Deepfake Scammer Steals $25 Million in First-of-its-kind AI Heist

Sophisticated Deepfake Scam

A multinational company's Hong Kong office recently experienced a substantial financial loss of HK$200 million (US$25.6 million) due to an elaborate deepfake scam. The scam involved the use of deepfake technology to digitally recreate the company's chief financial officer and other employees in a video conference call. During the call, these fabricated individuals instructed an employee to transfer funds.

This incident marks the first time in Hong Kong that deepfake technology has been used in a large-scale scam, where all participants in the video conference, except for the victim, were not real people but rather simulated images and voices created using publicly available video and audio footage. The Hong Kong police are currently investigating the case, but no arrests have been made yet.

The Uncovering of the Scam

The scam was discovered after an employee in the company's finance department received a phishing message from what appeared to be the company's UK-based chief financial officer. The message instructed the employee to carry out a secret transaction. Despite initial doubts, the employee was convinced by the presence of the CFO and other individuals in a group video call. As a result, the employee made 15 transfers totaling HK$200 million to five different Hong Kong bank accounts. The scam was only realized about a week later, which prompted a police investigation.

Acting senior superintendent Baron Chan Shun-ching of the Hong Kong police highlighted the uniqueness of this scam, noting that it was the first instance in Hong Kong where victims were deceived in a multi-person video conference setting. The scammer's strategy of not directly interacting with the victim, apart from requesting a self-introduction, made the scam more convincing.

Addressing Deepfake Scams and Enhancing Security Measures

This high-tech theft raises concerns about the misuse of AI technology and the challenges it poses in discerning real from fabricated content. In recent times, scammers have been employing deepfake technology, particularly audio deepfakes, to deceive individuals and swindle them out of money.

To combat deepfake scams, the Hong Kong police have provided recommendations for verifying the authenticity of individuals in video calls, such as requesting them to perform specific actions or answer identity-confirming questions. In corporate environments, one potential solution is to equip employees with encrypted key pairs, establishing trust through in-person meetings and using authenticated keys for remote communications.

Furthermore, the Hong Kong police plan to enhance their alert system to include warnings for transactions connected to known scams, expanding the coverage to include a wider range of electronic and in-person transactions by the second half of the year.