A multinational company has reported a loss of HK$200 million (US$25.6 million) after a scam where deepfakes of the firm’s chief financial officer (CFO) were used during a video call to deceive employees at its Hong Kong branch to transfer the funds.
The perpetrators fabricated convincing representations of the CFO and other meeting participants by transforming publicly available video and other footage into lifelike simulations of the real individuals. According to reports, everyone present on the video calls, except for the employee who was convinced to make the transfer, was a fake representation of actual people.
Acting senior superintendent of Honk Kong Police’s Cyber Security Division, Baron Chan Shun-ching, noted that usually such cases had the scammers interacting with victims in one-on-one calls, but “this time, in a multi-person video conference, it turns out that everyone you see is fake.”
He further added that this crime, in its sophistication and with such large funds lost, was the first of its kind in Hong Kong. Although the police did not disclose details about the company and the affected employees, Chan revealed that the scammers adeptly generated deepfake versions that accurately resembled and sounded like the targeted individuals.
The targeted employee, a member of the finance department, received a phishing message in mid-January that appeared to be from the company’s UK-based chief financial officer. The message claimed the necessity of carrying out a secret transaction.
Despite being initially doubtful the employee fell for the ruse after joining a group video conference where the company’s CFO and other seemingly legitimate staff members were present, along with some outsiders. The deepfake technology effectively created convincing visual and auditory illusions with the fake CFO, instructing the employee to make 15 transfers totalling HK$200 million to five Hong Kong bank accounts.
Authorities are now investigating the case, and cybersecurity experts are likely to stress the need for enhanced awareness and security measures to mitigate the risks associated with deepfake technology.
