Scammer Poses As CFO in Deepfaked Meeting On Zoom, Steals $25 Million

Slashdot reader Press2ToContinue shared this report from WION: : The Hong Kong branch of a multinational company has lost $25.6 million after a scammer used deepfake technology to pose as the firm's chief financial officer (CFO) in a video conference call and ordered money transfers, according to the police, in what is being highlighted as first of its kind cases in the city.

The transaction was ordered during a meeting where it was found that everyone present on the video call except the victim were deepfakes of real people, said the Hong Kong police, on Friday (Feb 2)...

Scammers in this case used deepfake technology to turn publicly available video and other footage of staff members into convincing meeting participants.

Re:Just Give Up

[Opportunist]

Maybe you shouldn't work in a C-Level position, then.

Everyone else can work from home, it's not like they can cause a multi-million scam to work if they do. But get the C-Levels back to their offices. That way the all important shareholder value can be kept up by keeping the offices relevant without weighing down people who actually have to do work.

So crappy processes?

[gweihir]

With no second sign-off and the first one either on paper in person or certified by a second person or verified with a call-back on the phone? That is just incredibly dysfunctional. Not saying you need this process for small stuff like $1000, but for $25M? Seriously?

Re:So crappy processes?

[93 Escort Wagon]

They're not even identifying the company involved. How much you wanna bet it's some crypto firm?

Re:So crappy processes?

[gweihir]

Did not even think of that. I sort-of do not regard these as real companies and more like criminal enterprises. You are spot-on, of course.

Re:So crappy processes?

[93 Escort Wagon]

It'll be funny if I'm totally off-base and it turns out to be someone like Barclays...

Re:So crappy processes?

[fahrbot-bot]

They're not even identifying the company involved. How much you wanna bet it's some crypto firm?

If the Universe had a sense of irony, the company would be Zoom. :-)

Re:

[fahrbot-bot]

They're not even identifying the company involved. How much you wanna bet it's some crypto firm?

If the Universe had a sense of irony, the company would be Zoom. :-)

Or... a company that makes deepfake software. :-)

Re:

[quonset]

They're not even identifying the company involved. How much you wanna bet it's some crypto firm?

The Chinese absolutely do not want to identify the firm because that would mean losing face. Even though it's a multinational firm, the crime took place in Hong Kong.

They have enough problems with their plunging stock market [cnn.com]. The last thing they want is for these large companies to lose confidence and start withdrawing business.

Re:

[Neuroelectronic]

I'm sure a big part of the problem is all Chinese look the same. Imagine how much worse this problem gets with deep fakes.

Re:

[Anonymous Coward]

I am sure you are just joking but many rednecks do think that way. Chinese no more look the same than white Americans. It is just the experience of the observer.

Re:

[phyrz]

I mean that's not entirely true. White Americans have various hair and eye colors that don't exist in Chinese populations. Also a wider range of complexions. Objectively theres a larger range. Subjectively Chinese people are probably more finely attuned to the differences that do exist.

Re:

[Anonymous Coward]

it actually is true. Most western cultures are simply Attuned to focusing on different attributes, To Japanese and Chinese most Americans look the same too as in reality there is very little variety in hair color and most people don't use eye color as a primary attribute.

Re:

[AmiMoJo]

Chinese people have a very wide range of complexions too. Some are almost white, some are more yellow, and some are darker than many people of African descent. Remember that China alone is huge, with a large variety of climates.

Hair and eye colour is certainly true.

Re:

[vbdasc]

"Sum Ting Wong" - level racist, congratulations. And almost as funny.

Pig Butcher

[echo123]

According to this Darknet Diaries podcast episode [darknetdiaries.com], Pig Butchering is the highest grossing cyber crime for the last few years. The interviewed guest elaborates on this industry, and such techniques.

Honestly, I didn't think it was possible to pull off the level of deepfake as described in this particular crime (TFA). Now we know where the bar is, and the bar is quite low in terms of skillz and resources it seems. I thought a live video call would expose a Pig Butcher. After listening to the podcast I thought the best a Pig Butcher (with a bad English/accent) could manage technically was to send the victim deepfaked video recorded messages from an app like Signal, (and just using Signal implies a certain degree of trust). One of the common excuses for using such recorded video messages instead of something live, is very low bandwidth or shaky internet, like when traveling between airports.

The Pig Butcher always involved earning trust of the Pig, over time, then taking all the assets and disappearing. Incredibly, the podcast episode describes how one skilled IT expert lost tens of thousands of dollars, (hated himself for it), then used the same techniques on the Pig Butcher to get all his money back.

Re:

[echo123]

This morning NBC News did a report on a much more common form of Pig Butchering [invidious.private.coffee]: dating scams. People get taken for millions, their entire 401ks all the time.

Re:So crappy processes?

[fuzzyfuzzyfungus]

That's what amazes me.

Maybe I'm just old; but "Signature Authority List" is supposed to mean what it says(possibly blue pen if you really are old; cryptographic if you aren't); it doesn't mean "verbal authorization in a video chat that may or may not even be being recorded somewhere with retention policies set".

I'd be more sympathetic if this were one of the low-value ones where someone impersonates the CEO and tells a random executive assistant or other fairly low-on-the-food-chain employee to make a relatively petty cash transfer to the scammers: you have to feel bad for the person who doesn't want to hassle the big boss, even if they have doubts; but someone with approval authority in the multiple millions is someone whose job description(implicitly or explicitly) is to be slightly prickly about actually approving things.

Re:

[gweihir]

Exactly. Some form of hard to attack transaction confirmation scheme. Can even be an administrative assistant or two just confirming the order came from the right person or the like and having verified that personally. Add someone in accounting verifying there is actually a valid business relationship and the account numbers are correct. The point is, there needs to be some complexity level in the interaction needed to trigger this and several people should know each other and there should be documentation

Re:

[Opportunist]

Most likely the same reason CEO-frauds still work. Aka "how DARE you question my authoratahh, I told you to do it, now dance monkey!" when some underling dares to ask whether the outlandish request really came from the boss. Logical consequence: Next time they will do the most harebrained transaction without asking twice.

It pays to have a CISO with some balls who told the local fiefdom chieftains of our banks (read: the regional bank managers) that their pride takes a backseat when it comes to security and

Re:

[gweihir]

I have actually only ever analyzed two cases personally, one successful (supplier in Asia, time-pressure from customer and some cultural misunderstandings and the volume was not in any way a real financial problem for them - still shook them pretty bad) and one failed because a smart administrative assistant noticed the crappy english and crappy French and escalated. That one would have probably gotten caught later as well.

What I have not yet seen is bosses that got angry when somebody wanted a second-chann

Re:

[Opportunist]

I had to deal with a few such cases. I guess they happen more often with banks.

People here are trained to ONLY respond to requests that come from verified internal accounts. Of course the scammers try to pretend something along the lines of "this is my private account because I'm on vacation", and that actually happened once and the target of the scam rightfully refused to cooperate and, also according to protocol, sent the reply to the internal (genuine) account of the bank manager with the request to veri

Re:

[tlhIngan]

With no second sign-off and the first one either on paper in person or certified by a second person or verified with a call-back on the phone? That is just incredibly dysfunctional. Not saying you need this process for small stuff like $1000, but for $25M? Seriously?

Or even a simple paper trail email,even.

I mean, someone can make a call via Zoom and that's it? You would think you would want more than that. You would want a recording of the call and preferably an email about it to confirm the details (did yo

Re:

[gweihir]

Indeed. And also, a single person can transfer $25M? What if somebody threatens their loved ones or does some kidnapping or something else?

Good.

[Gravis Zero]

I'm all for companies being destroyed by their own executives being unwilling to invest is good security. Consider it an evolutionary fitness test.

Re:Good.

[PoopMelon]

No matter how strong your security is, social engineering will always be the biggest threat

Re:

[sinkskinkshrieks]

Agreed. The key is not to hire people who lack either critical thinking skills or a sense of humor.

Re:

[dargaud]

Yeah, but maybe you'll change your tune when it's your parents receiving a video call from 'you' and saying you need a loan to buy the house of your dreams, or bail money to get out of a nigerian jail (yeah, you went there on vacation, remember?). It's gonna get nasty.

vTubers

[ThunderBird89]

Ever since vTuber tech appeared a few years ago, I've been waiting for something like this to happen. The ability to do real-time motion mapping with a moderately-powerful laptop onto a custom 3D model was just begging to be souped up with image generation and real-time voice modification and used for nefarious purposes.

Re:

[sg_oneill]

Yep, and theres a good chance the criminals knew they where going to spend a bunch of mil on this and spent some decent cash on extensively training one of the deepfake models to create an essentially flawless model.

Usually deepfakes fail the uncanny valley test fail the uncanney-valley test but those tend to be trained on maybe $10-$20 worth of compute time. But for a crime like this, someone could easily spend $10K to create something virtually indistinguishable and it'd be almost impossible to tell.

The N

Re:

[Alcari]

On top of that, there's a lot of quality you can compensate with crappy video. If your "CFO" is one guy sitting mostly still in front of a pinhole laptop webcam, or is 1% of the screen at a giant meeting table, that compensates for a whole lot of poor training in your model.

Re:

[Bob_Who]

Yep, Things are about to get weird.

I can't wait until we hear about an Army of deepfake "Benghazi s" marching down the streets of Iowa and Mississippi in order to lure all the children with pizza (chuck e cheese attack) in a a fleet of Godless and gas-less deep fake Tesla loaded with abortion pills laced with fentanyl and Lib-Tard Zombie repellent.

Re:

[ThunderBird89]

Exactly. If you know you're going to order a cool 25 million transferred, 1-5-10 thousand dollars of CPU time is very good investment by anyone backing you.

I'm calling it:

[greytree]

An inside job, AI wasn't important, employee just needed something to put off the investigators.

My wife and I have arranged a sign/countersign

[Beryllium Sphere(tm)]

If I get a call with her voice saying she's lost her passport and wallet and needs me to wire money, we have a solid way to authenticate.

Plot twist

[sinkskinkshrieks]

It was taken to fund a Netflix special with the same plot as the real life theft.

Surely this is an inside job

[BrookSmith]

Surely this is an inside job for them to know internal personnel and processes.