Would you be able to spot a deep fake video of your CEO? Companies should prepare for the next wave of cybercrime in which criminals use AI-based software to impersonate voices and images. In this frightening new world, rigorous processes are key to managing a swift response to fraud, says Joe Hancock
How well do you know your CEO? This year criminals used AI-based software to impersonate a chief executive’s voice to defraud a UK-based energy firm out of €220,000. Experts believe the fraud was the first to be reported in Europe in which criminals clearly drew on AI, so companies should be prepared. The next wave of cyber fraud is expected to be ‘spear phishing’ – attacks that target individual CEOs and their companies using AI-generated voices, deep fake videos and more.
Cyber fraud is a booming business. It is predicted to cost the global economy $6 trillion by 2021 and can affect anyone or any company. It used to be considered a legal or revenue-protection problem, but these days it increasingly involves chief information officers, chief technology officers and chief information security officers. And rightly so. My own experience, however, indicates that many organisations are simply not prepared. There is a widespread failure to recognise that financial fraud is a risk that comes under their watch.
Without doubt, there is a need for more education about financial fraud, including the rapidly evolving technological weapons available to criminals and what can be done in terms of protection. But equally important is the need to establish effective anti-fraud processes within organisations. All too often, we see the window to recover funds has long since closed because responsibilities were unclear and processes not followed.
Speed is of the essence to combat cyber fraud, but you can only be quick if you know what to do. First, identify those who must be told of possible frauds – this may vary according to how big the fraud is. Make sure those people know they are responsible and that they understand the next steps. Our advice is always to follow the money first and investigate afterwards because this maximises the chances of recovery. Only if you have the resources should you attempt the two in parallel.
In a small company, the person assigned to dealing with fraud may have several other responsibilities; in a large organisation, the chances are it will be the chief information security officer. Again, our advice is to make sure you address the risk to your organisation with the appropriate level of resources and build fraud risk management into other risk-management processes such as tech, cyber, data and environmental risk.
Hold regular workshops to keep staff informed and alert about the risk of fraud and make them aware of how phishing and spear phishing are used to get emails, passwords and bank details. Explain how fraudsters access personal details to try to trick a victim and how they can impersonate customers, suppliers, banks, senior staff members and even the tax authorities.
Employ real-time threat software that can raise an alert when something goes wrong. Have processes within the accounts department to check payments and use two-person authorisation for larger transfers and payments. Whatever processes you put in place, ensure all staff realise the importance of following them at all times.
Foster a culture of care – and make sure that anyone who questions a payment or email that turns out to be bona fide is not made to feel bad, and is perhaps even rewarded. Time and again, a fraud is successful because people haven’t followed process, particularly when the order for payment has come from a senior member of staff. The natural inclination is to obey the hierarchy.
Next time you hear from the CEO it might not be by email; it might be a FaceTime call. You might be asked to transfer £20,000 to a Swiss bank account and congratulated at the same time on your recent wedding. Just because it looks like the CEO doesn’t mean it is the CEO. And just because you got married recently and the company gave you a nice gift, it doesn’t mean the CEO knew about it. The fraudsters did their research. Think twice. Think process.
Joe Hancock is Partner and Head of Cyber at Mishcon de Reya