The Treasury Update Podcast by Strategic Treasurer

Episode 306

Learning from Financial Fraud Series Episode 10: Learning from Deepfake Scams

Host:

Jonathan Jeffery, Strategic Treasurer


Speaker:

Craig Jeffery, Strategic Treasurer

Episode Transcription - Episode #306: Learning from Financial Fraud Series Episode 10: Learning from Deepfake Scams

Announcer  00:03

Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.

 

Jonathan Jeffery  00:18

Welcome back to the Learning from Financial Fraud series on the Treasury Update Podcast. In this series, we explore multiple major financial fraud cases. We dissect how each one occurred and was kept hidden for a period of time, and we’ll dissect how it was eventually discovered and get insight and guidance on how to prevent this type of situation from happening to you and your organization. I’m Jonathan, media production specialist at Strategic Treasurer, and I’m here with Craig Jeffery, managing partner, to discuss a deep fake scam. Welcome to the show, Craig.

 

Craig Jeffery  00:47

Thanks for having me.

 

Jonathan Jeffery  00:49

So we’ll get into the details of this scam in just a little bit. But do you want to walk us through what deep fakes are?

 

Craig Jeffery  00:55

They’re pretty interesting, something that we’re hearing a lot about lately, but seems kind of newer. What is it? So deep fake is usually leveraging some type of AI technology to spoof somebody, to fool somebody, to convince somebody of your identity or of some action. So, you know, I don’t know if anybody ever does any doom scrolling. They’re watching short video clips from any social media site, and maybe you see the last three presidents all joking, and they’re all talking to each other and telling each other jokes. Sure looks like them. It sure sounds like them, but they’re not sitting together doing those jokes. And so that’s using that type of technology for video and audio to make it look like they’re doing those things. So deepfake is using this for some type of fraud, convincing you that your mother, your brother, your son, your boss, your CEO, is instructing you to do something different. Usually leverages this type of technology where it takes their voice and creates the voice that’s needed or the video that’s needed to get you past your discomfort and act you know, something that benefits the criminals.

 

Jonathan Jeffery  02:11

I’ve seen this a lot with social media posts, where there might be a celebrity or someone that is posting on their main channel or their main site, but then someone else comes in with a fake account that looks like them, and they would get people to sign up for giveaways and stuff. But this is the next advancement of that. And I was doom scrolling the other day, and I saw Warren Buffett was talking about it recently, because he had some stuff go out about him saying things, and he said his wife and his daughter couldn’t tell the difference of him versus the deep fake. So they’re getting pretty good.

 

Craig Jeffery  02:46

You think about that, you know, well, Warren Buffett is like, why would you deep fake that? Well, let’s say, make some kind of investment recommendation. Well, now it’s gonna be like, Oh, Warren Buffett, one of the most famous investors, the guy from Omaha. Hey, I’m gonna follow him. He’s been awesome. So investing in the newest crypto, yeah, or whatever, yeah, whatever, the stuff that, even if he said it against it, but you’re like, I see him, I hear him. It’s a problem. It’s a new capability that, instead of a shallow fake, I guess, would be the answer. It’d be something that’s much more, much more convincing today.

 

Jonathan Jeffery  03:19

Do you want to talk about the situation that happened to a Hong Kong-based firm?

 

Craig Jeffery  03:24

This is a pretty significant deep fake scam. The criminals ended up netting around 25 million USD equivalent in this theft, and the scam method was, you know, a combination of phishing and deep fake technology. You know, the ultimate action that created the loss was some of the leadership of the company appeared on a Zoom meeting, a Zoom call with the people who were requesting to transfer the funds, or being told to transfer the funds. And that removed their hesitation. And so the result was they made a total of around 15 transfers. Or it’s reported that it was 15 transfers, over $25 million. So they really leveraged that tech to get past the hurdle, this whole “I need to call back, I need to validate and confirm things.” It’s like, well, there it is. The CEO, the CFO. They’re telling me to do something, and they’re not, but it looks like that, and this resulted in a $25 million loss.

 

Jonathan Jeffery  04:29

Doesn’t matter if they have dual factor authentication, if you control the dual factor authentication.

 

Craig Jeffery  04:36

Yeah, if you’re the person who’s going to release it, and you have those controls, and you just want to make sure you got good instructions, and now you believe they’re good instructions, you’re going to follow through on that. You got past one of the layers of security, which is the validation layer. You got bad validation, but it looked legitimate to you.

 

Jonathan Jeffery  04:53

Yeah, definitely. Do you want to walk us through the attack?

 

Craig Jeffery  04:57

It’s reported the criminals had phishing attacks and emails telling the employees that this transfer is needed. You need to make this transfer now. There was some follow-up. The employees followed up and wanted to confirm it like they should. The criminals involved in this escalated the process and said, let’s get on a group video call. On the call, the criminals used deep fake video and audio to provide instructions about what was to be done. It was more or less one-way communication, multiple people saying, Hey, here’s what’s going on. You need to take care of these things. Just very directive, and then the call, you know, the call ended, but that was sufficient to override the concerns of the people that were doing the transfer, because, hey, they got on a call, they saw their superiors in the organization give them instructions, and so they went and used their permissions to send this money out. It’s crazy that they got it to work. Well, you know, it’s, um, it’ll be harder to make it work the next time, but the tech will be better as well. Sometimes it’s easier to say, like, I would have caught that. You know, would you have? If you follow through enough to say, I’m going to check with my CEO, and the CEO tells you to do it, and then are you going to call again, through another line and say, Hey, what’s going on? And they’re like, I just told you on the video to do that, I get you following up one time, that was disruptive. Now this is the second time. Are you going to come into a blood sample? You can picture how people might be fearful of that. And so if there was any hesitation or questions, you would want to follow up a second way. Just very, very interesting to see how that works. You think about this for money. You can think about other implications as well that could be more geopolitical, but the ability to remove or break through one of the layers of security was deep fake helped them accomplish that.
Yeah, I could see this happening with starting wars and stuff like that, making people angry based on fake information, or giving people orders to do something based on fake information, or convincing people to give up contact information into forms because they think it’s for a good cause or for somebody they trust when it’s not.

 

Jonathan Jeffery  07:13

Yeah, definitely. You already mentioned the losses, 15 transfers and more than $25 million sent out. What happened after this to the company and the criminals?

 

Craig Jeffery  07:25

Yeah, so that’s a good question. So the company’s at a loss here. I don’t think I have information on whether they have cyber fraud insurance that would cover this or not. You know, obviously reporting, it’s a bit of a blow, but it’s good that there’s disclosure. I’m sure they’re going to be super cautious about, hyper cautious about anything they have to do now, because when you’ve been fooled that deeply, you’re going to be suspicious of everything. You’ll be like the true skeptic. You know, it’s pretty wild. You think about the Tom Cruise movies, Mission Impossible, like they always, you know, some guy’s doing whatever, and he always reaches down into his, like, below a shirt collar, and pulls off his head, which is a giant mask, and it’s somebody else under there.

 

Jonathan Jeffery  08:07

The OG deepfake.

 

Craig Jeffery  08:09

Yeah. Like, okay, that’s pretty, pretty interesting on the CGI front. But you think about how much it takes to produce that in a movie. Now, a lot of those capabilities to do that with voice and to do calls and to spoof phone numbers coming in and being dialed, it’s so obtainable. It’s not restricted to just extremely large organizations. Many, many people can use that technology now. So law enforcement suggests that, you know, if you’re hearing and confirming this stuff via video, ask people to move their heads or answer questions that confirm their identity. I’m pretty sure that the moving the head part is going to be resolvable pretty quickly by deepfake technology, so that the head will move and will not just be the mouth, the simple mouth portion. That’s just simply a matter of time before that’s pretty easy to do. And then next, you know, answering the questions, that’s still hard, to answer questions in a normal way, especially questions that only the people would know, that wouldn’t be discoverable, you know, through the internet or someone gaining access to their email. The other things I would say is, you know, this additional out of band validation or some type of confirmation if there’s any suspected issues, like have your normal out of band, or if there’s any suspected issues, have additional methods of doing validation, and I think that’s, you may have a set of codes or word phrases that can be used that are either date specific or they cycle through, executives could use with them to provide an additional layer of confirmation. If it’s coming audibly or by phone, you’re not being able to stop by the office, especially if people are remote.

 

Jonathan Jeffery  09:52

It slows things down, like the, was it the IRS login portal? They have to mail you something, and you have to wait for it to show up in the mail at your physical address and then use that code to get in. Dual factor authentication by snail mail.

 

Craig Jeffery  10:06

Yeah, there’s a time shift that we’re not expecting, right? That whole 10 days later you get it, now you can act on it, versus it goes to a text, it sends me a code through email or some other method.

 

Jonathan Jeffery  10:19

So aside from never trusting anybody, what else can you learn from this?

 

Craig Jeffery  10:25

Well, I think you have to trust people. But you know, there’s this whole verification. You know, trust, but verify. So there is a healthy amount of being skeptical about processes. And certain things are flags obvious. Flags are less obvious flags, but follow the process, the policies that you have as written. So if one confirmation is required, do it. If you’re still suspicious, go follow a second, an additional out of band validation process, just to confirm. Those are really crucial. So you might have an extra out of band channel. I was mentioning that a little bit before, but you might want to have a confirmation or validation list of prompt and response items, in addition to some things that only those people would know, that wouldn’t be common knowledge, wouldn’t have been shared via email. There’s probably a range of things that you could do with that, but that’s probably something that’ll have to be developed over the next few years for companies, people that are dealing with anybody who provide approval. Maybe the CEO doesn’t have that, but there’s going to be something that the treasurer and the CFO are going to need to know and be able to share to convince each other that they’re talking with the right person. It’s almost a form of statecraft, but that will grow over time, but being skeptical, careful, not being afraid to use a second out of band confirmation makes sense.

 

Jonathan Jeffery  11:51

Thanks for sharing your thoughts on these. There’s a lot to learn. And to all of our listeners, if you want to listen to the last episode from the series, it was on payment server and network compromise. You can find a link down in the show notes. Thanks, Craig.

 

Craig Jeffery  12:04

Thanks, Jon.

 

Announcer  12:07

You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.
