It’s been reported that an employee at London-based design and engineering multinational, Arup, was duped by a deepfake video call into paying a staggering $25.6 million to fraudsters.
What Happened?
According to reports published on CNN, back in January, a finance employee in Arup’s Hong Kong office received what they suspected was a phishing email, purporting to be from the company’s UK office, because it requested a secret transaction.
The employee then reportedly took part in a video call with people who looked and sounded like senior staff members (including the CFO) but who were in fact deepfakes! It’s been reported that this deepfake video call led to the employee putting aside previous doubts and subsequently agreeing to transfer 200 million Hong Kong dollars / $25.6 million via 15 separate transactions.
The fraud was reportedly only discovered following the employee making an official inquiry with the company’s headquarters, which resulted in a police investigation.
Confirmed
A spokesperson from Arup (the company behind world-famous buildings such as Australia’s iconic Sydney Opera House and the Bird’s Nest Stadium in Beijing) has been reported as saying that whilst they can’t go into details, they “can confirm that fake voices and images were used”.
Financial Stability Not Affected
Despite $25 million going astray and the initial suspected phishing email, Arup’s reported email statement said: “Our financial stability and business operations were not affected and none of our internal systems were compromised.”
Many Deepfake Scams
There have been many high-profile and large-scale deepfake scams in recent years, including:
– In 2023, a deepfake video scam of consumer champion Martin Lewis was circulated on social media to trick people into investing in something called ‘Quantum AI’ (an app) which scammers claimed was Elon Musk’s new project.
– In 2022, the chief communications officer at the world’s largest crypto exchange, Binance, claimed that a deepfake AI hologram of him (made from video footage of interviews and TV appearances) had been used on a Zoom call to scam another business, leading to significant financial losses.
– In 2020, a branch manager of a Japanese company in Hong Kong received an AI deepfake call that sounded like the Director, but was actually from fraudsters. The call used an AI to mimic the CEO’s voice to instruct a bank manager to engage with a fictional lawyer, which then led to the authorisation and transfer of $35 million to fraudulent accounts.
– In 2019, an energy company in the UK was defrauded of €220,000 ($243,000) through a deepfake audio scam. The fraudsters used AI-generated voice technology to impersonate the CEO of the firm’s parent company, instructing a senior executive to transfer funds to a Hungarian supplier.
More Sophisticated Attacks
Following the recent scamming of Arup, Rob Greig (Arup’s global chief information officer) has been reported as saying : “Like many other businesses around the globe, our operations are subject to regular attacks, including invoice fraud, phishing scams, WhatsApp voice spoofing, and deepfakes.” He noted that “the number and sophistication of these attacks has been rising sharply in recent months”.
What Does This Mean For Your Business?
This massive $25 million deepfake scam involving Arup is a reminder of the growing sophistication and severity of digital fraud. Sadly, this incident is not an isolated case but part of a broader trend of increasingly advanced scams leveraging AI. The rapid advancements in AI technology and its wide availability have made it easier for fraudsters to create highly convincing deepfake videos and audio, posing significant risks to businesses of all sizes.
For UK businesses, this incident is a reminder of the urgent need to enhance security measures and verification processes. Traditional methods of authentication, such as emails and video calls, can no longer be solely relied upon. Instead, businesses may want to adopt multi-layered security strategies that include advanced AI-based detection tools, biometric verification, and identity verification protocols. Regular training and awareness programmes for employees may also now be essential to help them recognise and respond to potential threats.
This incident also highlights the critical role of law enforcement and regulatory bodies in combating digital fraud. Enhanced cooperation and information sharing between businesses, cybersecurity experts, and law enforcement agencies are vital to staying ahead of these sophisticated attacks. Implementing stricter regulations on the use and dissemination of AI technology and ensuring that companies have access to the latest detection and prevention tools will be crucial steps in this battle.
The Arup scam demonstrates that even technologically savvy industries are not immune to the threats posed by deepfakes.