Finance worker loses $39m to deepfake scam

How did the deepfake scam happen?

Senior Superintendent Baron Chan Shun-ching of the Hong Kong police detailed the incident. Initially sceptical, the worker dismissed a suspicious email from someone claiming to be the firm’s UK-based chief financial officer – this wasn’t a reckless employee, but instead seems to be a case of a cautious sceptic who was alert to the possibility of phishing.

But the worker’s doubts subsided after the extremely realistic video call.

Tip of the iceberg: malicious deepfakes on the rise

Chan said the ruse was part of a broader pattern of deepfake-assisted frauds.

Hong Kong authorities reported six arrests related to similar scams. Investigations revealed that eight stolen Hong Kong identity cards facilitated 90 loan applications and 54 bank account registrations. Fraudsters used AI-generated deepfakes to deceive facial recognition systems on at least 20 occasions.

The misuse of deepfake technology extends beyond financial deception, with recent incidents – like the sexually suggestive material of Taylor Swift that went viral – highlighting its potential for creating damaging and deceptive content.

Generative AI is ramping up scam attempts

Deepfake videos aren’t the only way scammers leverage generative artificial intelligence (AI). AI is largely acting as an accelerant for existing scam tactics, but it’s also creating brand new threats altogether:

• Voice impersonation scams. New generative AI technology allows malicious actors to recreate a real person’s voice using only a few seconds of audio. This recreation can then be used to swindle targets out of money or information, or potentially bypass voice authentication processes.
• BECs and phishing attacks. Business email compromise (BEC) tactics and phishing messages often rely on well-timed, carefully written emails or text messages to trick targets into making the wrong payment or giving up sensitive information. Large language models (LLMs) help fraudsters craft, test and scale these messages, radically improving the efficiency of common cybercrime tactics.
• Malicious code and new attack strategies. Some LLMs are specifically designed for illicit activity – their creators say they can generate malicious code or even help cybercriminals find new vulnerabilities or devise new attacks.

What can finance leaders do about deepfake threats?

To manage this new risk environment, finance leaders need to think creatively, stay informed and implement technology-driven processes. Crucially, this should involve a combination of solutions rather than relying only on training or financial controls that were designed during a pre-digital era.

Leaders will need to reassess three major areas:

1. Processes. Your control procedures are some of your most critical defences when it comes to scams – whether they’re using old or new tactics. Pressure-testing can help you determine which processes (or people) may be most vulnerable to new AI-assisted scams.
2. People. In the Hong Kong example, it’s clear the employee was aware of phishing risks but trusted a video call that turned out to be fake – if the worker had been trained to scrutinise video authenticity, they might have taken a few extra steps to verify the request, demonstrating the vital importance of staff awareness and training.
3. Technology. Fight fire with fire – cybercriminals will keep leveraging the latest technology to work faster and smarter, so finance leaders will need to do the same. Look for solutions that equip employees with additional information and automate previously manual steps in your control procedures, which can reduce the risk of a human making mistakes. After all, it’s impossible to expect humans to never make mistakes, so technology should be doing some of the heavy lifting.