According to The Wall Street Journal, a UK energy company’s chief executive was tricked into paying €200,000 to a supplier because he believed his boss was instructing him to do so. But the company’s insurance firm said that a fraudster had used deepfake software to mimic the voice of the executive and request that the payment be made within the hour.
“The software was able to imitate the voice, and not only the voice: the tonality, the punctuation, the German accent,” said a spokesperson. The phone call was matched with an email, and the energy firm CEO obliged. The money is now gone, having been moved through accounts in Hungary and Mexico and dispersed around the world.
Later, after a second request from the thieves was made, the energy firm CEO called up his actual boss, only to find himself handling calls from both the fake and the real versions of the man simultaneously, which alerted the CEO to the ongoing theft. This may not be the first time this has happened. Cybersecurity firm Symantec says it has come across at least three cases of deepfake voice fraud used to trick companies into sending money to a fraudulent account, and that one of the cases resulted in millions of dollars in losses.
The situation highlights the capabilities of deepfake software. Google’s Duplex service can mimic the voice of a real human being so that it can make phone calls on a user’s behalf, and a number of smaller startups, many of which are located in China, are offering up similar services for free on smartphones, sometimes under questionable privacy and data collection terms.
In other words, deepfakes are here to stay and are a new attack vector that businesses need to be aware of. Our advice to protect against this type of threat is to follow up on any unusual request, no matter how convincing, by a different channel. For instance, if you receive a suspicious request by email and it is then followed up with a call from a mobile number, call back on a known landline number. And consider implementing code words when requesting financial transactions, or asking personal questions of the requester to prove their identity.
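The following is an added example, not code from the original article, showing how the advice above can be turned into an approval gate for unusual payment requests: the follow-up call must go to the number already on file for the requester (never the number the request itself supplied), and the requester must give a pre-agreed code word. The contact directory, the code word, the threshold and the request data are all constructed sample values.

```python
"""Out-of-band verification gate for unusual payment requests.

Added example (not part of the original article). An urgent request that
arrives on one channel is approved only after the requester has been
reached back on a number from a trusted directory and has answered a
pre-agreed code word. All directory entries and requests are constructed
sample data.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample directory: contacts and the numbers verified when
# they were onboarded. The code word is kept in source only for this
# example; a real deployment would provision it out of band and keep it
# out of the code base.
KNOWN_CONTACTS = {
    "ceo@example.com": {
        "landline": "+44 20 0000 0000",   # placeholder number
        "code_word": "tamarind",          # constructed sample code word
    }
}


@dataclass
class PaymentRequest:
    requester: str          # claimed identity (e.g. email address)
    amount_eur: float
    request_channel: str    # channel the request arrived on (email, phone)
    callback_number: str    # number the requester *asked* to be called on


@dataclass
class VerificationResult:
    approved: bool
    reasons: list = field(default_factory=list)   # audit trail


def verify_out_of_band(req, callback_number_used, code_word_given,
                       threshold_eur=10_000):
    """Return a VerificationResult for a payment request.

    Approval requires (for amounts at or above the threshold) that the
    follow-up call used the directory number on file and that the code
    word matched. Every decision records its reason so the outcome can
    be reviewed later.
    """
    result = VerificationResult(approved=False)

    contact = KNOWN_CONTACTS.get(req.requester)
    if contact is None:
        result.reasons.append("requester not in trusted directory")
        return result

    # Routine amounts follow the normal process; only unusual amounts
    # trigger the out-of-band gate.
    if req.amount_eur < threshold_eur:
        result.approved = True
        result.reasons.append("below out-of-band threshold")
        return result

    # Record when the request tried to steer the callback elsewhere: a
    # number that differs from the directory entry is a warning sign.
    if req.callback_number != contact["landline"]:
        result.reasons.append("request supplied a non-directory callback number")

    # The callback must go to the number on file. A number supplied by the
    # requester is under the requester's control, whoever that really is.
    if callback_number_used != contact["landline"]:
        result.reasons.append("callback did not use directory number")
        return result

    # Constant-time comparison of the code word given on the callback.
    if not hmac.compare_digest(code_word_given.encode(),
                               contact["code_word"].encode()):
        result.reasons.append("code word mismatch")
        return result

    result.approved = True
    result.reasons.append("verified on directory number with code word")
    return result


if __name__ == "__main__":
    # Constructed request mirroring the pattern in the article: an email
    # followed by a call from a mobile number the requester supplied.
    req = PaymentRequest("ceo@example.com", 200_000.0, "email", "+44 7700 900000")
    print(verify_out_of_band(req, "+44 7700 900000", "tamarind"))   # rejected
    print(verify_out_of_band(req, "+44 20 0000 0000", "tamarind"))  # approved
```

The gate deliberately treats the number supplied in the request as untrusted input: calling it back only confirms that whoever sent the request answers that phone. The directory number and the code word are the two facts the fraudster has to lack for the check to be worth anything, so both have to be kept outside the channels a request can arrive on.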