Beware of the deepfake CFO

Published: Mar 2024

Could you be tricked by a deepfake video call purportedly from your CFO? Two experts explain how treasurers can protect their companies from the latest cyberattacks.

Since the pandemic, businesses have increasingly embraced video calls via platforms like Zoom and Microsoft Teams as a convenient way of communicating with colleagues in different geographical locations.

Last month, however, the risk of falling victim to a video call scam was laid bare by the case of the employee of an unnamed Hong Kong company who was tricked into paying fraudsters HK$200m (£20m) during a video conference, following an earlier email purporting to be from the company’s UK-based CFO. Unlike previous scams of this type using one-to-one video calls, in this case the finance worker believed they were speaking to a number of other employees.

“I believe the fraudster downloaded videos in advance and then used artificial intelligence to add fake voices to use in the video conference,” explained acting senior superintendent Baron Chan during a press conference. The worker in question made 15 transactions to local bank accounts, only to realise the mistake a week later.

“For someone to make payments off an instruction given on a video call does call into question how stringent their processes are,” comments Royston Da Costa, Assistant Treasurer at Ferguson. “But nevertheless, what people will be saying is, ‘if you can be fooled by a video call – not just through an email – the requirement for robust procedures becomes even more paramount.’”

Processes and controls

Da Costa argues that this incident highlights that corporates, banks and fintechs need to evolve in how they use technology. Likewise, people should think about how they would react if they were targeted as individuals. One example he has come across is of a family that has a secret password, “whereby if one of their members were to get a call saying that money needed to be transmitted urgently, they would need to use the password as a way of identifying themselves,” he notes.

Likewise, while there is “no substitute” for segregated control processes for making payments, he argues there is a growing need to think about how people can be identified or validated. “Banks need to use technology so they can properly identify the person who’s making that payment,” he adds. “And similarly, corporates need to look more closely at their processes.”

Staying one step ahead

According to Jon Paquette, EVP of Solutions and Strategy at TIS, “This latest attack highlights the pace at which fraudulent threats are evolving in the financial sector and signifies the challenges treasurers face in staying one step ahead of the perpetrators.”

To protect against these new-age threats, says Paquette, corporate practitioners need to prioritise a multifaceted approach. “First off, it’s crucial to foster a culture of awareness and education within the organisation, ensuring all employees know how to effectively recognise and respond to the attacks they may encounter.”

Secondly, Paquette says treasurers should secure their payment processes through technologies that enable straight-through-processing and minimise the level of human intervention. “Executing manual payments should be a rare exception to the status quo, and these should be further secured with stringent controls that reflect the increased risk they pose,” he comments. “Technologies that enable multi-factor authentication (MFA) and user management based on principles of least privilege are another critical component of securing these processes as well.”

Finally, as fraudsters continue to leverage new and emerging technologies to enhance their attacks, Paquette argues it “only makes sense” for treasurers to protect themselves in a similarly advanced fashion through the deployment of modern fraud detection software. “If implemented correctly, these technologies can be an essential last line of defence for identifying and preventing sophisticated fraud attacks, thereby protecting organisations against both financial and reputational loss,” he concludes.
