The New Threat in Business Email Compromise Schemes: Video “Deepfakes” of Corporate Executives

by Jonathan J. Rusch

Cybercriminals around the world use a variety of exploits to conduct fraud schemes directed against individuals, companies, and government agencies. One of these schemes that has proved highly lucrative for cybercriminals over the past decade is the so-called “business email compromise” (BEC) scheme.[1]

BEC schemes typically involve cybercriminals infecting the email account of a corporate executive, then impersonating that executive via email to direct a subordinate employee to wire-transfer a substantial amount of funds to one or more accounts that the cybercriminals control. The United States Secret Service has estimated current global daily losses to BEC schemes at approximately $8 million (an annualized $2.9 billion).[2]

Another online fraud technique that has been emerging more recently is the use of so-called “deepfakes.”  Deepfakes — a form of synthetic media that uses “deep learning” (artificial intelligence) technology to synthetically create or manipulate various media, including video, audio, and images[3] — are well-recognized in the U.S. and United Kingdom banking sectors as a significant threat to bank customers.[4] Voice deepfakes, for example, can be used to deceive customers as well as bankers into transferring funds out of customer accounts.[5]

Deepfakes Meet BEC Schemes

A recent event in Hong Kong, however, illustrates a new dimension of the deepfakes threat: the marriage of deepfake technology and BEC schemes.  According to local police, an employee in the Hong Kong office of a multinational company was tricked during a video conference call into making 15 funds transfers totaling HK$200 million (US$25.6 million) out of the company, after seeing what appeared to be the company’s chief financial officer (CFO) on the video directing him to make the transfers.  In fact, the images of the CFO and other company executives on the video call were deepfakes.[6]

Initially, cybercriminals targeted multiple employees at the company with “phishing” emails purportedly from the CFO – a classic technique in BEC schemes.  The employee who made the transfers said that although he was initially suspicious, he was convinced by the video call to make the transfers.  Hong Kong police stated that they were making this case public because it was the first of its kind involving multiple deepfake images on a video call.[7]

Observations

Although the Hong Kong deepfake scheme is the first of its kind to be publicly reported, in the last two years researchers have found multiple instances of hostile state actors using deepfake videos for disinformation campaigns, and of cybercriminals using deepfake videos to drive traffic to malicious websites.[8]  Compliance and information security teams in every industry need to recognize that multiple-image deepfake video technology represents a new and potentially greater financial threat to their companies.

To date, some advice about countering deepfake threats to companies has focused on countermeasures for non-video deepfake techniques, such as:

  • Implementing technologies, such as real-time verification capabilities and procedures, to detect deepfakes;
  • Using reverse image searches or plug-ins to detect still images;
  • Protecting public data of high-priority individuals; and
  • Establishing response plans among organizational security teams to respond to various deepfake techniques.[9]

Corporate fraud compliance and information-security teams, however, need to expand their dialogue, and their refinement of internal controls, to include the company’s finance and payments staffs. Corporate finance offices have for several years been actively working to reduce the risks of BEC schemes.

For example, JPMorgan Chase has published extensive and practical guidance on how companies can guard against such schemes.  That guidance focuses on several distinct audiences within a company, including:

  • Corporate executives and leadership
    • Making BEC prevention a priority, in light of the associated costs, downtime, and reputational damages
    • Ensuring that internal controls and programs, such as employee testing, are in place at high levels
    • Having leaders responsible for high-level strategy keep up to date with emerging threat trends
  • Senior and middle management
    • Reviewing email security controls, including multifactor authentication
    • Executing the security framework that corporate leaders establish, including regular training and testing of employees
  • Payments staff and other treasury employees
    • Adhering to policy and ensuring that employees faithfully and consistently follow internal controls, particularly when performing a validating callback
    • Standardizing with customers and business partners how changes in account information are to be communicated and validated, and confirming with them how the company expects them to validate changes to banking information
    • Exercising care in posting personal information on social media[10]

Such guidance, however, needs to be reinforced and amended in light of the Hong Kong scheme. Because a real-time deepfake video may seem substantially more credible than an email or phone call, companies’ internal controls and processes on BEC and other payments-fraud schemes should be expanded to include:

  • Establishing dual controls by separating the tasks of issuing and approving online payments[11]
  • Setting different payments limits for different levels of payments staff
  • Requiring two or more approvals by payments supervisors for larger payments, as well as robust escalation processes in cases involving demands for large immediate payments[12]
  • Expanding training on payments fraud to include specific examples of deepfake videos and images as well as email and phone messages
  • Providing specific written guidance from senior leaders (supplemented with periodic training and testing) to corporate treasurers, payments managers, and payments staff that they may not deviate from their internal controls and approval processes merely because an individual purporting to be a senior company executive insists, whether via video, audio, or email, that one or more payments be made immediately.

Cybercriminals on the dark web are constantly exploring new ideas and techniques for using artificial intelligence for illegal purposes.[13]  Companies need to be comparably vigilant about maintaining effective defenses as cyberfraud schemes continue to evolve.

Footnotes

[1]   See, e.g., Ryan Ottesen, The Evolution of Business Email Compromise, Dark Reading, November 30, 2022, https://www.darkreading.com/endpoint-security/the-evolution-of-business-email-compromise.

[2]   See United States Secret Service, Understanding Business Email Compromise, https://www.secretservice.gov/investigation/Preparing-for-a-Cyber-Incident/BEC.

[3]   See, e.g., National Security Agency, Federal Bureau of Investigation, and Cybersecurity and Information Security Agency, Contextualizing Deepfake Threats to Organizations (September 2023), https://media.defense.gov/2023/Sep/12/2003298925/-1/-1/0/CSI-DEEPFAKE-THREATS.PDF.

[4]   See Old National Bank, New Report: Addressing deepfake threats, ‘the next generation of cyber security concerns’, December 1, 2023, https://www.oldnational.com/resources/insights/new-report-addressing-deepfake-threats-the-next-generation-of-cyber-security-concerns/; Akila Quinio, UK banks prepare for deepfake fraud wave, Financial Times, January 19, 2024, https://www.ft.com/content/515e344d-9ec1-4c3e-888f-10ff57712412.

[5]   See Emily Flitter and Stacy Cowley, Voice Deepfakes Are Coming for Your Bank Balance, New York Times, August 30, 2023, https://www.nytimes.com/2023/08/30/business/voice-deepfakes-bank-scams.html.

[6]   Harvey Kong, ‘Everyone looked real’: multinational firm’s Hong Kong office loses HK$200 million after scammers stage deepfake video meeting, South China Morning Herald, February 4, 2024, https://www.scmp.com/news/hong-kong/law-and-crime/article/3250851/everyone-looked-real-multinational-firms-hong-kong-office-loses-hk200-million-after-scammers-stage.

[7]   James Titcomb, Deepfake video call scams global firm out of $39 million, The Age, February 8, 2024, https://www.theage.com.au/world/asia/deepfake-video-call-scams-global-firm-out-of-39-million-20240208-p5f3ej.html.

[8]   See Akila Quinio, supra note 4; Adam Satariano and Paul Mozur, The People Onscreen Are Fake. The Disinformation Is Real., New York Times, February 7, 2023, https://www.nytimes.com/2023/02/07/technology/artificial-intelligence-training-deepfake.html.

[9]   See Old National Bank, supra note 4.

[10]   J.P. Morgan Chase, Defending against business email compromise 4 (December 2022), https://www.jpmorgan.com/content/dam/jpm/commercial-banking/insights/cybersecurity/defending-against-business-email-compromise.pdf; J.P. Morgan Chase, Prepare Your Employees: Review, Train and Test to Help Prevent Business Email Compromise (BEC) Attacks 2 (2020), https://www.jpmorgan.com/content/dam/jpm/commercial-banking/insights/cybersecurity/pdf-insights-bec-csuite.pdf.

[11]   U.S. Bank, Payments fraud prevention best practices 1 (2018), https://www.usbank.com/dam/financialiq/documents/List_FraudBestPractices_FINAL.pdf.

[12]   Deutsche Bank, A corporate’s guide to payment fraud prevention 18 (May 2022), https://corporates.db.com/files/documents/publications/052022_A_corporates_guide_to_fraud_prevention.pdf.

[13]   See Cybercrime AI experimentation in the dark web – new Kaspersky study, India Technology News, February 8, 2024, https://indiatechnologynews.in/cybercrime-ai-experimentation-in-the-dark-web-new-kaspersky-study/.

Jonathan J. Rusch is Director of the U.S. and International Anti-Corruption Law Program and Adjunct Professor at American University Washington College of Law; Adjunct Professor at Georgetown University Law Center; a Senior Fellow at New York University School of Law’s Program on Corporate Compliance and Enforcement; and Principal of DTG Risk & Compliance LLC. He is a former Deputy Chief in the U.S. Department of Justice’s Fraud Section, and former Senior Vice President and Head of Anti-Bribery & Corruption Governance at Wells Fargo.
