Blog

Arup and the $25.6 Million Video Call: Deepfakes, Business, and the Law

Deepfake fraud is on the rise. In 2025, losses stemming from the phenomenon topped $1.1 billion in the United States; three times more than the year before. Deepfake fraud attempts surged over 1,300 percent within the same period, transitioning from an occasional monthly occurrence to multiple attempts per day. In a 2025 Internet Crime Report, the FBI logged more than 22,000 AI-related fraud complaints, with losses exceeding $893 million. Congressional researchers estimate most voice cloning victims never report their losses, which means the real numbers are likely far higher.

Schemes involving AI-generated content are not solely confined to the personal arena, either, which means business leaders need to take heed of the legal and business risks it poses; as engineering giant, Arup, learned.

It was January of 2024 and a finance employee at Arup joined what he thought was a routine video call with the CFO and several other senior colleagues. Over the course of the call, the employee was asked to process fifteen purportedly “urgent” wire transfers totaling $25.6 million. He did as he was asked but later discovered every single person on that call was an AI-generated deepfake. No one was ever arrested, and the money was never recovered.

Instances like this are no longer an anomaly, and business executives are prime targets.

Why Are Deepfakes so Prevalent?

Deepfakes are more common because the tools required to produce them are cheap, accessible, and can produce convincing results with very little source material. In some cases, just three seconds of recorded audio can be used to generate synthetic speech that closely resembles that of a real person.For businesses, the threat tends to manifest in three ways:

• Financial Fraud and Executive Impersonation is the most immediate (and quantifiable) risk, as demonstrated by the Arup example. Business executives are especially vulnerable because they often speak during interviews, podcasts, videos, and all-hands meetings, creating a ready supply of public audio and video scammers can use.
• Brand Impersonation and Reputational Harm present a distinct risk for consumer brands, agencies, and other companies with public-facing executives, primarily because deepfake content generated by AI can ostensibly put false words into the mouths of real people, and no one will know the difference.
• Workplace Liability is another, often-overlooked, risk with many employers failing to realize liability can arise not only from external deepfake scams, but also from the internal use or circulation of AI-generated content. For example, the California Court of Appeal recently upheld a landmark ruling involving a sexually explicit deepfake image of an officer that colleagues circulated within a police department. The court concluded distributing the image constituted workplace harassment and affirmed a judgement for $4 million. For businesses, the message the court sent was clear: failing to adopt and enforce policies prohibiting the creation or distribution of deepfake images or videos in the workplace can result in significant litigation exposure.

The Changing Legal Landscape

Lawmakers are moving quickly to address the growth of deepfakes. Since 2022, 46 states have enacted legislation targeting synthetic media, the federal Tools to Address Known Exploitation by Immobilizing Technological Deepfakes On Websites and Networks Act, also known as the TAKE IT DOWN Act, was signed into law in May 2025, and key EU AI Act transparency obligations are scheduled to take effect beginning in August 2026. Together, these developments have created a fragmented compliance landscape for businesses operating across jurisdictions.

A few developments worth special note:

At the federal level, the TAKE IT DOWN Act requires covered platforms to remove nonconsensual AI-generated intimate content within 48 hours of a valid takedown request. Separately, in February 2024, the FCC ruled that AI-generated voices qualify as “artificial” under the Telephone Consumer Protection Act, making unauthorized voice-cloning calls unlawful.

New state legislation is expected to reach beyond individual creators and distributors to include generative AI platforms, payment processors, and hosting providers that facilitate deepfake production or dissemination. Businesses that use AI tools may increasingly fall within the scope of these laws as a result.

Both Florida and New York, in particular, have active or pending deepfake legislation that includes civil liability provisions, making them especially relevant to businesses operating in those states.

How Businesses Can Remain Several Steps Ahead of Deepfake Liability

While it may seem daunting, there are several steps businesses can take now to protect themselves from liability exposure later, starting with developing appropriate policy and governance documentation. Leadership should work with skilled counsel to develop AI “acceptable use” policies that explicitly address synthetic media, deepfake creation and distribution, and verification protocols.

Similarly, and given the emerging workplace harassment litigation, employee handbooks and codes of conduct should be updated to expressly prohibit the creation or distribution of deepfake content targeting coworkers or company leadership, and AI vendor contracts should be reviewed to ensure provisions address liability allocation, indemnification, and compliance with applicable deepfake laws.

Insurance policies should also be given careful consideration particularly because, as of January 1, 2026, cyber insurance carriers began excluding AI-generated deepfake fraud from standard social engineering coverage. This shift requires that savvy businesses work in tandem with counsel to actively review current cyber, crime, and errors and omissions policies for deepfake-specific exclusions or gaps and explore endorsements currently available in the market.

In less than two years, deepfake technology went from novelty to documented, quantifiable, and legally complex business risk. The legal framework governing it is expanding rapidly (albeit unevenly) across jurisdictions, insurance carriers are actively withdrawing coverage businesses assumed they had, and liability exposure is broad. Proactive legal strategy is the best protection for businesses hoping to escape unscathed.

This blog post is for informational purposes only and does not constitute legal advice. Reading this post does not create an attorney-client relationship. The information contained herein reflects general legal developments and may not apply to your specific circumstances. You should consult a licensed attorney regarding your particular situation.