My hacker story occurred not too long ago at the Hong Kong office of an undisclosed multinational corporation. The hackers pulled off a first-of-its-kind scam that leveraged a phishing email as the initial attack vector followed by a deepfake video call.
In this instance, there was enough information to establish a perceived authority for a finance worker who transferred a total of HK$200 million in 15 transactions to five different Hong Kong bank accounts until the scam was detected.
Watch the full video here:
The Hong Kong police reported that the initial phishing email had led to an online meeting about urgent financial transactions. The scammers had carefully crafted a conversation between multiple senior individuals of the corporation, including the CFO.
The only real person who dialed into that meeting, though, was the finance worker, who subsequently transferred the money. Everyone else, including the CFO, was a deepfake. The entire conversation was pre recorded. No natural interaction took place. Yet, the finance worker believed he had been given the mandate for the transfer by senior management.
We do not know many more details about the event, but the scam appears to follow the standard playbook. A phishing email impersonates the CEO, asking a finance worker to attend an urgent meeting for the discussion of important financial transactions.
During that meeting, senior officials discuss the necessity of the transactions based on which the finance worker concludes that transactions must be executed. There was a sense of urgency, a feeling of obligation or need to comply, a strong motivation to act, and only one single way out of the situation. The classic social engineering recipe.
I do not think anyone should allow themselves to lean back and say, well that would not have happened in our organization. Our company culture is such that we must and will always check a larger transaction with leadership through an additional channel. And that might even be true. However, let’s not be tricked to assume that skilled scammers will not get to us. They are excellent at what they do, and they will find a way to get to you.
Using deepfakes is a great idea, and truth be told, the entire cybersecurity community could not wait to hear about the first successful deepfake use for social engineering. It was only a matter of time. We no longer live in a world in which we can tell apart fake from real by a robotic voice or twitching eyes in fake videos. Deepfakes are almost perfect imitations of conventionally recorded videos.
There is another truth out there. This scam might have been avoided by proper employee training. Always stop and think. Trust but verify is the premise. Use your chain of command to check transactions, especially when requests appear unlikely or unusual.
We are headed towards a future in which we can no longer tell apart fake from original. Democratic societies and private organizations will equally suffer when trust in video, sound, and text is fundamentally lost. We must be prepared for incidents such as the one mentioned here.
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
