A deepfake phishing scam cost a multinational company more than $25 million after an employee was fooled by digital imitations of his colleagues on a conference call.
Hong Kong police said at a press conference Friday that the employee at the unnamed firm’s Hong Kong branch initially suspected phishing when he received an email last month purporting to be from the company’s UK-based chief financial officer, CNN reported.
However, after attending a video conference and seeing convincing deepfakes of the CFO and other colleagues, the employee believed the request to carry out a secret transaction was legitimate.
The finance worker ultimately transferred HK$200 million, the equivalent of about US$25.6 million, to five different bank accounts across 15 transactions, following the fake colleagues’ instructions, according to The Straits Times.
The scam was revealed one week after the initial contact, when the employee reached out directly to the company’s headquarters. The case is under investigation and no arrests have yet been made, police said.
“Employees may still assume today that live audio or video cannot be faked, and act on requests they are given by colleagues or leaders without question — as we have seen in this recent case,” said Nick France, chief technology officer at Sectigo, in an email to SC Media. “Security teams should see this as another threat to their organizations and update their practices and training accordingly.”
Would you fall for this deepfake scam?
Authorities said publicly available footage of the CFO and other employees was used to create the deepfake images, and the victim was the only person on the conference call who was not a deepfake.
Two or three other employees of the same company had also been approached by the scammers, although details about these interactions were not disclosed by police.
During the video call, the employee said he was asked to give a self-introduction but did not directly interact with anyone else in the meeting, authorities said. The deepfake colleagues and CFO provided the victim with instructions, after which the call was ended abruptly.
The employee reported that both the live images and voices of the others on the call seemed real and recognizable to him. Police noted the case was the first in Hong Kong to involve multiple deepfakes in one video call.
“This was an elaborate crime. There are ways to apply cybersecurity protection to thwart these types of phishing on collaboration tools like Teams, Slack and Zoom. However, it needs to be combined with physical security protocols and training, because these types of crimes are morphing and technology is lagging behind,” Patrick Harr, CEO at anti-phishing company SlashNext, told SC Media.
Research suggests many people are not yet prepared to spot deepfakes. A survey by iProov in 2022 showed 43% of respondents did not believe they could tell the difference between a real video and a deepfake, and only 29% of respondents initially knew what a deepfake was.
Additionally, a study published in June 2023 in the Journal of Cybersecurity showed participants asked to distinguish between AI-generated and real human faces had a 62% accuracy rate overall.
Deepfake spear-phishing a new normal for cybersecurity?
Deepfake scams are becoming more common, with identity verification company Onfido detecting a 3,000% increase in deepfake fraud attempts between 2022 and 2023. Gartner predicts 30% of companies will lose faith in facial biometric authentication solutions by 2026 due to deepfake injection attacks.
Deepfakes have also proved successful in stealing large amounts of money from organizations in previous scams. In 2020, a branch manager of a Japanese company in Hong Kong sent $35 million to scammers after they used AI to clone the voice of the parent company’s director in a phone call, according to Forbes.
In 2021, fraudsters in China raked in the equivalent of $75 million via fake tax invoices by fooling government-run facial recognition systems with deepfakes, the South China Morning Post reported.
Last year, Hong Kong police said they caught scammers using AI deepfakes and stolen ID cards to make dozens of fraudulent loan applications and bank account registrations, with deepfake scams resulting in a total of six arrests.
Cybersecurity experts say businesses need to account for advanced spear-phishing tactics like deepfakes when updating security training programs and managing permissions for money transfers.
“There should be multiple approval levels before money is transferred, even when the CFO is requesting the transfer,” said Harr. “Companies can require all corporate video communications happen on approved collaboration channels that are secure and employees should be trained to question unusual behavior like requests to use new bank accounts or requests that seem out of the usual process.”
“Adhere to the principles of ‘least privilege,’ so employees only have access to the accounts and systems they need to perform their roles. Confirm payments and access to critical data with additional confirmations — even if you know the face on the screen,” France added.
France concluded: “Update training programs to ensure not only users are aware of the possibility of fully-forged video, but that they should be encouraged and empowered to raise concerns, or ask for additional verification or confirmation before taking business-critical actions.”