Summary:
Scammers allegedly stole $25.5 million from a multinational company in Hong Kong by using a deepfake video call to deceive an employee into transferring the funds. The employee apparently attended a video conference call with deepfake recreations of the company’s chief financial officer and other employees who instructed him to transfer the funds.

The news was reported by The South China Morning Post, however the local authorities did not name the company. “Everyone present on the video calls except the victim was a fake representation of real people. The scammers applied deepfake technology to turn publicly available video and other footage into convincing versions of the meeting’s participants.” reads the post published by The South China Morning Post.

Security Officer Comments:
The scammers were able to find publicly available footage of the company’s employees and used it to create deepfake versions of the participants during the meeting. They then sent emails to the finance department urging the employee to participate in a video call with the UK-based CFO to receive instructions for the transaction to be performed. The employee executed the money transfers during the meeting and transferred around HK$200 million to five bank accounts, with 15 transactions.

The employee discovered the scam a week later and notified the company and local authorities.

“Hong Kong police senior superintendent Baron Chan said that during the video call, the employee was asked to do a self-introduction, but did not interact with anyone else.” reported the website The Star. “The “fake” colleagues gave orders to the victim, and the meeting ended abruptly after, added Chan.”

The police revealed that the scammers also targeted other employees of the company with the same technique, but the attempts failed.

The investigation is still ongoing, the police have yet to identify the gang behind the scam

Suggested Corrections:
We have heard reports of scammers using audio clips from voice mail messages to mimic C-Suite employees in social engineering attacks. This latest report shows a concerning level of sophistication and a concerning new attack vector for businesses to defend against.

Perhaps having a chain of command to approve transactions and additional verification procedures could have prevented this attack. Organizations globally will need to more heavily scrutinize requests from employees and supervisors, and employ additional mitigation procedures to accommodate these emerging technologies.

Link(s):
https://securityaffairs.com/158651/cyber-crime/cyber-heist-with-deepfake-tech.html