Business Video Compromise, Explained
Email fraud taught us not to trust the inbox. Business Video Compromise asks a harder question: what happens when you can no longer trust your own eyes on a video call?
On a January morning in 2024, a finance employee at the engineering firm Arup joined a video call. The chief financial officer was on it, calling in from the UK, along with several familiar colleagues. They discussed a confidential deal and asked the employee to move money. He had been suspicious of the email that set up the meeting, but the call put his doubts to rest. The faces were right. The voices were right. Over the next stretch he approved 15 transfers worth about 25.6 million dollars.
Every other person on that call was a deepfake. The CFO, the colleagues, all of them were AI-generated recreations built from clips and audio the company had published online. Hong Kong police later confirmed the worker was the only real human in the meeting, and Arup confirmed that fake voices and images were used. The money was gone before anyone realized what had happened.
That attack has a name now, even if it has not earned the headlines that “business email compromise” has. Fraud investigators are starting to call it Business Video Compromise, or BVC. It is the video-native cousin of the email scam that has drained companies for years, and in several ways it is more dangerous.
BEC fakes a name in your inbox. BVC fakes the people on your screen.
What Business Video Compromise actually is
You probably know its older sibling. Business Email Compromise is the scam where an attacker poses as a trusted person, usually an executive or a vendor, and uses a convincing email to push an employee into wiring money or changing payment details. It is low-tech, unglamorous, and astonishingly effective. The FBI’s 2024 Internet Crime Report put business email compromise losses at 2.77 billion dollars in a single year, part of a record 16.6 billion in total reported cybercrime losses.
Business Video Compromise keeps the same playbook and swaps the channel. Instead of a fake email, the attacker delivers a fake person: a live or near-live deepfake of a face and voice the target already trusts, appearing on the platforms your workday already runs on. The goal is identical, which is to manufacture authority and urgency until someone authorizes something they should not. What changes is the evidence. An email asks you to believe a sender. A video call asks you to disbelieve your own senses.
How the scam works, step by step
The mechanics are no longer exotic, and that is the part worth sitting with. A BVC attack usually moves through five stages.
A BVC attack is mostly preparation. The fraud only succeeds at the moment a real person says yes.
It starts with harvesting. Executives are public people. Earnings calls, conference keynotes, podcast interviews, and LinkedIn videos give attackers all the raw material they need. Research from identity-verification firm Onfido found that by 2024 a deepfake attempt was happening somewhere online roughly once every five minutes, and the tooling keeps getting cheaper.
Next comes the pretext, almost always wrapped in secrecy and time pressure. A confidential acquisition. A regulator who must be paid today. A deal that cannot be discussed with the usual approvers. Then the call itself, where the deepfakes appear and do the persuading. The victim authorizes the transfer, and the money is split across accounts and moved out of reach within hours.
The three faces of the threat
BVC is not one trick. It shows up in three distinct shapes, and most security training only addresses the first.
Three shapes of the same problem: a fake executive, a fake employee, and a real meeting wearing a stolen face.
The first is the phantom executive, the Arup pattern, where a fabricated leader pressures a real employee. The second is the ghost hire, and it is the one most companies miss. In 2024 the security-training firm KnowBe4 revealed it had unknowingly hired a North Korean operative who used a stolen identity and an AI-doctored photo to sail through remote video interviews. The fake worker was caught only when company software flagged strange activity on the laptop. The advisory firm Gartner has projected that by 2028, one in four job candidates worldwide could be fake. The third shape is the live face swap, where free and open-source tools paste a convincing likeness over an attacker’s own face during a call, so a stranger can wear your colleague’s face while they talk to you.
Source: Hong Kong Police / CNN, 2024
Why video is so hard to resist
We are trained from childhood to treat a face as proof. A written request can be a forgery, but a person looking at you, nodding, answering questions in a familiar voice, feels like ground truth. That instinct is exactly what BVC weaponizes. The Arup employee was already suspicious of the email. The video call did not add information so much as it overrode his judgment.
This is also why the usual advice fails. Telling people to “watch for glitchy lips or weird lighting” sets them up to lose. The same trap appears in AI voice cloning scams, where a few seconds of audio is enough to fool a relative. Studies consistently find that people are near chance at spotting high-quality fakes, and the technology improves every month. Treating detection as the defense means betting your payroll on an eye test that humans reliably fail.
The tell that still works
Forget hunting for visual artifacts. The reliable weakness of a live deepfake is that it is reactive, not improvisational. Ask the person to do something unscripted: turn fully sideways, pass a hand slowly across their face, pick up a specific object and describe it, or answer a question only the real person would know. Real-time models still stumble on sharp profile turns and sudden, unrehearsed requests. The point is not to win a staring contest. It is to break the script.
What AI tools are changing
The reason BVC is moving from rare to routine is that the cost curve collapsed. Cloning a voice once took a studio and an engineer. Now it takes a short clip and a free account. Real-time face-swapping that used to demand a workstation and serious skill now runs from open-source projects that plug straight into Zoom, Teams, and Google Meet through a virtual camera. The Deloitte Center for Financial Services estimates that generative AI could push US fraud losses to 40 billion dollars by 2027.
Regulators have noticed. In May 2025 the FBI issued a public warning that criminals were using AI-generated voice messages to impersonate senior US officials and build trust before stealing credentials or money. When the bureau is publishing alerts about synthetic voices of named officials, the threat has clearly left the lab. The uncomfortable truth is that detection tools are losing the arms race, and any defense built only on spotting the fake is built on sand.
What to do about it
The good news is that BVC has a structural weakness, and it is the same one BEC always had. No matter how perfect the deepfake, the fraud still depends on a real human breaking a real process. Fix the process and the quality of the fake stops mattering.
You cannot out-stare a deepfake. You can out-process one.
Set a hard rule that money movements and banking-detail changes always require out-of-band confirmation, meaning a callback to a known number or a message on a separate, trusted channel. Agree on a verbal code word for sensitive requests, the same trick the FBI now recommends to families. Require two approvers for transfers above a threshold, so no single person on a single call can complete a payment. Extend the same skepticism to hiring, with live identity checks and a recorded reason for any candidate who avoids turning on their camera or doing simple on-camera tasks.
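One way to encode the release rules above as a check that runs before any payment goes out, as an added example that is not part of the original article. The threshold value, the directory of record, and every name and number in it are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed figure; the article names no amount
# Constructed directory of record. Callback contacts come from here,
# never from the email, invite, or call that carried the request.
DIRECTORY = {"cfo@example.com": "+44-20-5550-0100"}

@dataclass
class Confirmation:
    channel: str        # channel used to confirm, e.g. "phone"
    contact_used: str   # number or handle actually contacted
    confirmed: bool     # the real person said yes

@dataclass
class PaymentRequest:
    requester: str          # who the request claims to come from
    request_channel: str    # where it arrived: "video", "email", ...
    amount: float
    approvers: set = field(default_factory=set)
    confirmation: Optional[Confirmation] = None

def release_blockers(req: PaymentRequest) -> list:
    """Return reasons the payment must be held; an empty list means release."""
    reasons = []
    conf = req.confirmation
    if conf is None or not conf.confirmed:
        reasons.append("no out-of-band confirmation")
    else:
        if conf.channel == req.request_channel:
            reasons.append("confirmation used the request's own channel")
        if conf.contact_used != DIRECTORY.get(req.requester):
            reasons.append("callback contact is not the one on record")
    # The requester cannot count as one of their own approvers.
    independent = req.approvers - {req.requester}
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(independent) < 2:
        reasons.append("fewer than two independent approvers")
    return reasons

if __name__ == "__main__":
    # Constructed request: arrives on a video call, one approver, no callback.
    rushed = PaymentRequest("cfo@example.com", "video", 200_000,
                            approvers={"clerk@example.com"})
    print(release_blockers(rushed))
    # Same request after a callback to the number on record and a second approver.
    rushed.confirmation = Confirmation("phone", "+44-20-5550-0100", True)
    rushed.approvers.add("controller@example.com")
    print(release_blockers(rushed))
```

The check never looks at how convincing the call was; a request is held or released purely on whether the process was followed.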
If it happens anyway, speed decides everything
Stolen funds can sometimes be frozen in the first hours but rarely after. A written incident response plan that names who to call and which bank to alert can be the difference between recovering money and losing it.
Most importantly, train the reflex rather than the eyeball. People do not rise to the occasion under pressure; they fall back on habit. The companies that shrug off BVC are the ones where verifying a strange request is muscle memory, practiced until it feels normal even when a vice president is on the screen telling you to hurry.
The bottom line
Business Video Compromise is not a new kind of crime. It is an old confidence trick in a terrifying new costume, and the costume is getting cheaper and more convincing by the month. The instinct it exploits, that seeing is believing, is one of the oldest we have. The defense is almost boring by comparison: slow down, confirm on a second channel, and build a process that no single face can override. In an era when anyone on your screen might be synthetic, the only thing worth trusting is the habit of checking.