Arup hit the headlines for the wrong reasons when the firm was targeted by criminals who succeeded in pulling off a major fraud. “Fraudsters use deepfake technology to trick employee into paying millions” ran one headline, but the story is more subtle than that. Clearly, media attention was driven by the fact that the fraudsters used manipulated videos and voicemails to convince people they were talking to genuine colleagues. But as Arup’s Chief Information Officer, Rob Greig, pointed out, the interesting part is that the criminals did not penetrate the firm’s IT networks or disrupt business operations. Rather, they used “technology enhanced social engineering” to convince people to process transactions.It was a sophisticated, preplanned attack that used tactics such as phishing, vishing and smishing, all backed by fake documentation and a false sense of urgency. At its heart, though, this was an old-fashioned payment scam with a modern makeover. Since the incident, the firm has reviewed every aspect of its systems and processes. Among the key lessons learned is that cybersecurity alone is not enough. Building real resilience requires a culture of critical assessment and the ability to spot red flags across the organization. The most important lesson, though, is that industry, the police and public authorities all need to find better ways to share information and frustrate the fraudsters.CASE STUDY 1 Old scams and new technology – ArupFinally, GenAI lowers the barriers to entry into the cybercrime arena in terms of cost and required expertise. GenAI is expected to streamline the process from the exploitation of vulnerabilities to the deployment of malware, scaling up operations that were previously reliant solely on human capabilities.By understanding the complexity of the cyberthreat landscape as well as the behaviour and motivations of cybercriminals, organizations can better assess the risks facing them and then tailor and prioritize security strategies to enhance resilience against such threats. The complexity of today’s cyber threats and evolving criminal methodologies requires a unified response. This response requires coordination not only from the global law enforcement community, but with cybersecurity experts who provide their own talents, experiences and expertise. In 2024, INTERPOL’s Cybercrime Directorate supported several regional and global cybercrime operations that were very successful in large part due to these collaborations. As we move into 2025, our team will continue to pursue new partnerships and strengthen existing ones to have even greater impact disrupting cybercriminal activity. Neal Jetton, Director, Cybercrime Directorate, International Criminal Police Organization (INTERPOL)As global leaders, we see cyber challenges as more than just a threat – they’re a chance to make a real difference in how we protect people and businesses. Malicious cyber activity takes a significant toll on the most vulnerable populations, so we must urgently drive ecosystem-level solutions that bring everyone together, from small local companies to big global corporations. By collaborating like never before, we can turn the tables in 2025, make systemic change and create digital defences that work for everyone. Philip Reiner, Chief Executive Officer and Founder, Institute for Security and TechnologyWhen augmented with GenAI, threat actors can create convincing impersonations of the voice, video, images and writing styles of senior leaders. When these deepfakes are maintained over prolonged interactions with targeted staff, they can be used to defraud organizations or help attackers gain access to their IT systems. Accenture’s research has noted a 223% rise in the trade of deepfake-related tools on dark web forums between Q1 2023 and Q1 2024.15Additionally, 55% of CISOs polled during the Annual Meeting on Cybersecurity 2024 stated that deepfakes pose a moderate-to-significant cyberthreat to their organization. With staff remaining the real target of deepfake attacks, as well as phishing campaigns in general, organizations will need to rethink how they train and protect everyone, from employees to the C-suite and board, about new patterns of cybercrime. Global Cybersecurity Outlook 2025 16