[HN Gopher] Finance worker pays out $25M after video call w...
___________________________________________________________________
Finance worker pays out $25M after video call with deepfake
CFO
Author : bsdz
Score : 289 points
Date : 2024-02-04 08:43 UTC (14 hours ago)
(HTM) web link (edition.cnn.com)
(TXT) w3m dump (edition.cnn.com)
| bsdz wrote:
| _"(In the) multi-person video conference, it turns out that
| everyone [he saw] was fake,"_
|
| This sounds like it required quite a bit of preparation, i.e.
| collecting data for each deep-faked participant including
| image/voice samples.
|
| If it's reaching this level of sophistication already then I
| suspect a new participant validation scheme is on its way for
| sensitive meetings.
| willsmith72 wrote:
| the scary part is how easy this would be to do right now,
| especially for a larger, higher-profile company. leadership is
| almost synonymous with an online presence in the form of
| podcasts, interviews, youtube videos, conference talks. combine
| that with public photo-sharing app profiles, and you're in
| business.
| sbarre wrote:
| Yeah C-suite execs are often on quarterly investor calls and
| those calls are made public as a matter of record aren't
| they?
| dist-epoch wrote:
| $25 mil was at stake.
|
| It would easily be worth it spending $1m on the perfect setup.
| irrelative wrote:
| Only if it works >4% of the time.
| jsnell wrote:
| Only if you intend to run the scam only once, or if all of
| the work is completely bespoke and not reusable for future
| attacks.
|
| That seems unlikely. I'm pretty sure there's actually a lot
| of economies of scale here, where the attackers' pipelines
| will become vastly more efficient and higher quality over
| time, with each attack requiring less manual work.
| escapecharacter wrote:
| spearphishing?
| ozr wrote:
| It's a sophisticated attack for sure, but the data collection
| really isn't too difficult now. A minute or two of audio is
| sufficient for voice, and a single good image.
| silexia wrote:
| The most likely explanation is the employee responsible here
| was actually the one who stole the money.
| iamflimflam1 wrote:
| I would suggest that every CFO agrees some kind of secret
| challenge response with their staff and other execs.
| pliny wrote:
| The secret challenge exists and it is the phone number / email
| address / VC account of CFO. If CFO wants to order EMPLOYEE to
| send money, then EMPLOYEE should only do the action after
| making an outgoing call to CFO.
| agilob wrote:
| Make a twist and call my wife, not me.
| makeitdouble wrote:
| Where it hurts is it can be a PITA to get hold of the CFO
| from the mere employee side, especially as the CFO was UK
| based.
|
| Basically, it was a well thought and well executed scam that
| perfectly fit the employee's situation.
| greenyoda wrote:
| > it can be a PITA to get hold of the CFO from the mere
| employee side
|
| I'm guessing that someone who can authorize a $25M
| transaction is fairly high up in the corporate hierarchy,
| not that many levels away from the CFO.
| makeitdouble wrote:
| For a finance worker I actually wonder how much it means
| to transfer $25M.
|
| I have no idea, but I suppose moving funds from one
| subsidiary to another for instance wouldn't be for a few
| thousands only, and he's seeing money fly around day in
| day out. Would it feel the same as an infra engineer
| rebalancing a few millions of access from a cluster to
| another ?
| dools wrote:
| The CFO was on the call. You just say "cool I'm sending a 4
| digit code to your mobile phone, read it back to me".
| makeitdouble wrote:
| The CFO already separately sent him a message before the
| call, and I wonder if they'd get access to the CFO's
| number in a central directory (leaving aside the fact
| that you're asking to message them while they're live "in
| front" of you).
|
| If the CFO gave a number on the call, it wouldn't be much
| of a check either.
|
| I think the real improvement would be to have the CFO
| file a ticket, but obviously that company was used to
| playing it fast and loose.
| pavel_lishin wrote:
| With $25 million on the line, I'd argue that the company
| could afford an airline ticket to fly to the UK and back
| to verify in person.
| Detrytus wrote:
| They might be able to afford ticket price, but not the
| time it takes to fly to the UK. Some things are time-
| sensitive.
| rijx wrote:
| It would detect number spoofing. Spoofing is easy,
| hacking phones is hard(er).
| hn_throwaway_99 wrote:
| 100% agree. "Hang Up, Look Up, Call Back" should be made into
| a jingle and absolutely hammered into the culture of, at this
| point, literally everyone (given all the scams that occur
| targeted both toward consumers and employees):
| https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-
| lo...
| TrackerFF wrote:
| I don't know enough about this, but would it be possible for
| the scammers to hijack the SIM swapping?
|
| That is, the scammer manages to get ahold of the SIM card /
| phone number of the CFO, and be on the receiving end if/when
| a worker calls the CFO up.
|
| Weakest link would probably be to compromise some telecom
| worker, so that this can be orchestrated.
| Narkov wrote:
| Money transfer, or any non-revocable transaction for that
| matter, should require multiple sign-offs (a.k.a "two/X to
| sign"). Businesses have been using this for decades.
|
| This problem isn't a technical one..it's a process issue. One
| person shouldn't be able to transfer $25m without multiple
| people authenticating and authorising.
| monkeydust wrote:
| Was expecting this to happen soon and I guess soon is now. Will
| Zoom, MS start to compete on participant authentication features
| they are probably going to add?
| DANmode wrote:
| Heading in that direction
|
| https://www.microsoft.com/en-us/security/blog/2023/05/04/how...
|
| https://learn.microsoft.com/en-us/entra/verified-id/how-to-d...
| smeej wrote:
| My money had been on 3-5 years, but it was definitely coming,
| and I guess I shouldn't be surprised it's here.
| Gustomaximus wrote:
| > "(In the) multi-person video conference, it turns out that
| everyone [he saw] was fake,"
|
| This could be totally real, but also could one employee saying
| 'the CFO was on a call' and claim deepfake to make it an excuse?
|
| I guess it was a matter of time before this occurred. How long
| before scammers do bulk video calls to parents/grandparent
| pretending to be the kids saying they are in trouble and need $$$
| ASAP.
|
| The even better question, is how can this be stopped or reduced
| and is there a new business there?
| cornholio wrote:
| Seems like it can be stopped dead with standard crypto, smart
| cards and multifactor tokens, multiparty authorization etc.
| Ideally, issued by public authorities together with any other
| official ID, leveraging the strong security governments have
| already built around that process.
|
| The generic type of vulnerability referenced in the latter part
| of the article has sprung up after fintech tried to emulate
| traditional offline auth and KYC with things like scanned
| images of ID documents, face recognition and liveness
| detection. Anyone in the know could see these attacks coming
| miles away.
| loceng wrote:
| Could you elucidate how exactly "standard crypto" would stop
| such a thing?
| sargun wrote:
| I think the poster meant the prior meaning of the word
| 'crypto' -- cryptography, in which the CFO could sign and
| encrypt some message and then the message's authenticity
| could be verified.
| YetAnotherNick wrote:
| How does crypto add anything that just verifying email
| ID/phone number doesn't provide? If your solution is to
| whitelist some certificates or keys, you can as easily or
| even more easily whitelist email IDs/phone numbers.
| sverhagen wrote:
| Banks certainly don't trust email, that's why instead
| they make you use those "encrypted messages" portals
| (...from hell).
| pastage wrote:
| Cryptography can and should be done on hardware tokens
| that should directly be reported as stolen. A video call
| with email/phone is easy to fake.
|
| I work with people who all have hardware crypto, you are
| right that we do not have the organizational knowledge to
| verify everything with crypto. Even if the tech is 60%
| there.
| YetAnotherNick wrote:
| Most companies only allow logging in to email on work
| devices, which are as easy to report stolen.
|
| What other kind of verification are we talking about
| which standard email DKIM doesn't have.
| acdha wrote:
| Email means I got access to your device or something
| you've configured to be able to send email, which is
| probably a lot of servers unless you have an entire
| domain dedicated to financial messages everyone knows not
| to trust any other domains.
|
| A message signature means I got you to do something like
| tap a Yubikey and enter a PIN, touch a fingerprint
| sensor, etc. That can still be socially engineered, of
| course, but it can't happen by accident and you could add
| some safeguards against routine by having a dedicated
| "major transactions" key used only for that purpose to
| add a physical speed bump.
|
| The problem is that "ignore my gmail, I lost my phone"
| will defeat that training more often than we'd like, so
| you really need to have process safeguards which make it
| a requirement and management backing to say even the CEO
| will follow the lost device process rather than asking
| someone to bypass process, and that has to be so
| carefully enshrined that nobody questions whether their
| job is on the line if they tell the real CFO that they
| can't bypass the process.
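acdha's dedicated "major transactions" key, as an added illustration in Go (this is example code written for this page, not code from the article or from any commenter). The CFO's key signs the payee, amount, currency, a fresh nonce and an expiry as one message, and the payments system verifies against a public key it already holds. The field names, the in-memory key pair standing in for a hardware token, and the sample order are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Instruction is the payment order the CFO signs with the dedicated
// "major transactions" key. Everything the clerk acts on (payee, amount,
// deadline) sits inside the signed bytes, so a captured signature cannot be
// reused with a different beneficiary or amount. Field names are assumptions
// for this example.
type Instruction struct {
	Payee    string `json:"payee"`    // beneficiary account reference
	Amount   int64  `json:"amount"`   // minor units, e.g. cents
	Currency string `json:"currency"` // ISO currency code
	Nonce    string `json:"nonce"`    // unique per order; blocks replay
	Expires  int64  `json:"expires"`  // unix seconds; stale orders are refused
}

// SignedInstruction carries the order and the Ed25519 signature over its
// canonical JSON encoding.
type SignedInstruction struct {
	Instruction Instruction `json:"instruction"`
	Signature   []byte      `json:"signature"`
}

var (
	ErrBadSignature = errors.New("signature does not verify under the pinned key")
	ErrExpired      = errors.New("instruction has expired")
	ErrReplay       = errors.New("nonce already executed")
)

// canonical produces the bytes that are signed. encoding/json writes struct
// fields in declaration order, which makes the encoding deterministic.
func canonical(ins Instruction) ([]byte, error) {
	return json.Marshal(ins)
}

// NewNonce returns 16 random bytes as hex; uniqueness is all that matters.
func NewNonce() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return hex.EncodeToString(b[:]), nil
}

// Sign is the step that needs the CFO's physical token (PIN, touch): it is
// the only place the private key is used.
func Sign(priv ed25519.PrivateKey, ins Instruction) (SignedInstruction, error) {
	msg, err := canonical(ins)
	if err != nil {
		return SignedInstruction{}, err
	}
	return SignedInstruction{Instruction: ins, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify runs in the payments system against the public key pinned there
// (distributed out of band, never taken from the message or the call).
// seen records nonces already executed and is updated only when every
// check passes, so a rejected order cannot burn a nonce.
func Verify(pub ed25519.PublicKey, s SignedInstruction, now time.Time, seen map[string]bool) error {
	msg, err := canonical(s.Instruction)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, s.Signature) {
		return ErrBadSignature
	}
	if now.Unix() > s.Instruction.Expires {
		return ErrExpired
	}
	if seen[s.Instruction.Nonce] {
		return ErrReplay
	}
	seen[s.Instruction.Nonce] = true
	return nil
}

func main() {
	// Constructed demo: the key pair stands in for the CFO's hardware token.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	nonce, _ := NewNonce()
	order := Instruction{Payee: "ACME-HK-001", Amount: 2_500_000_000, Currency: "USD",
		Nonce: nonce, Expires: time.Now().Add(time.Hour).Unix()}
	signed, _ := Sign(priv, order)

	seen := map[string]bool{}
	fmt.Println("genuine order: ", Verify(pub, signed, time.Now(), seen)) // <nil>
	fmt.Println("replayed order:", Verify(pub, signed, time.Now(), seen)) // nonce already executed

	tampered := signed
	tampered.Instruction.Payee = "MULE-ACCOUNT-999"
	fmt.Println("altered payee: ", Verify(pub, tampered, time.Now(), map[string]bool{})) // signature does not verify

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:     ", Verify(otherPub, signed, time.Now(), map[string]bool{})) // signature does not verify
}
```

The property that matters is that the public key is pinned in the payments system ahead of time. A key, fingerprint or "use this one instead" supplied on the call itself is worth nothing, for the same reason a phone number handed over on the call is not a check.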
| ghaff wrote:
| I expect that most work emails are accessed from
| personally-owned phones.
| macrolime wrote:
| Phone numbers are trivial to spoof or steal and there is
| currently no way to protect against that.
| YetAnotherNick wrote:
| Care to explain how I can spoof someone else's phone number?
| Also phone is as hard to steal as any device where key is
| stored. In fact, people will remember their phone is
| stolen much before than the usb key or laptop or anything
| else.
| p_l wrote:
| If you can get an SS7 link with a telco, in most cases it's
| trivial to spoof Caller ID signals, as those are
| essentially forwarded from the originating network. Getting
| a direct SS7 link isn't as hard as it sounds; it's IIRC a
| common thing if you want to run a VoIP provider.
|
| Your telco's NOC can at best track what "port of entry"
| the call came from but can't force the Caller ID to be
| truthful.
| xur17 wrote:
| I imagine it has changed, but 10-ish years ago I recall
| having a cheap VoIP account that just let me enter
| whatever phone number I wanted as the caller ID.
| p_l wrote:
| It's very much a "honor system". If VoIP provider doesn't
| do due diligence, the other networks can't really check
| the value, especially since number porting became the norm.
| MichaelZuo wrote:
| For the first few dozen times sure, but after the
| hundredth or so report of a scam call associated with a
| spoofed number, the VoIP provider should be blocked by
| the telco. That is if they were allowed to do so.
| p_l wrote:
| "should" is doing a lot of heavy lifting in that
| statement :)
| xorcist wrote:
| There is an authentication between your phone and your
| telco, but there is no authentication between your telco
| and others. Any telco in the world (and there are many)
| or someone who has bribed (or hacked) someone who works
| there can say "this phone is now roaming our network" and
| traffic gets routed there.
|
| These things are usually discovered but not before a call
| or sms goes through. There are also other possibilities
| such as diverting calls available to someone with the
| right access to the signalling network. Anything that's
| unauthenticated and unencrypted should be regarded as
| insecure, really.
| HeatrayEnjoyer wrote:
| If it's authenticated how can one telco sign a call with
| the key of another telco?
| wolfgang42 wrote:
| There is (or was) no authentication within the core of
| the public switched telephone network, since it was
| designed at a time when that was impractical and physical
| infrastructure was assumed to be reasonably secure. So
| you don't need to fake signing, you just say "Hey,
| +1-555-555-5555 roamed onto my network and is making a
| phone call" and the recipient takes this at face value.
| ("Blue boxing" to fake the phone system into giving you
| free long distance phone calls worked for similar
| reasons.) STIR/SHAKEN is supposed to fix this, though I
| don't know how far along implementation has actually
| gotten.
| internet101010 wrote:
| From what I gather it depends on the carrier. T-Mobile is
| supposedly the easiest and Verizon the most difficult.
| The Darknet Diaries (link below) recently did an episode
| on how the sim swapping thing works and how expensive it
| is to get it done.
|
| https://www.youtube.com/watch?v=Cjy8-rVXO7o&t=2190s
| computerfriend wrote:
| This is a current, not prior, meaning of the word.
| subtra3t wrote:
| I think many people would expand the word crypto to
| cryptocurrency and not cryptography. We can argue on and
| on about which is the "correct" expansion but in my
| opinion a word's current meaning should be the most
| popular association people have of it.
| thwarted wrote:
| _phone beeps with SMS message from CEO_
|
| "Can you buy $1000 worth of egift cards and text me back
| with the redemption codes? Our jobs depend on this. I'm
| in a very important meeting, otherwise I'd do it myself;
| left my private key at the office and can't sign this
| message right now."
|
| The human element remains the weakest link.
| Aeolun wrote:
| Hard to buy 25M worth of gift codes though.
| chrisco255 wrote:
| You require that people sign messages cryptographically,
| including video calls, to validate their identity. You
| can't fake that.
| coffeebeqn wrote:
| Do any video call clients support this ?
| kwhitefoot wrote:
| Everyone in the call has a cryptographic ID that can be
| authenticated with a trusted authority. Your device would
| just ask all the others for a one time token that it then
| submits to the ID server. The server tells you the public
| identifier of the person associated with that token.
|
| We already have infrastructure for bus and rail tickets,
| for logging in to banks, tax authorities, health services,
| etc. in Norway and other countries that could easily be
| extended to cover this use case.
| cornholio wrote:
| By using it? This was a social engineering attack against
| an otherwise unprotected service, if you manage to trick
| the security guard, you are in.
| Karellen wrote:
| It's easy. We just generate our own key pairs, establish a
| web-of-trust by signing each other's public keys at
| in-person meetups, and then use those signed keys to
| authenticate all the digital communication we do with each
| other.
|
| You know, like we've been doing with our emails since PGP
| was developed in 1991. You can tell how simple the process
| is, by how ubiquitous it has become in a mere 30 years!
| DANmode wrote:
| Publish it in your Twitter bio,
|
| or as a Nostr note, for cool kids to share with other
| cool kids.
|
| Defeatists get defeated!
| hobofan wrote:
| I don't know. Based on how it is described in the article,
| you could detect it via the means you mentioned and raise
| them as warning flags to the user, but as a last instance
| there will still be users that ignore all the warning signs
| and be convinced by a good scam story.
| sverhagen wrote:
| ...such as a person much higher up in the organization
| giving you a direct "urgent" order. It shouldn't be hard to
| find corporate employees who really fear their superiors.
| cornholio wrote:
| Then it's the fault of those superiors for setting up a
| culture of fear and mindless subservience, instead of one
| of strong rules even they themselves are expected to
| follow.
|
| Cryptography without strong social rules is just cargo-
| cult religion.
| psychlops wrote:
| A culture of fear and mindless subservience has strong
| social rules. Would it work there?
| lupire wrote:
| The article mentions a pile of stolen ID cards used in
| another fraud.
| dist-epoch wrote:
| It's a lose-lose situation.
|
| If you refuse and it's an actual emergency with the real CFO,
| it might be a career limiting move, if you don't get fired.
|
| If you accept, it might be a deepfake CFO and you might get
| sued.
| acdha wrote:
| > If you refuse and it's an actual emergency with the real
| CFO, it might be a career limiting move, if you don't get
| fired.
|
| This is really the crux of it: senior management needs to
| take the lead setting up policies which are efficient enough
| not to encourage people to try to bypass them and the culture
| that everyone in the company should feel comfortable telling
| the CEO "I'm not allowed to do that". This is possible but it
| has to be actively cultivated.
| MichaelZuo wrote:
| It might not matter in the extreme case as there could
| always be a sufficiently serious emergency that will force
| their hand to bypass every policy. e.g. if they get a
| National Security Letter.
| acdha wrote:
| That's not Joe CPA's problem, though, beyond verifying
| that the men in black have valid government ID. If the
| FBI raids your office, you're not the one in trouble for
| it.
|
| Let's not ascribe too much power to those, either: NSLs
| can compel release of certain types of information but
| they can't force you to do things like transfer money or
| even disclose the contents of private messages.
| michaelt wrote:
| The solution: Make it your boss's problem.
| acheong08 wrote:
| > scammers do bulk video calls to parents/grandparent
| pretending to be the kids saying they are in trouble and need
| $$$ ASAP
|
| Especially when a high percentage of people post their face and
| voice on social media. I find this especially crazy in the age
| of AI. I trained a Stable Diffusion LoRA with photos of a
| friend and showed it to them (with permission) and they were
| completely shocked. Showed it to one of their friends and they
| were fooled for at least a minute and took some careful looks
| to find discrepancies.
| ghaff wrote:
| The reality is that if you speak at a conference there's a
| decent chance there's video of that on YouTube. If you have
| any sort of public presence as part of your job, your voice
| and likeness are probably out there whether you put it out
| yourself or not.
|
| Keeping yourself anonymous isn't compatible with a lot of
| even moderately senior-level jobs out there.
| mprovost wrote:
| CFOs of public companies typically do quarterly earnings
| conference calls with Wall St. So there's potentially
| plenty of recordings of their voices using the same kinds
| of language that it would take to fake something like this.
| ghaff wrote:
| One of the tradeoffs you make as you move up the ladder
| is that you increasingly can't be an anonymous person.
| That may be a good tradeoff or bad depending upon your
| perspective.
| internet101010 wrote:
| You would think that executives would clone their own
| voices for the earnings call script readings like a lot
| of video essay YouTubers do now. But no, they still use
| terrible conference call systems for earnings calls
| rather than decent microphones that would be used in a
| podcast. That could actually be a silver lining here when
| it comes to creating quality training data.
| NoPicklez wrote:
| I don't think it's "crazy".
|
| There has been little issue for most people having photos of
| themselves online on social media.
|
| If people want a photo of you they will find one.
| fuzzfactor wrote:
| >it was a matter of time before this occurred.
|
| I would assume the matter of time for it _occurring_ has
| elapsed a while ago, and now we are in the place where it's
| not only being detected, but further, actually revealed,
| regardless of how embarrassing that is.
| pas wrote:
| recently a group targeted expat/temp students and their
| families. they somehow coerced the kid into going camping and
| not picking up for anyone, and then they told the family the
| kid was with them. the family paid.
|
| https://abcnews.go.com/US/utah-missing-foreign-exchange-stud...
| abdullahkhalids wrote:
| > How long before scammers do bulk video calls to
| parents/grandparent pretending to be the kids saying they are
| in trouble and need $$$ ASAP.
|
| Unfortunately, this is why we need open access to some deepfake
| tech. The only way to convince people who are not immersed in
| tech how convincing deepfakes can be is to sit with them, and
| create their own deepfakes.
|
| Then memorize and practice security protocols like verbal
| passwords.
| bagels wrote:
| That's already happening successfully without deepfakes.
| Scammer calls and says "grandma I'm in trouble, they are
| holding me in jail unless you buy gift cards"
| jimmySixDOF wrote:
| There was an old theory you needed to be holding today's
| newspaper or mention current events to at least show that a
| media was not prepared earlier but this advice is out the
| window given enough dedication from the adversary.
| makeitdouble wrote:
| > Chan said the worker had grown suspicious after he received a
| message that was purportedly from the company's UK-based chief
| financial officer.
|
| It wasn't just a fake call, and he had a paper trail of the
| order...at this point it's pretty hard to prevent this from
| happening, short of having every order double checked by some
| other independent entity.
| oldtownroad wrote:
| it's trivial to avoid. Do not accept instructions outside of
| the standard instruction channels. The only reason this scheme
| works is because of bad processes, bad training or a culture of
| fear (where employees feel compelled to comply with any demand
| regardless of process for fear of losing their job).
|
| If an employee routinely receives email or zoom instructions to
| transfer $25m without any sort of sign off then the company is
| completely at fault for terrible process.
| JumpCrisscross wrote:
| > _Do not accept instructions outside of the defined company
| processes_
|
| Most non-enterprise companies have fairly loose wire
| protocols. That said, outgoing phone calls to two separate
| signers is a good, simple best practice.
| nikanj wrote:
| The standard instruction channels are so reliably shit,
| nobody bats an eye if they get an email saying "Teams is on
| the fritz again, please join us on Zoom instead"
| logicchains wrote:
| Corporate email clients usually have a way of marking non-
| internal emails, surprised this wasn't used.
| laboratorymice wrote:
| Don't know the details here, but email is still very much
| broken, and a number of large companies, including in the
| financial sector, are spoofable even after checking the usual
| boxes.[0]
|
| [0]: https://news.ycombinator.com/item?id=37438478
| makeitdouble wrote:
| Perhaps I'm reading too much between the lines, but this part
| makes it look like he got suspicious and checked for clues.
| It would have been pretty bad if the email was actually
| marked as internal.
|
| Same deal for the call as well. I'd expect the video client to
| warn that some members of the call are external to the
| organization (Google Meet does that). Or the CFO is expected
| to be outside (from another org) from the get go.
|
| > Initially, the worker suspected it was a phishing email, as
| it talked of the need for a secret transaction to be carried
| out.
| frenchman99 wrote:
| This sounds like bad company processes all around. For a sum this
| high, you need more than just a video call. Get an email (if the
| tech team set up DMARC correctly, sending phishing from the
| company domain is near impossible). Talk through company chat
| (Slack, Teams, etc). Call a couple of high-ranking people on
| their cells.
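The DMARC check frenchman99 refers to, as an added example in Go (this is code written for this page, not code from the article or from any commenter): given the SPF and DKIM results a receiving mail server has already computed, it decides whether the visible From: domain is authenticated and, when it is not, returns the policy the domain owner published. The record tags (v, p, adkim, aspf) are the real ones from RFC 7489; the organizational-domain shortcut, the struct layout, the sample domains and the sample results are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuthResult is what the receiving mail server already established from SPF
// and DKIM before DMARC is applied. The field layout is an assumption of
// this example.
type AuthResult struct {
	FromDomain      string   // domain in the RFC 5322 From: header, the one the reader sees
	SPFPass         bool     // SPF result for the envelope sender
	SPFDomain       string   // RFC 5321 MAIL FROM domain SPF was evaluated for
	DKIMPassDomains []string // d= of every DKIM signature that verified
}

// DMARCRecord holds the tags this example needs from the TXT record
// published at _dmarc.<from-domain>.
type DMARCRecord struct {
	Policy string // p=: none, quarantine or reject
	ADKIM  string // adkim=: "r" relaxed (default) or "s" strict
	ASPF   string // aspf=: same values
}

// ParseDMARC parses a record such as "v=DMARC1; p=reject; adkim=s".
// Tags not used here (rua, pct, sp, ...) are ignored.
func ParseDMARC(txt string) (DMARCRecord, error) {
	rec := DMARCRecord{Policy: "none", ADKIM: "r", ASPF: "r"}
	parts := strings.Split(txt, ";")
	if strings.TrimSpace(parts[0]) != "v=DMARC1" {
		return rec, errors.New("not a DMARC record")
	}
	for _, part := range parts[1:] {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 {
			continue
		}
		val := strings.ToLower(strings.TrimSpace(kv[1]))
		switch strings.TrimSpace(kv[0]) {
		case "p":
			rec.Policy = val
		case "adkim":
			rec.ADKIM = val
		case "aspf":
			rec.ASPF = val
		}
	}
	return rec, nil
}

// orgDomain approximates the organizational domain by keeping the last two
// labels. A real implementation consults the Public Suffix List so that
// example.co.uk is handled; that simplification is an assumption here.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) <= 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// aligned reports whether the authenticated domain matches the visible
// From: domain under the given alignment mode.
func aligned(authDomain, fromDomain, mode string) bool {
	a, f := strings.ToLower(authDomain), strings.ToLower(fromDomain)
	if mode == "s" {
		return a == f
	}
	return orgDomain(a) == orgDomain(f)
}

// Evaluate returns "pass" when at least one of SPF or DKIM both passed and
// aligns with the From: domain; otherwise it returns the domain owner's
// policy, which is the disposition the receiver applies to the message.
func Evaluate(rec DMARCRecord, r AuthResult) string {
	if r.SPFPass && aligned(r.SPFDomain, r.FromDomain, rec.ASPF) {
		return "pass"
	}
	for _, d := range r.DKIMPassDomains {
		if aligned(d, r.FromDomain, rec.ADKIM) {
			return "pass"
		}
	}
	return rec.Policy
}

func main() {
	// Constructed inputs. The forged message shows cfo@example.com in From:
	// but was relayed by a third-party host that only authenticates its own domain.
	forged := AuthResult{FromDomain: "example.com", SPFPass: true, SPFDomain: "bulk-mailer.example.net",
		DKIMPassDomains: []string{"bulk-mailer.example.net"}}
	genuine := AuthResult{FromDomain: "example.com", SPFPass: true, SPFDomain: "example.com",
		DKIMPassDomains: []string{"example.com"}}

	strict, _ := ParseDMARC("v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com")
	lax, _ := ParseDMARC("v=DMARC1; p=none")
	fmt.Println("forged under p=reject:", Evaluate(strict, forged)) // reject
	fmt.Println("forged under p=none:  ", Evaluate(lax, forged))    // none: delivered, only reported
	fmt.Println("genuine:              ", Evaluate(strict, genuine)) // pass
}
```

Two things worth checking in practice: the published record really says p=reject (p=none only generates reports, so the forged message above is still delivered), and DMARC only covers the exact domain it is published for. A lookalike domain, or a display name reading "cfo@example.com" in front of an address at a domain the attacker controls, is never evaluated against example.com's policy at all, which is one reason email alone is not a control for a transfer.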
| miohtama wrote:
| Good old face-to-face works. 25M is worth a business class
| flight.
| smeej wrote:
| It's not the money. It's the time. Lots of companies move
| fast enough that a $25M deal won't wait as long as it takes
| to fly from HK to London.
| switch007 wrote:
| If they want to do business like in the 21st century they
| can invest in 21st century security and policies. Otherwise
| get on the darn plane and do it 1970s style
| tetha wrote:
| It's one of the better ways to avoid getting scammed: Try to
| validate the communication in ways without relying on any
| information they gave you.
|
| If someone claims to be a police officer and hands you a number
| to call to see if they are real... don't use that number.
| Figure out the non-emergency number of the station they claim
| to be coming from independently and ask them. If a "new agent"
| from your bank calls you and gives you a "new number" to call
| them, figure out an official number of your bank and call that.
| willsmith72 wrote:
| > Initially, the worker suspected it was a phishing email, as it
| talked of the need for a secret transaction to be carried out.
| However, the worker put aside his early doubts after the video
| call because other people in attendance had looked and sounded
| just like colleagues he recognized.
|
| this is the real problem. why oh why, after suspecting an email
| as phishing, would you then go on to even click ANYTHING, let
| alone join a video call?
|
| insanity. either stupidity or he's lying about suspecting the
| email. how many corporate security trainings does it take? this
| is just about 101. "if asked to do a secret task by a suspicious
| email, DONT do it"
| geraldwhen wrote:
| "Secret transaction" is in the annual training of anyone who
| handles money. That's an immediate red flag, escalate to
| corporate governance officer.
| pavel_lishin wrote:
| > _how many corporate security trainings does it take? this is
| just about 101. "if asked to do a secret task by a suspicious
| email, DONT do it"_
|
| It takes $CURRENT_NUMBER + 1.
|
| People are _still_ , to this day, racking up thousands of
| dollars in iTunes gift cards on corporate cards and mailing
| them out, because they got a text from "the CEO". It happened
| at my spouse's work just last year. It'll continue happening
| again, forever, because to paraphrase P.T. Barnum, a sucker is
| hired every minute - in the probability distribution of
| humanity along that particular axis, there's always going to be
| some percentage at the bottom who'll fall for the most obvious
| scams. Sometimes repeatedly.
| IshKebab wrote:
| > corporate security trainings
|
| Have you ever actually done corporate security training? It's
| very obviously 100% useless and not going to teach anyone
| anything.
|
| A company I worked for actually started sending test phishing
| campaigns which is a lot more effective, but I thought they
| were still pretty obvious and also it led to stupid people
| reporting them on Slack endlessly.
|
| Still, probably the best thing you can do.
| ozr wrote:
| For you and me, yeah the training is useless. For someone
| actually naive enough to pick up gift cards for the 'CEO'? It
| could help.
| Havoc wrote:
| >It's very obviously 100% useless and not going to teach
| anyone anything.
|
| I've seen some decent ones. e.g. One that was presented from
| adversaries PoV which I thought was innovative & got people
| thinking about it in novel ways (at least did for me).
| NoPicklez wrote:
| I work in making and sending phishing emails for companies
| and measuring people's response.
|
| Many people will open a suspected phishing link, report it,
| then open it later in the afternoon...
| teo_zero wrote:
| > "if asked to do a secret task by a suspicious email, DONT do
| it"
|
| This is not what they teach you in trainings, though. They
| teach you to get the requestor (or your boss or whoever might
| be authoritative) on the line and confirm that the email is
| authentic. I believe a video call qualifies as well.
| saaaaaam wrote:
| I have no idea how something like this can even happen. In a
| company of that size it should be actually impossible for a
| transaction like this to occur without clearly documented
| processes to ingest, review, authorise and pay transactions.
|
| I have clients where anything over even quite a low set limit
| (say EUR10k) requires multi-party authorisation - and it's very
| common for the person entering payments to be unable to authorise
| payments. That's just good practice.
|
| A payment should not be able to be queued without a PO number. If
| the payee is new, the bank details need to be verified by phone.
| Once approved as a destination account, that payee is set up in
| banking, and authorised by a finance clerk and someone more
| senior. At the point a payment is requested the PO and other
| details should be double checked against what is in the system.
| If there's a match, then the payment can be queued for
| authorisation. The person entering payments and the people
| approving payments should be entirely different - and it should
| be people, not a single person. When payments are entered, the
| payments should be reviewed by first authorisation - a finance
| manager, for example - and once that authorisation is conducted,
| depending on payment limits, another authorisation or
| authorisations will be carried out.
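Narkov's "two/X to sign" and the process saaaaaam lays out (no payment without a PO, payee verified before it can be paid, the person entering and the people approving are different, thresholds by amount, and no path around the approvals), as one worked example in Go. This is added code written for this page, not anything from the article or from either commenter; the tiers, user names and in-memory ledger are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Payee is a beneficiary finance has already verified out of band (bank
// details confirmed by a call to a number on file, set up by a clerk and
// approved by someone senior). Only verified payees can be paid.
type Payee struct {
	ID       string
	Name     string
	Verified bool
}

// Payment is a queued outgoing transfer. Approvals holds the distinct user
// IDs that have authorised it.
type Payment struct {
	ID        string
	PayeeID   string
	PO        string // purchase order number; mandatory
	Amount    int64  // minor units (cents)
	EnteredBy string
	Approvals []string
	Released  bool
}

var (
	ErrUnknownPO          = errors.New("no open purchase order with that number")
	ErrUnverifiedPayee    = errors.New("payee has not been verified")
	ErrUnknownPayment     = errors.New("no such payment")
	ErrSelfApproval       = errors.New("the person entering a payment cannot approve it")
	ErrDuplicateApproval  = errors.New("approver already signed this payment")
	ErrNotEnoughApprovals = errors.New("approval threshold not met")
	ErrAlreadyReleased    = errors.New("payment already released")
)

// RequiredApprovals returns how many distinct approvers a payment needs.
// The tiers (USD 10k and USD 1M, expressed in cents) are constructed for
// this example.
func RequiredApprovals(amount int64) int {
	switch {
	case amount < 1_000_000:
		return 1
	case amount < 100_000_000:
		return 2
	default:
		return 3
	}
}

// Ledger is an in-memory stand-in for the payments system.
type Ledger struct {
	payees   map[string]Payee
	openPOs  map[string]bool
	payments map[string]*Payment
}

func NewLedger(payees []Payee, openPOs []string) *Ledger {
	l := &Ledger{payees: map[string]Payee{}, openPOs: map[string]bool{}, payments: map[string]*Payment{}}
	for _, p := range payees {
		l.payees[p.ID] = p
	}
	for _, po := range openPOs {
		l.openPOs[po] = true
	}
	return l
}

// Enter queues a payment. It refuses anything without a matching open PO or
// aimed at an unverified payee, before any human reviews it.
func (l *Ledger) Enter(p Payment) error {
	if !l.openPOs[p.PO] {
		return ErrUnknownPO
	}
	if payee, ok := l.payees[p.PayeeID]; !ok || !payee.Verified {
		return ErrUnverifiedPayee
	}
	p.Approvals = nil // the submitter never arrives with approvals attached
	p.Released = false
	l.payments[p.ID] = &p
	return nil
}

// Approve records one authorisation. The maker cannot approve their own
// entry and nobody can approve twice, so the threshold means distinct people.
func (l *Ledger) Approve(paymentID, approver string) error {
	p, ok := l.payments[paymentID]
	if !ok {
		return ErrUnknownPayment
	}
	if approver == p.EnteredBy {
		return ErrSelfApproval
	}
	for _, a := range p.Approvals {
		if a == approver {
			return ErrDuplicateApproval
		}
	}
	p.Approvals = append(p.Approvals, approver)
	return nil
}

// Release is the only path to the bank file. There is no bypass argument
// and no role that skips it: the threshold for the amount must be met.
func (l *Ledger) Release(paymentID string) error {
	p, ok := l.payments[paymentID]
	if !ok {
		return ErrUnknownPayment
	}
	if p.Released {
		return ErrAlreadyReleased
	}
	if need := RequiredApprovals(p.Amount); len(p.Approvals) < need {
		return fmt.Errorf("%w: have %d of %d", ErrNotEnoughApprovals, len(p.Approvals), need)
	}
	p.Released = true
	return nil
}

func main() {
	// Constructed scenario: a clerk is told on a call to send USD 25M, first
	// to an account named on the call, then to a supplier that was verified.
	l := NewLedger([]Payee{{ID: "P-1", Name: "Verified supplier", Verified: true},
		{ID: "P-2", Name: "Account named on the call", Verified: false}}, []string{"PO-4711"})
	fmt.Println(l.Enter(Payment{ID: "PAY-1", PayeeID: "P-2", PO: "PO-4711", Amount: 2_500_000_000, EnteredBy: "clerk"})) // payee not verified
	fmt.Println(l.Enter(Payment{ID: "PAY-2", PayeeID: "P-1", PO: "PO-4711", Amount: 2_500_000_000, EnteredBy: "clerk"})) // <nil>
	fmt.Println(l.Release("PAY-2"))          // threshold not met: 0 of 3
	fmt.Println(l.Approve("PAY-2", "clerk")) // maker cannot approve
	for _, who := range []string{"finance-manager", "controller", "cfo"} {
		fmt.Println(who, l.Approve("PAY-2", who), l.Release("PAY-2")) // released only after the third approval
	}
}
```

The point of keeping the rule in the Release function rather than in a policy document is the one cj makes further down the thread: the control holds even when the real CFO is on the line asking, because there is no argument to pass that turns it off.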
| BrandoElFollito wrote:
| Exactly. There are programmatic barriers you cannot bypass
| alone.
|
| I can imagine a scam where the fake CEO gets a phone or laptop
| outside of the process "because CEO". This however will still
| be limited to generic, low value stuff handled by single people
| in a company.
|
| There is no way that a reasonably organized company can leak 40
| MM USD.
| fallingknife wrote:
| Citigroup leaked almost a billion, and it wasn't even fraud.
| https://www.npr.org/transcripts/1019909860
| BrandoElFollito wrote:
| Yes, but this is due to three people trying willingly to
| bypass the system, and probably a shitty UI. They knew what
| they were doing, they just did it badly.
| doubloon wrote:
| Citi is one of the major foundations of the entire
| industry, how much of a "yes but" is involved before its
| standard practice. shitty UI is extremely common inside
| financial companies because fixing it would cost money.
| BobaFloutist wrote:
| > And Citibank software is really jenky (ph), so basically the
| > only way to complete the wonky transaction is to sort of
| > momentarily trick the software into thinking that Revlon has
| > repaid the entire loan.
|
| Think I found your problem, boss.
| lightedman wrote:
| "There is no way that a reasonably organized company can leak
| 40 MM USD. "
|
| Oh, please, HP lost some 40 million in inventory while
| contracted to Solectron Global for repairs, because their
| inventory systems are utter garbage compared to Dell or
| Toshiba.
| Log_out_ wrote:
| Corporate processes are not laws, corporations are not states,
| they are thiefdoms and of course the baron gets to do as he
| wishes. Why, whenever that illusion of order crumbles away, have
| this sort of public meltdown just because one is powerless and
| exposed to be trampled at any moment by random forces? This is
| just life and this is just part of a medieval peasant's
| existence, towards which all of HN helped culturally steer this
| ship. Get over it, get on with it..
| dartos wrote:
| Do you... need a hug?
| lebean wrote:
| I do, after reading that
| psychlops wrote:
| Hugs are just an illusion of order and will crumble away.
| Get over it!
| lebean wrote:
| Thanks, I needed that.
| mp05 wrote:
| I definitely err on the side of cynicism but jeez, this is
| pretty out there.
| pts_ wrote:
| Yeah people here acting illogically like denying covid for eg
| ecf wrote:
| > I have no idea how something like this can even happen. In a
| company of that size it should be actually impossible for a
| transaction like this to occur without clearly documented
| processes to ingest, review, authorise and pay transactions.
|
| After having worked IT for various startups I cannot understate
| just how much executives and other higher ups detest policies
| that make them verify who they are. It short circuits something
| with their ego.
| ricardobayes wrote:
| True, I was closing a real estate deal once with a rich guy
| and he called his private banker for something. He had a
| near-meltdown that they asked some kind of verification
| question from him.
| doubloon wrote:
| every process has exceptions. and there is no process stronger
| than the manager firing an employee for disobeying an order.
| cj wrote:
| > every process has exceptions
|
| Except these sort of transfers almost always happen with, at
| a minimum, dual approval where exceptions cannot be made
| because it's software defining the rule.
|
| 1 employee submits the transaction for review, and a 2nd (and
| sometimes a 3rd, 4th) person must approve it before the
| payment initiates. There isn't typically a bypass function.
|
| Also, CFOs are typically responsible for setting up and
| enforcing these controls. A big part of a CFO's job is to
| manage risk. If you work under a CFO, you would be more
| likely to be rewarded for following the process than be
| punished.
|
| Obviously there are exceptions to this, but by and large no
| CFO would punish a finance person for disobeying an order to
| bypass a process intended to prevent financial fraud.
| MichaelZuo wrote:
| Not if the CFO and the other most senior executives all
| order you to do so on a video call... hence the article.
| doubloon wrote:
| "no CFO would punish a finance person for disobeying an
| order to bypass a process intended to prevent financial
| fraud."
|
| CFOs are often involved in fraud. It is part of finance
| industry training to be wary of dealing with other
| financial institutions.
|
| https://tax.thomsonreuters.com/news/enron-former-cfo-i-am-on...
|
| https://www.accountancydaily.co/ex-countrywide-cfo-charged-f...
|
| https://www.businessinsider.com/bed-bath-and-beyond-cfo-foun...
|
| https://www.nytimes.com/2024/02/01/nyregion/weisselberg-perj...
|
| https://www.justice.gov/usao-ndtx/pr/cfo-controller-corporat...
|
| https://www.fraud-magazine.com/article.aspx?id=4294976271
|
| https://core.ac.uk/reader/231825040
|
| https://www.nydailynews.com/2023/10/05/former-ftx-co-founder...
|
| https://www.justice.gov/usao-wdwa/pr/former-company-chief-fi...
|
| https://www.nydailynews.com/2023/10/05/former-ftx-co-founder...
|
| https://www.investopedia.com/terms/w/worldcom.asp
|
| whistleblowers get punished all the time.
|
| https://www.pbs.org/wgbh/pages/frontline/warning/interviews/...
|
| https://www.institutionalinvestor.com/article/2btg8yx4pcckb0...
|
| https://www.marketswiki.com/wiki/Madelyn_Antoncic
|
| https://www.wsj.com/articles/wells-fargo-fined-22-million-fo...
|
| https://www.npr.org/2016/11/04/500728907/senators-investigat...
|
| etc etc
| cj wrote:
| When I say "no CFO" would punish someone doing things
| that mitigate fraud... it's the same as saying "no
| software engineer intentionally introduces bugs on
| purpose".
|
| Obviously the statement isn't literally accurate.
| Hopefully it's 99% accurate (otherwise none of us would
| have jobs if all we did all day was sabotage our
| employers). Likewise, not every CFO is to be trusted, nor
| are all software engineers... but most can be.
| wjnc wrote:
| At the end of the day even in large firms you only need to fool
| three or four eyes. Those eyes might get a lot of transactions
| to process and a certain sense of complacency might occur. The
| hope is that automatic controls will aid those humans with all
| kinds of checks, but even billion dollar transactions at the
| end of the day are human transactions.
| wslh wrote:
| I have witnessed spreadsheets passed through email,
| whatsapp, etc. from one sector to another to initiate
| payments. It's all about trust perception. That is one of the
| weak links.
| Solvency wrote:
| I don't get it. I work for a biggish company. Every time a
| user wants to join my Miro team I have to use a maze of
| ancient purchase order systems like Sage with multiple levels
| of approvals from our finance team. It's almost outrageously
| draconian but... not a penny goes by unpinched.
|
| This is astounding levels of incompetence.
| nvr219 wrote:
| The reality is these processes, while on paper "applicable
| to all users", can be bypassed the higher up you go.
| Culture issue.
| thaumasiotes wrote:
| That's not a culture issue. The alternative is that no
| one in the company has the power to do anything.
|
| If processes can't be bypassed, then as soon as you
| implement a detrimental process, your company dies.
| lenkite wrote:
| In other words, detrimental processes are only for the
| worker bees.
| wjnc wrote:
| I'll give you good odds that if you ever talk to the CFO
| about the transactions they personally sign off on, it's a
| lot of emails and spreadsheets passed around. Processes are
| there for the little people, the big ones are chefsache. I
| also know what the biggest risks are. Not the automated
| stuff, not the very big M&A stuff, it's the not yet
| automated routine combined payment order that is boring but
| rests on a few insiders to keep working. Insiders are very
| much in demand for these cons. The voice of the CEO is
| nothing, you need the proper tone, the proper pomp and
| circumstance.
| ilrwbwrkhv wrote:
| You are a low level grunt. Directors and executives are not
| using sage for a lot of things.
| yfbx wrote:
| Yup and large corp/banker corruption and bribery happens only
| in netflix movies /s
| blibble wrote:
| in financial services everything you can possibly do for
| your regular job has an approval chain (often consisting of at
| least 3 people)
|
| install notepad++ from pre-packaged store? approval needed
|
| change to mailing list you own? approval needed
|
| 1 line config change to production alerting system? 8 approvals
| needed
|
| I can easily imagine people just clicking Approve sometimes
| without reading
| Aurornis wrote:
| I feel like I'm missing something from your post. Are you
| being asked to approve several _large financial transactions_
| per hour in your job as a software engineer?
|
| Regardless, approvals for multi-million transfers require a
| higher level of process and approval.
| blibble wrote:
| I think you underestimate the scale here, a "multi-million"
| dollar transaction is something that happens tens of
| thousands of times a day
|
| > Regardless, approvals for multi-million transfers require
| a higher level of process and approval.
|
| if you say so
| cjalmeida wrote:
| Maybe, but those multi-million transfers are usually
| going to known trusted counterparties (other brokers,
| bank treasuries), not random vendor accounts.
| ponector wrote:
| And then you hear stories like that one about French trader
| Jerome Kerviel who did unauthorized trades with 5 billion
| losses.
|
| And many more stories like that.
|
| But yes, for small fish there is an approval process for
| everything, even to buy a paper clip.
| blibble wrote:
| controls applied to traders are very different
|
| a common thread in these modern rogue trader scandals is
| that the perp worked on the controls or monitoring system
| in a role prior to becoming a trader
|
| so they knew how to structure their trades in such a way to
| evade detection
| seagulls wrote:
| > In a company of that size it should be actually impossible
| for a transaction like this to occur without clearly documented
| processes to ingest, review, authorise and pay transactions.
|
| Oh, my sweet summer child. The larger the organization, the
| more dysfunctional it becomes.
|
| See _How this scammer used phishing emails to steal over $100
| million from Google and Facebook_
|
| https://www.cnbc.com/2019/03/27/phishing-email-scam-stole-10...
| samstave wrote:
| The deep-fakers were likely, at least at one point, an internal
| employee of this firm so that they knew how to pull this off.
| RecycledEle wrote:
| Having 2 people authorize a $25M USD transaction does seem like
| a prudent precaution.
| micromacrofoot wrote:
| billionaires do it all the time with 1 person
| r00fus wrote:
| Maybe they're ok getting scammed for $25M now and then I
| guess.
| stavros wrote:
| I like the juxtaposition of this comment and the one before
| it, saying "if we had to authorize every transaction of a few
| million, we wouldn't get any other work done".
| cesaref wrote:
| I worked at an investment bank which made daily FX transactions
| to cover trading in world markets to their nostro accounts, and
| these could easily be in the 10-100 million range on a given
| day. Transactions like these are not particularly surprising in
| that context, so processes will be in place to reduce the
| workload on operations staff, so that they only need to
| validate exceptional transactions.
|
| If you have 10 business units trading 50 world currencies,
| checking 500 transactions for FX every day is a total chore
| hence it would get automated, and only unusually large
| transactions would be flagged. Rules like <10m goes through
| automatically would be tuned over time so that the workload on
| operations team members would add actual value without being
| onerous on their time.
|
| So, depending on the business we are talking about, a 25m
| transaction could basically be lost in the noise. Given the
| mention of the CFO being london based and the operations team
| being in HK, it sounds like a typical investment bank setup to
| me.
| vincnetas wrote:
| but i assume these daily transactions are going to the same
| validated target accounts, that are not changing daily. in
| this case i assume this was a transaction to a random
| account.
| cesaref wrote:
| Yes, that's a good point. The nostro accounts don't change
| often, but they do change as new business lines come and
| go, but I don't remember the validator having any rules
| based on the target accounts in the system I was involved
| with. However I may be wrong, and that was 10 years ago, so
| things have probably moved on.
| rwmj wrote:
| It depends what the multi-party authorisation is trying to
| protect against. Normally you're trying to protect against
| insiders stealing money by authorizing a payment on their own.
| In this case it's quite possible that multiple people inside
| the company signed off on the transfer and it all happened "by
| the book".
| hinkley wrote:
| Social engineering is substantially about appealing to
| someone who can do all the steps you cannot perform from
| outside.
|
| From what I understand of the literature, it's often several
| interactions to gather enough information from several
| employees to learn to sound like you belong there, then using
| it all against someone with "keys" who escorts you the rest
| of the way.
| hinkley wrote:
| But does that fix the problem or just slow it down a bit?
|
| If you can deepfake one guy with the checkbook, can't you
| deepfake the guy with the checkbook and the guy who enters the
| POs into the system? Lower odds, but far from zero.
| anon84873628 wrote:
| Just like the locks on your door or safe. Doesn't "fix" the
| problem of theft, but slows them down quite a bit.
| IanCal wrote:
| This was a case where someone pretended to be other people at
| the company over video calls. It's not a huge leap for that to
| happen to multiple employees - if it didn't happen here having
| multiple people doesn't eliminate this attack.
| saiya-jin wrote:
| You don't understand current banking as it's happening right
| now, simple as that. Also, you probably didn't read the article
| since it clearly states it was a 'secret' transaction, most
| probably meaning bypassing all controls put in place.
|
| I mean we still right now live in the world where just a very
| rough match for signature on a piece of crappy paper is enough
| to move millions if needed.
| Havoc wrote:
| >it should be actually impossible
|
| Couple years ago I thought that too...
|
| All the checks you describe - multiple approvers, standing
| data, callbacks etc - the guys going after big payments like
| this know these checks are in place, how they work and have a
| game plan for it.
| nickdothutton wrote:
| There really ought to be a stronger sign of confirmed identity in
| business calls. Something cryptographic. Every single day I end
| up in business calls randomly scattered across teams, WhatsApp,
| FaceTime, zoom, and a half dozen other systems. Instead we get
| stupid cartoon avatars and the ability to put a funny backdrop
| behind us.
| DANmode wrote:
| For many of these "attacks", it could be thwarted as simply as
| opening the messages tab and seeing no prior history.
| pavel_lishin wrote:
| I'm not sure if we have good enough systems in place, in terms
| of UX, for that to work.
|
| Imagine every C-level exec who's opened a top-urgent ticket
| with IT because their printer doesn't work (they forgot to plug
| it in/forgot it needs paper/it's not a printer, it's a paper
| shredder) trying to operate some form of key exchange software
| securely, while people capable of pulling off this sort of scam
| are targeting them.
|
| I don't think this is a problem that can be solved with
| technology.
| MichaelZuo wrote:
| This doesn't sound correct, why can't it be solved with
| sufficiently advanced technology i.e. software and devices?
|
| We already have facial verification systems in hundreds of
| millions of devices that are genuinely very difficult to
| spoof.
| pavel_lishin wrote:
| > _with sufficiently advanced technology_
|
| Oh, you mean magic? :P
| BlueTemplar wrote:
| Wanna see a magic trick ?
|
| These $25M... _waves hands_ gone !
| psychlops wrote:
| A 2 of 3 key authorization would have gone a long way to
| preventing this.
| aiisjustanif wrote:
| Zoom has MFA, including YubiKey.
| physPop wrote:
| Then they shouldn't be C-level execs. We should expect more
| proficiency from people we pay so highly.
| favflam wrote:
| Is PGP out for this use case?
|
| Doesn't the US military have DoD people plug in their ID badges
| to read/sign emails through outlook?
| mebassett wrote:
| I have known two publicly traded companies that fell victim to
| similar sorts of scams (someone impersonating the cfo or ceo over
| the phone). One was defrauded out of a seven figure sum, the
| other got lucky and a bank involved stopped the transaction to
| verify again. I don't know how the first was able to keep it
| quiet, I only knew because I chatted with the people in question.
| I suspect that the deepfake angle makes it easier to admit that
| they were defrauded in this way.
|
| Talking about how something like this can happen in a big company
| is fun and all, but the scary thing is that it is _so much
| easier_ to do these sorts of scams with deepfakes. Which means
| they will be deployed against "softer" targets, like you and me,
| and your parents and grandparents.
| jbirer wrote:
| Looks like an elaborate embezzling scheme to me.
| smeej wrote:
| Why embezzle from one company when you can steal from lots of
| them?
|
| This is an obvious and natural evolution of the kinds of
| attacks that have existed for years. It was bound to happen
| eventually. I think it's just sooner than people expected.
| djmips wrote:
| My feeling too. I doubt criminals actually have mastered
| realtime deepfake. It's plausible but on the balance it's more
| likely a 'plausible' excuse.
| mikkom wrote:
| VC usually means venture capital(ist) so the title is very
| confusing.
| redsoundbanner wrote:
| what does it mean here?
| mikkom wrote:
| > Finance worker pays out $25 million after video call with
| deepfake 'chief financial officer'
|
| That is the actual title of the linked article.
| mattmaroon wrote:
| It's so strange to me when people change a perfectly good
| title into something worse here, but it happens so often I
| honestly think the site should just change the
| functionality.
| jacooper wrote:
| There is a character limit to be dealt with here.
| squigz wrote:
| Pretty sure there's plenty of room to include it.
| mattmaroon wrote:
| CFO is one character longer, and if that really was the
| issue, which is very unlikely, I can think of 100 ways to
| shorten it without changing something important.
| ooterness wrote:
| "Video conference"
| marssaxman wrote:
| I agree, I read the headline several times over without
| understanding.
| dang wrote:
| Ok, we've taken VC out of the title above.
| mattmaroon wrote:
| Just because I am curious, and have not seen any software capable
| of fooling me in this regard, yet, what would somebody use to do
| this? Is this an already existing product that can create video
| representations of people I know so well it would fool me?
| sbarre wrote:
| There was a paper linked on here recently (last few months?)
| that showed off video call deepfaking using gaussian splatting,
| essentially using a webcam to "puppet" a very convincing 3D
| recreation of another person's head & shoulders in real-time..
|
| I tried to find the link but my search-fu is not good today it
| seems..
|
| I did find this, which seems related:
| https://blog.metaphysic.ai/the-emergence-of-full-body-gaussi...
|
| There's also the fact from the article that this was an
| employee in Hong Kong on a video call with people supposedly in
| the UK, so it's also possible they took advantage of bad video
| quality to do this..
|
| Get on video for the first minute or so, then, as we've all
| done, say "I'm going to turn off my video so my connection
| sounds better" etc...
| jacquesm wrote:
| This is where those 'security researchers' are helping to
| make such fraud easier. If you release these tools into the
| wild you are enabling criminals who by themselves would have
| no way to create these tools.
| sbarre wrote:
| I don't recall them being security-related researchers
| though, but there are obviously security concerns, I agree.
| skriticos2 wrote:
| Security through obscurity does not work. As soon as
| deepfakes have proliferated on TikTok for stupid stuff,
| they'd inevitably be used for this kind of exploit by any
| adversary that is motivated enough to do a directed
| operation on a high value target.
|
| The researchers really just raise awareness on where things
| are going, but ultimately the solution will be to improve
| process and verify anything that has to do with money
| through specific internal company channels that are hard to
| forge - and anybody in a call like this that would not use
| them needs to automatically raise an alarm by procedure.
| geor9e wrote:
| >I have not seen any software capable of fooling me
|
| That belief is a catch-22, though. By definition, each time one
| fooled you, you didn't note anything other than a run-of-the-
| mill normal video. A lot of tiktok accounts lately are
| dedicated to deepfaking celebrities. For example, if I hadn't
| already told you and you just casually scrolled by it, would
| you immediately suspect this isn't Jenna Ortega
| https://www.tiktok.com/@fake_ortegafan/video/732425793067973...
| ? I didn't look for the best example, that was just the very
| first that came up.
|
| >Is this an already existing product
|
| Usually cutting edge ML has to be done with a github repo last
| updated a few days ago using Tensorflow/Pytorch and installing
| a bazillion dependencies. And then months later you might see
| it packaged up as a polished product startup website. I've seen
| this repo a lot https://github.com/chervonij/DFL-Colab
| xyst wrote:
| Honestly, half the time I am interviewing random contractors
| around the world. I get a feeling they use OpenAI to answer
| questions. I have thrown out the typical "leet hacker" bullshit
| questions and rote memorization type stuff. Gone back to simply
| quizzing them on their own resume, digging into the finer details
| of what they did. Can't deep fake experience, yet.
| the_duke wrote:
| Yep, Google/openai has become pretty commonplace in remote
| interviews.
|
| The funny thing is, I ask them to say "I don't know" rather
| than the above, but they still do it...
|
| You can work around it by picking a difficult practical problem
| from your domain and talking through choices and their
| different tradeoffs.
| welder wrote:
| @dang can you change the title to:
|
| Finance worker pays out $25M after vid call with deepfake CFO
|
| Edit: maybe not zoom
| mintplant wrote:
| It's most expedient to email hn@ycombinator.com for things like
| this.
| welder wrote:
| Thanks, sent.
| dang wrote:
| Done!
| jacquesm wrote:
| Where does it say it was Zoom?
| switch007 wrote:
| Hoover, Walkman, Sellotape, Google, Bandaid, Kleenex...
| hinkley wrote:
| Are we going to have to start using code phrases like in the
| Renaissance and in popular fiction?
|
| Don't write a check unless you hear me mention aardvark or Mad
| King Ludwig.
| RobRivera wrote:
| I literally thought the title meant a Venture Capitalist, not
| Video Call smh
| diebeforei485 wrote:
| I think "power distance" (a cultural thing - both national
| culture and corporate culture) might play a role here. In some
| cultures, you do whatever the big boss asks you to do, regardless
| of procedure.
|
| (Media reporting suggests this can also be true at some US
| hardware tech companies).
| ladyanita22 wrote:
| Having worked with Chinese people, let me tell you this is 100%
| accurate. It may (and probably will) happen in western
| countries as well, but the culture makes China, South Korea,
| Taiwan and Japan extremely vulnerable to this. No one I worked
| with was willing to refute, question or even raise any doubts
| if someone they perceive not at their level or, even better,
| below, was in the call.
| usrusr wrote:
| Other countries are known for a culture of nothing ever
| happening without a piece of paper carrying an official-
| looking stamp. Those are laughably insecure, but the
| _culture_ could easily be ported to public key signature.
| "Boss voice is only boss voice when it comes with a digitally
| signed transcript" shouldn't be too hard to introduce in
| "don't ever question your boss" cultures I think? Bosses
| might even enjoy the grandeur of showing off their status
| with an insignia-device. "Orders without proof of identity
| are irresponsibly bad form" could be surprisingly easy to
| establish.
| dotancohen wrote:
| I think that you are unfamiliar with these cultures. In
| Japan, you would never ask the voice that sounds like the
| boss to prove his identity with a digitally signed
| transcript - even if that's a fireable offense. It is so
| culturally alien to them that it would never get through.
| ctrw wrote:
| Yeah with the advent of good deep fakes we're at the point
| where everyone having their own private key is a must for
| all communication that's not face to face.
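psychlops's "2 of 3 key authorization", usrusr's "digitally signed transcript" and ctrw's per-person private key, combined into one added Go example using the standard library's Ed25519. This is my code, not the thread's or any vendor's; the Order fields, the officer roles and the account names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Order is what the officers sign. Payee, amount and expiry sit inside the signed
// bytes, so a convincing face and voice on a call cannot add, alter or re-use an
// authorization. The struct and its field names are mine, not any product's.
type Order struct {
	ID       string `json:"id"`
	Amount   int64  `json:"amount"`
	Currency string `json:"currency"`
	Payee    string `json:"payee"`
	NotAfter int64  `json:"not_after"` // Unix seconds; bounds replay of a captured approval
}

// Approval is one officer's signature over the canonical order bytes.
type Approval struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// Quorum lists the registered officer keys and how many must sign (2 of 3 here).
type Quorum struct {
	Officers  []ed25519.PublicKey
	Threshold int
}

// Canonical is the deterministic encoding everyone signs and verifies; encoding/json
// writes struct fields in declaration order, so all parties get identical bytes.
func (o Order) Canonical() []byte {
	b, _ := json.Marshal(o) // cannot fail for this fixed struct of strings and ints
	return b
}

// Sign produces one officer's approval of exactly this order.
func Sign(priv ed25519.PrivateKey, o Order) Approval {
	return Approval{Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, o.Canonical())}
}

// Verify returns nil only if at least Threshold distinct registered officers signed
// exactly this order and it has not expired; anything else is simply not counted.
func (q Quorum) Verify(o Order, approvals []Approval, now time.Time) error {
	if now.Unix() > o.NotAfter {
		return fmt.Errorf("order expired at %d", o.NotAfter)
	}
	registered := make(map[string]bool, len(q.Officers))
	for _, k := range q.Officers {
		registered[string(k)] = true
	}
	msg := o.Canonical()
	seen := make(map[string]bool)
	for _, a := range approvals {
		key := string(a.Signer)
		// Unknown key, same officer twice, or a signature over different bytes: skip.
		if seen[key] || !registered[key] || !ed25519.Verify(a.Signer, msg, a.Sig) {
			continue
		}
		seen[key] = true
	}
	if len(seen) < q.Threshold {
		return fmt.Errorf("%d valid approvals, %d required", len(seen), q.Threshold)
	}
	return nil
}

// NewOfficer makes a fresh key; in practice it would live on a hardware token.
func NewOfficer() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	cfoPub, cfoPriv := NewOfficer()
	ceoPub, ceoPriv := NewOfficer()
	treasurerPub, _ := NewOfficer()
	q := Quorum{Officers: []ed25519.PublicKey{cfoPub, ceoPub, treasurerPub}, Threshold: 2}
	now := time.Now()
	order := Order{ID: "po-0001", Amount: 25_000_000, Currency: "USD", Payee: "ACCT-CONSTRUCTED", NotAfter: now.Add(time.Hour).Unix()}
	fmt.Println("verbal order, no signatures:", q.Verify(order, nil, now))
	fmt.Println("signed by 2 of 3 officers:  ", q.Verify(order, []Approval{Sign(cfoPriv, order), Sign(ceoPriv, order)}, now))
}
```

The point for the finance worker's position is the procedural one: a request with no valid quorum is not an instruction at all, however many senior faces delivered it.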
| daymanstep wrote:
| Which cultures are like that?
| robocat wrote:
| From the article this was an employee in Hong Kong on a video
| call with people supposedly in the UK.
|
| Power distance might matter, depending on nationality of
| participants.
|
| Also if English is a second language, then perhaps the sound
| quality of the synthetic voices wouldn't need to be as good -
| we are surely better at recognising voices in our mother
| tongue.
| ctrw wrote:
| Current deep fakes are good enough to fool your mother. I've
| done it with friends to show what's possible.
| ultrasaurus wrote:
| Back in my days building custom software (in the US/Canada) a
| lot of the PM work was figuring out how the process overrides
| worked. Every organization has a set of formal rules... and the
| way things actually work (and 50% of my job was making sure our
| CRUD apps that were more than just spreadsheets with
| changelogs).
|
| But having lived & worked in a few countries now, the way other
| cultures do their overrides is always more visible (e.g.
| Country A you might pay bribes to get out of tickets, country B
| might just not pull people over in nice cars)
| slickrick216 wrote:
| In some ways the west is still remarkably feudal but to the
| direct chain of managers not just directly to your "liege
| lord". I regularly see people say no to big bosses who are
| outside the direct management even if they have high ranks.
| franze wrote:
| In Austria one CFO wired a few millions (7 I think) after a
| couple of fake emails from her boss - with a note to not
| mention it to anyone even him.
| thih9 wrote:
| What is the chance that a CFO gets in touch with a deepfake
| specialist and they split the profits? I'm not saying that this
| is what happened, I'm more focused on future scenarios.
| willcipriano wrote:
| I thought the value of these types of people are their people
| skills.
|
| Nobody would accuse me of great people skills and while I'd
| like to point to my technical acumen as the reason I can spot
| fakes like this easily, it's my primate brain that knows
| something is wrong.
| coding123 wrote:
| Wouldn't only a CFO have the ability to move 25MM?
| evanjrowley wrote:
| A Boston-based finance worker also sent $6M to scammers back in
| 2023. Surely some social engineering was involved, but nothing
| about deepfake was mentioned:
| https://apnews.com/article/technology-boston-law-enforcement...
|
| Deepfake was used in the 2023 MGM casino breach to convince tech
| support staff to do things that compromised their MFA
|
| Now we're seeing a combination of these for significantly higher
| gains.
| newhotelowner wrote:
| A lot of upper midscale hotels in the USA are owned by Indians
| from India whose last name is Patel.
|
| Pretty much every single hotel gets a call from Mr. Patel at
| night asking to wire money due to an emergency. A lot of hotel
| employees fell for it and wired money. These employees even drill
| open the safe. Some even wire money from their personal account.
|
| This scam is mostly social engineering without any AI/Deepfake.
| It's going to be a fun time ahead for everyone.
| swyx wrote:
| the patel motel cartel!
| https://www.nytimes.com/1999/07/04/magazine/a-patel-motel-ca...
| BlueTemplar wrote:
| Heh, reminds me a bit of how a South Korean cult is behind
| Sushi becoming popular...
| skybrian wrote:
| I'm confused about what you're saying. This is a hypothetical
| scenario?
| bengalister wrote:
| In France there have been cases of employees wiring money
| convinced that they were talking to their CEO/CFO/lawyers over
| the phone. Many cases were due to a Franco-Israeli gang arrested
| in 2022/2023 that managed to make at least 38M Euros out of it.
| They impersonated CEOs without the help of deepfake AI. See
| https://www.europol.europa.eu/media-press/newsroom/news/fran...
| CaffeinatedDev wrote:
| War using AI begins :O
___________________________________________________________________
(page generated 2024-02-04 23:00 UTC)