Deep Fake Scams Growing in Global Frequency and Sophistication, Victim Warns (cnn.com)
In an elaborate scam in January, "a finance worker, was duped into attending a video call with people he believed were the chief financial officer and other members of staff," remembers CNN. But Hong Kong police later said that all of them turned out to be deepfake re-creations which duped the employee into transferring $25 million.
According to police, the worker had initially suspected he had received a phishing email from the company's UK office, as it specified the need for a secret transaction to be carried out. However, the worker put aside his doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized.
Now the targeted company has been revealed: a major engineering consulting firm, with 18,500 employees across 34 offices: A spokesperson for London-based Arup told CNN on Friday that it notified Hong Kong police in January about the fraud incident, and confirmed that fake voices and images were used. "Unfortunately, we can't go into details at this stage as the incident is still the subject of an ongoing investigation. However, we can confirm that fake voices and images were used," the spokesperson said in an emailed statement. "Our financial stability and business operations were not affected and none of our internal systems were compromised," the person added...
Authorities around the world are growing increasingly concerned about the sophistication of deepfake technology and the nefarious uses it can be put to. In an internal memo seen by CNN, Arup's East Asia regional chairman, Michael Kwok, said the "frequency and sophistication of these attacks are rapidly increasing globally, and we all have a duty to stay informed and alert about how to spot different techniques used by scammers."
The company's global CIO emailed CNN this statement. "Like many other businesses around the globe, our operations are subject to regular attacks, including invoice fraud, phishing scams, WhatsApp voice spoofing, and deepfakes.
"What we have seen is that the number and sophistication of these attacks has been rising sharply in recent months."
Slashdot reader st33ld13hl adds that in a world of Deep Fakes, insurance company USAA is now asking its customers to authenticate with voice. (More information here.)
Thanks to Slashdot reader quonset for sharing the news.
Re: (Score:2)
I'm not sure ending Work From Home would have any effect on a guy in Hong Kong thinking he's speaking with senior management in England.
Seriously, people ... (Score:3)
... just do somewhat competent fact checking and identity checking. It is not hard. Oh well. Yes, I know, many of you cannot even do simple things competently. Might have to do with the fact that you all think you are pretty smart without actual evidence to that effect.
Re: (Score:2)
Yes. That is the one thing that really helps. Technology cannot solve this problem at this time.
Some time ago I did a small emergency consulting job where somebody tried the "Boss Email" scam. My advice was to call somebody on the other side you know to verify, and then spend a few minutes or so in smalltalk to verify it is actually them. Obviously that only works with a personal connection. That time it got caught by a smart administrative assistant, but it was pretty well done with the criminals reading e
Re: (Score:2)
That costs time, money, and human resources. Something that "AI" can't do, but companies desperately want to do.
The easiest counter-measure to deep fakes right now is to simply do all video chats in 4K. Because deepfakes can only produce 512x512 video on high end consumer GPUs. To fake the video and the audio requires TWO, and to do it in real time requires a THIRD.
Your average scammer is not going to have $15,000 to build a workstation just to defraud grandmas out of $100 a pop. Big businesses targets are
Re: (Score:2)
AI deepfakes are easily defeated if you just think about it.
If you are somewhat smart and somewhat educated and use both those smarts and that education, yes. The problem is that most people go through life essentially on autopilot and while living mostly in a fantasy world they made up. Just look at, say, ye old multilevel marketing scam (a.k.a. pyramid scheme): You can explain how these work to a smart kid and then they will not fall for it. But whenever anybody makes one, tons of people fall for it, time and again. Sadly, things a smart person can "easily" do are
Authenticate with voice (Score:3, Insightful)
Am I missing something here? Because in a world of deepfakes this makes no sense.
Re:Authenticate with voice (Score:4, Insightful)
I think that's exactly the point. How can USAA guarantee it is secure?
They state in their webpage that "Voice ID has features that defend against artificially generated voices."
I guess we'll se about that.
Re: (Score:2)
Just correcting: "we'll see about that"
Welcome to the age of (Score:2)
you can't believe anything anymore.
Social engineering to the tune of $25M?? (Score:4)
However good the fake videos and voices in that call, if I was in charge of that much money, you'd better send me solid written evidence and proof that the bank account number is legit before I authorize a $25M transfer.
Re:Social engineering to the tune of $25M?? (Score:5, Interesting)
However good the fake videos and voices in that call, if I was in charge of that much money, you'd better send me solid written evidence and proof that the bank account number is legit before I authorize a $25M transfer.
It wasn't a single transfer. The criminals were smart enough to spread it out over 15 different transactions. The link to the CNN article is mangled, so here is the correct link [cnn.com].
Also, as the article relates, the criminals, impersonating the CFO and other higher ups from the UK, told the guy this was a secret issue. While it's easy for us to say I want something in writing, when you're on the other side of the world believing you are talking to one of the people who run the company and who no doubt has control over job prospects, AND you're from Hong Kong where conformity is prized, you do what you're told. Yes, additional checks should have been made, but it's always hindsight to say what should have been done when it seems to reasonable after the fact.
Re: (Score:2)
Yes, additional checks should have been made, but it's always hindsight to say what should have been done when it seems to reasonable after the fact.
Hindsight is exactly the problem here. There should have been a policy in place for how to handle a request like this, and since there is no legitimate reason for that level of secrecy then following that policy should have prevented it.
Re: (Score:2)
and since there is no legitimate reason for that level of secrecy
Wasn't there? How do you know? The CFO and other executives said there was. Who are you to question them?
Again, we can say in hindsight questions should have been asked and confirmation done, but that's because we have all the pieces. If you're only given one piece you are in the dark.
Re: (Score:3)
If you're only given one piece you are in the dark.
If you're not given a clear policy to follow that prevents this from happening then your leadership is a pack of incompetents.
This is the same thing I already said, of course, but I'm hoping that by rewording it I find words which are within your vocabulary.
Re:Social engineering to the tune of $25M?? (Score:5, Insightful)
Hindsight is exactly the problem here.
I'm sorry but that's just not true.
You can't get me to spend $10,000 simply by getting me on a video call and telling me it's super secret, even if it's the CEO and I have absolute proof that it's him. He'll have to sign me a paper, and he'll have to give me an account number that's either in our list of approved accounts.
It's not cultural differences, it's plain common sense: if I'm fired for refusing to pay something someone legit requested me to pay, I can drag my former employer to court for unfair dismissal - whereas if I'm social-engineered into paying crooks, I'm responsible and I can be dragged to court.
Besides, even if 15 totally legit officers ask me to do dodgy payments, it may very well be that all 15 officers are up to no good. It's my duty to refuse what they ask if it doesn't pass the sniff test.
I might have a hard time saying no to higher-ranking employees socially, but I won't say yes. As I said, ultimately, I believe the company wants me to be a barrier against fraud, and my work duty is to the company, not its officers. And a judge will side with me on that one if it comes to that.
Re: (Score:2)
you'd better send me solid written evidence and proof that the bank account number is legit before I authorize a $25M transfer.
CEO: You better start seeking another job, boy, because you're FIRED!