The $25.6 Million Wake-Up Call That Should Frighten Every Hong Kong Business Owner
In February 2024, a finance worker at a multinational firm in Hong Kong joined what looked like a routine video call with the company's UK-based CFO and several colleagues. By the end of the meeting, he had authorised 15 transfers across five local bank accounts totalling US$25.6 million. Every face on that call was a deepfake. The real CFO was nowhere near a video conference that day. Hong Kong police described it as the largest deepfake corporate fraud in the city's history.
If a company with internal controls, IT teams, and a compliance department can be fooled, what defends a 12-person trading firm or a family-run logistics business in Kwun Tong? In 2026, the answer is uncomfortable: very little, unless the boss understands what AI deepfake fraud actually is and how it works.
What Is AI Deepfake Fraud?
AI deepfake fraud is a scam in which criminals use generative AI tools to clone a real person's face, voice, or both, then impersonate that person to trick employees, suppliers, or family members into transferring money, sharing passwords, or approving false transactions. The technology is no longer a Hollywood prop. Commercial voice-cloning services need 20 to 30 seconds of source audio. Face-swap video tools can run in real time on a consumer laptop.
For a Hong Kong SME boss, the relevant version is short: it is a phone call, WhatsApp voice note, or Zoom meeting that sounds and looks exactly like your CFO, your client, or your spouse, asking for a payment that never normally happens. By the time the staff member realises something is wrong, the money is in a mule account in mainland China or Cambodia.
How Do Deepfake Scams Actually Work?
A deepfake scam blends three off-the-shelf components: harvested source material, a generative model, and a social-engineering script. Criminals scrape voice samples from LinkedIn videos, YouTube interviews, conference recordings, or even your "About Us" page. They feed those samples into a voice-cloning model. Then they call your accountant pretending to be you, often during a known stressful window, such as a Friday afternoon before a long weekend.
The three stages of a typical attack:
1. Reconnaissance. The attacker studies the target's public footprint, identifies the boss, the accountant, and the supplier relationships. LinkedIn, Instagram Reels, and company videos are the main sources.
2. Cloning. Voice cloning needs as little as 20 seconds of clean audio. A 90-second YouTube interview is usually more than enough. Face swap for video calls requires a few photos and 30 seconds of facial movement.
3. Execution. The attacker creates urgency, names a real ongoing project, instructs a payment "before the bank closes", and provides a new account number. The victim recognises the voice and complies.
Why Are Hong Kong SMEs Especially Vulnerable?
Hong Kong SMEs sit at the intersection of three weaknesses that scammers love. First, approval workflows are usually informal. A WhatsApp message from the boss is treated as final approval. Second, the finance function is often one or two people who know the founder personally and would never question a direct request. Third, cross-border payments are routine. A wire to a new supplier in Shenzhen, Hanoi, or Dubai does not raise eyebrows.
According to Deloitte's 2024 Financial Crime forecast, AI-enabled fraud losses are projected to rise from US$12.3 billion in 2023 to US$40 billion by 2027, a 32% compound annual growth rate. Sumsub reported a 1,740% year-on-year increase in deepfake fraud incidents in the Asia-Pacific region in 2023 alone. Hong Kong, with its high English-Cantonese-Mandarin code switching and concentration of cross-border SMEs, ranks among the most targeted markets globally.
What Are the Three Most Common Deepfake Attacks on Small Businesses?
Most SME-targeted deepfake fraud falls into three patterns. Knowing the pattern is half the defence.
1. The CEO voice-clone payment request. The accountant receives a WhatsApp voice note that sounds exactly like the boss: "I'm in a meeting, please wire HK$380,000 to this account today, supplier deal, will explain later." The voice is correct down to filler words and Cantonese tone.
2. The supplier invoice swap. An existing supplier's video or audio is cloned and used to inform your team that the supplier has changed bank accounts. The next invoice payment, sometimes a six-figure sum, lands in the criminal's account.
3. The deepfake video conference. A fake Zoom or Teams call assembles deepfaked versions of multiple people, the boss, the lawyer, the China office manager, all instructing the victim to act fast. This is the Arup-style attack and is no longer rare. Sumsub identified more than 50 documented cases of fake video conferences against Asia-Pacific firms in the first half of 2025.
What Are the Practical Defences a Hong Kong SME Boss Can Put in Place This Week?
Most defences cost nothing and need no IT team. They rely on process, not technology.
Defences any SME can deploy in seven days:
1. Set a callback rule. Any new payee or any change of bank details requires a callback to the requester on a known phone number, not the number provided in the request. No exceptions, no matter how urgent the message sounds.
2. Create a family or company codeword. Agree on a phrase that only insiders know. Use it during any unusual voice or video request. A deepfake cannot answer a question that was never published online.
3. Cap urgent transfers. Set a written policy that any payment above a threshold, for example HK$50,000, requires written approval from two named people. The threshold is yours to choose, the principle of dual approval is non-negotiable.
4. Train staff to challenge urgency. Every deepfake scam relies on the victim acting before they think. Coach finance staff to say "I will call you back in 5 minutes" and mean it.
5. Reduce your public voice and face footprint. Be cautious about long-form public interviews, founder videos, and "company culture" reels. Each clip is potential training data for a clone.
Common Misconceptions That Get SMEs Into Trouble
"We are too small to be targeted." Sumsub's 2025 fraud report found that 41% of deepfake attacks now target firms with under 50 employees. Smaller companies are easier targets because controls are weaker, not because criminals overlook them.
"My staff will spot a fake voice." A 2024 University College London study found that humans correctly identified AI-cloned voices only 73% of the time, dropping to 60% when stress and urgency were added. Voice recognition is not a reliable defence.
"Banks will reverse the transfer." Cross-border deepfake fraud rarely gets recovered. In the Arup case, only a small fraction of the US$25.6 million has been frozen, more than two years after the incident. Treat every transfer as irreversible.
Frequently Asked Questions
Q: Is it illegal in Hong Kong to make a deepfake?
Creating a deepfake is not itself a crime in Hong Kong, but using one to commit fraud, identity theft, or sexual offences is prosecutable under existing laws. The Privacy Commissioner's office has flagged deepfake misuse as an enforcement priority for 2026.
Q: Can I tell a deepfake voice from a real one?
Sometimes, yes. Listen for unnatural breath patterns, missing background ambience, robotic tail-ends on sentences, and inconsistent emotion. But high-quality clones in 2026 are often indistinguishable. Rely on process, not your ears.
Q: Is there AI software that detects deepfakes?
Yes. Tools such as Reality Defender, Sensity, and Pindrop offer real-time detection for voice and video. Coverage is improving but is not 100%. Use them as a layer, not a single line of defence.
The Quiet Truth Behind Every Deepfake Scam
Every successful deepfake attack ends the same way: a person inside the company makes a decision they would not have made if they had paused for two minutes. The technology is impressive, but the failure point is always a workflow that does not allow time to verify. Fixing that workflow is cheaper than any cyber-insurance premium, and it is the single highest-leverage move a Hong Kong SME boss can make in 2026.
The risk will not slow down. Voice cloning is now available as a US$5-a-month consumer service. Real-time face swap for Zoom is open-source. The defence has to live inside your own company, in the rules you set, the codewords you create, and the calm you train your team to maintain when a message screams "urgent".
UD has spent 28 years helping Hong Kong businesses navigate the technology cycles that look impossible from the outside. AI brings unprecedented productivity, and unprecedented new attack surfaces. Cutting through that complexity, calmly and with someone who has seen every wave before, is what UD is built for. UD stands with you, making AI human.
Ready to Build Your Defences Without the Cybersecurity Jargon?
Deepfake fraud will not announce itself. Building the right verification workflow, the right staff training, and the right detection tools takes a sober second pair of eyes. Our team will walk you through every step, from a one-hour risk assessment to a deployment that fits your business, no jargon, no oversell.
