← Back to Blog

The $25 Million Video Call That Fooled Everyone: How AI Is Breaking Social Engineering Wide Open

April 8, 2026

In January 2024, an employee at a multinational corporation in Hong Kong joined a video call with his company's UK-based chief financial officer and several colleagues. They discussed a confidential transaction. The CFO gave clear instructions. Over the course of the meeting, the employee made fifteen separate transfers totaling roughly $25.6 million.

Every person on that video call except the employee was a deepfake. The faces, voices, gestures, and backgrounds were all synthetically generated from publicly available video of the real executives.

This is not a theoretical future threat. It already happened. And the technology that made it possible is getting cheaper and more accessible every month.

Social engineering — manipulating people into giving up information, access, or money — has been the most effective hacking technique for decades. The 2020 Twitter hack that compromised Barack Obama and Elon Musk started with a phone call. The Target breach that exposed 40 million credit cards started with a phishing email to an HVAC vendor. But artificial intelligence is transforming social engineering from a craft practiced by skilled individuals into an industrial operation that can be automated, personalized, and deployed at scale.

The bad grammar that used to be your best phishing indicator? Gone. The assumption that a voice on the phone belongs to the person it sounds like? No longer reliable. The belief that seeing is believing on a video call? Dangerously outdated.

Your Brain Was Designed to Be Hacked

The reason social engineering works is not that victims are stupid. It is that human cognition runs on shortcuts — and those shortcuts are exploitable by anyone who understands them.

Psychologist Robert Cialdini identified six principles of influence that govern how people are persuaded: authority, urgency, reciprocity, social proof, liking, and commitment. Social engineers have turned this academic research into an operational manual.

Authority is the most exploited principle. When an attacker calls a help desk and says "This is John from the IT security team, I need you to reset the password on this account immediately," the help desk employee complies because authority is a cognitive shortcut. In most situations, deferring to legitimate authority is the correct response. Your boss does have the right to assign you tasks. The IT department does need to reset passwords sometimes. Social engineers manufacture the signals of authority — titles, uniforms, jargon, confidence — without possessing the actual authority they imply.

Urgency compounds the effect. "Your account has been compromised — we need to verify your credentials immediately." Time pressure discourages the target from pausing, thinking, and verifying. An authority figure making an urgent request is nearly irresistible.

The neuroscience backs this up. The amygdala activates when we perceive social disapproval or conflict. Refusing a request, questioning someone's authority, or challenging a social norm triggers a mild threat response. The brain treats social noncompliance as a form of danger. Refusing a social engineering attempt is not psychologically free. It costs something — and most people pay the cost of compliance instead.

This is why smart people fall for social engineering. Intelligence is not a defense because social engineering does not target intelligence. It targets behavior. A CEO with an MBA from Harvard is just as susceptible to authority bias as a first-year employee. In some cases, more so — because senior leaders are accustomed to receiving urgent requests and making rapid decisions.

The Billion-Dollar Fraud Nobody Talks About

Ransomware dominates the headlines. But the single most financially destructive form of cybercrime is Business Email Compromise — BEC — and most people have never heard of it.

The FBI's Internet Crime Complaint Center tracked over $2.9 billion in BEC losses in 2023 alone. Between 2013 and 2023, cumulative BEC losses exceeded $50 billion worldwide. That is more than ransomware, data breaches, and tech support scams combined.

BEC is social engineering in its purest form. In 2015, Ubiquiti Networks sent $46.7 million to criminals because an email that appeared to come from a senior executive requested wire transfers for a confidential acquisition. No malware. No firewall breach. No zero-day exploit. An employee received an email, believed it was from a colleague, and followed the instructions.

The anatomy is always the same: reconnaissance, email compromise or spoofing, a plausible financial request, and psychological pressure. The attacker combines urgency ("I need this done before end of day"), authority (the request appears to come from the CEO), secrecy ("Keep this between us — this is a confidential transaction"), and unavailability ("I'm in a board meeting — please handle this via email"). That last element blocks the most effective verification method: a phone call.

What makes BEC devastating is that the attacker is not asking the target to do something abnormal. Wire transfers, vendor payments, and direct deposit changes happen in normal business operations every day. The attacker simply redirects them. Toyota Boshoku lost $37 million. FACC, an Austrian aerospace manufacturer, lost $47 million — and fired both its CEO and CFO afterward.

Every one of these organizations had standard financial controls. Approval hierarchies. Accounting processes. Audit procedures. What they did not have were verification procedures specifically designed to catch social engineering.

What Actually Works as a Defense

The goal is not to make people immune to social engineering. That is impossible. The goal is to make people 10 percent more skeptical, 10 percent slower to respond to urgent requests, and 100 percent more willing to report something that feels wrong. That modest shift, applied across an entire organization, dramatically reduces the attack surface.

Three concrete changes that matter:

Kill the urgency loophole. Any financial request that combines urgency with a directive to bypass normal procedures should trigger automatic verification through an out-of-band channel — a phone call to a known number, not the number in the email. This single policy would have prevented every major BEC case described above.

Make verification safe and normal. Employees who question suspicious requests should be praised, not punished for slowing things down. If your culture treats verification as insubordination, you have built an organization optimized for social engineering.

Assume voice and video can be faked. Post-2024, voice calls and video calls are not reliable identity verification on their own. Establish code words or challenge-response protocols for high-value requests. It sounds paranoid until you remember the Hong Kong case.

The deepfake technology is only going to get better. The defenses that work are not technological — they are procedural and cultural. Training that acknowledges anyone can be fooled. Processes that make verification frictionless. And a culture where questioning authority is treated as a security feature, not a personality flaw.

From the Catalog

Browse all
Loop Engineering
Loop Engineering
Designing Self-Running AI Agent Systems: From Manual Prompting to Autonomous Loops That Build, Verify, and Iterate While You Sleep
The AI-Native CIO
The AI-Native CIO
How the Executive Role Is Being Rewritten by Artificial Intelligence
Ship It With AI
Ship It With AI
How Non-Technical Founders Are Building Real Products
Belle Starr
Belle Starr
The Bandit Queen