Cybersecurity

$25 million deepfake heist in Hong Kong highlights attackers’ sophistication

The incident was the first of its kind in Hong Kong to involve an entire meeting full of deepfakes, Hong Kong police say.

Francis Scialabba

If a $25 million digital heist in Hong Kong is any indication, it’s time for businesses to start worrying about thieves wearing their employees’ faces.

The South China Morning Post reported in February that a finance worker at a multinational firm’s Hong Kong branch wired HK$200 million (approximately $25.6 million) after scammers targeted him with video and audio deepfakes of other company personnel.

In both scope and complexity, the heist appears to outdo prior reported incidents such as a 2022 effort to impersonate an executive at cryptocurrency exchange Binance. The thieves reportedly not only impersonated the firm’s chief financial officer, but in at least one instance lured a victim into a video meeting populated entirely by deepfaked colleagues in an attempt to convince them to conduct a secret transfer.

Baron Chan Shun-ching, an acting senior superintendent with the Hong Kong Police Force’s Cyber Security Division, told the SCMP the agency had investigated previous incidents involving deepfakes but this incident was on another level.

“This time, in a multi-person video conference, it turns out that everyone you see is fake,” Chan said.

Deepfake technology has advanced rapidly in recent years, with convincing real-time voice and video cloning being one of the latest developments. At DEF CON 31 in Las Vegas, CyberArk researcher Gal Zror demonstrated a combination of different tools that allowed him to impersonate company CEO Udi Mokady during a live demonstration.

Two experts told IT Brew the technical requirements to pull off deepfake scams are becoming trivial, while defending against them is mainly a matter of employee awareness and training.

Lou Steinberg, founder and managing partner at CTM Insights, told IT Brew the Hong Kong scammers’ ability to acquire data on the firm’s employees was more impressive than the resulting deepfakes.

“Fake video, we know how to do. Fake audio, we know how to do. Fake plugins, Zoom avatars, we know how to do,” Steinberg said. “The sophistication here was actually the intelligence—of gathering all the different backgrounds of the group of people. And it just made it so real.”

Deepfake detection technology is in its relative infancy and has only recently become a focus of investment, Cloudflare SVP and Chief Security Officer Grant Bourzikas told IT Brew via email.

“The biggest takeaway from these events is that threat actors are ahead of defenders,” Bourzikas wrote. “They continue to underscore the increasing sophistication of threat actors, and their relentlessness to hone their abilities until they find success.”

Steinberg, whose firm works on deepfake detection tools, said technology implementations will only work so well due to an evolutionary arms race with cybercriminals. For example, he says attempting to automatically identify visual artifacts is a dead end thanks to improvements in deepfake technology (such as the use of generative AI).

“When the lions get faster, the gazelles get faster, right?” Steinberg said. “If we don’t use something different from the old school model of detection, we’re gonna find out that we’re the gazelle and we get eaten.”

Right now, Steinberg advised organizations to train employees to challenge suspected deepfakes (such as by prompting the other person on the line with something unexpected) or verify the authenticity of suspicious interactions using a different method of communication. In practice that might amount to amending existing training and awareness programs on business email compromise to include audio and video, he said.

Bourzikas noted deepfakes are already popping up in the political arena and pose a huge threat to vulnerable populations like the elderly.

“The bottom line is that this problem is not siloed to organizations—everyone will require basic protection,” Bourzikas warned.
