British engineering giant Arup revealed as $25M deepfake scam victim

British engineering giant Arup revealed as $25M deepfake scam victim(cnn.com)

126 points by gds44 1 year ago | 102 comments

bartlettD 1 year ago |

> According to police, the worker had initially suspected he had received a phishing email from the company’s UK office, as it specified the need for a secret transaction to be carried out. However, the worker put aside his doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized.

Regardless of the sophistication of the deepfake, surely this rings huge alarm bells, right? I'm not even sure I'd be comfortable making secret transactions on instruction from my boss. Even if your boss is actually asking you to do this, how can you have the financial authority to transfer $25M and not the savvy to think that being asked to transfer huge amounts of money in secret isn't going to result in you getting thrown under the bus?

michaelt 1 year ago | |

The scammers usually have a slightly unusual, but plausible (and urgent) story.

For example, that they've just closed a deal to buy a startup - a negotiation which was of course conducted in secrecy. It's a startup in another country, which is why we're all out of the office. Timezones are why you've received the request outside of normal working hours. And we've got to, um, close the deal so we can announce it outside of stock market opening hours, for both countries. To close the deal we've got to pay 10% of the 250M purchase price upfront. If you can't get this done within 2 hours the deal will fall through.

csomar 1 year ago | |

Secret doesn't mean illegal. Unless something is illegal, this guy doesn't have any input and it's up to the auditor to verify the legitimacy of the transactions.

llamaimperative 1 year ago | |

Big transactions happen and it’s some people’s jobs to execute them

Semaphor 1 year ago | | |

"in secret" is the issue

vintermann 1 year ago | |

Maybe high-up workers are asked to do secret/illegal stuff more often than we think.

helsinkiandrew 1 year ago | |

> Regardless of the sophistication of the deepfake, surely this rings huge alarm bells, right?

Its a company with revenues of a couple of billion and that probably sub contracts thousands of other companies on projects around the world. The finance department is probably sending similar payments regularly.

Most payments will be "secret" in that the amounts won't be made public to employees that don't need to know. The company maybe, for example, be repeating work that has been already been done in house so doesn't want it known inhouse what companies are being paid.

markogrady 1 year ago | |

I've heard this happening for a local company with about £9 million with a similar email scam. Supposedly, the person who transferred the money was competent and clever. With that amount of money, saying you don't need to ask questions, in part, is very convincing.

el_oni 1 year ago | |

Yeah, this would at least cause me to email my boss and say "Can you just confirm, you want me to transfer $25 million to this account? I'll hold off until you give me confirmation in writing"

hell i do this if our tester hasn't managed to go over some aspect of our release. That way i get in writing from the product owner that he has OKd it, and if he sends me a teams message i ask him to email me confirmation.

Tao3300 1 year ago | | |

Reminds me of that old urban legend about the trader who ordered the coal futures that eventually showed up as actual coal. In that story there's always an element where the subordinates who have to carry out the transactions have been abused to the point of never questioning his decisions.

chasd00 1 year ago | | |

Yep sometimes I go so far as printing the email and sticking it in a meatspace folder on my desk. Just depends on how important that sign off really is and the consequences of not being able to produce it.

miohtama 1 year ago | |

If you are a boomer company that does not know how online works, then you can also afford a boomer-style business class flight tickets to do a secret $25M transaction face-to-face.

tompccs 1 year ago |

I said this over a year ago elsewhere:

Electronic engineers spent decades overcoming thermal noise floors so that humans could communicate over vast distances with small amounts of energy.

AI researchers, in a few short years, undid all that by making computer-generated chatter and images indistinguishable from messages sent by humans.

Until such a time as we live in a Bladerunner-like world of Replicants, being in-person will be the only reliable way to convey a message from human to human.

I'm long on travel and in-person meetings, short on VR and telecoms.

laurencei 1 year ago |

What I find strange about this is you dont need it to be "deepfake".

Just an inside job.

If a large company allows a single employee to transfer millions to a new bank account/vendor that has no history, on "their belief" the instruction came from an approved person (i.e. their boss, CFO etc) - that company has major governance issues that are not related to deepfake.

Imagine the more simple scenario - an employee transfers millions, knowingly fraudulantly, to some people they are working with. They then simply supply some "deep fake" pictures and a story how it was an accident - and boom; you walk away with millions.

Checks and balances exist for many reasons - deepfake doesnt overcome those by itself. This company is just missing basic steps that would have protected itself here.

edit: in fact- its even more obviously some inside job; put the deepfake aside for a moment. How was the meeting even booked? Their PR person said "none of our internal systems were compromised". So this meeting magically appeared in someone's calendar? Using their internal video system (Skype or Teams or whatever). And the criminals knew to target this person, with enough knowledge of random office people to deep fake them? Come on...

illwrks 1 year ago |

The real issue here is a lack of proper risk controls around business processes involving money. Regardless of if it’s £3 for a coffee or £25m for a Secret acquisition there should be an agreed process that everyone involved in business transactions should be aware of so that if they are suddenly privy to a deal they can navigate and validate the authenticity of their involvement.

legel 1 year ago | |

This brings up an interesting “risk control” that one of my tech investors personally implemented with his family, in case a audio/video version of him ever asks to do anything crazy: secret passwords, agreed upon in person.

XorNot 1 year ago | | |

Technically Signal solves this problem with safety codes.

The UI really could stand to be more assertive about what they mean though.

graemep 1 year ago | |

With £25m there ought to be at least two people required to authorise the transfer.

klyrs 1 year ago |

How cool is it that Zoom is capturing our data and using it to train their "AI" efforts? Perhaps nobody in the world is better positioned to completely disrupt nearly every tech-using company, by emulating our C-suites, and ordering us to drain everything. Imagine the Robin Hood shenanigans they could get up to! Or the evil supervillain shenanigans! Who cares, really. The future is so fun!

dboreham 1 year ago |

I think the underlying problem is cultural: people have been conditioned to expect others to authenticate them (give me the last 4 digits of your SSN, tell me the last two transactions on your account), BUT they haven't been told they need to authenticate others. They just aren't thinking "how do I know this is who I think it is? How do I know they haven't been kidnapped?".

blitzar 1 year ago | |

My personal protocol with my bank when they ring me is for me to call them back.

The bank workers are normally quite understanding - except when it is someone from fraud detection (and yes these are legitimate calls) and they tend to get odly defensive that I wont hand out my personal information.

wiradikusuma 1 year ago |

I think one way to verify legitimacy is by calling back. For example, "Ok boss, just protocol, but you wouldn't mind if I call you using your usual number?" (or just do it without informing in advance).

Ideally they screen-record (can you do that in Android/iPhone?), so at least if it's really scam, they can say "but I follow protocol, here's the evidence".

Btw we once had a similar scam attempt. "The CEO" emailed Finance in great urgency to transfer money. Good thing the CEO was sitting next to the Finance lady. I was sitting next to them watching the horror turned comedy.

EZ-E 1 year ago |

Learned recently my mid sized company was also targeted. The CFO received first a (fake) call from a lawyer asking to confirm a transaction, then later a deep faked voicemail from the co founder mentioning that same transaction. It apparently all sounded very real. The attacks are becoming very targeted, customized and elaborate. Very far from the Nigerian prince emails written in poor English...

_tk_ 1 year ago |

The article lacks details to discuss this particular incident. This could reasonably be a company with poor governance, insecure configuration and authentication - and then this is a non-story. OTOH, with the amount of money in question, a sophisticated attack is absolutely believeable, and even 2FA and better process governance will help you out. Maybe a PKI does, but as always, it depends.

betaby 1 year ago |

It's not a BitCoin, so transaction has been reversed since then, righ?

bgrainger 1 year ago |

Previous discussion (from when it happened but before the victim company was named): https://news.ycombinator.com/item?id=39248649