Deepfake scam costs Arup £20 million

UK giant design and engineering firm Arup has revealed it was targeted by an artificial intelligence-created deepfake scam that cost it HK$200 million (£20 million). 

A “deepfake” refers to a type of synthetic media where a person in an existing image or video is replaced with someone else’s likeness, typically using advanced machine learning and artificial intelligence techniques. 

Deepfake technology can convincingly swap faces, synthesize human voices, alter facial expressions, and even generate body movements that never actually occurred. It does this by analysing a vast amount of images and videos to learn how human faces and bodies move and then applying that model to new content.

The fraudsters tricked a Hong Kong employee into attending a video call with people he believed were the chief financial officer and other staff members, all of whom were deepfake recreations.

During the call, these “senior officers” persuaded the employee to make 15 “confidential” bank transfers to five Hong Kong bank accounts. The scam was only discovered when they followed up with the group’s headquarters.

While Arup were not named as the victims originally, with Hong Kong police saying in February that an unnamed company had been tricked into transferring vast sums by people on a hoax call, the company said that month that they wanted to reveal the scam to “raise awareness” of the increasing sophistication of cyber-attackers.

In an internal memo, Arup’s East Asia regional chairman, Michael Kwok, emphasised the increasing frequency and sophistication of these attacks, urging employees to stay informed and alert to spot different scamming techniques.

Deepfake technology and other sophisticated scams such as invoice fraud and phishing emails are becoming growing threats to businesses, so company owners need to enhance their cybersecurity measures.

Roger Isaacs, Forensic Partner at Milsted Langdon, said: “Deepfakes are adding an extra level of risk to businesses and necessitate ever more to checks when conducting complex or high-value financial transactions. 

“Their growing use, and success at duping employees, should be a concern for all organisations. 

“Employers must ramp up their security systems and train their staff in what to watch out for if conducting business online.

“Forensically, where a business is tricked into transferring funds to an outside party, it can be difficult to take action to recover these amounts, but with the right professionals it can be possible to track the complex money trails back to the original fraudsters.”

Sources: Guardian

Posted in The Forensic Blog.