A multi-national company was recently defrauded of HK$200 million (US$25.6 million) after scammers used sophisticated deepfake technology to impersonate senior executives and dupe employees in Hong Kong.
The scammers digitally recreated the likeness and voice of the company's actual chief financial officer and other high-level staff to conduct an elaborate video call. Posing as headquarters executives, they convinced the Hong Kong employees to make a series of large money transfers, claiming it was for a confidential corporate transaction.
According to Acting Senior Superintendent Baron Chan of the Hong Kong Police Force, this appears to be the first local case involving the use of deepfakes for fraud on such a massive scale.
How the Scam Unfolded
The scam began in mid-January when a finance staffer received a phishing message that appeared to come from the company's real UK-based CFO. The message claimed a secret financial transaction was taking place and instructed the employee to join an online video call for further details.
Although initially doubtful, the employee's concerns faded when they logged into the video conference and saw familiar faces - the CFO, other finance personnel from headquarters, and outside associates. All of them had been flawlessly impersonated with deepfake technology, their voices and mannerisms identical to the real executives.
Over the short video call, the fakes issued directives to wire HK$200 million into 5 local bank accounts in 15 installments. Their authoritative positions meant the employee followed the transfer orders without realizing anything was amiss. It was not until they later inquired with the actual UK headquarters that the fraud came to light.
Sophisticated, Multi-Prong Attack
Inspector Tyler Chan Chi-wing of the Hong Kong police highlighted the complexity of this scam. Not only were multiple deepfake personas created, the fraudsters combined online deception tactics like phishing sites, instant messaging, and one-on-one video calls to maintain the charade.
By keeping interaction with the employees limited, they minimized chances of the AI-generated fakes being detected through conversation. The impersonations focused more on appearing familiar and rapidly issuing commands.
Inspector Chan stated two to three individuals were approached in the company using similar tactics. While one employee unfortunately fell victim, the others managed to detect the scam before any financial loss occurred.
Deepfakes Present Growing Threat
Authorities say this case demonstrates deepfakes have moved beyond being an online curiosity and now pose a serious financial crime threat. Their potential misuse will likely only expand as the technology becomes more accessible.
However, Inspector Chan assured that with proper awareness and vigilance, most scams can still be recognized before harm is done. Warning signs he suggested looking for include refusal to converse normally, sudden requests for money transfers, and an overall sense that things do not seem right. Validation from other sources is also essential when faced with highly unusual directives or changes in procedure.
By maintaining skepticism and asking questions, individuals and corporations can mitigate emerging high-tech fraud efforts. With potentially significant financial losses at stake though, authorities emphasize extreme caution is warranted.