A finance worker at a multinational firm was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call, according to Hong Kong police.
The elaborate scam saw the worker duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations, Hong Kong police said at a briefing on Friday.
“(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK.
Chan said the worker had grown suspicious after he received a message that was purportedly from the company’s UK-based chief financial officer. Initially, the worker suspected it was a phishing email, as it talked of the need for a secret transaction to be carried out.
However, the worker put aside his early doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized, Chan said.
Damn, that’s a pretty intricate scam,though. The deep fake part is bullshit, but I mean knowing who all to have on call and what to say.
Must have been an insider or ex employee.
At some point someone’s going to train an LLM on material from successful scams to generate new scams, then wire the money to server farms to run more copies of itself.
Can’t wait for self-replicating scam bots
Maybe they’ll finally try to sell me an extended warranty on a car I actually own.
Thats an ingenious idea…
This story sounds suss, but I want it to be true because
Oh thats a good social engineer, nice
The worker mysteriously quit his job after a few days to go live on a tropical island. He was last heard as saying “Yeah the boss totally told me to transfer the money to this account, that AI is so lifelike”.
Ohhhh, that’s why I have to take those monthly security training quizzes, lol. I haven’t seen one on AI deepfakes though, I’m sure they’re coming.
Perhaps it should be a company policy that any demand to pay by phone/text/video conf must be authenticated by the office worker hanging up and calling the appropriate company officer on a non-published phone number. The workers immediate supervisor should also be involved in anything out of the ordinary. With a well known policy that calling the company officer will never result in any trouble for the office worker.
The scam involving the fake CFO was only discovered when the employee later checked with the corporation’s head office.
A surprise teleconference resulting in the transfer of $25 million dollars? You can bet your ass I’m going to verify that transaction by calling the CFO on his direct line before any money is sent.
You aren’t your run of the mill AP clerk I’m afraid
I’m surprised there was no further validation or approval for that kind of money beyond “find the right person and socially engineer them.”
