The $25M deepfake heist that opened a $4B enterprise market

In February 2024, a finance worker at Arup, the global engineering firm with 18,500 staff across 34 offices, sat down to a video call with people she believed were her CFO and several colleagues. Each looked normal, sounded normal, behaved normally. By the end of the call she had been instructed to make 15 transfers totaling HK$200 million. That converts to roughly $25 million U.S. None of the people on the call were real. Every one of them was a deepfake.

That was the first publicly confirmed deepfake-mediated wire fraud at this scale. It is no longer the only one. What broke that day was the assumption every enterprise security stack quietly depended on: that a video call is harder to fake than a phone call. The market that has to form around that broken assumption is the Pain Point this week.

Enterprise security spent two decades hardening email, phone, and account credentials. Email got DMARC and DKIM. Voice got speaker verification. Account credentials got MFA, then biometric MFA, then phishing-resistant authenticators. Video calls got nothing.

That was a defensible position when generating a convincing real-time video impersonation required dedicated artists, hours of compute per second, and source footage that did not exist for most executives. As of 2026, every one of those constraints has eased. Producing a usable real-time video deepfake now requires minutes of consumer-grade compute and the source footage of any executive who has done a podcast, an earnings call, or a LinkedIn video.

The pain is not theoretical and it did not stop at Arup. In March 2025 a finance director at a Singapore-based multinational was contacted by someone posing as the company CFO and instructed to wire funds for a confidential acquisition. According to the FBI’s 2024 Internet Crime Complaint Center report, business email compromise alone cost U.S. organizations $2.77 billion across 21,442 reported incidents last year, and AI-enabled variants of BEC are the fastest-growing subtype. Industry monitoring put deepfake-enabled vishing attacks at a 1,600 percent quarter-over-quarter increase entering Q1 2025.

The defense stack is improvising. CFOs at Fortune 1000 companies are telling Treasury teams to reject any wire request originated on a video call without an out-of-band confirmation. Some are mandating “safe word” systems that have not been used in corporate finance since the 1980s. Vendors have not caught up.

Three forces converged into a single window.

First, the trigger event happened. Arup made deepfake BEC a board-level conversation overnight. Boards do not engage on emerging risks. They engage on losses they can name and a reporter has already covered. The Singapore March 2025 incident reinforced the pattern.

Second, the category received its first major institutional validation. Pindrop’s Pulse for Meetings was named to TIME’s Best Inventions of 2025. Reality Defender raised a $33 million Series A expansion in April 2025 led by Illuminate Financial with Accenture, IBM Ventures, and Booz Allen Ventures participating. GetReal, co-founded by Hany Farid, raised $17.5 million in Series A led by ForgePoint. Persona, which is identity verification adjacent, raised $200 million at a $2 billion valuation in April 2025 and reported blocking 75 million deepfakes in a single month.

Third, no clear winner has been declared. Pindrop owns the voice channel with $232 million raised across 14 rounds, but the workflow-integrated transactional category is open. The window to define it is now.

The opportunity has three layers, each with a different buyer.

The first layer is real-time deepfake detection inside video conferencing platforms. The buyers are Zoom, Microsoft Teams, Google Meet, Webex, and the secure-comms vendors selling to government and finance. Reality Defender, GetReal, Sensity, Resemble AI, and Pindrop’s Pulse for Meetings all compete here. Reality Defender is positioned strongly with deployments at tier-one banks, government agencies, and media companies, and 2025 recognition as a Gartner Market Leader, a WEF Technology Pioneer, and an inductee in JPMorgan’s Hall of Innovation. Contract sizes are large but the buyer pool is small and slow.

The second layer is enterprise authentication for high-trust events: executive video calls, treasury operations, M&A diligence rooms, insurance claim verification, and remote notarization. Buyers are CISOs and Treasury at $500 million-plus revenue companies. The product is workflow-integrated identity proofing tied to specific transactional decisions. Pindrop has the strongest voice-channel position with Pulse, which independent NPR testing found 99 percent accurate at less than 1 percent false positive rate, outperforming competitors by 40 percentage points. The video-channel equivalent for transactional workflows is up for grabs.

The third layer is consumer-grade defense for executives and high-net-worth individuals personally targeted. Smallest market today, highest unit economics.

Comparable acquisitions to anchor pricing intuition: Entrust acquired Onfido for $650 million in April 2024. Mastercard acquired Ekata for $850 million in 2021. ID.me reached a $2 billion valuation in September 2025 after a $340 million round. Persona reached $2 billion in April 2025. The deepfake-specific category has no public acquisition comp yet, which itself is a signal: the acquirers have not picked their winner.

The broader identity verification market is projected at $14.86 billion in 2025 growing to $43.38 billion by 2034.

The wedge most likely to produce a fundable company in 2026 is not detection itself. Detection is a feature. Microsoft AppSource already lists Sensity, UncovAI, and Reality Defender as third-party Teams add-ins. The wedge is workflow integration into a specific high-trust transaction.

Imagine a Treasury operation that wires money only after a video call. The status quo is Slack messages, callback policies, and prayer. The product opportunity is a thin layer between the video conferencing tool and the Treasury workflow that requires both parties to authenticate, runs inference on the live video stream, and creates an audit log. Sold to corporate Treasury, priced per protected transaction, integrated with TreasuryDirect, Kyriba, GTreasury, and the major ERPs.

The pattern repeats for M&A diligence rooms, insurance claim adjudication on video calls, and remote notarization. Detection plus workflow plus audit, sold to a transactional buyer with an existing fraud loss reduction budget.

The first customer is a mid-market financial services firm with a recent BEC scare and a Treasury function under board pressure. Sales cycle: 90 to 120 days. The first product can be built by a team of three engineers and one fraud-domain operator in nine months.

Platform fee plus per-protected-transaction usage. Not pure SaaS, not pure API metering. The platform fee covers integration, audit logging, identity directory sync, and ongoing model updates. The usage fee captures the value moment, which is the protected wire, the protected diligence session, or the protected claim.

ACV $75,000 to $700,000 depending on customer size. Gross margins 75 to 85 percent at scale, dragging to 65 to 75 percent in year one because of services drag during integration.

The alternative model worth considering is FDE-led professional services with embedded software, the Palantir model. This fits if early customers are the largest banks and federal agencies where deployment is genuinely custom. Higher ceiling per customer, slower path to scale. For most teams, platform-plus-usage is the cleaner wedge.

Detection accuracy is an arms race. Generation models improve every month and detection has to keep up. Pindrop reports 99 percent accuracy on audio today, but adversarial techniques against video and audio jointly are moving faster than peer-reviewed detection benchmarks.

Customer adoption is slow at the enterprise level. CISOs are exhausted, Treasury teams are conservative, and board pressure on this specific risk is recent. Buyers move when they have to.

Regulatory ambiguity is real. Several state attorneys general are drafting deepfake-specific liability frameworks. Federal action is unlikely before late 2026, leaving builders in a temporary gray zone.

The biggest non-obvious risk is platform absorption. Microsoft Teams already lists Sensity, UncovAI, and Reality Defender in its marketplace. Microsoft, Google, Cisco, and Zoom each can build deepfake detection natively. If any do, the third-party detection market for general meetings shrinks fast. The defensible play stays workflow-integrated and transaction-specific, where the platforms have neither the integration depth nor the appetite to compete.

The right mental model for this category is not “build a better deepfake detector.” It is “build the workflow integration that makes deepfake detection load-bearing for a specific transaction.” The product is not the algorithm. The product is what happens when the algorithm is wrong.

Builders should ask themselves: would my product still be valuable if my detection accuracy were only 90 percent? If yes, the workflow and audit log are doing the real work, and the business is defensible. If no, you are building a feature that platform incumbents will absorb the moment Microsoft Teams ships native detection.

Investors should ask the team: what is your customer’s regulatory or insurance compliance argument for buying you instead of waiting for Microsoft to ship the feature? If the team cannot answer in one sentence, the thesis is platform-absorption-vulnerable.

The common evaluation mistake here is treating detection accuracy as the product. The companies that win sell trust, audit, and deniability to a Treasury or CISO who needs to defend the decision they made on the call. Detection is a means.

Pricing intuition: the buyer is paying for sleep, not signal. Price for the consequence of a wire mistake, not the cost of inference compute.

Founders. Pick one transactional vertical (Treasury, M&A diligence, insurance claims, remote notarization) and build the workflow-plus-detection-plus-audit stack for it. The TAM looks smaller. The path to revenue is shorter.

Investors. Ask any startup pitching this category to name their first paying customer in the first 60 seconds. If they cannot, the market is theoretical for them. Then ask what their answer is to “why aren’t you a Microsoft Teams feature in 18 months.”

Operators in financial services. Issue a one-page Treasury policy memo this week. Wire transfers above a defined threshold cannot originate on a video call without out-of-band confirmation. Free, effective, board-defensible. If your team needs the template, reply to this email.

Acquirers. Watch for startups with three or more named enterprise reference customers signed in the past 12 months. Pindrop has Pulse for Meetings GA. Reality Defender has tier-one banks. The next public reference customer announcement at six-figure-plus ACV is the leading indicator.