local Singapore corporate bank account. Funds are quickly routed to Hong Kong mule accounts. |
Shortly After | Second Transfer Demanded | Fraudsters escalate, demanding an additional transfer of approximately US$1.4 million (SG$1.9 million). The unusually large second request triggers suspicion in the finance director. |
Late March 2025 | Incident Reported | Finance director contacts the Anti-Scam Centre (ASC) in Singapore and the Hong Kong Police Force's Anti-Deception Coordination Centre (ADCC). Authorities act swiftly. |
Late March 2025 | Funds Frozen & Recovered | Singapore's ASC and Hong Kong's ADCC cooperate to trace and freeze the full US$499,000 in Hong Kong bank accounts before it could be further dispersed. Full recovery achieved. |
12 March 2025* | Joint Advisory Issued | SPF, MAS, and CSA issue a public Joint Advisory warning businesses of deepfake video call scams. (*Note: Advisory predates this incident's public disclosure, suggesting earlier cases triggered the warning.) |
The Deepfake Technology Used
The attackers used generative AI and deepfake video technology sourced from publicly available footage. Key technical characteristics of the attack included:
Real-time face and voice synthesis: The deepfakes ran live during the Zoom call, not as pre-recorded footage, a significant technological leap.
Multi-persona orchestration: Multiple deepfake identities participated simultaneously (the CFO, other executives, and even a fake lawyer), creating a boardroom-level illusion.
Voice cloning accuracy: Each simulated executive's voice matched known speech patterns derived from public recordings.
Contextual scripting: Scammers used insider-sounding business language (restructuring, M&A, confidential acquisition) to reinforce authenticity.
Supporting documentation: Fake legal documents (NDA, Board Letter) were shared to reinforce the deception's paper trail.
🔍 HOW THEY BUILT THE DEEPFAKES
Every earnings call, investor day recording, LinkedIn video, and media interview your executives appear in becomes raw training data for attackers. The Singapore attackers needed only publicly available footage; no insider access was required. 3 seconds of audio is sufficient for voice cloning using current commercial tools.
Financial Impact Analysis
Cost Category | Amount |
|---|---|
Initial Transfer Made | US$499,000 (~SG$670,000) |
Second Transfer Demanded | US$1,400,000 (~SG$1,900,000) |
Total Attempted Fraud | ~US$1,900,000 (~SG$2,570,000) |
Funds Recovered | US$499,000 (100% of transferred amount) |
Net Financial Loss | US$0 (full recovery - operationally rare outcome) |
Investigation & Response Costs | Not publicly disclosed |
Reputational/Insurance Impact | Not publicly disclosed |
While the full US$499,000 was recovered, this outcome is exceptional. The recovery was only possible because the finance director's suspicion was triggered by the second request and because Singapore-Hong Kong law enforcement cooperation moved within hours. In the majority of comparable global incidents, funds are dispersed and irrecoverable within 24–48 hours.
Control Failure Analysis
What Failed And Why?
This incident is instructive precisely because the finance director followed what were, until recently, best-practice verification steps. The failure was not negligence; it was that the threat evolved beyond existing control frameworks.
1. Video Verification as Final Check - Now Compromised
The widely taught counter-measure to Business Email Compromise (BEC) attacks is 'escalate to a video call to verify the requester.' This incident shows that video calls can no longer serve as a final verification step. The attackers, aware that finance professionals had been trained to request video verification, proactively suggested the Zoom call themselves, weaponising the verification step.
2. Single-Channel Authentication
The finance director received the initial request via WhatsApp, was briefed via documents, and then confirmed via Zoom, all channels controlled by the attackers. There was no step that required the finance director to initiate contact with the real CFO through an independently verified number or email on file.
3. Absence of Out-of-Band Dual Authorisation
A second independent authoriser, either physically present or contacted via a pre-registered separate channel, was not required. For a wire transfer of US$499,000, many financial governance frameworks would mandate dual sign-off, but this control either did not exist or was bypassed within the deepfake's false authority structure.
4. No Deepfake Detection Capability
Neither the Zoom platform nor the company's internal systems flagged the video call as containing AI-generated content. Commercial real-time deepfake detection tools existed at the time but were not deployed in this organisation's workflow.
🚨 CRITICAL INSIGHT
The most dangerous element of this scam was not the technology; it was the psychological engineering. Scammers knew that finance professionals had been warned about BEC emails and voice calls. They pre-empted verification by offering video confirmation themselves. The 'willingness to verify' created false confidence that exploited the very security culture meant to protect the victim.
Red Flags & Warning Signs
Indicators That Should Have Triggered Escalation
In retrospect, multiple warning signs were present. Awareness of these signals should form part of every finance team's ongoing training.
Red Flag | Why It Matters |
|---|---|
Unsolicited WhatsApp from 'CFO' | Senior executives rarely initiate large financial requests via personal messaging apps. WhatsApp is not a standard corporate communication channel for sensitive financial transactions. |
Urgency framing | The request was framed around a 'confidential restructuring' requiring rapid action, a classic pressure technique to reduce scrutiny time. |
Confidentiality demand | Requests to keep the transaction secret from other colleagues or processes are a hallmark of social engineering. |
New or unusual bank account | The transfer destination was a local Singapore corporate account, not a known company account. New payees should always trigger enhanced verification. |
Legal documentation pre-shared by scammers | Legitimate legal agreements are generated through internal counsel; they do not arrive pre-packaged from an external party initiating a call. |
Multi-party Zoom call initiated by requester | The scammers proactively offered a video call, reversing the expected flow where the finance team would initiate verification independently. |
Second escalating request | The demand for a further US$1.4 million, significantly larger, is characteristic of scam escalation once an initial transfer is secured. |
Cross-border routing of funds | Post-transfer, funds moved rapidly to Hong Kong accounts, a pattern consistent with money mule networks. |
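The checks named in control failures 2 and 3 and in the red-flag table above, written as a payment-release gate and run against a request constructed from this incident's timeline. This is an added example, not code from the SPF advisory or the victim organisation; the threshold, channel list, field names and approver label are assumptions.

```python
from dataclasses import dataclass, field

DUAL_AUTH_THRESHOLD_USD = 50_000                      # assumed policy value
PERSONAL_CHANNELS = {"whatsapp", "sms", "telegram"}   # assumed list

@dataclass
class Verification:
    channel: str          # "zoom", "phone", ...
    initiated_by: str     # "requester" or "finance"
    contact_source: str   # "on_file" or "supplied_by_requester"

@dataclass
class TransferRequest:
    amount_usd: int
    request_channel: str
    payee_known: bool
    urgent: bool
    confidential: bool
    verifications: list = field(default_factory=list)
    approvers: set = field(default_factory=set)

def is_out_of_band(v: Verification) -> bool:
    # A check counts only if finance started it using details already on file;
    # a video call the requester set up proves nothing about the requester.
    return v.initiated_by == "finance" and v.contact_source == "on_file"

def evaluate(req: TransferRequest):
    """Return (decision, reasons): HOLD on a failed control, ESCALATE on red flags."""
    blocks, flags = [], []
    if not any(is_out_of_band(v) for v in req.verifications):
        blocks.append("no finance-initiated callback to a contact on file")
    if req.amount_usd >= DUAL_AUTH_THRESHOLD_USD and len(req.approvers) < 2:
        blocks.append("dual authorisation missing")
    if req.request_channel in PERSONAL_CHANNELS:
        flags.append("request arrived on a personal messaging app")
    if not req.payee_known:
        flags.append("new payee account")
    if req.urgent:
        flags.append("urgency framing")
    if req.confidential:
        flags.append("confidentiality demand")
    decision = "HOLD" if blocks else "ESCALATE" if flags else "RELEASE"
    return decision, blocks + flags

def incident_request() -> TransferRequest:
    # Constructed from the timeline above; the approver label is hypothetical.
    return TransferRequest(499_000, "whatsapp", payee_known=False, urgent=True,
        confidential=True, approvers={"finance_director"},
        verifications=[Verification("zoom", "requester", "supplied_by_requester")])

if __name__ == "__main__":
    print(evaluate(incident_request()))
```

The Zoom call is recorded as a verification but does not satisfy the gate, because the requester initiated it and supplied the meeting details; adding a finance-initiated callback and a second approver moves the same request from HOLD to ESCALATE, since the red flags remain.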
Lessons Learned & Root Cause
Root Cause Analysis
The root cause is the intersection of two converging factors:
(1) the commoditisation of real-time deepfake technology that has made multi-person video impersonation accessible to criminal networks, and
(2) the absence of control frameworks that account for compromised video verification. Security postures built for Business Email Compromise and voice-only fraud are structurally inadequate against live video deepfake attacks.
Key Lessons for Finance and Treasury Teams
Video verification is not enough: A video call confirming an executive's identity can no longer serve as a standalone authorisation step for large transfers.
Pre-shared materials are not authentication: Receiving a legally formatted NDA or board resolution via email or messaging does not constitute verification that the request is genuine.
Urgency and confidentiality are manipulation tools: Any request that discourages normal process compliance should increase, not decrease, scrutiny.
Attackers study your defences: Scammers in 2025 are aware of BEC training materials. They are engineering attacks that defeat trained responses. Training must evolve continuously.
Recovery is the exception: The US$499,000 was recovered because of exceptional cross-border law enforcement speed. Assume funds are unrecoverable once transferred.
Public media creates attack material: Every executive video appearance generates deepfake training data. Digital presence management is now a security consideration.
Cost-Benefit Analysis of Controls
Control | Estimated Cost |
|---|---|
Callback verification protocol | Low (policy + training, <SG$5,000) |
Dual authorisation upgrade | Low-Medium (process redesign, <SG$20,000) |
Finance team deepfake training | Low (SG$5,000–15,000/year) |
Real-time deepfake detection software | Medium (SG$30,000–100,000/year) |
Payment fraud cyber insurance rider | Variable (premium-dependent) |
Annual red team simulation | Medium (SG$20,000–50,000) |
A full control stack addressing deepfake threats can be implemented for under SG$200,000 annually, a fraction of the SG$670,000 targeted in this incident, and negligible against the potential US$1.9 million total exposure had the scam fully succeeded.

