A few days ago, a fraud case involving HK$200 million occurred in Hong Kong. The scammer pretended to be the CFO of a multinational company's overseas headquarters and instructed the branch finance staff to join a confidential meeting. Using deepfake technology, the fraudster created a virtual video and provided "investment" guidance during this session. As per these instructions, the staff transferred a significant sum to various accounts without proper confirmation. Subsequently, when they contacted their colleagues at the UK headquarters, it became clear that they had been defrauded. They promptly reported this incident to the police after realizing what had transpired.
The rise of Deepfake technology has made what we previously referred to as "P-photos" even more difficult to defend. In the past, photos could be altered using Photoshop, leading many to question their reliability and usability as evidence. For ordinary individuals outside of Hollywood, distinguishing between real and fake imagery through such techniques is challenging.
Nowadays, with the rapid advancement of technology and network speed, along with improved computer performance and the widespread acceptance of online meetings following the COVID-19, hackers have greater flexibility in using fraudulent techniques. As a result, employees are at an increased risk of being deceived, making defense against such tactics more challenging.
With the rapid advancement of technology, it is becoming increasingly challenging to distinguish deepfake transformations, akin to the concept depicted in Matrix, the movie. Additionally, identifying participants at a conference by instructing them to perform certain actions can be very difficult. Consider a junior staff member who lacks opportunities to address executives but requests them to make gestures – this could signal disinterest in their job responsibilities.
This time, the scam is not a phishing the whole company staff, but it clearly targets the victim. The approach involved telling the victim that it was a confidential meeting and sending them a link to join, among other tactics. Can any clues be found from the emails received or from the ID of the person who logged into the meeting?
However, is there a non-technical way to prevent this scam from happening?
The author has not yet determined if the victim's company followed established procedures for transferring money. Normally, regardless of the amount, approvals are required for money transfers to ensure compliance with permissions and internal auditing controls. Smaller amounts can be approved by fewer people, while larger amounts require more signatures. Additionally, it's important to verify your own signature to prevent unauthorized use (there have been cases where executives' emails were hacked and funds were authorized). When approved by overseas headquarters, consider using an electronic signature solution like Docusign to safeguard against process interruption due to potential individual errors.
I am surprised that one person could have had access to such a large amount of money without proper oversight from an internal control or risk management perspective. If this individual had not fallen victim to a scam or been in a state of delirium, they could have potentially sent the funds to various accounts in an unregulated manner. This situation highlights insufficient risk management within the enterprise and ineffective regulation of staff authority.
In some cases, the CEO/CFO/COO of certain enterprises the author has worked with have to sign at least one signature before any payment above HK$1000 can be made. This requirement may seem strict, but it helps reduce the risks faced by the company.
