Osterman Research

The New Zealand Herald covered the story of a deepfake meeting scam attempt against Zuru in November 2023, which [1] featured a deepfake of the CEO attempting to get the CFO to transfer money, but [2] was less than optimal since while the deepfake video presented a perfect rendition of the CEO, the “AI wasn’t sophisticated enough for a real-time voice exchange.” The deepfake CEO reverted to a text exchange (by the sounds of it, either a chat session during the Teams meeting or a WhatsApp message exchange), but since the language used during that exchange deviated from the language patterns of the actual CEO, the CFO saw through the fraud attempt.

We’ve come a long way in three months, apparently, since a successful and costly incident happened a couple of weeks back that seamlessly merged video and voice of multiple deepfakes in an online meeting meeting to trick a finance employee into transferring a large sum of money. This happened at the Hong Kong office of an unnamed multinational company, resulted in losses of US$25.6 million, and saw the scammers “convincingly replicat[ing] the appearances and voices of targeted individuals using publicly available video and audio footage.”

A couple of thoughts on the above:

1. There is speculation in the comments section of the ArsTechnica article that the finance employee in Hong Kong was complicit. Yes, that’s possible, but voicing such speculations is fraught with danger, because irrespective of whether it proves to be true or false, such actions have smeared many an individual and resulted in some taking their own life out of a sense of public shaming. If the Hong Kong employee was duped, he or she should be supported, not shamed. It points to a significant area of weakness in organizational processes and systems that the multinational company will need to address, along with everyone else.
2. Requests for secret transfers of money to new bank accounts should be an immediate red flag, irrespective of the person asking for this to happen. For any organization that doesn’t have a policy on this type of request, along a strong authorization process that applies in such cases, fraud and other types of questionable behavior will only continue to succeed.
3. From a tech perspective, this highlights the need for using authorized apps only, enforcing strong identity security controls, and recording and archiving online meeting content for subsequent review.