A deepfake phishing scam cost a multinational company more than $25 million after an employee was fooled by digital impersonations of his colleagues during a conference call.
Hong Kong police said at a news conference Friday that the employee at the unnamed company’s Hong Kong branch initially suspected phishing when he received an email last month purporting to come from the chief financial officer of the company, based in the United Kingdom, CNN reported.
However, after attending a video conference and seeing convincing deepfakes of the CFO and other colleagues, the employee believed the request to perform a secret transaction was legitimate.
The finance employee ultimately transferred HK$200 million, the equivalent of approximately US$25.6 million, to five different bank accounts in 15 transactions, following the instructions of his fake colleagues, according to The Straits Times.
The scam was revealed a week after the first contact, when the employee contacted the company’s headquarters directly. The case remains under investigation and no arrests have yet been made, police said.
“Employees today may still assume that live audio or video cannot be tampered with and act without question on requests made of them by colleagues or leaders – as we saw in this recent case,” said Nick France, chief technology officer at Sectigo, in an email to SC Media. “Security teams should view this as a new threat to their organization and update their practices and training accordingly.”
Would you fall for this deepfake scam?
Authorities said publicly available images of the CFO and other employees were used to create deepfake images, and that the victim was the only person on the conference call who was not a deepfake.
Two or three other employees from the same company had also been approached by the scammers, although details of those interactions were not released by police.
During the video call, the employee said he was asked to introduce himself but did not interact directly with anyone else during the meeting, authorities said. The deepfaked colleagues and CFO gave instructions to the victim, after which the call was abruptly terminated.
The employee reported that live footage and voices of other participants in the call seemed real and recognizable to him. Police noted that this case was the first in Hong Kong to involve multiple deepfakes in a single video call.
“It was a complex crime. There are ways to apply cybersecurity protection to thwart these types of phishing on collaboration tools like Teams, Slack, and Zoom. However, this must be combined with physical security protocols and training because these types of crimes are evolving and technology is lagging behind,” Patrick Harr, CEO of anti-phishing company SlashNext, told SC Media.
Research suggests that many people are not yet ready to spot deepfakes. A survey carried out by iProov in 2022 showed that 43% of respondents did not think they could tell the difference between a real video and a deepfake, and only 29% of respondents initially knew what a deepfake was.
In addition, a study published in June 2023 in the Journal of Cybersecurity showed that participants asked to distinguish between AI-generated human faces and real human faces had an overall accuracy rate of 62%.
Deepfake spear phishing, a new standard for cybersecurity?
Deepfake scams are becoming more common, with identity verification company Onfido detecting a 3000% increase in deepfake fraud attempts between 2022 and 2023. Gartner predicted that 30% of businesses will lose confidence in facial biometric authentication solutions by 2026 due to deepfake injection attacks.
Deepfakes have also been used to steal large sums of money from organizations in previous scams. In 2020, the director of a Japanese company’s Hong Kong branch sent $35 million to fraudsters after the scammers used AI to clone the parent company director’s voice during a telephone call, according to Forbes.
In 2021, Chinese fraudsters raked in the equivalent of $75 million through fake tax invoices by fooling government-run facial recognition systems with deepfakes, the South China Morning Post reported.
Last year, Hong Kong police said they arrested fraudsters using AI deepfakes and stolen ID cards to make dozens of fraudulent loan applications and bank account registrations, with deepfake scams leading to a total of six arrests.
Cybersecurity experts say businesses need to consider advanced spear phishing tactics like deepfakes when updating security training programs and managing permissions for money transfers.
“There should be multiple levels of approval before money is transferred, even when the CFO requests the transfer,” Harr said. “Businesses can require that all corporate video communications take place over approved and secure collaboration channels and employees should be trained to question unusual behavior, such as requests to use new bank accounts or requests which seem to fall outside the usual process.”
“Adhere to the principles of ‘least privilege,’ so employees only have access to the accounts and systems they need to perform their roles. Confirm payments and access to critical data with additional confirmations, even if you know the face on the screen,” France added.
France concluded: “Update training programs to ensure that not only are users aware of the possibility of completely falsified video, but they must be encouraged and empowered to raise concerns, or request additional verification or confirmation before taking business-critical actions.”
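The controls Harr and France describe (out-of-band confirmation of requests that arrive by email or on a call, independent multi-party approval, scrutiny of new beneficiary accounts, and an aggregate cap so one sum split into many transfers is still caught) can be encoded as a payment-release check. The following Python is an added illustration, not code from the article or from either vendor; the account names, approver ids and thresholds are hypothetical, and the batch is constructed to mirror the 15-transfer, five-account pattern reported above.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    amount_hkd: int
    beneficiary: str                 # destination account id
    requester: str                   # who asked for the payment
    channel: str                     # "email", "video_call" or "ticket"
    oob_verified: bool = False       # callback to a directory-listed number done?
    approvers: frozenset = frozenset()

# Hypothetical policy values; the thresholds and ids are not from the article.
POLICY = {
    "known_beneficiaries": {"ACC-PAYROLL", "ACC-VENDOR-1"},
    "approvers": {"finance_director", "treasury_lead", "controller"},
    "min_independent_approvers": 2,
    "daily_aggregate_hkd": 20_000_000,
}

def check_transfer(t, released_today_hkd, policy=POLICY):
    """Return the reasons this transfer must be held; an empty list means release."""
    holds = []
    # Email or call-borne requests stay unverified until confirmed out of band,
    # regardless of whose face or voice delivered them.
    if t.channel in ("email", "video_call") and not t.oob_verified:
        holds.append(f"unverified {t.channel} request: call back on a known number")
    if t.beneficiary not in policy["known_beneficiaries"]:
        holds.append(f"new beneficiary {t.beneficiary}")
    # The requester cannot approve their own payment, even if they are the CFO.
    independent = {a for a in t.approvers if a != t.requester and a in policy["approvers"]}
    if len(independent) < policy["min_independent_approvers"]:
        holds.append(f"{len(independent)} independent approval(s), need {policy['min_independent_approvers']}")
    # Aggregate over the day so splitting one sum into many transfers cannot evade the cap.
    if released_today_hkd + t.amount_hkd > policy["daily_aggregate_hkd"]:
        holds.append("daily aggregate cap exceeded")
    return holds

def process_batch(transfers, policy=POLICY):
    """Run a day's requests in order; returns (released_total_hkd, {index: holds})."""
    released, held = 0, {}
    for i, t in enumerate(transfers):
        holds = check_transfer(t, released, policy)
        if holds:
            held[i] = holds
        else:
            released += t.amount_hkd
    return released, held

# Constructed batch modelled on the article: 15 transfers to 5 new accounts,
# requested by the "CFO" on a video call, with no independent approver.
SCAM_BATCH = [Transfer(13_400_000, f"ACC-NEW-{i % 5}", "cfo", "video_call",
                       approvers=frozenset({"cfo"})) for i in range(15)]
LEGIT = Transfer(1_000_000, "ACC-VENDOR-1", "cfo", "ticket", True,
                 frozenset({"finance_director", "controller"}))
```

Every transfer in the constructed batch is held on three independent grounds, so the attacker would have needed to defeat the callback, the beneficiary review and two approvers rather than one employee's trust in a familiar face.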