Keep It Real: Avoid Falling for the Rise of Deepfake Phishing Scams

Years of security awareness training have prepared employees to spot common red flags that appear in phishing emails such as misspelled URLs, unusual and/or urgent requests, suspicious attachments, etc.

But what if the company CFO and colleagues on a video call confirmed the message was legitimate, despite the warning signs?

A recent phishing scam played out just like this, except the call was made up of convincing deepfake versions of the victim’s colleagues. The employee — persuaded that the request was real after coming face-to-face with the CFO — transferred about $25.6 million to 5 different (threat actor-controlled) bank accounts.

In this blog post, we’ll explore what happened and share how businesses can help prevent similar deepfake phishing scams.

A series of unfortunate events

Step 1: Suspicious emails

Scammers sent a phishing email to three finance employees at a multinational company. The initial email, seemingly sent from the company’s UK-based CFO, referenced a confidential transaction. One of the employees, despite initial doubts, agreed to attend a video conference to discuss the details. 

Step 2: A conference call 

The employee joined the call to find familiar colleagues, several outsiders and the CFO in attendance. Not a single person present, aside from the employee, was the real person. The employee reported to police that the deepfakes looked and sounded authentic. Note: It’s believed that these deepfakes were constructed using publicly available video and audio recordings.

The employee was asked to do a self-introduction, but never directly interacted with any of the deepfakes during the call. The scammers gave the employee orders from a script and moved on to the next phase of the attack. 

Step 3: Money transfers

The scammers kept in touch via instant messaging, emails, and more one-on-one video conferences with deepfakes. These provided detailed instructions to facilitate the theft and applied further pressure to the victim. Over the course of 15 different transactions, the employee sent a total of 200 million Hong Kong dollars (about $25.6 million USD).

Don't get too hung up on the new technology

The rise of deepfakes is a legitimate concern. A study published in the Journal of Cybersecurity found that participants could only differentiate between AI-generated and human faces with 62% accuracy. The New York Times reported on a new trend of deepfake voice calls targeting bank accounts and credit card companies, which is expected to only get more common as AI technology advances. 

It’s totally reasonable to be concerned about the role deepfakes will play in cybersecurity, but the basics of phishing attacks are still here, too. In the case we detailed above, the use of AI steals the show. However, it’s the tried-and-true behavior of a scammer — persistence — that resulted in over $25 million in losses.

Threat actors did everything possible to apply pressure on the individual to transfer the funds even after the deepfake conference call, and this continued sense of urgency ultimately led to a breakdown of existing security protocols. The social in social engineering is still the crucial aspect of phishing attempts — deepfake technology is just another tool. That’s why we believe that much of the existing advice to prevent scams is still actionable, as we’ll discuss below. 

How can businesses help protect themselves from phishing scams?

While deepfake technology is relatively new, scammers' overall strategy for phishing attacks hasn’t changed much. Apply pressure, create urgency, and ultimately convince someone to transfer funds. To protect themselves, businesses should apply most of the same procedures and controls that are already recommended for all kinds of social engineering. The emphasis is even stronger on the basics of sound security controls and processes.

Report suspicious activity

The finance employee reported a “moment of doubt” but went forward with transferring funds after the threat actor’s continued persistence and a convincing conference call. However, if the employee had trusted their gut at that moment and reported the initial suspicious email to their security team, the other phished employees could have served as an early warning sign that something was not quite right. In these types of situations, it’s okay to slow down and ask for a second opinion.

Out-of-band authentication

Always use a known method of contact with the individual to verify the legitimacy of a transaction. Even if you think you already spoke to the CFO — in a call or video conference — use an established phone number or separate communication channel to confirm. 

Technology-driven identity verification platforms

When it comes to high-dollar wire transfers, play it extra safe. New technologies are emerging that can add additional phishing-resistant verification of a user’s identity. The same technologies that are so effective with passkeys can be used to verify the authenticity of a CFO asking to perform a wire transfer. These biometric and ID verification checks will help reduce the chance of human error. 

Create a pro-cybersecurity culture 

Empower employees to ask for additional validation. If they feel that, in doing so, they are stepping out of line or pushing back, they might avoid taking the extra steps. But if the C-Suite is clear that they want their employees to be as cautious and proactive as possible, employees will be more likely to verify transaction requests.

This material is intended for general guidance and informational purposes only. This material is under no circumstances intended to be used or considered as specific insurance or information security advice. This material is not to be considered an objective or independent explanation of the matters contained herein. 
