‘New deception tactics’ | Employee costs company $25 million after scam call with deepfaked CFO

Employee costs company $25 million after scam call with deepfaked CFO

An employee at a global organization paid scammers $25 million following a meeting with the company’s Chief Financial Officer (CFO) and other colleagues that turned out to be entirely deepfaked.

The worker is based in Hong Kong and works for the company’s finance department.

They joined a video call after receiving a message from a scammer posing as the company’s London-based CFO, they joined a video call.

Initially, the employee was concerned that the CFO’s behavior appeared to be out of character, reports the South China Morning Post. Their concerns were eased when several other colleagues whom they recognized joined the call.

Looking for more

Despite not taking part in the meeting conversation, they received several orders from the deepfaked CFO to make a series of money transfers. After the call ended, the victim of the scam then made 15 transactions into five local bank accounts, totaling HK$200 million or around $25 million.

Baron Chan Shun-ching, Acting Superintendent of the Hong Kong Police Force stated the deepfake was created using publicly available audio and video.  "I believe the fraudster downloaded videos in advance and then used artificial intelligence to add fake voices to use in the video conference," he reports.

The employee realized he was the victim of this elaborate scam after he went on to contact the head office of the as-yet-nameless corporation.

According to the South China Morning Post, the police are yet to make an arrest, but investigations are ongoing. The police have previously made six arrests in connection with other such scams.

‘New deception tactics’ prompts greater discussion about deepfakes

The scam lasted a week before the victim raised any concerns to the head office. But the employee, argues Chan, was dealing with a new type of scam.

"We want to alert the public to these new deception tactics,” he says.

AI-enabled audio deepfake scams have been threatening organizations for several years. In 2019, the CEO of a British energy company paid a scammer £200,000 following a fake audio call with someone he believed to be his boss.

In 2021, another employee based in Hong Kong but working for a global company authorized the transfer of $35 million after speaking to a director whose voice had been cloned.

This latest high-profile case represents a development in the sophistication of deepfake scams for employers to be aware of. “In the past, we would assume these scams would only involve two people in one-on-one situations, but we can see from this case that fraudsters are able to use AI technology in online meetings, so people must be vigilant even in meetings with lots of participants," says Chan.

The police shared that they have investigated 20 cases of AI-enabled deepfakes and offered advice to employees and employers.

The advice included encouraging workers to regularly check and confirm details through the company’s standard communication channels, and to ask specific questions during video calls to determine whether the participants are real or who they claim to be.

There have been calls for greater legislation on deepfake videos in recent months after music star Taylor Swift was the victim of deepfake pornography which went viral on social media before being removed by platforms such as X and Telegram. A bipartisan bill from a group of US Senators was introduced on Tuesday that proposes to criminalize the creation of nonconsensual AI-generated sexually explicit images.

Fears have also arisen that deepfake technology will be used to impact the forthcoming U.S. election. In January 2024, a fake robocall impersonating Joe Biden encouraged voters in New Hampshire not to vote in a primary.

The Swift, Biden, and Hong Kong employee cases indicate that deepfake technology is both becoming more sophisticated and more mainstream in its use.

The Human Resources Professionals Association (HRPA) is among those to have released guidance to employers in the past year, writing that “as deepfake technology becomes more sophisticated and available to cybercriminals, businesses will be more at risk of fraudulent financial transactions.”

You are currently previewing this article.

This is the last preview available to you for 30 days.

To access more news, features, columns and opinions every day, create a free myGrapevine account.