The $25 Million Meeting
In January 2026, a Swiss entrepreneur received a phone call from a trusted business partner. The voice was right. The cadence was right. The relationship was real this was someone he knew, whose speech patterns and conversational rhythms were familiar across years of working together.
The request was urgent: transfer several million Swiss francs to an Asian account for a time-sensitive deal. Over two weeks, multiple calls followed. Multiple confirmations. Multiple transfers.
The voice was never real.
The fraud was discovered only after the transfers had cleared. Swiss authorities opened an investigation. The entrepreneur was sophisticated, experienced, and personally acquainted with the person being impersonated. None of that mattered. Researchers at Queen Mary University of London have confirmed what this case demonstrates operationally: the average listener can no longer distinguish between a deepfake voice and a real human being. Traditional authentication — recognizing a familiar voice is now a vulnerability, not a control.
The Swiss case is the current cycle. The anchor case is still 2024. And it involves a video call.
The Arup Heist: What Actually Happened
In early 2024, an employee at Arup a multinational engineering firm received an email purportedly from the UK-based CFO requesting a confidential transaction. The employee paused. That instinct was correct. The email felt off.
Then the attackers initiated a video conference call.
The employee joined to find not just the CFO but multiple colleagues participating naturally in the meeting faces they recognized, voices they knew, comportment that matched their expectations of those people. The meeting proceeded. The authorization was given. Twenty-five million dollars was transferred to attacker-controlled accounts.
Per the Hong Kong Police Force: attackers used pre-recorded video manipulation to impersonate multiple participants simultaneously. The employee did everything right felt the suspicion, sought verification, escalated to visual confirmation. The visual confirmation was fabricated.
This is the distinction that matters for your organization’s controls. The employee was not careless. The control failed.
Presentation Attacks and Injection Attacks
Understanding why the Arup controls failed and why the next generation of attacks is more dangerous still requires one technical distinction that most security frameworks haven’t fully incorporated.
A presentation attack is AI-generated media presented to a human in real time to deceive. The deepfake video call at Arup was a presentation attack. The Swiss voice cloning fraud was a presentation attack. The target is human trust.
An injection attack is AI-generated content embedded into systems or processes to bypass automated or procedural checks. The target is not human judgment it is the process itself.
The most dangerous vector for 2026 is not the video call. It is the injection attack on identity verification systems. Attackers are no longer holding deepfake images up to cameras. They are using custom tooling to inject synthetic video streams directly into the application’s data pipeline — after the camera, at the software layer — bypassing liveness detection entirely because the camera never sees the fake.
MITRE ATLAS published a formal case study in December 2025 documenting exactly this attack chain. An attacker obtains a facial image from social media or a data broker dossier. Real-time face-swap software generates a live deepfake. Open Broadcaster Software streams the synthetic video. An Android application called Virtual Camera: Live Assist replaces the device’s default camera feed with the deepfake stream. The banking application’s KYC system sees the synthetic face not the camera. Liveness detection, designed to catch someone holding a photograph to a screen, does not detect an injection upstream of its own input.
iProov’s Identity Verification Threat Report documented a 300% increase in face-swap attacks on face biometric systems used for KYC since 2023. A Latin American identity verification platform serving top-tier banks and fintechs blocked more than 500,000 AI-generated synthetic identities in the first six months after deploying deepfake detection technology. Before deployment, those identities were passing KYC not failing it.
The quote from Parya Lotfi, CEO of DuckDuckGoose, states the problem precisely: deepfake identities are no longer failing onboarding. They are completing it. By the time the manipulation is discovered, those accounts are already active across payments and financial ecosystems.
The Monetary Authority of Singapore published formal guidance in September 2025 explicitly warning that criminals may use generative AI to circumvent customer due diligence measures through AI-created forged documentation, injection of false identities or beneficial ownership information, and altered video or call content submitted for remote identification. The regulator specifically calls out non-face-to-face transactions and customers outside the primary jurisdiction as elevated risk scenarios precisely the environments where cross-border M&A due diligence operates.
The Data Room Is the Next Attack Surface
The Arup heist was a video call. The Swiss entrepreneur fraud was a phone call. What your M&A due diligence process has not yet fully accounted for is the attack that doesn’t involve a call at all.
AI-generated due diligence documents are already passing initial human review. This is documented, not hypothetical.
In 2025, two separate Deloitte engagements one in Australia, one in Canada produced final deliverables containing AI-generated content that passed internal review processes before submission. The Australian case involved fabricated academic references and an invented court quotation in a government consultancy report. The Canadian case included multiple false citations to nonexistent studies, some attributed to real academics who had never authored such work. In both cases, review processes focused on narrative coherence, not factual integrity. The content was syntactically correct and stylistically consistent. The fabrications were invisible to reviewers looking for calculation errors and logical inconsistencies.
The failure mode has a name: AI slop introduces content that is syntactically correct but epistemically false. Traditional quality assurance frameworks were not designed to catch it.
Per a Kroll/FTI joint study, AI-generated due diligence packages passed initial review by 68% of junior analysts and 41% of mid-level managers in 2025 red team testing. Detection required forensic AI tools capable of metadata analysis, style inconsistency scoring, and cross-reference validation against external sources. Post-discovery forensic review averaged $1.8 million to $3.2 million per deal, plus valuation adjustments and integration delays.
The Singapore MAS guidance explicitly identifies manipulation of transaction records, injection of false beneficial ownership information, and AI-created forged documentation as vectors criminals are actively using or developing. The plausible M&A deception scenario is not a future risk. It is a present capability gap.
A target company’s financial statements, customer contracts, or regulatory compliance certifications can be augmented with AI-generated content. The documents appear legitimate — correct formatting, plausible numbers, internally consistent narrative. Sampling-based due diligence, designed to catch human errors and deliberate omissions, does not detect fabrications that are syntactically indistinguishable from authentic documents. The assumption that provided documents are real is now a liability embedded in standard due diligence process design.
What $40 Billion Looks Like as a Line Item
Deloitte’s Center for Financial Services projects that generative AI could facilitate fraud losses reaching $40 billion in the United States alone by 2027. AI-enabled vishing incidents increased 340% year-over-year in 2025. Average loss per incident reached $3.1 million, up from $1.4 million in 2024. Seventy-one percent of successful voice cloning attacks used publicly available audio earnings calls, investor presentations, podcasts as the source material for cloning.
Real-time voice synthesis has crossed the latency threshold that makes deception operationally viable. Attackers now achieve less than 200 milliseconds of latency in voice conversion, making conversation indistinguishable from live human speech in real time. The source material for cloning a CFO, a deal partner, or a board member is available in every earnings call recording and investor presentation your organization has published.
The Giorgio Armani case, documented in February 2025, illustrates the coordinated campaign model. AI voice cloning technology impersonated executives to trick employees at multiple high-profile Italian companies into authorizing fraudulent transactions. Italian law enforcement opened investigations and immediately encountered the core challenge: existing legal frameworks do not adequately address AI-powered fraud because detecting the voice deepfake after the fact the evidentiary requirement for prosecution is technically difficult in ways that human voice fraud is not.
The fraud is ahead of the law. The fraud is ahead of most controls. And the fraud is increasingly targeting the specific transaction environments cross-border deal authorization, remote identity verification, document-heavy due diligence that M&A operations depend on.
The Control Redesign Your Process Needs
The controls adequate for 2022 are not adequate for 2026. The specific gaps that need to be closed:
Voice verification is no longer a valid authentication factor. Any process that relies on recognizing a familiar voice executive authorization calls, verbal confirmation of wire transfers, phone-based identity verification requires a secondary out-of-band confirmation channel that cannot be spoofed by voice cloning. The secondary channel needs to be agreed in advance and documented, not established in the moment of the call.
Video call verification requires liveness detection that operates at the injection layer, not the presentation layer. Standard video conferencing tools do not provide this. Organizations processing high-value transactions via video authorization should be evaluating platforms with injection attack detection capability, not assuming that seeing a familiar face on a screen constitutes verification.
Due diligence document authentication needs to move from sampling to systematic. AI-generated documents defeat sampling-based review because the fabrications are distributed consistently rather than concentrated in areas a reviewer would flag. Metadata analysis, cross-reference validation against external sources, and style inconsistency scoring are forensic capabilities that due diligence processes need to incorporate as baseline functions, not post-discovery remediation.
Identity verification for counterparties in M&A transactions beneficial ownership verification, director identification, customer due diligence needs multi-modal liveness verification as the FATF 2025 guidance now requires. Single-modal biometric checks are the verification equivalent of SMS-based MFA: a known bypass exists and is being actively exploited at scale.
The $25 million meeting is documented history. The $25 million data room is the near-term risk that most due diligence processes are not currently built to detect.
Next in The Familiar Fire: Who Pays When It Breaks — three cases filed in 2025 and 2026, zero clear answers on who is legally responsible, and an insurance market that has already decided it won’t be them.