According to The Wall Street Journal, a UK energy company’s chief executive was tricked into paying €200,000 to a supplier because he believed his boss was instructing him to do so. But the company’s insurance firm said that a fraudster was using deepfake software to mimic the voice of the executive and request payment within the hour.
“The software was able to imitate the voice, and not only the voice: the tonality, the punctuation, the German accent,” said a spokesperson. The phone call was matched with an email, and the energy firm CEO obliged. The money is now gone, having been moved through accounts in Hungary and Mexico and dispersed around the world.
The situation highlights the capabilities of deepfake software. Google’s Duplex service can mimic the voice of a real human being so that it can make phone calls on a user’s behalf, and a number of smaller startups, many of which are located in China, are offering similar services for free on smartphones, sometimes under questionable privacy and data collection terms.
In other words, deepfakes are here to stay and are a new attack vector that businesses need to be aware of. Our advice to protect against this type of threat is to follow up on any unusual request, no matter how convincing, through a different channel. For instance, if you receive a suspicious request by email and it is then followed up with a call from a mobile number, call back on a known landline number. And consider implementing code words when requesting financial transactions, or asking personal questions of the requester to prove their identity.