Deepfake attacks surge as criminals target trust, not systems - ITWeb

What happened

At the 2026 ITWeb Security Summit, cyber security expert Yunus Scheepers detailed how organizations are increasingly vulnerable to deepfake attacks that target human trust rather than technical infrastructure. A prominent example involved the global engineering firm Arup, where a finance employee was tricked into transferring $25 million after participating in a video conference call. The employee believed they were speaking with the company’s CFO and other executives, but every other participant on the call was a deepfake. The stolen funds were moved across five separate bank accounts in five transactions, and the money has not been recovered.

A similar attempt was made against an executive at Ferrari by someone impersonating CEO Benedetto Vigna. This second attempt failed when the targeted employee questioned the caller by asking about a specific book recommendation from the previous week. Upon being challenged, the caller ended the communication immediately. These incidents demonstrate that criminals are leveraging AI to craft highly convincing representations of known associates, utilizing open-source intelligence and dark web data to increase the authenticity of their social engineering efforts.

Scheepers noted that these attacks exploit the limitations of digital communication, which restricts human interaction to only two senses: sight and sound. Because these senses can be digitally manipulated, employees are often forced to rely on instinct. The critical difference between the Arup and Ferrari cases was the employee's willingness to challenge authority. Organizations are now being urged to move beyond simple awareness programs toward active training, which includes simulated scenarios to test reactions. Establishing a culture of psychological safety where staff feel empowered to verify unusual requests is described as a vital defense against the rising tide of AI-powered deception.