Deepfaked video conference call makes employee send $25 million to scammers
A deepfake video conference call paired with social engineering tricks has led to the theft of over US$25 million from a multinational firm, the South China Morning Post has reported.
The scheme and the deepfake video conference call
The attack started with messages sent to several of the firm’s employees, but it seems that only one – employed in the finance department of the company’s Hong Kong branch – was ultimately bamboozled.
According to the SCMP, the employee’s suspicions were raised when they received the message, purportedly from the company’s UK-based Chief Financial Officer, asking the employee to carry out a secret transaction. But they were later quelled by a group video conference to which the employee was invited.
Present in the video conference were the company’s CFO, other company staff and even outsiders – or so it seemed.
In reality, the fraudsters used previous video and audio footage and artificial intelligence technology to create the illusion that these individuals were present on the call, and made these digital recreations “speak” to complete the deception.
Baron Chan Shun-ching, a superintendent with Hong Kong Police’s cyber security division, told the SCMP that “during the video conference, the scammers asked the victim to do a self-introduction but did not actually interact with the person. The fake images on screen mainly gave orders before the meeting ended abruptly.”
After the call, the scammers delivered additional instructions via IM, emails and one-on-one video calls. As instructed, the employee sent a total of HK$200 million to five local bank accounts.
Several other employees at the same company branch were also contacted by the scammers, the Hong Kong police said, but did not share how those interactions unfolded.
Deepfakes are getting more difficult to spot
AI-generated deepfakes (whether audio or video) are increasingly being leveraged by scammers and other crooks.
They are using artificial intelligence to impersonate family members in distress, impersonate individuals to open bank accounts or make fraudulent purchases in their name, apply for loans, obtain remote IT jobs, and (as in this case) trick executives and employees into transferring company money.
Most people overestimate their deepfake detection skills. This is all new territory, and deepfakes are getting more realistic and more difficult to spot by the day.
“We want to alert the public to these new deception tactics. In the past, we would assume these scams would only involve two people in one-on-one situations, but we can see from this case that fraudsters are able to use AI technology in online meetings, so people must be vigilant even in meetings with lots of participants,” Chan Shun-ching said during a press event.
The Hong Kong Police has advised the public to ask questions during these meetings, ask the participants to move, and confirm requests made during those calls via alternative communication channels.