In today's digital age, distinguishing between genuine interactions and deceptive manipulations is increasingly challenging, especially within the professional sphere. Picture the unsettling scenario where you're unable to tell if your supervisor, giving instructions over Zoom, is truly there or just a highly convincing digital imitation. The introduction of deepfake technology into virtual meetings adds a perplexing layer, forcing us to question the genuineness of our remote interactions with colleagues.

A striking example of this burgeoning menace occurred in Hong Kong, where a financial employee was tricked into sending more than US$25 million to fraudsters. These con artists, skillfully impersonating the company's CFO and other executives using sophisticated deepfake technology in a video call, executed one of the most significant cases of corporate fraud leveraging this technology. The scam targeted a finance employee through a series of deceptive tactics, including a counterfeit video conference call featuring deepfake renditions of the employee's colleagues.

An initial dubious email raised suspicions, but the scammers' realistic appearances and convincing dialogue during the call persuaded the employee to go ahead with the transaction. The Hong Kong Police Force, while keeping the identities of the company and the employee confidential, disclosed the scam's details at a press conference to alert the public about this novel form of fraud. According to the Cyber Security and Technology Crime Bureau, the scam began with an email from someone claiming to be the company's CFO in the U.K., discussing a "confidential transaction" that required urgent attention. Despite the employee's initial doubts, the scam gained legitimacy through a video call where the employee saw what seemed to be familiar faces and the CFO, all of whom were actually intricate digital fabrications crafted using AI. The employee only recognized the deceit a week later, after consulting with the company's headquarters, despite ongoing communications with the scammers through various means.

The scammers' adept use of deepfakes led the employee to carry out 15 financial transactions to five different local bank accounts, as directed during the call. The Hong Kong Police Force indicated that the scammers probably prepared by downloading videos of the actual individuals and employing AI to mimic their voices for the video conference.

Corporate IT departments have long been engaged in an unyielding effort to educate employees about phishing scams' perils and the dangers posed by unsolicited email attachments. The objective is to bolster defenses against that single moment of oversight that could permit hackers to breach an entire network.

Nevertheless, the advent of AI-powered video manipulation tools signifies a shift away from what were once considered secure communication mediums. This rapid advancement of deepfake technology thrusts us into a new era of increased doubt, where our capacity to differentiate between reality and complex digital illusions is severely tested.

In the case of the Hong Kong fraud, the scammers likely used real-time deepfake technology to create a digital avatar that flawlessly mirrored their movements and responses during the video call. Such sophisticated deepfake applications have been implicated in various online deceit forms, including fraudulent romantic schemes.

How to protect yourself and your business:

This, naturally, begs the question: What can I do to protect myself from this type of attack?

The steps here are similar to protection from any other impersonation attack but because this particular incident was targeted at a financial branch, we’ll go a bit deeper into how to set up prevention protocols to help secure your business. 

If the call/zoom/text is initiated by anyone but you, reach out to the person from the contact info you have or is available to you through company resources

Any time you get a call or initiated contact involving A. Money or B. something of urgency, kindly let the person on the line know that you’ll call them right back and use the number or contact info in your phonebook or company directory. 

We are mainly talking about workplace fraud in response to the incident noted above but this is a great practice in daily life. There are scams going on right now where the perpetrators will get enough audio to clone someone’s voice then contact a relative with a dire need for the transfer of money. In those cases, hanging up and calling the cell phone of the impersonated relative would quickly avoid the scam from moving forward. 

Whether at work or at home, the first line of defense is to hang up and reach out to the person who the caller claims to be through the contact info you have already. 

Identify a call and response transaction

This may sound like spycraft but considering that the events resulting in this article resulted in ~$25Million in losses for the company, it is well worth considering. Any time a financial transaction is the subject of the conversation, the parties involved should have a previously agreed upon call and response exchange.An example could be the person who received the call asking something like “what’s the best David Bowie album?” with the correct answer being something that isn’t a David Bowie album like “mashed potatoes”, making it both a secret and impossible to guess. 

Even the most intricate deep fake would not be able to fill in the blank for a pre-arranged exchange of this sort. 

Establish a standard format for financial requests

Create a workflow for all financial transactions where any movement of money goes through an approved set of steps. Make sure that all transactions have to go through a uniform process so that any request to move money around outside of that process sends up immediate red flags. Make it as easy as possible for employees to spot possible fraud. 

Have accountability gates and backups where financial matters are concerned

No single person should have the ability of moving millions of dollars around without some form of oversight. This is also true for things like payroll, if only one person knows the passwords to the system that pays your people, what happens if that person is hit by a bus? Always have redundancy and accountability when it comes to financial matters. A quick call to a colleague to sanity check a large financial request takes seconds but falling victim to a multi-million dollar fraud scheme will cost even more in recovery, both financially and in reputation. 

REACH OUT TO THE ACTUAL PERSON!

Just because it’s the easiest and quickest way to prevent susceptibility to this type of attack, we’re going to say it again. If someone calls you saying that they are Bob Smith but you have Bob Smith’s phone number in your phone and this call didn’t come from that number, politely tell them that you’ll call them right back and call the Bob Smith that’s in your phone book. Ask them if they called with the request to move $25Million around, then go from there.  

This isn’t everything

Unfortunately attackers are working every day to try and trick hard working people and companies out of their money so these steps aren’t a complete defense against this type of scam. Bad actors can clone sim cards and take over the phone number that you have in your phonebook for the person they are claiming to be but that level of intricacy is rarely seen in everyday cases and if you’re a financial manager for a big enough company that you are in the crosshairs of this complicated of an attack you should probably have some of the other steps in place to prevent against this type of thing. For most people and small businesses though, these processes should go a long way to helping you avoid this type of attack.