Social Engineering Masterstroke: How Deepfake CFO Duped a Firm out of $25 Million
Check out this one line for a moment… “duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations.”
In a worrying display of social engineering sophistication, a multinational company was defrauded of $25 million through an intricately planned deepfake scam. This scam brilliantly utilized deepfake technology to impersonate the company’s Chief Financial Officer (CFO) during a video conference call, as reported by the Hong Kong police.
The scam unfolded when a finance worker at the company was lured into a video call, believing he was joining several colleagues for a meeting. Hong Kong police disclosed that the supposed colleagues were nothing more than deepfake fabrications. OUCH.
Senior Superintendent Baron Chan Shun-ching shared the details of this elaborate ruse with RTHK, Hong Kong’s public broadcaster. He explained how the finance worker initially harbored suspicions after receiving a message, allegedly from the CFO based in the UK, suggesting a secretive transaction. The message, which initially raised red flags as a potential phishing attempt, was soon overshadowed by the convincing deepfake video call. The presence of familiar faces, recreated with staggering accuracy, led the worker to dismiss his doubts.
Convinced of the authenticity of the meeting, the finance worker was manipulated into transferring 200 million Hong Kong dollars (approximately $25.6 million), as per the instructions given during the call.
This incident is among a growing number of cases where criminals exploit deepfake technology to conduct fraud. Hong Kong police revealed that six individuals were arrested in connection with such scams, highlighting the rising trend of using sophisticated artificial intelligence to deceive and defraud.
Further investigations uncovered that eight stolen Hong Kong identity cards, reported as lost, were utilized to apply for 90 loans and create 54 bank accounts over a three-month period. In an alarming twist, deepfakes were employed in at least 20 instances to fool facial recognition systems, impersonating the identities on the stolen cards.
The fraudulent activity came to light only after the finance worker verified the transaction with the company’s headquarters, exposing the deceit.
This case underscores the urgent need for heightened awareness and advanced security measures. As deepfake tools become more accessible and their applications more sophisticated, the potential for their misuse in social engineering scams is clear. Get your users trained to spot scams like this.