Finance worker pays out $25M after video call with deepfake CFO

491 points by bsdz, over 1 year ago

28 comments

newhotelowner (over 1 year ago)
A lot of upper midscale hotels in the USA are owned by Indians from India whose last name is Patel.

Pretty much every single hotel gets a call from Mr. Patel at night asking to wire money due to an emergency. A lot of hotel employees fell for it and wire money. These employees even drill open the safe. Some even wire money from their personal account.

This scam is mostly social engineering without any AI/Deepfake. It's going to be a fun time ahead for everyone.

diebeforei485 (over 1 year ago)
I think "power distance" (a cultural thing - both national culture and corporate culture) might play a role here. In some cultures, you do whatever the big boss asks you to do, regardless of procedure.

(Media reporting suggests this can also be true at some US hardware tech companies).

Gustomaximus (over 1 year ago)
> “(In the) multi-person video conference, it turns out that everyone [he saw] was fake,”

This could be totally real, but could it also be one employee saying 'the CFO was on a call' and claiming deepfake to make it an excuse?

I guess it was a matter of time before this occurred. How long before scammers do bulk video calls to parents/grandparents pretending to be the kids saying they are in trouble and need $$$ ASAP.

The even better question is how can this be stopped or reduced, and is there a new business there?

bengalister (over 1 year ago)
In France there had been cases of employees wiring money convinced that they were talking to their CEO/CFO/lawyers over the phone. Many cases were due to a Franco-Israeli gang arrested in 2022/2023 that managed to make at least 38M Euros out of it. They impersonated CEOs without the help of deepfake AI. See https://www.europol.europa.eu/media-press/newsroom/news/franco-israeli-gang-behind-eur-38-million-ceo-fraud-busted

bsdz (over 1 year ago)
“(In the) multi-person video conference, it turns out that everyone [he saw] was fake,”

This sounds like it required quite a bit of preparation, i.e. collecting data for each deep-faked participant including image/voice samples.

If it's reaching this level of sophistication already then I suspect a new participant validation scheme is on its way for sensitive meetings.

saaaaaam (over 1 year ago)
I have no idea how something like this can even happen. In a company of that size it should be actually impossible for a transaction like this to occur without clearly documented processes to ingest, review, authorise and pay transactions.

I have clients where anything over even quite a low set limit (say €10k) requires multi-party authorisation - and it's very common for the person entering payments to be unable to authorise payments. That's just good practice.

A payment should not be able to be queued without a PO number. If the payee is new, the bank details need to be verified by phone. Once approved as a destination account, that payee is set up in banking, and authorised by a finance clerk and someone more senior. At the point a payment is requested the PO and other details should be double checked against what is in the system. If there's a match, then the payment can be queued for authorisation. The person entering payments and the people approving payments should be entirely different - and it should be people, not a single person. When payments are entered, the payments should be reviewed by first authorisation - a finance manager, for example - and once that authorisation is conducted, depending on payment limits, another authorisation or authorisations will be carried out.

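The controls listed in the comment above (PO required, new payee verified by phone and approved by two people, enterer barred from authorising, several distinct approvers above a limit), sketched as an added example that is not part of the thread. All names, the sample data and the exact €10k cut-off for a second approver are assumptions made for illustration.

```python
from dataclasses import dataclass, field

DUAL_APPROVAL_LIMIT = 10_000  # assumption: the comment's "say €10k" limit

@dataclass
class Payee:
    name: str
    phone_verified: bool = False           # bank details confirmed by phone
    approved_by: frozenset = frozenset()   # finance clerk + someone more senior

@dataclass
class Payment:
    po_number: str
    payee: Payee
    amount: int
    entered_by: str
    approvals: list = field(default_factory=list)

def queue_errors(p, purchase_orders):
    """Reasons the payment may not be queued for authorisation at all."""
    errs = []
    po = purchase_orders.get(p.po_number)
    if po is None:
        errs.append("no matching PO")
    elif (po["payee"], po["amount"]) != (p.payee.name, p.amount):
        errs.append("PO details mismatch")
    if not p.payee.phone_verified:
        errs.append("payee bank details not phone-verified")
    if len(p.payee.approved_by) < 2:
        errs.append("payee not approved by two people")
    return errs

def approve(p, approver):
    """Record one authorisation; the enterer and repeat signers are refused."""
    if approver == p.entered_by:
        raise PermissionError("enterer cannot authorise their own payment")
    if approver in p.approvals:
        raise PermissionError("approver has already signed")
    p.approvals.append(approver)

def releasable(p, purchase_orders):
    """True only when every control passes and enough distinct people signed."""
    needed = 2 if p.amount > DUAL_APPROVAL_LIMIT else 1
    return not queue_errors(p, purchase_orders) and len(p.approvals) >= needed

# Constructed sample: an urgent "secret" request with no PO and a new payee.
PURCHASE_ORDERS = {"PO-1001": {"payee": "Acme Ltd", "amount": 250_000}}
urgent = Payment("", Payee("Unknown Co"), 250_000, entered_by="clerk_a")
print(queue_errors(urgent, PURCHASE_ORDERS), releasable(urgent, PURCHASE_ORDERS))
```

The point of encoding the rules this way is that a convincing caller can pressure one person, but cannot supply a matching PO, a verified payee record and two further signatures.
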
evanjrowley (over 1 year ago)
A Boston-based finance worker also sent $6M to scammers back in 2023. Surely some social engineering was involved, but nothing about deepfake was mentioned: https://apnews.com/article/technology-boston-law-enforcement-2e9e3a4a9d9d5e35fd3699741df63dde

Deepfake was used in the 2023 MGM casino breach to convince tech support staff to do things that compromised their MFA.

Now we're seeing a combination of these for significantly higher gains.

willsmith72 (over 1 year ago)
> Initially, the worker suspected it was a phishing email, as it talked of the need for a secret transaction to be carried out. However, the worker put aside his early doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized.

this is the real problem. why oh why, after suspecting an email as phishing, would you then go on to even click ANYTHING, let alone join a video call?

insanity. either stupidity or he's lying about suspecting the email. how many corporate security trainings does it take? this is just about 101. "if asked to do a secret task by a suspicious email, DON'T do it"

frenchman99 (over 1 year ago)
This sounds like bad company processes all around. For a sum this high, you need more than just a video call. Get an email (if the tech team set up DMARC correctly, sending phishing from company-domain is near impossible). Talk through company chat (Slack, Teams, etc). Call a couple high ranking on their cell.

thih9 (over 1 year ago)
What is the chance that a CFO gets in touch with a deepfake specialist and they split the profits? I’m not saying that this is what happened, I’m more focused on future scenarios.

mattmaroon (over 1 year ago)
Just because I am curious, and have not seen any software capable of fooling me in this regard, yet, what would somebody use to do this? Is this an already existing product that can create video representations of people I know so well it would fool me?

mebassett (over 1 year ago)
I have known two publicly traded companies that fell victim to similar sorts of scams (someone impersonating the CFO or CEO over the phone). One was defrauded out of a seven figure sum, the other got lucky and a bank involved stopped the transaction to verify again. I don't know how the first was able to keep it quiet, I only knew because I chatted with the people in question. I suspect that the deepfake angle makes it easier to admit that they were defrauded in this way.

Talking about how something like this can happen in a big company is fun and all, but the scary thing is that it is _so much easier_ to do these sorts of scams with deepfakes. Which means they will be deployed against "softer" targets, like you and me, and your parents and grandparents.

nickdothutton (over 1 year ago)
There really ought to be a stronger sign of confirmed identity in business calls. Something cryptographic. Every single day I end up in business calls randomly scattered across Teams, WhatsApp, FaceTime, Zoom, and a half dozen other systems. Instead we get stupid cartoon avatars and the ability to put a funny backdrop behind us.

noobermin (over 1 year ago)
Many comments are saying how finance companies should do more authentication for large transfers and the common response for that is a few million transferred is routine in that field and authentication of transactions the size of the one quoted in the article would be impractical. The response to that then is if 25M doesn't matter enough to verify in some way then companies shouldn't cry when it's stolen. Then losing a few million here and there which apparently isn't worth authenticating the transfer of is just the cost of business. It's either worth the extra controls or it's like snacks in the rec room, not worth worrying about.

pvaldes (over 1 year ago)
This opens also the possibility to steal money and then pretend that you were fooled by AI impersonating your boss to give you orders that you can't refuse. Sending fake videos of your boss to yourself. Create a smog curtain and give the police a digital hare to chase that does not exist. Wow. Looks like the plot of a new Netflix series.

iamflimflam1 (over 1 year ago)
I would suggest that every CFO agrees some kind of secret challenge response with their staff and other execs.

monkeydust (over 1 year ago)
Was expecting this to happen soon and I guess soon is now. Will Zoom, MS start to compete on participant authentication features they are probably going to add?

makeitdouble (over 1 year ago)
> Chan said the worker had grown suspicious after he received a message that was purportedly from the company’s UK-based chief financial officer.

It wasn't just a fake call, and he had a paper trail of the order... at this point it's pretty hard to prevent this from happening, short of having every order double checked by some other independent entity.

xyst (over 1 year ago)
Honestly, half the time I am interviewing random contractors around the world. I get a feeling they use OpenAI to answer questions. I have thrown out the typical “leet hacker” bullshit questions and rote memorization type stuff. Gone back to simply quizzing them on their own resume, digging into the finer details of what they did. Can’t deep fake experience, yet.

jbirer (over 1 year ago)
Looks like an elaborate embezzling scheme to me.

DoodahMan (over 1 year ago)
i reckon we're going to see this used for pump & dumps too at some point, ala a deepfake of some big pharma exec talking about acquiring some small biotech.

hnta2023 (over 1 year ago)
i'm not sure which i think is more likely:

1) a multiperson zoom of deep fakes fooled the worker
2) the worker was in on it as an inside man and the deep fake story is cover

hinkley (over 1 year ago)
Are we going to have to start using code phrases like in the Renaissance and in popular fiction?

Don’t write a check unless you hear me mention aardvark or Mad King Ludwig.

coding123 (over 1 year ago)
Wouldn't only a CFO have the ability to move 25MM?

RobRivera (over 1 year ago)
I literally thought the title meant a Venture Capitalist, not Video Call smh

CaffeinatedDev (over 1 year ago)
War using AI begins :O

mikkom (over 1 year ago)
VC usually means venture capital(ist) so the title is very confusing.

welder (over 1 year ago)
@dang can you change the title to:

Finance worker pays out $25M after vid call with deepfake CFO

Edit: maybe not zoom