Deepfake scammer walks off with $25 million in first-of-its-kind AI heist
Hong Kong firm tricked by simulation of multiple real people in video chat, including voices.
Acting senior superintendent Baron Chan Shun-ching of the Hong Kong police emphasized the novelty of this scam, noting that it was the first instance in Hong Kong where victims were deceived in a multi-person video conference setting. He pointed out the scammer’s strategy of not engaging directly with the victim beyond requesting a self-introduction, which made the scam more convincing.
The police have offered tips for verifying the authenticity of individuals in video calls, such as asking them to move their heads or answer questions that confirm their identity, especially when money transfer requests are involved. Another potential solution to deepfake scams in corporate environments is to equip every employee with an encrypted key pair, establishing trust by signing public keys at in-person meetings. Later, in remote communications, those signed keys could be used to authenticate parties within the meeting.
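The in-person key-signing idea above, worked through as an added example (not code from the article or the police): a trust anchor, assumed here to be a single security officer, certifies each employee's Ed25519 public key while physically present; during a later call the verifier issues a challenge bound to an assumed meeting ID, the remote party signs it, and the verifier checks both the in-person certification and the live signature. Names, the meeting-ID binding and the single-anchor model are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Certification is the trust anchor's signature over an employee's name and
// public key, produced at the in-person meeting the article describes.
type Certification struct{ Name string; PubKey ed25519.PublicKey; Sig []byte }

func certMessage(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// CertifyInPerson is run by the anchor (assumed: a security officer) while
// physically present with the key holder, so the name-to-key binding is trusted.
func CertifyInPerson(anchorPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Certification {
	return Certification{name, pub, ed25519.Sign(anchorPriv, certMessage(name, pub))}
}

// NewChallenge is sent by the verifier during the call. Binding the meeting ID
// stops a response captured in one call from being replayed in another.
func NewChallenge(meetingID string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte(meetingID+"\x00"), nonce...), nil
}

// Respond is run by the remote party: sign the fresh challenge with their own key.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Authenticate checks both links of the chain: the anchor vouched for this key
// in person, and whoever is on the call holds the matching private key.
func Authenticate(anchorPub ed25519.PublicKey, c Certification, challenge, response []byte) error {
	if !ed25519.Verify(anchorPub, certMessage(c.Name, c.PubKey), c.Sig) {
		return errors.New("key was not certified by the trust anchor")
	}
	if !ed25519.Verify(c.PubKey, challenge, response) {
		return errors.New("caller does not hold the certified private key")
	}
	return nil
}
```

Note what this does and does not cover: it rejects an impostor's uncertified key and a replayed signature, but, as the comments below point out, it cannot help if the anchor's or an executive's private key itself is stolen.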
If you’re a rank-and-file employee in a virtual meeting with your company’s top brass, it probably won’t occur to you to ask them to turn their heads to see if it’ll glitch. The scammers can just act offended and ignore your request instead.
The key exchange mechanism suggested by the article sounds impractical because the employees from HK likely never meet the CFO from the UK in person. Maybe the corporate video conferencing system should have a company-wide key registry, but if the scammers managed to hack in and insert their own key or steal a top brass’s video conferencing account, then it’ll probably be moot.
theskyisfalling@lemmy.dbzer0.com 9 months ago
What kind of company lets a single employee transfer that amount of money without multiple different password entries or checks from different people though, seriously?
Doesn’t matter if they had a conference call with what appeared to be certain people; as the article says, they could easily have used key pair verification such as PGP. Sounds like poor security all around, especially considering the amounts involved.
WhatAmLemmy@lemmy.world 9 months ago
PGP? Have you ever dealt with any banking or financial corporations? You’d have better luck getting the money handlers and decision makers to authenticate transactions with magic.
gravitas_deficiency@sh.itjust.works 9 months ago
Japan:
itsnotits@lemmy.world 9 months ago
EssentialCoffee@midwest.social 9 months ago
Has South Korea moved on from Internet Explorer for their banking yet?
meat_popsicle@sh.itjust.works 9 months ago
lol Finance is sometimes hilariously low tech. Look up how ACH works, it’s a fucking farce.
itsnotits@lemmy.world 9 months ago
theskyisfalling@lemmy.dbzer0.com 9 months ago
Good catch, autocorrect is a bastard :p
Silentiea@lemm.ee 9 months ago
It’s yes tits, I think.
Lmaydev@programming.dev 9 months ago
Somewhere I worked the CEO’s email got hacked and they asked the head of finance to change the bank account details for a 100k payment that was due to go out.
Luckily they thought to double-check with them. But it came really close to happening.
This all happened via a phishing email.
Social engineering is how most hacks happen. Doesn’t matter what protection you put in place.
Cornelius_Wangenheim@lemmy.world 9 months ago
Or just have everyone’s phone number on file and pick up the phone and call them first.