
Root Causes 364: Video Conference Deepfake Enables $25 Million Theft

Hosted by: Tim Callan, Chief Compliance Officer
Original broadcast date: February 22, 2024

Deepfakes continue to show themselves as part of the standard criminal toolkit. A recent deepfake spear phish enabled a $25 million Business Email Compromise (BEC). We explain what happened.

Podcast Transcript

Lightly edited for flow and brevity.
Tim Callan: This is a news item. And this is a news item that directly connects to something that we've been discussing repeatedly of late. And we've talked about how deep fakes have moved into the criminals’ toolkit, and that they're just showing up as part of spear phishing and fraud and other scams, just as part of the criminals’ toolkit. We just recently published an episode about deep fakes interfering in elections and I'm looking at a headline today, I'm getting this from SC Media. February 5, 2024. Reporter is Laura French and the headline reads, Deep Fake Video Conference Convinces Employee To Send $25 Million To Scammers.
Jason Soroko: Wow. That’s a lot of money, Tim.
Tim Callan: That’s a lot of money. It was actually in Hong Kong dollars. It was 200 million Hong Kong dollars, which translates to roughly $25 million USD.
Jason Soroko: Tim, think about this - somebody was convinced to send $25 million – equivalent - from thinking they were talking to a known colleague on a conference call.
Tim Callan: Yes. Correct. On a video conference call. This is a deep fake. Just think about - Yes. Just think about the level of accomplishment of that. That you are in a conversation. Like it's one thing you and I made a fake intro to our podcast one time. It was convincing and people like thought it was real until we told them it wasn't but we knew what we were going to say and we scripted it out and we had that thing as a recording. This is where you're walking into a situation where, like you could be asked a question, you have to be in a dialogue. Like, wow, this is accomplished.
Jason Soroko: Tim, I tell you something. I know in the business that we work for if somebody - - if I was working in finance, for example, and my CFO boss said, hey, Jay, please wire off the equivalent of 25 million to five different companies, which is what happened here, I mean, obviously, in banks, maybe that's not uncommon to be asked to do that but I still would be like, are you sure? Are you sure? And you know, Tim, I think at the bottom of this is this - that's enough money, where some double checks are worth it.
Tim Callan: Yeah.
Jason Soroko: Let's just say that. And I tell you, if wiring off that amount of money, all it requires is that your video and audio feed of a colleague is enough for you to wire off that amount of money, you need to check - - first of all, check your controls. But I think for the rest of us who aren't in high finance, and would have went forget it, I'm not doing that, because that's insane. I think for the rest of us, I think the example though is I think we all have to admit, at this point, Tim, we all have to admit, any of us, if somebody got me on a video feed, and it looks just like an authority figure in my company, I'm not sure what I would agree to. I might agree to just about anything.
Tim Callan: Well, and that's the thing, right? That's the thing where people think that this couldn't possibly – this has to be my whoever it is, CFO, telling me to do this thing, my CEO telling me to do this thing. And there's one of the trappings of this particular kind of scam you see a lot, which is there's an excuse for things going outside the normal process and usually it's something secret, right? So there's a reference here in the report that it was - - this person thought they were involved in a secret project. And so the old common version of the scam would be, hey, there's some important M&A activity coming up. This is confidential, need to know only. I can't have you discussing this with your coworkers, and we've got to move now or we're going to lose the deal. I need you to do this thing by the end of the day. So it creates the urgency. It creates the excuse for that secrecy. It makes people feel important. It makes people feel like they're going above and beyond and doing something for the good of their community and their coworkers and their company and those are all the way that these things work.
Jason Soroko: Yes. Social engineering works.
Tim Callan: Yeah. And so yeah, I mean, wow. There's another thing. I just want to quote one other thing from the same article. Laura French, further down, references some research that said that there was a 3,000% increase in deep fake fraud attempts between 2022 and 2023. So you know, that's a 30x increase, which strikes me as completely credible.
Jason Soroko: Yes.
Tim Callan: Maybe low. Right?
Jason Soroko: Maybe low.
Tim Callan: I actually think it's probably higher. And so, you know, that's tied into what we said at the very end of 2023, which is 2024 is going to be the year where we see these things just becoming just part of mainstream criminal activity. And here you are. Like we’re barely into the second month of the year and we've already had two very high profile, new attacks, based on these deep fakes. Like it's the thing.
Jason Soroko: Folks, it's dangerous out there. I called out in a previous podcast, I want the media to start using my term, which is easy fakes.
Tim Callan: Easy fakes.
Jason Soroko: Because I don't think people realize you're going to see a lot more of this. And I think, as you just said Tim, maybe those numbers are low. I don't think they're gonna stay low for long. I think once the bad guys realize this is just an easy way to money, you're gonna see a lot more of it.
Tim Callan: It’s sad that it's true. Like, I'd like to be wrong about this one but I'm just not going to be.
Jason Soroko: No. You’re not going to be wrong about it at all. So folks, stay tuned. The reason why we're rotating on this topic quite a lot is because, you know, in terms of the wider security subject that we speak about on this podcast, this is a big one. And Tim, Tim called it. Said you're gonna see a lot more of it. And we are. And I'm afraid we're gonna see a ton more of it. So folks, the call to arms here is beware. Don't trust even a video call from a colleague at this point.
Tim Callan: Yeah. Right. Absolutely. And then connect to that also, don't get bent out of shape if your colleague needs some kind of out of band confirmation, right?
Jason Soroko: Right.
Tim Callan: It goes both ways. If I have to be able to challenge that this strange request is really true, then in the unusual circumstance where the strange request is true, you can't get bent out of shape that I'm challenging it.
Jason Soroko: Tim, I think that is an upcoming podcast. You and I, let's talk about the best ways to do out of band confirmations in a scalable and secure way, because that's maybe the only way around this.
Tim Callan: Absolutely. And I still think in the long, long, long term, there is a need for more bolstering of the idea of confirmed identity in these media. And again, is that signed files? Is that somehow confirmed identity connected to an identity when you're in a real live streaming conversation. Like how that is shaped is yet to be determined and there's just nothing there today but that's definitely a thing that society needs. And there's no question that's something that society needs and until that's done, we're going to be hurt in our ability to communicate and do certain kinds of businesses in a real fundamental way.

So I agree with you. I think out of band and best practices is very interesting. And let's cover that. Let's make that a topic.

And I also think if you want to project into the farther future, this isn't a thing that happens this year, or next year or the year after that. But if you project out 10 years from now, there's going to be something in place that allows us to confirm who we are, and that's where tech needs to get to.
Jason Soroko: That's what I wanted to talk about, Tim. Anyway. Interesting subject.
Tim Callan: All right. Thank you very much, Jay.
Jason Soroko: Thank you.
Tim Callan: This has been Root Causes.
