In February 2026, a finance employee at a Hong Kong subsidiary of Arup wired $25 million to attackers after a video call with what appeared to be the company's CFO and several colleagues. Every face on the call was synthetic. The voices were synthetic. The mannerisms had been trained on YouTube earnings calls.

This is not a hypothetical anymore. The FBI's Internet Crime Complaint Center logged $1.4 billion in deepfake-driven business email and voice compromise in 2025 alone. The defensive playbook that worked in 2023 — "call back on a known number" — is no longer sufficient because the known number can be spoofed and the voice on the other end can be cloned in real time.

What Changed in 2026

Three things hit production-grade quality almost simultaneously:

- Real-time face-swap on consumer GPUs (sub-50ms latency)
- Voice cloning from <5 seconds of audio (ElevenLabs Flash v2, similar)
- Open-source models that match closed-source quality

The threat actor's marginal cost dropped to near zero.…