In February, a finance team member from the multinational company Arup in Hong Kong transferred HK$200 million (US$25 million) to cybercriminals who used deepfake technology to impersonate the company’s chief financial officer and other colleagues during what seemed to be a legitimate video conference.
The elaborate scam targeted the UK-based engineering group Arup, which only recently disclosed the details of the incident. The cybercrime initially made headlines when Hong Kong police’s Baron Chan Shun-ching explained to local reporters, “(In the) multi-person video conference, it turns out that everyone [he saw] was fake.”
The deception began with an email sent to the finance employee from an address that appeared to belong to the UK-based CFO. The email mentioned a “confidential transaction,” which the Hong Kong staff member initially suspected might be a phishing attempt. However, the subsequent deepfake video conference convinced the employee that the instructions were genuine.
The fraudulent transactions were conducted through 15 transfers, totaling the massive sum. The scam was uncovered only after the Hong Kong office followed up with the British headquarters and confirmed the deception.
In a statement released last Friday, Arup commented, “Unfortunately, we can’t go into details at this stage as the incident is still the subject of an ongoing investigation. However, we can confirm that fake voices and images were used. Our financial stability and business operations were not affected, and none of our internal systems were compromised.”
Arup notified authorities in Hong Kong in January, but as of now, no arrests have been made. The investigation is ongoing.
Rob Greig, Arup’s global chief information officer, emphasized the importance of this incident as a cautionary tale: “I hope our experience can help raise awareness of the increasing sophistication and evolving techniques of bad actors.”