In January 2024, a finance employee at Arup, a multinational engineering firm, joined a video call with several colleagues, including the company's CFO. The call looked normal. The faces were familiar. The conversation made sense. At the end of it, he authorized $25.6 million in transfers across 15 transactions.
Every person on that call was a synthetic. The faces were generated from publicly available video footage. The voices were cloned from recordings anyone could find online. The attackers didn't need a single malicious link or a spoofed email domain. They needed footage, time, and the reasonable assumption that nobody on the receiving end had ever seen something like this before.
That was the $25M assumption.
The exploit wasn't technical. It was unfamiliarity.
What made the Arup attack work wasn't sophisticated tooling. The underlying technology was, and still is, widely accessible. What made it work was that the target had no frame of reference for what a convincing synthetic looked like in real time.
That's the actual vulnerability. Not a gap in perimeter security. Not a missing patch. A gap in experience.
And it's not unique to Arup. In May 2024, WPP's CEO Mark Read was impersonated in a Microsoft Teams call that combined an AI voice clone with YouTube footage of him. The target was an agency leader asked to set up a new business and hand over money and personal details. The scam failed, but Read sent a company-wide warning afterward: "We all need to be vigilant to the techniques that go beyond emails to take advantage of virtual meetings, AI and deepfakes." A wave of AI-generated voice fraud, synthetic CFO calls authorizing wire transfers, and vendor impersonations over the phone has been documented across industries from financial services to healthcare.
The pattern is consistent: the target was smart, the organization was well-resourced, and the attack worked (or nearly worked) anyway. Because the employees had never experienced it before.
Most organizations are trying to describe their way out of this.
The common response to deepfake fraud risk has been education: awareness emails, a slide in annual training, a link to a news article. And these aren't bad impulses; indeed, awareness matters.
But describing what a deepfake looks like is not the same as showing someone one. You can explain in precise detail what it feels like to lose your footing on ice, and it still won't prepare someone for the actual sensation the first time it happens. Pattern recognition, the thing that protects people under pressure, only develops through prior exposure.
The Arup employee wasn't uninformed. He likely knew deepfakes existed. He just hadn't seen one that looked like this and wasn’t expecting it.
The training gap isn't knowledge. It's experience.
For most security teams, building that experience wasn't actually possible.
This is the part that hasn't been talked about enough. Security teams that wanted to run a deepfake simulation after all these incidents found that the practical path to doing so was nearly impossible.
Vendors who claimed deepfake simulation capability were routing requests through manual production teams. You'd file a ticket, provide a photo and some context, and wait. Three weeks. Sometimes six. The finished asset would arrive, static and unmodifiable. It couldn't be localized for a different office. It couldn't be updated when the scenario evolved. By the time it was ready, the urgency that prompted the request had usually faded.
The result: most organizations have never run a deepfake simulation. Not because they don't want to. Because the infrastructure to do it simply wasn't available to them.
That's what Frame Deepfake Studio changes.
Frame's Deepfake Studio is a fully self-serve tool for creating AI-generated deepfakes – video and audio – without a production team, without a vendor ticket, and without waiting.
Upload one photo and a short voice clip: a conference recording, an all-hands segment, anything with a few seconds of audio. Frame generates a full-scene deepfake: realistic facial expressions, natural movement, a background you set with a text prompt (office, airport lounge, conference room, wherever the scenario calls for). The generation takes minutes. The output is multilingual. One character can speak in any language Frame supports (currently 70+ and growing).
Everything is generated inside Frame's own infrastructure, using Anthropic, OpenAI, and AWS. No third-party video generation labs. No data going to unknown processors. The platform prompts for consent before any likeness is created.
The deepfake is directly embeddable in Frame's Content Studio as a simulation lure, a training intro, an executive security awareness message, or anything else your program needs. You control it.
Prepare your workforce for the deepfake attacks hitting them today.
A peer firm gets hit with a deepfake wire fraud on a Tuesday. By Wednesday afternoon, your security team can have a simulation running against your own employees, built around your actual leadership, with your actual scenarios, in the languages your teams work in.
That's the shift. The attacker's advantage has always been novelty: the assumption that your people have never encountered this before. Deepfake Studio makes that assumption harder to rely on.
Prior exposure is the only reliable defense against a social engineering attack built on unfamiliarity. Now building that exposure is something your team can do in an afternoon.


