Spearphish pivots to deepfake Zoom call, leads to swift exit of cash.
A poor peon in the finance department of a large company got taken in by a deepfake of the firm’s chief financial officer. They were told to transfer company funds to several “secret” accounts. And, after shaking off their doubts, they did: all $25.6 million of it.
It’s a taylor-made story—but is there nothing new? In today’s SB Blogwatch, AI’s the problem, not me. [You’re fired—Ed.]
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Green skywashing.
Bad Hoax Blood
What’s the craic? Harvey Kong broke the story—“Multinational firm’s Hong Kong office loses HK$200 million”:
“Suspicious”
A multinational company lost … US$25.6 million in a scam after employees at its Hong Kong branch were fooled by … a digitally recreated version of its chief financial officer ordering money transfers in a video conference call. … Everyone present on the video calls except the victim was a fake [but] looked and sounded like real people the targeted employee recognised.
…
The scammers were able to generate convincing representations of targeted individuals that looked and sounded like the actual people. … The employee followed instructions given during the meeting and made 15 transfers totalling HK$200 million to five Hong Kong bank accounts. … The person realised it was a scam upon making an inquiry with the company’s headquarters.
…
The force said it hoped members of the public were aware that scammers were now capable of using deepfake technology. … Senior Inspector Tyler Chan Chi-wing … suggested asking the person to move their head, posing questions to determine their authenticity and become immediately suspicious the moment money is requested.
ELI5, without mentioning Tay Tay, please. Mike Wheatley has a go—“Scammers used deepfake CFO on video call”:
“No surprise”
Deepfakes are videos that have been manipulated by computers … to make people appear to say or do something they never did, or to appear in places they weren’t. Thanks to advances in AI, deepfakes have become more convincing than ever before, and they’re often used to defame people in the public eye.
…
It’s no surprise that the technology is being abused by criminals in some very inventive ways to facilitate scams. The Hong Kong police said that it alone has come across more than 20 cases that involved the use of AI deepfakes to trick facial recognition systems. [They] recently arrested six people in connection with a scam that involved eight stolen Hong Kong identity cards. The scammers used the cards to create deepfakes that could fool facial recognition systems, and then applied for more than 90 loan applications and bank account registrations.
Surely we can fix this with technology? Karellen sounds slightly sarcastic:
It’s easy. We just generate our own key pairs, establish a web-of-trust by signing each other’s public keys at in-person meetups, and then use those signed keys to authenticate all the digital communication we do with each other.
You know, like we’ve been doing with our emails since PGP was developed in 1991. You can tell how simple the process is, by how ubiquitous it has become in a mere 30 years!
I note the police aren’t identifying the company. fahrbot-bot wishes this was true:
If the Universe had a sense of irony, the company would be Zoom.
Could it happen to you? It couldn’t happen to u/the_storm_rider:
LOL. Won’t happen to us: Our managers insist on people being in office 5 days a week for 12 hours, so no Zoom calls or anything.
How can organizations protect themselves? Here’s acdha:
Senior management needs to take the lead setting up policies that are efficient enough to not encourage people … to bypass them—and the culture that everyone in the company should feel comfortable telling the CEO, “I’m not allowed to do that.” This is possible but it has to be actively cultivated.
…
[It’s] a management responsibility: … Dominance culture is very common and it basically ensures this kind of stuff will keep happening, similar to how all of the phishing training in the world is largely cancelled out by not requiring partners and vendors to have better email practices. It might take that CFO featuring in a crime like this one to get their attitude to change.
OK, culture change—check. But what about process? gweihir has this thought:
With no second sign-off and the first one either on paper in person or certified by a second person or verified with a call-back on the phone? That is just incredibly dysfunctional. Not saying you need this process for small stuff like $1000, but for $25M? Seriously?
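As an added illustration (not code from the article, from gweihir, or from any company mentioned), here is a small Python policy check that encodes the control described above: an approval from the requester’s own hand does not count, an instruction that arrives over a spoofable channel such as a video call never counts as verification, anything above a threshold needs a first sign-off confirmed out-of-band (in person, on paper, or by a callback to a number from the company directory) plus a second distinct approver. The thresholds, channel names, field names and the sample beneficiaries are constructed assumptions. One rule goes a step beyond the comment: the threshold is applied to the total sent to one beneficiary across a batch, because the Hong Kong case was 15 transfers to five accounts, and splitting a payment is the obvious way around a per-transfer limit.

```python
"""
Dual-control release check for outbound payments (illustrative, assumptions
noted inline; not an existing product or the article's own code).
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed policy values; real thresholds are a business decision.
DUAL_CONTROL_THRESHOLD = Decimal("10000")

# Channels that confirm an approver independently of the request itself.
OUT_OF_BAND = {"in_person", "paper", "callback_directory_number"}

# Channels a deepfake or a spoofed sender can control: an "approval" that
# arrives this way is not evidence of anything and is ignored entirely.
UNTRUSTED = {"video_call", "email", "chat"}


@dataclass
class Approval:
    approver: str   # identity of the person signing off
    channel: str    # how that sign-off was obtained, e.g. "approval_system"


@dataclass
class TransferRequest:
    amount: Decimal
    beneficiary: str
    requester: str          # employee who would execute the transfer
    instructed_via: str     # channel the payment instruction came over
    approvals: list = field(default_factory=list)


def evaluate(req, known_beneficiaries, effective_amount=None):
    """Return (allowed, reasons); reasons names every control that failed."""
    amount = effective_amount if effective_amount is not None else req.amount
    reasons = []

    # Only sign-offs from someone other than the requester, over a channel
    # the requester (or an attacker on a call) cannot fabricate, count.
    others = [a for a in req.approvals
              if a.approver != req.requester and a.channel not in UNTRUSTED]
    oob = [a for a in others if a.channel in OUT_OF_BAND]

    if not others:
        reasons.append("needs at least one approver other than the requester")
    if req.beneficiary not in known_beneficiaries and not oob:
        reasons.append("new beneficiary: instruction must be confirmed out-of-band")
    if amount > DUAL_CONTROL_THRESHOLD:
        if not oob:
            reasons.append("above threshold: first sign-off must be confirmed out-of-band")
        if len({a.approver for a in others}) < 2:
            reasons.append("above threshold: needs two distinct approvers")
    return (not reasons, reasons)


def evaluate_batch(requests, known_beneficiaries):
    """Evaluate each request against the per-beneficiary total of the batch,
    so that splitting one large payment into many small ones does not slip
    under the dual-control threshold."""
    totals = {}
    for r in requests:
        totals[r.beneficiary] = totals.get(r.beneficiary, Decimal(0)) + r.amount
    return [evaluate(r, known_beneficiaries, effective_amount=totals[r.beneficiary])
            for r in requests]


if __name__ == "__main__":
    known = {"ACME-payroll"}                      # constructed sample
    # The scenario in the article: an instruction and an "approval" that both
    # exist only inside a video call, to accounts nobody has paid before.
    deepfake = TransferRequest(Decimal("5000000"), "HK-acct-1", "clerk",
                               "video_call", [Approval("cfo", "video_call")])
    print(evaluate(deepfake, known))
    # Same instruction, but the CFO is reached back on a directory number and
    # a second person signs off through the approval system.
    verified = TransferRequest(Decimal("5000000"), "HK-acct-1", "clerk",
                               "video_call",
                               [Approval("cfo", "callback_directory_number"),
                                Approval("controller", "approval_system")])
    print(evaluate(verified, known))
```

The two evaluate calls in the demo are the "before" and "after": the first fails every control, the second passes because the callback and the second approver are both independent of the video call that carried the instruction. Note that the policy deliberately treats who approved and how as separate questions; a real CFO approving over a channel that cannot be verified is indistinguishable from a fake one.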
How realistic is that? Not very, according to u/PantsOnHead88:
My parents, friends and coworkers are all still getting scammed by emails that are barely beyond the quality of Nigerian Prince pleas. … If high-quality deepfakes go mainstream, … it’s going to be a fool’s errand trying to keep everyone and their mothers from emptying their bank accounts at the drop of a hat.
Meanwhile, doubloon cuts to the chase:
Every process has exceptions. And there is no process stronger than the manager firing an employee for disobeying an order.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Marcin Wichary (cc:by; leveled and cropped)