UK engineering group Arup lost HK$200mn ($25mn) after fraudsters used a digitally cloned version of a senior manager to order financial transfers during a video conference, the Financial Times has learned.
Hong Kong police previously revealed what is one of the world’s biggest known deepfake scams, but did not identify the company involved. The FT has confirmed it was Arup, which employs about 18,000 people globally and has annual revenues of more than £2bn.
The case highlights the threat posed by deepfakes — hyper-realistic video, audio or other material generated using artificial intelligence — when used by cyber criminals to target companies or governments.
Two people familiar with the matter told the FT this month that Arup had been the target of the scam, which Hong Kong police have classified as “obtaining property by deception”.
Asked about the case, Arup said the company had in January “notified the police about an incident of fraud in Hong Kong”.
“We can confirm that fake voices and images were used,” the company said, declining to give details because the incident was still being investigated. “Our financial stability and business operations were not affected and none of our internal systems were compromised,” it said.
Hong Kong police acting senior superintendent Baron Chan told local media in February that a member of staff in the targeted firm had received a message purporting to be from the company’s UK-based chief financial officer regarding a “confidential transaction”.
After a video conference joined by the company’s digitally cloned CFO and other fake company employees, Chan said, the staff member made a total of 15 transfers to five Hong Kong bank accounts before eventually discovering it was a scam upon following up with the group’s headquarters.
The police said investigations into the case continued, with no arrests so far.
Arup’s east Asia chair Andy Lee stepped down in the weeks following the scam after just a year in the role. He was replaced by Michael Kwok, a former east Asia chair for the company. Lee said on his personal LinkedIn page that he had “decided to embark on a new opportunity”. Lee did not respond to a request for comment made via LinkedIn and Arup declined to comment further on his departure.
The FT reported this month that international advertising agency WPP had been the target of an unsuccessful deepfake scam in which criminals used a voice clone and YouTube footage to set up a video meeting with executives.
Liu Meng, an analyst with consultancy Forrester, said many companies, banks and legislators lacked awareness of new forms of scam such as those using deepfakes.
“Corporates need to purchase more IT solutions to counter cyber security scams [and] banks need to alert their clients on suspicious payments when the money is about to be wired,” Liu said, adding that laws should be passed to ensure banks shared more in financial losses from fraud.
Arup’s global chief information officer Rob Greig said in a statement that the number and sophistication of deepfake and other scams had been “rising sharply” in recent months.
“I hope our experience can help raise awareness of the increasing sophistication and evolving techniques of bad actors,” Greig said.
Additional reporting by Gill Plimmer in London and Kaye Wiggins in Hong Kong