by Heather Noggle,
UniteNews Staff Writer
You have to read this one. It’s about our future and why we must figure out how to secure it – addressing the digital threats of today and tomorrow.
In early February of this year a Hong Kong worker fell for the scam of the decade. He could have stopped it by listening to his “spider-sense” and verifying what was happening. Here is the story.
You may have seen the word “deepfake” in headlines and maybe even in news articles. Early technology for faking and forging primarily involved manual editing of videos and images. The book Rising Sun by Michael Crichton (and a 1993 movie by the same name starring Sean Connery and Wesley Snipes) features a doctored video, showcasing very advanced technology for its time.
A deepfake is an image or video that has been altered so that its subject appears to be someone else. This is typically exploitative and malicious, especially when the fakes are of public figures.
The scam that enabled the transfer of $25 million went like this:
The setting: An online work meeting held on Zoom
The participants: AI-generated deepfakes with cloned voices. The CFO’s voice was cloned, and an imitation was built to “talk” at the Zoom meeting.
The ask: At some point during the meeting, the fake-voiced, face-cloned CFO asked the target employee to transfer $25.6 million.
This is a big company. It has that kind of money at its disposal. And this company employee was authorized to make that kind of transfer.
The scammers knew all of this, and in their intricate plan they did the following:
Made fake video representations of real people
Cloned voices
Knew whom to target
Worked past his suspicions
Those suspicions were put to rest when the worker saw the people in the meeting. He recognized them.
The imminent transaction was to be “secret,” so the conversation took on extra importance.
The transfer of 200 million HKD, or Hong Kong dollars, began. Moving this much money took 15 separate transfers. During each of these transfers, the employee could have stopped to verify.
Now, the Hong Kong police have made 6 arrests thus far. The employee who authorized the transfer did become suspicious enough to report his actions.
The question is, how do we tell what’s real? If we can’t trust our ears and eyes in a video meeting, what do we do?
We verify in other ways. Had the employee stopped and called the corporate office to verify or stalled until he could do so, this could have been averted. Pressure to please executives, though, probably quashed this good behavior.
If it’s digital, it’s hackable. We humans are emotionally hackable, but thus far, it’s unlikely our limbs and other physical attributes will be hackable.
Ars Technica gave more advice: “The police have offered tips for verifying the authenticity of individuals in video calls, such as asking them to move their heads or answer questions that confirm their identity, especially when money transfer requests are involved. Another potential solution to deep-fake scams in corporate environments is to equip every employee with an encrypted key pair, establishing trust by signing public keys at in-person meetings. Later, in remote communications, those signed keys could be used to authenticate parties within the meeting.”
If you’re curious about the encryption option of public and private keys, research PGP, or Pretty Good Privacy.
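The signed-key idea from the advice quoted above, as an added example that is not part of the original article: the employee signs the CFO's public key in person, then during a call sends a fresh challenge that only the holder of the matching private key can sign. It uses Ed25519 from Node's built-in crypto module rather than PGP, and every name, key and request string in it is constructed for illustration.

```javascript
// Added example (constructed names and data): signed keys plus a live challenge.
const { generateKeyPairSync, createPublicKey, randomBytes, sign, verify } =
  require('node:crypto');

const newKeyPair = () => generateKeyPairSync('ed25519');
const spki = (publicKey) => publicKey.export({ type: 'spki', format: 'der' });
const endorsedBytes = (name, keyDer) => Buffer.concat([Buffer.from(name + '\n'), keyDer]);

// In person: the employee signs a colleague's public key with their own private key.
function endorse(signerPrivateKey, name, publicKey) {
  const keyDer = spki(publicKey);
  return { name, keyDer, sig: sign(null, endorsedBytes(name, keyDer), signerPrivateKey) };
}

// During the call: a fresh nonce tied to the claimed name and the exact request.
function newChallenge(name, request) {
  return Buffer.from(JSON.stringify([name, request, randomBytes(16).toString('hex')]));
}

// The person asked to prove who they are signs the challenge with their private key.
const respond = (challenge, privateKey) => sign(null, challenge, privateKey);

// Accept only if the endorsement is one we signed ourselves AND the challenge
// signature verifies under the endorsed key.
function checkCaller(myPublicKey, endorsement, challenge, response) {
  const { name, keyDer, sig } = endorsement;
  if (!verify(null, endorsedBytes(name, keyDer), myPublicKey, sig)) return false;
  const callerKey = createPublicKey({ key: keyDer, format: 'der', type: 'spki' });
  return verify(null, challenge, callerKey, response);
}

function demo() {
  const employee = newKeyPair();
  const cfo = newKeyPair();
  const impostor = newKeyPair(); // looks and sounds right, but has no CFO key
  const cfoCard = endorse(employee.privateKey, 'cfo', cfo.publicKey); // in person
  const forgedCard = endorse(impostor.privateKey, 'cfo', impostor.publicKey);
  const c1 = newChallenge('cfo', 'transfer 1 of 15');
  const c2 = newChallenge('cfo', 'transfer 2 of 15');
  return {
    genuine: checkCaller(employee.publicKey, cfoCard, c1, respond(c1, cfo.privateKey)),
    noKey: checkCaller(employee.publicKey, cfoCard, c1, respond(c1, impostor.privateKey)),
    forgedCard: checkCaller(employee.publicKey, forgedCard, c1, respond(c1, impostor.privateKey)),
    replay: checkCaller(employee.publicKey, cfoCard, c2, respond(c1, cfo.privateKey)),
  };
}

console.log(demo());
```

Only the genuine case passes: a caller without the private key, a self-made endorsement, and a signature replayed from an earlier transfer are all rejected.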
For more information contact Heather Noggle at hnoggle@codistac.com