Lessons from the $25 million deep fake scam

It seemed like a normal meeting.

Earlier this year, a banker at a multinational firm, based in Hong Kong, was on a Zoom call with his Chief Financial Officer and several other members of staff.

Towards the end of the call, the CFO instructed him to transfer $25 million out of the company. He promptly complied.

The problem?

It soon emerged that the entire call was an elaborate scam.

Everyone on the call, except for the banker, was a replica created by deep fake technology.

The CFO never requested the transfer, which went directly to the pockets of cyber criminals. Following the call, they had kept in touch with the victim via messaging and emails, including 1-to-1 calls.

Police are currently investigating.

Perhaps you’ve already heard of this incident, which immediately made international headlines as it was a milestone in the use of deep fake technology.

But the frightening part is that this was not an unusual incident. Similar frauds, albeit involving smaller sums, take place all the time, and are becoming increasingly common.

Artificial Intelligence technology is evolving at a dizzying speed, and as it becomes more available, it also becomes easier for cybercriminals to employ.

This means it poses a danger to your company right now – not at some distant time in the future.

Deep fakes may still be on the sophisticated side of the spectrum. But it’s relatively easy for scammers to conduct more basic ‘phishing’ scams, where they use emails, text messages or even phone calls to trick victims into disclosing financial information, or to steal their bank details.

Very often, they impersonate people in your company. And while you think this would be easy to spot, it isn’t. The criminals use those colleagues’ email addresses, mimic their language and make requests that sound reasonable.

You have to be on continual high alert to protect yourself, your company and your finances.

Large corporates are now employing Chief Information Security Officers (CISOs), whose job it is to stay abreast of these developments, train staff to recognise these scenarios and implement protections.

Unfortunately, many smaller companies have not kept up their defences.

Many companies still think it’s enough to employ a basic firewall to protect their systems. They are simply not equipped to handle today’s reality of phishing scams and other types of financial fraud.

The cost – as the Hong Kong company discovered – can be immense.

So how can you protect yourself?

First, you need to be aware of the most common scams, and educate your staff about them. It’s much more difficult to identify and resist scams which you have never heard of.

Then, you need to stay vigilant – even with people you believe you know. You and your staff must always be suspicious and act immediately if your gut instinct tells you there’s something wrong.

Signs to watch out for include being asked to do anything out of the ordinary; any kind of pressure; and any pushback to your attempts to verify.

For example, we once had someone call, requesting payment for a company car allegedly bought by one of our clients. The person on the line was extremely insistent that payment needed to be made immediately, which was a huge red flag.

We were able to resist the pressure and investigate another way until we could ascertain that it was not a scam, and then allowed the payment to be made.

Verify, verify, verify every suspicious interaction.

In the Hong Kong example, the employee who was asked to transfer $25 million should have come off that call, and phoned his boss on his normal number to double-check that the instruction was real.

But the most effective defence of all?

Don’t rely on your team’s gut feeling or instincts. All of this should be baked into proper procedures that employees must follow at all times, whether or not they are suspicious.

For example, here at Insight Associates, the vast majority of payments we make for ourselves and for our clients follow a predefined process approved on our system, which includes verifying bank details. Payments always go through at least two members of staff, to reduce the chances of fraud and maximise the chances that any errors will be noticed. 

If anything at all is out of the ordinary, for example a request is marked as urgent, we immediately check the background and get another colleague involved.

And we have procedures outlining how these checks are carried out – for example, never using phone numbers that are supplied to us (which may lead to the scammers) but rather, using numbers we already have or find from other sources.

Additionally, we invest in the latest firewalls and software, so our IT systems have up-to-date defences.

While no system is 100% secure, the systems we use are undoubtedly far stronger and safer than the ones our clients would otherwise employ. And their money and reputations are far better protected.

We do all this because we are very focused on building a world-class finance function for our clients. This includes ensuring that they will not be victims of fraud.

Professional, grown-up, well-run finance departments take this risk seriously.

If that’s the kind of finance function you want for your organisation, please get in touch today. Simply email garry@insightassociates.co.uk or call us on 01279 647 447 to find out more about how we can upgrade your financial management and how we can help you grow faster and maximise your profit.


