Scammers deepfake CEO’s voice to talk underling into $243,000 transfer
Any business in its right mind should be painfully aware of how much money they could bleed via skillful Business Email Compromise (BEC) scams, where fraudsters convincingly forge emails, invoices, contracts and letters to socially engineer the people who hold the purse strings.
And any human in their right mind should be at least a little freaked out by how easy it now is to churn out convincing deepfake videos including, say, of you, cast in an adult movie, or of your CEO saying things that… well, they would simply never say.
Well, welcome to a hybrid version of those hoodwinks: deepfake audio, which was recently used, in what’s considered to be the first known case involving an AI-generated voice of a CEO, to bilk a UK-based energy firm out of €220,000 (USD $243,000).
The Wall Street Journal reports that some time in March, the British CEO thought he had gotten a call from the CEO of his business’s parent company, which is based in Germany.
Whoever placed the call sounded legitimate. The voice had the hint of a German accent and the same “melody” that the UK CEO recognized in his boss’s voice, according to fraud expert Rüdiger Kirsch, who works with the company’s insurer, Euler Hermes Group SA. The insurer shared details of the crime with the WSJ, but it declined to identify the businesses involved.
The caller had an “urgent” request: he demanded that the British CEO transfer $243,000 to a Hungarian supplier within the hour. The British CEO complied and made the transfer.
Analysts told the WSJ that they believe that artificial intelligence (AI)-based software was used to create a convincing imitation of the German CEO’s voice. The transfer went through, and the money was subsequently funneled into accounts in other countries.
The scammers then called back for more: Kirsch told the WSJ that the imposter called the target company three times. The transfer went through after their first call, then the attacker called a second time to lie about the money having been reimbursed to the British company. Then, they called a third time, to ask for another payment, using the same fake voice.
The British CEO had grown skeptical by that time, given that the “reimbursement” never showed up. Plus, the third call was made from an Austrian phone number. Hence, he didn’t comply with the repeated demand for money.