Hong Kong Deepfake Attack: $25 Million Lost in a Wake-Up Call for Cybersecurity

by
Nametag Team

Introduction

News broke in February that a finance worker at a Hong Kong company had been tricked by video deepfakes into wiring $25 million to scammers posing as the company’s CFO. Cybersecurity experts are sounding the alarm about the increasing use of AI deepfakes by threat actors. But what really happened, and what can we learn from it? Nametag’s Head of Product Marketing Noah Blier and VP Business Development Leonard Navarro hopped on a call to discuss in detail. Watch the recording, or read on for a summary.

What happened?

An unsuspecting employee based in Hong Kong received an email purportedly from the company's CFO, requesting a significant financial transaction. Upon expressing skepticism, the employee was lured into a Zoom call involving multiple supposed company executives, including Arun's CFO. The trick? All of the participants on the call were live video deepfakes. The unsuspecting worker proceeded to transfer $25 million to five bank accounts in 15 transactions. The scam was only identified days later, when the employee became concerned and checked with the corporate head office.

How did the attackers succeed?

This Hong Kong deepfake attack, whose victim was later confirmed to be British engineering group Arun, sheds light on an important frontier of cyberthreats. Unlike traditional phishing attempts, where employees may receive suspicious emails prompting them to take unauthorized actions, this attack broke new ground by using a video deepfake on a live video call. As it turns out, it's trivial to switch your video input to an emulator streaming a live or recorded video deepfake.

Ultimately, the Hong Kong deepfake attack succeeded because AI-generated content is now almost impossible for humans to spot. People tend to think we're good at identifying deepfakes, but studies show that we're not. After MGM got breached last year, Okta's CSO recommended adding a visual verification step at the helpdesk. But the Hong Kong deepfake attack shows that this is no longer sufficient: we can no longer trust what we see and hear.

The rise of generative AI and freely-available deepfake tools has given fraudsters a new "superpower". Deepfake attacks reached unprecedented volumes in recent years and are only increasing in frequency. It's believed that 37% of organizations were hit by deepfake voice or deepfake video fraud in 2022, but in 2023, deepfake phishing and fraud surged by an astounding 3,000%.

“Traditional visual verification, doing it via video call, is not sufficient anymore. It’s onerous and can take hours to get set up, but as this attack shows, it’s also not secure.”

The platforms that companies use for visual verification often allow users to change video inputs, and the person on the other end of the call would have no way of knowing. So while video-based verification methods may seem secure, they are actually highly vulnerable to manipulation and exploitation by sophisticated threat actors.

“I can have a device attached to my laptop that's some video streaming device or a live AI generator that I've spoofed to make look like a camera. Zoom thinks it's a camera. They’re not doing any tests. So from your end, it just looks like you and I are talking, and I’m telling you to wire $25 million externally and you wouldn’t know.”

How could this attack have been mitigated?

“If the [organization’s] process for approving this high value transaction had included a Nametag step for verification, this would not have happened.”

This attack should serve as a wake-up call for businesses worldwide to bolster their cybersecurity defenses in the face of increasingly sophisticated threats.

By leveraging mobile device capabilities and attestation features, solutions like Nametag help organizations enhance their security with a flow similar to KYC but with higher fidelity and reusable identity verification for customers and employees alike.
