‘This happens more frequently than people realize’: Arup chief on the lessons learned from a $25m deepfake crime

Arup's Rob Greig: 'It's freely available to someone with very little technical skill to copy a voice, image or even a video.' Image: Unsplash/Ales Nesetril
- Fraudsters used an AI deepfake to steal $25 million from UK engineering firm Arup.
- Here, Arup's Chief Information Officer, Rob Greig, talks about the lessons learned.
- Cyber resilience in the face of increasing threats is a critical objective for any organization, according to the World Economic Forum white paper Unpacking Cyber Resilience.
Early in 2024, an employee of UK engineering firm Arup made a seemingly routine transfer of millions of company dollars, following a video call with senior management.
Except, it turned out, the employee hadn’t been talking to Arup managers at all, but to deepfakes created by artificial intelligence. The employee had been tricked into sending $25 million to criminals.
This wasn't a traditional cyberattack, the kind that compromises a company’s digital systems. This attack used psychology and sophisticated deepfake technology to gain the employee’s confidence.
It's an example of how cybercrime is evolving. At the time, Arup’s Chief Information Officer, Rob Greig, said the company had seen the number of cyberattacks rise sharply, along with their sophistication.
This trend is underscored in a World Economic Forum report titled Unpacking Cyber Resilience, which aims to help companies become more cyber resilient.
Here, Greig – who was previously director of the UK’s Parliamentary Digital Service – talks about what the company learned from its deepfake attack, and what organizations can do to protect themselves.
What was your first reaction when Arup was hit by the deepfake attack?
The first thing to say is we are attacked every day. I used to do a presentation that described it like this: if cyberattacks were bullets, we would all be crawling around on the floor because they would be coming through the window, thousands of rounds a second.
Organizations like mine – we are on the receiving end of attacks every week. And some are more successful than others. It’s really important we’re more open and transparent about this.
The more we talk about what is actually happening in our organizations and the impact it's really having on businesses and society and individuals, the more we can do to raise awareness and combat these threats.
What happened at Arup – I would call it technology-enhanced social engineering. It wasn’t even a cyberattack in the purest sense. None of our systems were compromised and there was no data affected.
People were deceived into believing they were carrying out genuine transactions that resulted in money leaving the organization.
My understanding is that this happens more frequently than a lot of people realize.
Audio and visual cues are very important to us as humans and these technologies are playing on that. I think we really do have to start questioning what we see.
Do you think the distinction you made with the terminology is important – in order to help people understand what happened?
I think sometimes technology and cyber buzzwords can make it difficult for the average person to penetrate. They might ask, is this even something that affects me or my business?
The reality is that this crime has been taking place since history was written down. People have always tried to deceive others for some kind of gain.
What’s different today is people are using technology to do that.
Deepfake sounds very glamorous but what does it actually mean? It means someone successfully pretended to be somebody else. And they used technology to enable them to do that.
So what has changed with technology to enable this?
Technology is becoming much more effective, convincing and accessible. It's freely available to someone with very little technical skill to copy a voice, image or even a video.
After the incident, I was curious so I attempted to make a deepfake video of myself in real time. It took me, with some open source software, about 45 minutes.
It wasn’t particularly convincing – but it was surprising what can be achieved in such a short period of time.
What are some of the immediate actions an organization can take if faced with this kind of attack?
Firstly, it's about having visibility of what's happening from a technology and cyber and data perspective.
Who has access to what and when? What data is moving around your organization? Who is trusted and what is not trusted? And what sort of erroneous activity is happening within the organization?
Being able to detect that allows you to respond. For us, the first thing to do was quickly assess the extent of the attack and identify if the entire organization was affected. Were our clients at risk? Were our people or their data at risk?
With that visibility, we were able to very quickly identify that we were not compromised and this was being caused by something else.
Second, it’s important to have rehearsed a response, not to a particular incident, but to a general set of incidents that might occur so everyone knows what their role is.
How is the Forum tackling global cybersecurity challenges?
What are some other cyber threats that organizations are facing today?
We hear a lot about things like AI and quantum computing, and terms like quantum encryption and how this will change the technology landscape for ever. And it's a huge threat to us.
But the reality is, today, the same issues that we've been facing for the past decade and even longer continue to be a serious risk to individuals and to businesses.
A simple example is things like USB devices, which are still used as a vector to attack organizations and individuals.
And the classic phishing email remains one of the top ways that people try to compromise individuals or organizations – and even governments.
Quotes have been edited for length and clarity.
Don't miss any update on this topic
Create a free account and access your personalized content collection with our latest publications and analyses.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.
Stay up to date:
Cybersecurity
Related topics:
Forum Stories newsletter
Bringing you weekly curated insights and analysis on the global issues that matter.
More on Emerging TechnologiesSee all
Aleksander Dardeli
February 14, 2025