Week 14: Online meeting with deepfake boss: CEO fraud 2.0

09.04.2024 - The finance department receives a supposedly urgent payment request from the boss. The boss explains that if the person in accounts does not make the payment as quickly as possible, there will be serious consequences for the company as it risks losing an important order. The request usually cannot be queried as the boss is then not available. That is generally the scenario in cases of CEO fraud. Most of these attacks are not very sophisticated and easy to spot. However, artificial intelligence and deepfakes do not stop at this rather simple fraud method, as a recent example reported to the NCSC shows.

Classic CEO fraud

To prepare for a CEO fraud attempt, attackers usually carry out systematic searches of public company websites for the names and email addresses of CEOs and their financial officers. The fraudsters make keen use of company webpages listing employee teams. Some companies post their entire team on their website, including role, photo, name, telephone number and email address. However, this customer-friendly approach is also a valuable source of data for fraudsters. The NCSC has also observed that LinkedIn profiles are systematically screened. If the attackers find what they are looking for, they send an email to the finance department from a fake address purporting to be from the CEO containing an urgent payment request. In most cases, however, these are rather unsophisticated mass attacks. The fraudsters do not make any particular effort to tailor the mail to the victim and personalise the request. The texts used are unspecific and mostly identical.

CEO fraud using deepfake AI - online conference with a fake boss

However, one case reported to the NCSC last week stands out from these mass attacks. In contrast to the usual approach, no attempt was made to prevent the victim from contacting the boss. Quite the opposite: the financial officer was contacted by phone by a lawyer and invited to a video conference with his boss, which would begin in a few minutes. The victim received an email with the meeting invitation. When the financial officer then dialled into the online conference, he could actually see someone resembling his boss on the screen and talk to him. During the conversation, the alleged boss then tried to obtain the mobile phone number of the financial officer and persuade him to initiate financial transactions.

In this case, the fraudsters used AI to generate a video image of the boss. It is not clear exactly where the attackers got the source material to generate the fake video images. The NCSC assumes that video material in the public domain was used to create these deepfakes. A further possibility, especially regarding voice simulation, is to conduct and record phone calls in advance. For example, various companies have recently reported that unknown individuals have made calls requesting information about the company. In addition to the information obtained about the company, which could be used for targeted attacks, voice recordings of the person concerned could be used to generate an AI deepfake of the boss.

This case once again shows that fraudsters are now trying to misuse AI for their own ends, even if they are not yet entirely professional. In this particular case, the attempted fraud was spotted relatively quickly. The fraudsters limited themselves to manipulating the boss's face. The style of clothing also differed from what the boss usually wore. And the voice was not particularly well imitated either.

Precautionary measures

  • Raise all employees' awareness of CEO fraud! Employees in finance departments and other key positions must be informed about these possible methods of attack. In the case of associations, all presiding members and treasurers must receive training.
  • Make employees aware that targeted attacks can be carried out using information in the public domain.
  • Limit information about employees on company websites to what is absolutely necessary. That also applies to videos.
  • Do not divulge internal information by email or on the phone.
  • Be careful with payment requests: Do not respond to unusual payment requests.
  • All processes which concern payment transactions should be clearly defined internally and complied with by employees in all cases (e.g. dual control principle, joint signature by two people).

Last modification 09.04.2024

Top of page