Deepfake Scam Costs Company $25M
Rueben Medina
Head of Security
A Hong Kong-based multinational company lost a staggering $25 million to a deepfake scam, raising serious concerns about cybercriminals' evolving tactics and use of AI. This incident is the largest recorded scam utilizing deepfake technology, highlighting how powerful the combination of traditional social engineering, persistence, and emerging AI technologies can be.
The scam started as many do: with targeted phishing emails. One targeted employee, a finance worker, was tricked into believing that they were communicating with the CFO and colleagues about the need to carry out a secret financial transaction. While the employee was initially hesitant, persistence combined with a deepfake video conference convinced the employee to move forward with the transaction.
Scammers used AI to realistically mimic the appearances and voices of the company's CFO and other employees. The targeted employee, a finance worker, was tricked into believing they were communicating with legitimate authority figures. It is believed these deepfakes were constructed using publicly available video and audio of the CFO and other senior executives. The scammers persuaded the employee to transfer $25 million to unauthorized accounts through this elaborate charade.
This incident signifies a worrying trend of deepfakes infiltrating the corporate world, exploiting trust and familiarity for malicious purposes. The sophistication of the scam highlights that, with enough resources, deepfakes can be created and deployed, blurring the lines between reality and deception.
Takeaways
Social engineering is still king. 98% of cyber attacks involve some form of social engineering. Despite its use of advanced AI techniques, this scam was perpetrated using tried-and-true social engineering methods.
Use secure communication channels. The employee in this situation did some due diligence in establishing double verification via video conference before going through with the fraudulent transaction. Unfortunately, with the advent of AI deepfakes, verification via video or phone may no longer be enough. Be sure to utilize other established secure communication channels using tools like Signal for encrypted messaging.
Trust your instincts. If something seems fishy, it usually is. For employees, make sure to use any tools at your disposal to confirm identity before taking action, and don’t give in to hierarchical pressures. For leadership, make sure to create an open, communicative, and non-judgmental environment where your employees do not fear punitive actions for following protocol.
Defense in Depth. Consider using secondary (even tertiary) channels that require MFA to be sure participants are who they claim to be. Additionally, to determine the authenticity of an individual on a video conference call, you can ask the individual to move their head quickly or perform certain gestures that might disrupt the accuracy of the deepfake. You can also ask participants to answer questions that confirm their identities.
Risk Transfer. When all else fails, be sure that you have the appropriate insurance coverage in place, whether it be a stand-alone crime policy or a cyber insurance policy that offers cybercrime coverage.
Looking for more insights on the topic of social engineering and phishing scams? Check out a previous article on the topic here. You can also learn more on the subject by watching our Fireside Chat with Mullen Coughlin, the FBI, and the US Secret Service.
Disclaimer: Elpha Secure does not receive commissions, maintain affiliations, or assume liability for any consequences or damages resulting from the use of the third-party security software products or platforms mentioned in this article. These products and platforms are referenced by Elpha Secure solely for informational purposes. Elpha Secure hopes you found the general information provided in this article informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in place of consultation with your own legal, insurance, and security advisors. If you would like to learn more about Elpha Secure, click here.