A finance employee at a Hong Kong-based multinational company was recently tricked into transferring $25 million by scammers using a deepfake video of the CFO.
What Happened
- Scammers chose a big company with offices worldwide, knowing it had the money to target.
- They sent the finance worker an invitation for a video meeting.
- Threat actors used deepfake technology to make it look and sound like the CFO and other team members were on the call.
- The fake CFO talked about needing to send money fast for a company emergency.
- Believing the call was real, the finance worker sent 200 million Hong Kong dollars (about $25.6 million USD or $36 million AUD) to a bank account the scammers controlled.
The Hong Kong police have announced the arrest of six individuals linked to these scams. They uncovered the misuse of eight stolen Hong Kong identity cards in an elaborate scheme to apply for loans and open bank accounts. Deepfake technology was also used to bypass facial recognition security measures in over 20 instances.
Deepfake Phishing
Deepfake phishing is an advanced scam technique where fraudsters use artificial intelligence to create highly realistic videos or audio recordings. These fakes can mimic anyone’s appearance or voice, making it seem like you’re hearing from someone you know and trust. It’s a powerful method for tricking people into making financial transactions, sharing confidential information, or even just spreading misinformation.
Why It’s Concerning
- Authenticity – The technology is now so good, it’s hard to tell real from fake.
- Trust Exploited – Scammers leverage your trust in familiar faces to deceive you.
- Accessibility – As deepfake technology becomes more accessible, the frequency and sophistication of scams are increasing.
Preventive Measures
For Individuals:
- Be skeptical of unexpected requests, even from known individuals.
- Verify through known, direct contact methods before acting.
- Stay informed about the latest digital fraud techniques.
For Businesses:
Businesses should consider targeted strategies to specifically address and mitigate the risk of deepfakes and strengthen their identity and access management.
- Conducting Cyber Risk Audits that include the potential for deepfake attacks.
- Enhance security with a managed service covering internet protection, device hardening, malware defence, patching, admin controls, backups, multi-factor authentication, and training, aligned with Essential 8.
