Hong Kong Multinational Loses $25 Million in AI Deepfake Attack: A Wake-Up Call for Cybersecurity

by Nametag Team

Introduction

Early this week, news broke of a finance worker at a multinational firm being tricked by deepfake technology into wiring $25 million to a scammer posing as the company’s CFO. Cybersecurity experts are sounding the alarm about the evolving tactics of malicious actors, but what really happened here and, more importantly, what can we learn from it? Nametag’s Head of Product Marketing Noah Blier and VP Business Development Leonard Navarro hopped on a call to discuss it in detail. Watch the recording, or read on for a summary.

What happened?

An unsuspecting finance employee received an email purportedly from the company's CFO, requesting a significant financial transaction. Upon expressing skepticism, the employee was lured into a Zoom call involving multiple supposed company executives, including the CFO. Unbeknownst to the victim, all participants on the call were deepfakes: highly-sophisticated, AI-generated personas. The worker proceeded to transfer $25 million to five bank accounts in 15 transactions. The scam was only identified several days later, when the employee became concerned over the transfer and checked with the corporate head office.

How did the attackers succeed?

The hack on the currently unidentified Hong Kong-based multinational finance firm sheds light on an important frontier of cyber threats: deepfakes. This cutting-edge method involves the creation of highly realistic but entirely fabricated videos using artificial intelligence.

Unlike traditional phishing attempts, where employees may receive suspicious emails prompting them to take unauthorized actions, this attack leveraged deepfake videos to deceive the victim. Although this attack is unprecedented, deepfake attacks aren’t new, and they’re only going to keep gaining prominence. It’s believed that 37% of organizations were hit by deepfake voice or deepfake video fraud in 2022. In 2023, deepfake phishing and fraud surged by an astounding 3,000%.

“Traditional visual verification, doing it via video call, is not sufficient anymore. It’s onerous and can take hours to get set up, but as this attack shows, it’s also not secure.”

The platforms that companies use for visual verification often allow users to change video inputs, and the person on the other end of the call would have no way of knowing. So while video-based verification methods may seem secure, they are actually highly vulnerable to manipulation and exploitation by sophisticated threat actors.

“I can have a device attached to my laptop that's some video streaming device or a live AI generator that I've spoofed to make look like a camera. Zoom thinks it's a camera. They’re not doing any tests. So from your end, it just looks like you and I are talking, and I’m telling you to wire $25 million externally and you wouldn’t know.”

How could this attack have been mitigated?

“If the [organization’s] process for approving this high value transaction had included a Nametag step for verification, this would not have happened.”

This attack should serve as a wake-up call for businesses worldwide to bolster their cybersecurity defenses in the face of increasingly sophisticated threats.

By leveraging mobile device capabilities and attestation features, solutions like Nametag help organizations enhance their security with a flow similar to KYC but with higher fidelity and reusable identity verification for customers and employees alike.
