Workflow Playbook · AI Workflows · Updated June 25, 2026

Deepfake CFO Wire Fraud: A Verification SOP for Finance Teams

A cloned voice or a fake video of your CFO can now ask for an urgent wire and sound exactly right. Fear is not a control. This is the practical desk kit: a deepfake-resistant payment-authorization SOP your team can adopt this week, a red-flags table for the "CFO on a video call" request, and a way to use Claude to draft your firm's AI-fraud policy and staff training memo in an afternoon.

The one rule that stops most of these attacks: no payment instruction, and no change to payment details, is ever authorized off a single call, video, or message. The request must be confirmed out of band, by calling the requester back on a known number from your own records, never a number supplied in the request, and confirming a pre-agreed code phrase. Above a set dollar threshold, two named people approve independently. Urgency is treated as a red flag, not a reason to move faster. Build that into a written SOP, train to it, and the realistic deepfake becomes a request that simply fails your process.

Key Takeaways

  • The control that beats a deepfake is procedural, not technical: out-of-band callback on a known number plus a named code phrase, every time, with no exceptions for senior people.
  • Urgency, secrecy, and a request to change payment details are the three pressure tactics in nearly every case. Train your team to treat all three as stop signals.
  • The Arup case, in which finance staff sent about 25.6 million dollars across 15 transfers after an all-deepfake video call, shows the threat is real and already operational. The figures here are attributed to the security and news sources cited, not to The Leveraged Years.
  • You can use Claude to draft a firm AI-fraud policy and a staff training memo in an afternoon, then a human reviews and owns the final version. The SOP and the training artifact are the deliverables fear-based coverage never ships.

Why this threat is different

Finance teams have always faced wire fraud. What changed is that the impersonation is now convincing. Generative AI can clone a known voice from a few seconds of audio and produce a live-looking video of a named executive. The request that used to arrive as a slightly-off email now arrives as your CFO's face and voice on a video call, asking you to move money quickly and quietly.

The most-cited example is the Arup case, reported by CFO Dive and Eftsure: a finance worker at the engineering firm joined what looked like a video call with the company's chief financial officer and other colleagues, all of whom were deepfakes, and went on to send about 25.6 million dollars across 15 transfers in Hong Kong. That was not a careless person. That was a normal process meeting an attack the process was never designed to stop.

The broader picture, attributed to the security sources cited at the foot of this piece, is that this is now a top operational risk for finance functions. Deepfake activity is estimated to have risen roughly 162 percent in 2025. Reported figures put deepfake-fraud losses above 200 million dollars in the first quarter of 2025, and around 44 percent of finance professionals report having faced a deepfake-driven fraud attempt. Treat those as the cited sources' numbers, not ours. The takeaway does not depend on any single statistic: the impersonation is good enough that your people cannot reliably tell real from fake by sight or sound, so the defense cannot rest on them recognizing a fake. It has to rest on a procedure that does not care how convincing the request looks.

The same AI that can fake your CFO can also harden your controls. The answer to a convincing fake is not a sharper eye. It is a procedure the fake cannot pass.

Red flags: a CFO on a video call asking for an urgent wire

Before the SOP, give your team a shared map of what an attack actually looks like in the moment. The pattern is consistent across reported cases. The point of this table is that each red flag has a specific control that neutralizes it, so the team is never relying on a gut feeling alone.

| Red flag | What it looks like | The control that stops it |
|---|---|---|
| Manufactured urgency | "This has to go out in the next hour or we lose the deal." Pressure to skip the usual steps. | Urgency is itself a red flag. The SOP timeline does not compress for any request. Speed is never a reason to bypass verification. |
| New or changed payment details | A request to send to a new account, or to update a known vendor's or executive's banking details. | No payment-detail change is ever made off a single call, video, or message. Confirm the change out of band on a known number before touching the record. |
| Pressure for secrecy | "Keep this between us, it's confidential, do not loop in the team." Isolation of the target. | Dual control above the threshold makes secrecy impossible. A second named approver must independently confirm, so no payment is a private decision. |
| A contact channel chosen by the requester | A phone number, link, or person to "verify with" supplied inside the request itself. | Out-of-band callback on a known number from your own records only. Never a number, link, or contact provided in the request. |
| Authority that discourages questions | A senior person, on camera, implying that asking for verification is insubordinate. | The SOP applies to everyone, with no seniority exception. Following the process is the job, not a slight. |
| "Just confirm on this call" | The request asks you to treat the live video or voice itself as the verification. | A live call is never the verification. The code phrase plus a callback on a known number is, because a deepfake can pass the call but not the out-of-band check. |

Read the right column as the actual defense. Every one of these attacks is engineered to make a person feel that following the process would be slow, rude, or career-limiting. The fix is to make following the process non-optional and explicitly expected, so no one has to find the nerve to challenge a fake CFO in the moment. They just run the SOP.

The deepfake-resistant payment-authorization SOP

This is the centerpiece. It is a numbered procedure your team can adopt as written, adjusting the threshold and the named roles to your firm. It is deliberately boring. Boring is what survives contact with a convincing fake. Print it, post it by the AP desk, and train every person who can touch a payment to follow it without exception.

  1. Receive the request and stop the clock. Any instruction to send a payment, or to change payment details, triggers the SOP, regardless of who appears to be asking or how urgent it sounds. Do not act on the live call, video, or message. Acknowledge that you will confirm through the standard process, and say so plainly. The request is now paused until it clears verification, and that pause is the policy, not a personal hesitation.
  2. Call back on a known number only. Verify the request by contacting the requester out of band, using a phone number from your own internal directory or vendor records that you held before this request arrived. Never use a number, link, email, or contact supplied in the request itself, because the attacker controls that channel. If you cannot reach the requester on a known number, the payment does not proceed. This single step defeats most deepfake attacks, because the fake can hold a video call but cannot answer your call to the real person's known line.
  3. Confirm the named code phrase. On that out-of-band call, exchange a pre-agreed code phrase that your team has set in advance and never shares over email, chat, or any inbound request. A correct code phrase from the real person on a known number confirms identity in a way a deepfake cannot fake. A request that cannot produce the code phrase is stopped, no matter how convincing the face on the screen was.
  4. Apply dual control above the threshold. Set a dollar threshold appropriate to your firm. Any payment at or above it requires two named, authorized approvers who confirm independently, not one person twice and not a junior staffer acting alone under pressure. The two approvers verify the request separately, so a single isolated target can never release the funds. Secrecy and isolation, the attacker's favorite tools, stop working the moment two people must agree.
  5. Refuse any payment-detail change off a single channel. Treat a request to add a new payee or change an existing payee's banking details as its own high-risk event. No such change is ever made on the strength of one call, one video, or one message. Confirm the change by out-of-band callback on a known number, and where possible against a second piece of evidence you already hold, before the record is touched. Many large losses are not new payments at all. They are a quiet edit to a trusted vendor's account details.
  6. Treat urgency as a stop signal, not a reason to rush. Build into the SOP, in writing, that urgency increases scrutiny rather than reducing it. The verification timeline does not compress for an emergency. If a request cannot survive a known-number callback and a code phrase because there is "no time," that is the clearest sign it is an attack. A genuine executive will respect the process. An attacker needs you to abandon it.
  7. Log it and report anything that fails. Record that the SOP was followed, who verified, and how. Any request that fails verification is reported to security or management immediately, not quietly dropped, because a failed attempt is intelligence: it tells you that you are being targeted and lets you warn the rest of the team. The log also protects the staff who correctly stopped a payment.

Notice what the SOP does not rely on. It does not ask anyone to detect a deepfake. It does not depend on a person being brave enough to doubt a senior face on a screen. It moves the decision off the channel the attacker controls and onto a channel they do not: your own known number, your own code phrase, and a second named human. That is why it works against an impersonation good enough to fool the eye and the ear.
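Where the payment system can enforce the SOP rather than rely on the desk card alone, the release decision in steps 2 through 4 can be written as a gate that fails closed. The sketch below is an added example, not part of the original playbook; the threshold figure, approver names, directory contents, and phone numbers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime

THRESHOLD = 50_000  # placeholder figure: set your firm's own threshold
AUTHORIZED = {"approver_a", "approver_b"}  # hypothetical named approvers
# Constructed directory: requester -> (known number, date the record was created)
DIRECTORY = {"cfo": ("+1-555-0100", datetime(2024, 1, 10))}

@dataclass(frozen=True)
class Request:
    requester: str
    amount: float
    received_at: datetime
    supplied_number: str = ""  # contact offered in the request; never dialed
    changes_payee_details: bool = False  # step 5: same checks, no shortcut
    marked_urgent: bool = False  # step 6: read by nothing below, by design

@dataclass(frozen=True)
class Check:  # one approver's own out-of-band verification (steps 2 and 3)
    approver: str
    dialed_number: str
    code_phrase_ok: bool

def evaluate(req, checks):
    """Return (release, failures). Any failure means pause and report (step 7)."""
    failures = []
    entry = DIRECTORY.get(req.requester)
    # A number only counts as "known" if it was on file before the request arrived.
    known = entry[0] if entry and entry[1] < req.received_at else None
    if known is None:
        failures.append("no number on file that predates the request")
    verified = set()  # a set, so one person verifying twice counts once
    for c in checks:
        if c.approver not in AUTHORIZED:
            failures.append(f"{c.approver}: not a named approver")
        elif c.dialed_number != known:
            failures.append(f"{c.approver}: callback not on the known number")
        elif not c.code_phrase_ok:
            failures.append(f"{c.approver}: code phrase not confirmed")
        else:
            verified.add(c.approver)
    needed = 2 if req.amount >= THRESHOLD else 1  # step 4: dual control
    if len(verified) < needed:
        failures.append(f"{len(verified)} of {needed} independent verifications")
    return (not failures, failures)

# Constructed sample: an urgent request that supplies its own "verify" number.
WIRE = Request("cfo", 200_000, datetime(2026, 6, 1, 9, 0),
               supplied_number="+1-555-0199", marked_urgent=True)
FAKE_PASS = evaluate(WIRE, [Check("approver_a", "+1-555-0199", True)])
REAL_PASS = evaluate(WIRE, [Check("approver_a", "+1-555-0100", True),
                            Check("approver_b", "+1-555-0100", True)])
```

The failures list is what goes into the step 7 log and report; the urgency flag is carried on the request but no branch reads it, so it cannot shorten the checks.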

The desk card (paste-ready, tape it to the workstation)

The SOP only works if it is in front of the person when the call comes in. Print this card and tape it where payments get approved. It is the SOP compressed to what you do in the moment, plus the exact words to say when you are being pushed.

Before you move any money: stop and run this

  • Hang up. The live call is never the verification.
  • Call back on a known number from our directory, never a number from the request.
  • Ask for the code phrase. No correct code phrase, no payment.
  • At or above [threshold], a second named approver confirms independently.
  • New or changed bank details? Confirm out of band before touching the record.
  • Urgency means slow down, not speed up. Report anything that fails to security.

What to say in the moment

To the "CFO" on the call: "Understood. I will confirm this through our standard verification and call you right back on the number we have on file." Then hang up and call the known number.

When pushed to skip steps: "Our policy applies to every payment with no exceptions, including mine. I cannot release this until it clears verification. That protects you as much as the firm."

When escalating to a manager: "I have a payment request that failed our callback or code-phrase check. I have paused it and I am reporting it as a possible deepfake attempt." You will never be penalized for verifying.

Use Claude to draft your policy and training in an afternoon

The SOP above is the control. The second deliverable is getting it adopted, which means a written firm policy and a staff training memo. This is exactly the kind of structured drafting where AI saves real hours, as long as a human owns the final version. Here is the workflow, with example prompts you can adapt. The prompts are written so you give de-identified context only, and a person reviews every line before it becomes policy.

First, draft the policy. Open Claude and give it your real parameters without any client or vendor names. Example prompt: "You are helping a finance leader draft an internal AI-fraud and payment-verification policy. Our context, de-identified: a finance team of about a dozen people, wire payments, a dual-control threshold I will set, and a known-number callback plus code-phrase verification process. Draft a one-to-two page policy covering: scope, the verification procedure, the dual-control threshold, the rule that urgency increases scrutiny, the rule that no payment-detail change happens off a single channel, reporting of failed attempts, and a statement that the policy applies to everyone with no seniority exception. Keep it plain and specific. Flag anything you are unsure about rather than inventing detail."

Second, draft the training memo. Example prompt: "Using the policy above, write a short staff training memo for the finance team. Explain in plain language why deepfake impersonation makes a live call unreliable as verification, walk through the red flags of urgency, secrecy, and payment-detail changes, and state clearly that following the verification process is expected and protected, never insubordination. Include three or four realistic example scenarios and the correct response to each. Do not include any real names or account details."

The human review caveat

Claude gives you a strong first draft fast. It does not give you a finished policy. A named human, your finance leader or controller, must read every line, set the actual dollar threshold and the named roles, confirm it fits your firm and your jurisdiction, and check it against any regulatory expectations before it is adopted. The model drafts; a person decides, sets the numbers, and signs. For the regulatory context that should inform that review, see the companion piece on verification controls and supervisory expectations linked below.

What AI does not replace

AI can draft the policy and the training memo, and it can help you pressure-test the wording. It cannot run the control. The defense against a deepfake CFO is a disciplined human procedure: a person who calls the known number, confirms the code phrase, and holds the line on the dual-control threshold even when a convincing face on a screen is pushing for speed and secrecy. AI also does not own the judgment in the gray cases, the relationship with the executives whose names get faked, or the accountability for the funds. Used well, AI helps you build and teach the procedure faster. The procedure itself, and the discipline to follow it under pressure, stays human.

Our methodology

How we built this, and where the numbers come from

The SOP and the red-flags table in this piece are a practical control set assembled from the reporting on real cases and standard payment-verification practice. The security statistics, the estimated 162 percent rise in deepfake activity in 2025, the figure of more than 200 million dollars in deepfake-fraud losses in the first quarter of 2025, and the roughly 44 percent of finance professionals reporting a deepfake-driven attempt, are attributed to the cited security sources, not to The Leveraged Years. The Arup case figures, about 25.6 million dollars across 15 transfers, are as reported by CFO Dive and Eftsure. The Leveraged Years just launched, and we will not present any of these as our own survey data or invent numbers we do not have. Confirm the SOP fits your firm policy, your jurisdiction, and any regulatory expectations before adopting it.

Frequently asked questions

What is the single most important control against a deepfake CFO wire request?

An out-of-band callback on a known number. Verify any payment instruction by calling the requester back on a phone number from your own internal directory or vendor records, never a number supplied in the request. A deepfake can hold a live video call, but it cannot answer your call to the real executive's known line. Pair that callback with a pre-agreed code phrase and a deepfake-resistant verification becomes routine.

Why is the live video call itself not enough to verify the request?

Because the live call is exactly what the attacker controls and has faked. In the reported Arup case, finance staff were on a video call with what looked like the CFO and several colleagues, and all of them were deepfakes. Treating the call as proof is treating the attacker's own channel as verification. The verification has to happen on a separate channel the attacker does not control: your known number and your code phrase.

What dollar threshold should trigger dual control?

Set it to fit your firm's normal payment sizes and risk tolerance; there is no single correct number, so we will not invent one. The principle is what matters: above the threshold you choose, two named and authorized people must approve independently, never one person acting alone under pressure. Set it low enough that the payments an attacker would target are covered, and make it a written rule with no seniority exception.

Can I really draft a fraud policy and training with Claude?

You can draft them in an afternoon, and that is a real time saving, but a human owns the final version. Give Claude de-identified context and your chosen parameters, have it produce a policy and a training memo, then your finance leader reads every line, sets the actual threshold and named roles, checks it against your jurisdiction and any regulatory expectations, and signs off. The model drafts; a person decides and is accountable.

How do I get senior people to follow the SOP without it feeling like distrust?

Make it explicit in the policy that the verification process applies to everyone with no exceptions, and that following it is expected and protected rather than insubordination. Attackers rely on staff feeling that challenging a senior request is rude or risky. When the SOP states plainly that a callback and code phrase are simply how every payment works, no one has to find the nerve to doubt a face on a screen. They are just doing the job as written, and the real executives know it protects them too.

Part of TLY's AI Workflows

This is a workflow playbook in TLY's AI Workflows, where we test how senior professionals actually use AI and report honestly on what works and what does not.
