Recently, cybercriminals utilized an AI deepfake to induce a finance department employee at a Hong Kong company to transmit wire transfers valued at HK$200M ($25.6M USD).
Since this incident is still under investigation, the Hong Kong police have redacted a number of details, such as the names of the victim company and employee. However, based upon news reports, here is what we know so far.
The company involved has a multinational presence. The finance employee was initially contacted by someone he thought was the UK-based CFO. We now know that the contact was made illicitly by fraudulent actors. The worker was apparently suspicious of the tenor of the CFO’s email requesting “secret transfers” of funds but still attended a video call with the CFO and other individuals he thought were his colleagues. As it turns out, the only real person on that video call was the victim. The call was, in fact, comprised of computer-generated images using the likeness/images of the CFO and several work colleagues known to the victim.
Based upon his interaction on the video call, the finance employee proceeded to initiate 15 separate wire transfers to five different bank accounts. It was not until a week later, when he followed up to check on the transfers, that he discovered the awful reality — the money was gone.
So how were the thieves able to pull off a seemingly elaborate and well-choreographed scheme such as this? Unfortunately, it’s not as elaborate as you may believe. The AI tools to create deepfakes are widely available. As the technology becomes more sophisticated, it’s going to be increasingly more difficult to discern fantasy from reality.
A deepfake involves an algorithm fed into a computer that allows the machine to “learn.” The algorithm can recreate not only a person’s voice but also inflection and intonation. It can duplicate a person’s mannerisms, making it difficult to discern from an actual video or phone conversation. It does require a source, however. Unfortunately, there is plenty for cybercriminals to harvest from on the internet.
Company Loses Millions on Deepfake Scam
Unlike decades ago, where only celebrities or political figures would have videos, movies or news clips posted online, we’re now a social media society. There are a multitude of social media platforms that contain our images, videos and voice imprints which thieves can potentially cull from. In the subject case, it is believed the scammers may have pulled a publicly available video from a local online newspaper to ultimately duplicate the video call.
If the deepfake technology is only to become more sophisticated, how can companies protect themselves from these ever-evolving scams? The primary focus for cybercriminals is financial gain. It is important that any company, large or small, have a well-developed protocol regarding the review and authorization for financial transactions.
While it may seem antiquated or low-tech, a preset internal series of security questions or passcodes is an excellent way to ensure that information is being provided to the genuine individual. As far as we know, no matter how sophisticated the deepfakes are, the scammers can only duplicate and produce publicly available information. Presumably, they would have no way of providing a confidential set of predetermined security responses or passwords.
Additionally, a callback to a trusted phone number is a good practice to implement. Email correspondence can be spoofed or hijacked, and calling a number on a potentially hijacked email thread can also be unsecure.
Finally, ensure that employees receive consistent cyber training and are taught how to not only spot scams but also the importance of following internal security protocols.
Cyber insurance policies may provide some protection against losses such as the losses in this example. Furthermore, NFP has access to resources we can share with you that will assist you in reviewing cybersecurity protocols and in guiding you through making security enhancements.
In addition, coverage for social engineering/fraudulent instruction losses such as this may be added to a company’s crime policy. When a social engineering/fraudulent transfer incident triggers coverage under the crime and cyber policies, we can assist in securing and maximizing coverage under both.
Significant losses like this one may have a negative impact on a company’s bottom line. Shareholders have sought to hold directors and officers accountable for a perceived failure to adequately assess or address cyber risks the company may face. In those instances, a directors and officers/company securities liability policy may help in defending against such litigation.
Questions? Contact:
Matthew G. Schott
Managing Director
Management, Cyber and Professional Liability
NFP Property & Casualty Services Inc.
P: 856.287.1496 | matthew.schott@nfp.com
Courney Maugé, Esq.
Senior Vice President, Cyber Practice Leader
P: 470.681.7596|courtney.mauge@nfp.com
Rick Cavaliere, Esq.
Senior Vice President, Cyber
P: 708.642.8577|rick.cavaliere@nfp.com
Kevin M. Smith
Senior Vice President, Management and Professional Liability
NFP Property & Casualty Services Inc.
M: 201.314.0801| kevin.m.smith@nfp.com
Jonathan Franznick
SVP, Head of Claims Advocacy
200 Park Ave. | Suite 3202 | New York, NY 10173
P: 212.301.1096 | M: 908.461.1389
jonathan.franznick@nfp.com