A poor peon in the finance department of Arup Hong Kong got taken in by a deepfake of the firm’s chief financial officer, who told them to transfer $25.6 million to several “secret” accounts. We first discussed the heist on February 5, when the victim hadn’t yet been named.
The local police still have no leads. In today’s SB Blogwatch, we ponder Arup’s corporate governance.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Duct tape engineering.
What’s the craic? The Pinkun’s Cheng Leng, Chan Ho-him, Gill Plimmer and Kaye Wiggins report: Arup lost $25mn in Hong Kong deepfake video conference scam
“Financial stability”
UK engineering group Arup lost HK$200mn ($25mn) after fraudsters used a digitally cloned version of a senior manager to order financial transfers during a video conference. … Hong Kong police previously revealed what is one of the world’s biggest known deepfake scams, but did not identify the company involved. … The case highlights the threat posed by deepfakes — hyper-realistic video, audio or other material generated using artificial intelligence — when used by cyber criminals to target companies or governments.
…
[Arup Group] has annual revenues of more than [$2.7 billion]. … “We can confirm that fake voices and images were used,” the company said. … “Our financial stability and business operations were not affected and none of our internal systems were compromised.” … Arup’s east Asia chair Andy Lee stepped down in the weeks following the scam, [saying] he had “decided to embark on a new opportunity.” … Arup’s global chief information officer Rob Greig said … “I hope our experience can help raise awareness of the increasing sophistication and evolving techniques of bad actors.”
So it was 1% of revenue, or more than 10% of net profit. This is Kathleen Magramo: Arup revealed as $25 million deepfake scam victim
“Rising sharply”
A British multinational design and engineering company behind world-famous buildings … has confirmed that it was the target of a deepfake scam that led to one of its Hong Kong employees paying out $25 million. … Arup has 18,500 employees across 34 offices around the world. It was responsible for landmarks such as the Bird’s Nest stadium, site of the 2008 Beijing Olympic Games.
…
“Like many other businesses around the globe, our operations are subject to regular attacks, including invoice fraud, phishing scams, WhatsApp voice spoofing, and deepfakes. What we have seen is that the number and sophistication of these attacks has been rising sharply in recent months,” [CIO] Greig … said.
Did the Honkers po-po pinch the perp? The Grauniad’s Dan Milmo has bad news: Employee was duped into sending cash to criminals by AI-generated video call
“No arrests had been made”
Arup … famously provided the structural engineering for the Sydney Opera House including its distinctive concrete shells. Recent project involvements include the Crossrail transport scheme in London and the Sagrada Família in Barcelona.
…
Senior police superintendent Baron Chan [said] the employee had been invited on to a conference call. … Because the participants “looked like the real people”, Chan said, the employee then transferred a total of HK$200m to five local bank accounts via 15 transactions. The Hong Kong police force … said no arrests had been made so far but the investigation was ongoing and the case was being classified as “obtaining property by deception.”
How could Arup have protected itself? Superhero masto dons a cape: [You’re fired—Ed.]
When I’m on a company video call, the people I’m meeting with are logged into their company accounts, through the fancy company authentication system. Large warnings are displayed if there are any external participants. … Third-party video conference software is banned and blocked.
…
I am not in the finance department, but in software engineering and operations, two-party controls are everywhere. I can’t check in code without reviews. I can’t access production systems or make changes without approval from another team member. I would think that similar processes could be put into place for transferring tens of millions of dollars.
Or take a more analog approach? Here’s Revek:
You will have to make these business relationships somewhat personal, where you can drop in personal comments and questions that the scammers won't know unless they have one-on-one knowledge.
Ah, but that takes training. Hrmbee sees both sides:
Operations and training are such an integral part of security. … Especially in these days of rapidly escalating sophistication with attacks and vectors, solid procedures are more critical than ever.
Unfortunately this also runs up against the other aspect of business which is one of speed and expediency. Prudent businesses should be looking continuously at what is happening internally and adjusting and retraining as necessary.
Wait. Pause. What if it wasn’t a deepfake? Alleging an allegation, laurencei finds it strange:
What I find strange about this is you don’t need it to be “deepfake.” Just an inside job.
If a large company allows a single employee to transfer millions to a new bank account/vendor that has no history on “their belief” the instruction came from … their boss, CFO etc., that company has major governance issues. … This company is just missing basic steps that would have protected itself here.
Whatever the truth is, that’s a lot of cash. Rosco P. Coltrane cuts to the chase:
Social engineering to the tune of $25M? However good the fake videos and voices in that call, if I was in charge of that much money, you’d better send me solid written evidence and proof that the bank account number is legit before I authorize a $25M transfer.
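As an added illustration of the controls masto, laurencei and Rosco are calling for (this is not code from Arup or from any commenter above), here is a payment-release check in Python: a transfer is held if the payee was never verified through a contact on file rather than the requesting call, if the only approver is the requester, if it exceeds a dual-control threshold without a second approver, or if the requester's cumulative outbound for the day would blow a limit. Thresholds, account ids and user ids are constructed placeholders.

```python
"""Payment-release policy: dual control plus out-of-band payee verification (illustrative)."""
from dataclasses import dataclass

# Hypothetical policy values, constructed for this example; real limits are a governance decision.
DUAL_CONTROL_ABOVE_HKD = 500_000   # above this, an approver other than the requester is mandatory
DAILY_LIMIT_HKD = 5_000_000        # cumulative outbound per requester per day


@dataclass
class Payee:
    account: str
    # True only once someone called back a phone number / contract contact already on file.
    # A video call or e-mail that *asks* for the payment never counts as verification.
    verified_out_of_band: bool = False


@dataclass
class Transfer:
    day: int
    amount_hkd: int
    payee: str
    requested_by: str
    approvers: frozenset = frozenset()  # user ids that signed off on this transfer


def violations(t: Transfer, payees: dict, history: list) -> list:
    """Return the reasons a transfer must be held; an empty list means it may be released."""
    reasons = []
    p = payees.get(t.payee)
    if p is None:
        reasons.append("unknown payee account")
    elif not p.verified_out_of_band:
        reasons.append("payee not verified out of band")
    if t.requested_by in t.approvers:
        reasons.append("requester cannot approve own transfer")
    independent = t.approvers - {t.requested_by}
    if t.amount_hkd > DUAL_CONTROL_ABOVE_HKD and not independent:
        reasons.append("dual control: second approver required")
    # Cumulative check: many mid-sized transfers in one day add up like one large one.
    spent = sum(h.amount_hkd for h in history
                if h.day == t.day and h.requested_by == t.requested_by)
    if spent + t.amount_hkd > DAILY_LIMIT_HKD:
        reasons.append("daily cumulative limit exceeded")
    return reasons


if __name__ == "__main__":
    # Constructed sample: one long-standing verified vendor and one brand-new, unverified account.
    book = {"HK-VENDOR-001": Payee("HK-VENDOR-001", True), "HK-NEW-777": Payee("HK-NEW-777")}
    rushed = Transfer(1, 13_000_000, "HK-NEW-777", "clerk", frozenset({"clerk"}))
    print(violations(rushed, book, []))
```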
Meanwhile, RaavenEye doesn’t mince words:
It’s a multi-million company, but seems like it’s run by incompetents.
How is duct tape like a stack of pancakes?
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image source: Pedro Szekely
(cc:by-nc-sa; leveled and cropped)