On Sunday, a report from the South China Morning Post revealed a significant financial loss suffered by a multinational company's Hong Kong office, amounting to HK$200 million (US$25.6 million), due to a sophisticated scam involving deepfake technology. The scam featured a digitally recreated version of the company's chief financial officer, along with other employees, who appeared in a video conference call instructing an employee to transfer funds.
Due to an ongoing investigation, Hong Kong police did not release details of which company was scammed.
Deepfakes utilize AI tools to create highly convincing fake videos or audio recordings, posing significant challenges for individuals and organizations to discern real from fabricated content.
[...] The scam was initially uncovered following a phishing attempt, when an employee in the finance department of the company's Hong Kong branch received what seemed to be a phishing message, purportedly from the company's UK-based chief financial officer, instructing them to execute a secret transaction. Despite initial doubts, the employee was convinced by the presence of the CFO and others in a group video call and proceeded to make 15 transfers totaling HK$200 million to five different Hong Kong bank accounts. The realization of the scam occurred approximately a week later, prompting a police investigation.
[...] Acting senior superintendent Baron Chan Shun-ching of the Hong Kong police emphasized the novelty of this scam, noting that it was the first instance in Hong Kong where victims were deceived in a multi-person video conference setting. He pointed out the scammer's strategy of not engaging directly with the victim beyond requesting a self-introduction, which made the scam more convincing.
Related Stories
[ Editor's Note: We first covered this story here https://soylentnews.org/article.pl?sid=24/02/05/1626236 but this now has some additional information and quietus' own take on it. ]
This one screams for a movie adaptation, but fast.
In February this year, Hong Kong police announced that a major firm had been victim of a successful impersonation attack.
Now the Financial Times has revealed the firm involved was Arup engineering -- builder of, among others, the Sydney Opera Building, the Gherkin in central London, Guangzhou Opera House, and others.
What happened was that an employee in the finance department was invited for a video conference with the CFO and other 'senior officers'. During that video conference, this employee was given the order to funnel a total of $25 million (US) to 5 local bank accounts through 15 transactions, which the employee duly did. After what were quite possibly a couple of sleepless nights, she decided to check with her higher-ups, which (one presumes) resulted in a few heart arrythmias.
Turns out that everybody else on that video conference call was a digital fake.
The current working hypothesis is that the scammer(s) used past online conferences to train AI to digitally recreate a scenario where the CFO ordered money transfers. So that adds public video postings as an additional headache to CIOs, CFOs and just about anyone who has decision power over rather large amounts of money. As if phone and Whatsapp scams aren't already bad enough.
Now, remember: this is news because it hit a big company. But let your schadenfreude not stand in the way of a bitter realisation: the inescapable economic trend is that what was once reserved for the rich, will be made accessible for the ordinary people too.
In a few years time, we'll be looking back with tender nostalgia to those Nigerian princes and their eternal banking problems.
(Score: 3, Interesting) by JoeMerchant on Tuesday February 06 2024, @10:57AM (15 children)
If the CEO and CFO appear to you personally and instruct you to transfer funds against procedure, you should remind them of the procedure, refuse and report the attempted violation to the proper channels, which may include the police and the press if the proper internal channels seem to be non responsive.
The CEO may be your boss, but the shareholders and the regulations the company operates under are his. If this kind of whistle blower action gets you blackballed and n the industry, the industry needs to be taken to task by the regulatory structure.
🌻🌻 [google.com]
(Score: 5, Insightful) by Barenflimski on Tuesday February 06 2024, @12:56PM (5 children)
Simple in concept. Tough in the real world.
This situation would make most people extremely offset, leaving their guard down. Its hard to tell the bosses you don't trust them.
Some formal procedures, and a few exercises to practice and enforce said procedures would go a long way here.
(Score: 4, Interesting) by JoeMerchant on Tuesday February 06 2024, @01:19PM (4 children)
I have definitely worked in places where you would never second-guess the boss...
I have also worked in a few larger and/or more mature organizations where the bosses are constantly training the entire workforce to flag any direction by management that goes against any of the regulations, or ethics training.
Maybe in today's world you can defuse a hothead boss by saying: "I'm sorry, but I don't believe you'd tell me to do something like this, I will need to be sure this video conference isn't being deep-faked before taking action..."
Definitely a couple of steps more advanced than reporting a phish e-mail to IT, but... the world we are living in is starting to demand this. Five years ago it was fake Facebook accounts stealing pictures of your friends and their kids or pets to convince you to "friend" the fake account. No surprise that convincing live video is possible when millions of dollars are at stake.
🌻🌻 [google.com]
(Score: 4, Informative) by Barenflimski on Tuesday February 06 2024, @03:39PM (3 children)
I've seen big companies do it right. I've seen big companies do it wrong. I've seen little companies do it right. I've seen little companies do it wrong.
I've seen companies that have training up and down, left and right. They leave training and nothing changes.
After my career, I'm tempted to just keep my mouth shut unless it somehow directly affects me. Speaking up rarely got me anywhere.
(Score: 2) by JoeMerchant on Tuesday February 06 2024, @05:33PM (2 children)
>I'm tempted to just keep my mouth shut unless it somehow directly affects me.
I agree. I got into one incident about 20 years back where it did directly fall on me to "make things right" with finance when a manager in another department ignored all the rules...
If you're on the spot being asked to transfer funds without "proper channels" authorization, that's directly affecting you - and likely to bite you sooner or later.
🌻🌻 [google.com]
(Score: 3, Insightful) by Barenflimski on Tuesday February 06 2024, @09:25PM (1 child)
Damned if you do. Damned if you don't.
(Score: 2) by JoeMerchant on Tuesday February 06 2024, @10:38PM
When this guy started repeating "it's better to ask forgiveness than permission" we knew something wasn't right on his end.
I don't think I've ever known any other corporate drone who got demoted for bad behavior. If I recall correctly, he was "Senior Manager" and as a result of his - not yet exposed as bad behavior - activities he was promoted to Director. Then the dirt came out, we cleaned it up for him as best we could, and a general 10% RIF went around for other reasons and instead of being laid off he was demoted two notches to "Manager" in connection with the RIF, but those of us who had to scramble to come up with $80K budget to cover his mess know...
🌻🌻 [google.com]
(Score: 5, Informative) by Opportunist on Tuesday February 06 2024, @01:59PM (8 children)
Great idea. Lemme see how this pans out...
CEO: Transfer $large_sum to $completely_unfamiliar_account.
Worker: Sorry, that's against procedure.
CEO: You're fired.
Worker: Board? The CEO fired me because I followed procedures, could you...
(*sound of crickets*)
(Score: 1, Interesting) by Anonymous Coward on Tuesday February 06 2024, @03:24PM (7 children)
ftfy version(?) in any sane public company (privately held companies may be another story)--
CEO: Transfer $large_sum to $completely_unfamiliar_account.
Worker: OK, procedure is for me to call/email you back using your known internal phone/email address and confirm this in writing.
Case study--
When the small company I worked for contracted to work with General Motors engineering, c. 1980, we worked under a "blanket" PO. This basically pre-allocated a sum of money that we could invoice against, with only a general indication of our areas of expertise and qualifications.
To allocate those funds, many of the GM engineers and others low on the pecking order had purchasing power with minimal or no oversight. These GM employees were all instructed to use a simple form called an "AVO" to request and define work tasks. In practice it was a 4 x 6 inch pad, of pink sheets set up to make two carbon copies. It had the heading Avoid Verbal Orders. Iirc, it also had a sequential number and lines for the date, requestor, contractor and work description. One of the carbon copies went to purchasing and it was their job to track the spending, as a service to the engineers.
From our perspective this worked remarkably well, the engineers that needed something done quickly could issue orders (within their pre-determined spending limit) and once we hashed out what they wanted they could get us started on a task in a minute or two. This avoided all sorts of delays related to going back to the purchasing department for quotes, authorization, etc., and really sped up any development process. At the same time, it avoided the perennial problem of verbal orders gone wrong--"He told me to do it" leading to a big invoice and lots of finger pointing.
(Score: 3, Touché) by Opportunist on Tuesday February 06 2024, @04:47PM (1 child)
So you want to add "lecturing the CEO" to the list of things he'll fire you for?
Please detach yourself from the idea that you're dealing with someone who gives a fuck about any processes, especially not ones that he himself created. They are for you. Not him.
(Score: 2) by JoeMerchant on Tuesday February 06 2024, @05:31PM
Well, you don't actually appeal to the board, if it's a publicly traded company you can appeal to the SEC and a number of other regulators...
I worked at a place where one of the managers played fast and loose with getting pre-approval for about $80K of spending... we found the money in another department after the fact and smoothed over the event, but apparently if that got out we could have been in significant hot water for not following our funds allocation (and accounting) procedures, accruing debt "off the books" for a number of quarters, etc.
🌻🌻 [google.com]
(Score: 4, Touché) by vux984 on Tuesday February 06 2024, @10:22PM (4 children)
"CEO: Transfer $large_sum to $completely_unfamiliar_account.
Worker: OK, procedure is for me to call/email you back using your known internal phone/email address and confirm this in writing."
Suppose this was on a teams chat/conference? Then the CEOs office 365 account is plausibly compromised.
Then a verification procedure using his corporate email -- is also plausibly compromised and redirected to the hacker.
And if the organization has integrated teams into their phone system, then the known internal phone is plausibly compromised and redirected to the hacker too.
(Score: 2) by cereal_burpist on Thursday February 08 2024, @03:24AM (3 children)
True. But emails should (at least) be digitally signed with a smartcard/etc, and (ideally) encrypted with a smartcard. The hackers could reply with the CEO's compromised account, but without having his smartcard the email would be flagged as unsigned.
I don't have experience with MS 365, so maybe it doesn't support these security features. Knowing how Microsoft treats security...
(Score: 2) by vux984 on Thursday February 08 2024, @11:21PM (2 children)
I guess, that perhaps that will help the less than 0.1% of organizations using smart cards for email encryption.
"Knowing how Microsoft treats security..."
Pretty much nobody treats it right. And even smartcards have issues... the two most common are people losing them or them failing; and with all the remote work going on, unless you just put people on vacation until you can get them re-provisioned, there are almost inevitably processes to work without them.
I have a client using smartcards for access to an app, and there is a dedicated help desk in place to give 1 day at a time exceptions to people who forgot it/lost it/or are just having technical trouble with it, because what is the realistic alternative? Every day a few people in the organization just can't do any work? That's not going to fly.
(Score: 2) by cereal_burpist on Friday February 09 2024, @05:50AM (1 child)
It works for the U.S. Dept of Defense (military personnel, federal employees, and contractors). Whether you're a Private or a Colonel, if you lose your CAC you can't even log in. And (in some cases), you can't enter your building or secure area.
Yes, it's not perfect. But knowing the consequences makes people treat their tokens as they treat their smartphone/wallet/keys: Losing or forgetting them means you're going to have a bad day or two.
(Score: 2) by vux984 on Friday February 09 2024, @06:57PM
Sure, it works for the Department of Defense, and for them enduring the inconvenience of that level of enhanced security is deemed worth it (and it's a reasonable conclusion).
But the calculus on what is reasonable is simply NOT going to be the same at an amazon fulfillment centre, or a burger king, or shoe store, or a gym, or meat packer, residential and commercial HVAC services provider, a Staples, chain of pet groomers, etc...