Root cause
Why was this finance professional able to transfer $25m to what are presumably novel accounts?
A Hong Kong-based finance professional at a multinational was reportedly swindled out of $25 million (HK$200 million) of company money when scammers created a deepfake of his London-based chief financial officer in a video conference call. The Hong Konger joined a vidchat in which his CFO appeared – but appeared a little off. …
Banks require dual control on everything in the states.
A vault door has two combinations, known by 2 people and a time lock so it can only be opened during business hours.
Wire transfer requires an officer level second person to sign off and they have to input their code or usb dongle and pin to do the transfer.
This process is audited and approved by the board.
Something stinks from the board down.
Exactly - I think back to the case where Citibank accidentally wired $900M USD instead of about $8M USD back in 2020 to several lenders. They intended to make a $8M USD interest payment, but someone at Citi accidentally paid off the entire Revlon loan.
Oopsie.
That took a lawsuit that Citi lost (weird NY State law at play) but they won on appeals.
First, it's not stated that the company itself was a financial institution, only that the victim worked in the finance department.
Second, I think you underestimate today's existing controls in the finance sector. Payments can only be made to referenced accounts, which require extensive KYC procedures and multi-level validations. If someone pretending to be a client asks you to change their payment details, you are supposed to call them back on a trusted phone number (e.g. on the company's website) to validate the legitimacy of the request. I've seen multiple occurrences of email or phone scam attempts being foiled by users following procedures and engaging their brains. I'm afraid non-banking institutions don't operate yet at the same level.
Not sure this still happens now, but I always found it bizarre that a financial institution would call you trying to sell you something, then get upset that you wouldn't provide your personal details "for security purposes" when they were the ones making an unsolicited cold call to you. Why would you tell someone you don't know and who you didn't call your own personal details?
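The two comments above describe the same family of controls from different angles: dual control with a second officer and a second factor, a time lock, payments restricted to referenced (KYC'd) payees, and a callback on a trusted number whenever payee details are new or changed. The following is an added example, not code from any poster or from the bank in the story, that encodes those checks as a single pre-release gate; every payee, officer, phone number and amount in it is constructed for illustration, and the threshold and business hours are assumptions.

```python
"""Added example: pre-release controls for an outbound payment.

Encodes the controls described in the thread: referenced (KYC'd) payees only,
a time lock, a distinct officer-level approver with a second factor above a
threshold, and a callback on the number on file when payee details change.
All data below is constructed; thresholds and hours are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Payee:
    account_id: str
    name: str
    kyc_verified: bool
    trusted_phone: str  # from the directory/contract on file, never from the request


@dataclass(frozen=True)
class Officer:
    user_id: str
    role: str            # constructed roles: "clerk", "officer", "cfo"
    second_factor_ok: bool  # code / USB dongle + PIN presented at approval time


@dataclass(frozen=True)
class TransferRequest:
    requester: str                        # user who keyed the transfer
    payee_account: str
    amount: int                           # minor currency units
    payee_details_changed: bool           # new account or changed bank details
    callback_number_used: Optional[str]   # number the approver actually called back


class ControlViolation(Exception):
    """Carries a reason code; the caller logs it and the transfer is not released."""


class PaymentControls:
    APPROVER_ROLES = {"officer", "cfo"}

    def __init__(self, payees, dual_control_from=1_000_000, hours=(time(9), time(17))):
        self.payees = {p.account_id: p for p in payees}
        self.dual_control_from = dual_control_from
        self.open_at, self.close_at = hours

    def check(self, req, approver, now):
        """Return True if every control passes; raise ControlViolation otherwise."""
        # Control 1: only referenced, KYC-verified payees can be paid at all.
        payee = self.payees.get(req.payee_account)
        if payee is None or not payee.kyc_verified:
            raise ControlViolation("UNREFERENCED_PAYEE")

        # Control 2: time lock. Nobody can release funds outside business hours,
        # whatever the urgency claimed on the call.
        if not (self.open_at <= now.time() < self.close_at):
            raise ControlViolation("OUTSIDE_BUSINESS_HOURS")

        # Control 3: dual control above the threshold. The approver must be a
        # different person, hold an officer role and have presented a second factor.
        if req.amount >= self.dual_control_from:
            if approver is None:
                raise ControlViolation("SECOND_APPROVER_REQUIRED")
            if approver.user_id == req.requester:
                raise ControlViolation("APPROVER_IS_REQUESTER")
            if approver.role not in self.APPROVER_ROLES:
                raise ControlViolation("APPROVER_NOT_OFFICER")
            if not approver.second_factor_ok:
                raise ControlViolation("APPROVER_SECOND_FACTOR_MISSING")

        # Control 4: new or changed payee details must have been confirmed by
        # calling back the number on file, not any number quoted in the instruction.
        if req.payee_details_changed and req.callback_number_used != payee.trusted_phone:
            raise ControlViolation("CALLBACK_NOT_ON_TRUSTED_NUMBER")
        return True


def decide(controls, req, approver, now):
    """Wrapper returning ('APPROVED', None) or ('BLOCKED', reason_code)."""
    try:
        controls.check(req, approver, now)
        return ("APPROVED", None)
    except ControlViolation as e:
        return ("BLOCKED", str(e))


# --- constructed sample data -------------------------------------------------
PAYEES = [
    Payee("ACC-1001", "Known Supplier Ltd", True, "+44 20 0000 0001"),
    Payee("ACC-2002", "Unverified Vendor Co", False, "+852 0000 0002"),
]
CONTROLS = PaymentControls(PAYEES)
CLERK = Officer("alice", "clerk", True)
OFFICER = Officer("bob", "officer", True)
NOON = datetime(2024, 2, 5, 12, 0)

# A routine supplier payment keyed by a clerk and approved by a distinct officer.
ROUTINE = TransferRequest("alice", "ACC-1001", 5_000_000, False, None)
# The thread's scenario: a large transfer to an account nobody has onboarded.
NOVEL = TransferRequest("alice", "ACC-9999", 20_000_000_000, True, "+852 1234 5678")

if __name__ == "__main__":
    print(decide(CONTROLS, ROUTINE, OFFICER, NOON))
    print(decide(CONTROLS, NOVEL, OFFICER, NOON))
```

The order of checks matters in practice: the payee-reference check comes first so that a transfer to an unknown account is blocked before anyone is asked to approve it, which is also the signal worth alerting on, since a request to pay an unreferenced account under time pressure is the pattern every post in this thread is describing.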
Indeed. If corporations have such wonderful controls, how did businesses lose $26B USD to BEC between 2016 and 2019?
BEC (the name is increasingly becoming inaccurate, but whatever) attacks have been a major source of IT-crime loss to businesses for years. Using conferencing platforms isn't new either. The "deepfake" bit here caught media attention, but nothing else about this story is at all novel.
Exactly! Every firm should have procedures that need to be followed to transfer any amount of money, especially to new bank accounts. However, if workers are used to having management bypass procedures at their own whim, then these sorts of failures will be extremely common.
Procedures are useless if those at the top also don't adhere to them... But that often doesn't fit with the C-suite's belief that they are above the rules of the lowly plebs...
I'm not so sure.
We did a security test at my last place where the security team used my name and account to try to persuade people to do things they know they shouldn't. I was the COO and I'm naturally very calm, but this character was very demanding. A large number of people complied at all levels of seniority.
Their explanation was that because I never demanded anything in that way before, they assumed that it must have been a really bad emergency, so breaking rules was therefore justifiable.
My day off was somewhat ruined though as I got a lot of phone calls that day from people wanting to know what the emergency was!
Our IT department does quite a lot of phishing awareness trainings, and for a while they have been sending out emails to try and trick people. They've upped the ante in the last month by sending messages purporting to come from people within your department or to whom you are in regular contact.
Now I should preface this by saying that I work in Germany, but I am not German, and my German grammar is atrocious. (I blame that on German grammar being a dog's dinner, but that's neither here nor there)... A colleague received one of these phishing emails purporting to come from me. He claims he knew instantly that the email hadn't come from me - the grammar was too good!
Considering all the phishing emails I've had from Nigerian Princes and their atrocious grammar, I'm not quite sure how to feel that my bad grammar identifies my emails as legitimate instead... :P
In the days before check imaging, the sorter guy was standing herd over the thousands of checks as they were being sorted into each of the many pockets.
With the speed of a ninja master he hits the stop button, fishes out a single check. Got it! This is a fake check!
Ok, why do you think it is a fake check, it went through the sorter without stopping?
The response was "it is fake because their checks always jam the sorter. The fake is too good."
The company I work for (and, incidentally, one of the nicest employers I've ever worked for in 40+ years of mostly contracting) has an explicit "speak up culture" that should catch this sort of thing.
We also have a system of security emails and other communication designed to educate people in how to spot phishing and the like.
I suspect this is one case where doing the right thing is good business sense.
Yes that's the downside of seeing things through techie goggles...to him and us, they aren't much of a threat. To a troop of tyre swinging chimp execs, very much a threat it seems.
This all goes to show that in the business world, it's not the cream that floats to the top, it's turds...turds float to the top. Gigantic, unflushable fucking turds. Fucking chimpy primate turds.