Voice and video impersonation has moved from a curiosity to a working attack against protected people and the organisations around them. The reference case remains Arup: in 2024 the engineering firm confirmed a Hong Kong employee was tricked into making 15 transfers totalling around US$25 million after a video call populated with deepfaked versions of the CFO and colleagues, built from footage of real meetings. No arrests, no recovery.
For protective teams the relevance is direct. The same technique that spoofs a finance approval can spoof a principal's instruction to staff, a duress call to a family member, or a change of plan to a driver. Cloning a usable voice now takes seconds of public audio.
Regulation is arriving but will not carry the load. Under Article 50 of the EU AI Act, deployers using AI to generate or manipulate deepfake audio, image or video must disclose it, with obligations applying from 2 August 2026; the European Commission published a Code of Practice on AI-generated content on 10 June. That compels the lawful. It does nothing to a criminal running an impersonation.
Operator implication: the defence is process, not detection on the call. Set a verification protocol, a call-back on a known number, a challenge phrase, a second channel, for any instruction that moves money, changes a movement, or shares sensitive detail. Rule that no one, including the principal, can authorise those on a voice or video call alone. Rehearse it, because staff who have not practised will comply under pressure.





