Years of security awareness training have prepared you to spot red flags when they land in your inbox. Misspelled URL? Phishing! Urgent ask? Not good! Suspicious attachments? Alert IT!
But what if your CFO and colleagues on a video call told you the message was legitimate, despite the warning signs?
A recent phishing scam played out just like this, except the call was made up of convincing deepfake versions of the victim’s colleagues. The employee — persuaded that the request was real after coming face-to-face with the CFO — transferred about $25.6 million to 5 different (threat actor-controlled) bank accounts.
In this blog post, we’ll explore what happened, share how you can prevent it, and hopefully convince you that, yes, you’ll be able to trust again (within reason).
In mid-January, scammers sent a phishing email to three finance employees at a multinational company. The initial email, seemingly sent from the company’s UK-based CFO, referenced a confidential transaction. One of the employees, despite initial doubts, agreed to attend a video conference to discuss the details.
The employee joined the call to find familiar colleagues, several outsiders, and the CFO in attendance. Not a single person present, aside from the victim, was the real person. The employee reported to police that the deepfakes looked and sounded authentic. Note: It’s believed that these deepfakes were constructed using publicly available video and audio.
The employee was asked to do a self-introduction, but never directly interacted with any of the deepfakes during the call. The scammers gave the employee orders from a script and moved on to the next phase of the attack.
The scammers kept in touch via instant messaging, emails, and more one-on-one video conferences with deep-fakes. These provided detailed instructions to facilitate the theft and applied further pressure to the victim. Over the course of 15 different transactions, the employee sent a total sum of $200 million Hong Kong dollars (about $25.6 million USD).
The rise of deepfakes is a legitimate concern. A study published in the Journal of Cybersecurity found that participants could only differentiate between AI-generated and human faces with 62% accuracy. The New York Times reported on a new trend of deepfake voice calls targeting bank accounts and credit card companies, which is expected to only get more severe as AI technology advances.
It’s totally reasonable to be concerned about the role deepfakes will play in cybersecurity, but the basics of phishing attacks are still here, too. In the case we detailed above, the use of AI steals the show. However, it’s the tried-and-true behavior of a scammer — persistence — that resulted in over $25 million in gains.
Threat actors did everything possible to apply pressure on the individual to transfer the funds even after the deepfake conference call, and this continued sense of urgency ultimately led to a breakdown of existing security protocols. The social in social engineering is still the crucial aspect of phishing attempts — deepfake technology is just another tool. That’s why we believe that much of the existing advice to prevent scams still applies even in this brave new world, as we’ll discuss below.
While deepfakes are new, scammers' overall strategy for phishing attacks hasn’t changed much. Apply pressure, create urgency, and ultimately, convince someone to transfer funds. To protect themselves, businesses should apply most of the same procedures and controls that we already recommend for all kinds of social engineering. The emphasis is even stronger on the basics of sound security controls and processes.
The finance employee reported a “moment of doubt” but went forward with transferring funds after the threat actor’s continued persistence and a convincing conference call. However, if the employee trusted their gut at that moment and reported the initial suspicious email to their security team, the other phished employees could have been an early warning sign that something not quite right was happening. In these types of situations, it’s okay to slow down and ask for a second opinion.
Always use a known method of contact with the individual to verify the legitimacy of a transaction. Even if you think you already spoke to the CFO — in a call or video conference — use an established phone number or separate communication channel to confirm.
When it comes to high-dollar wire transfers, play it extra safe. New technologies are emerging that can add additional phishing-resistant verification of a user’s identity. The same technologies that we love about passkeys can be used to verify the authenticity of a CFO asking to perform a wire transfer. These biometric and ID verification checks will help reduce the chance of human error.
Empower employees to ask for additional validation! If they feel that in doing so, they are stepping out of line or pushing back, they might avoid taking the extra steps. But if the C-Suite is clear that they want their employees to be as cautious and proactive as possible, employees will be more likely to verify transaction requests.