Every CFO’s worst nightmare just came true

In Hong Kong, a finance worker at a multinational firm remitted a total of $200 million Hong Kong dollars, about $25.6 million, to fraudsters who used deepfake technology, CNN reported. Hong Kong authorities, who confirmed the crime on Feb. 2, have not disclosed the name or details of the company or the worker. According to reports, the scammer used past online conferences to train AI to digitally recreate a scenario where the CFO ordered money transfers. The worker was actually the only real person on the video call. “This time, in a multi-person video conference, it turns out that everyone you see is fake,” said Baron Chan Shun-ching, an acting senior superintendent, according to South China Morning Post.

The employee, who made 15 transfers into five local bank accounts, did initially have some suspicions, as the conversation indicated the need for a secret transaction to be carried out, according to reports. But the people on the call looked and sounded just like his colleagues. 

Combatting deepfakes

In the age of AI, a scenario like this is frightening. So the question is: How is this preventable? Well, risk management plays a big role. As companies navigate the cybersecurity threat landscape complicated by AI-driven technologies, “the tried-and-true saying, ‘trust but verify,’ is important to remember,” according to Lisa Cook, governance, risk, and compliance professional practices principal at ISACA, a professional association focused on IT governance. 

Companies will need to employ a variety of preventative and detective controls to mitigate the risk of financial or reputational damage from deepfakes, Cook said. For starters, making sure employees are educated about deepfakes, including the technology’s ability to impersonate people using voice and video, she said. Another suggestion? “Providing employees with alternative identity verification methods to include inserting a ‘human-in-the-middle’ for additional confirmation of significant transactions,” Cook said. Also, deploying AI-driven tools specifically designed to analyze and detect deepfakes which would not be readily identified by a human, Cook said.

According to Cook, another best practice is to identify who in your firm is responsible for detecting and addressing abnormal behavior, while outlining the chain of command and communication for handling such abnormalities. ISACA’s recently released white paper, “The Promise and Peril of the AI Revolution: Managing Risk,” delves further into the topic.

Baptiste Collot, cofounder and CEO of Trustpair, a payment fraud prevention platform provider, also said risk management is key. Collot’s firm specializes in global bank account validation, he said. So even if an employee is duped by a deepfake video call and attempts to send a payment, when the information is set into the the systems, the technology can potentially determine whether the bank account belongs to the vendor or not, he explained. 

Trustpair’s new research survey of more than 260 senior finance and treasury leaders found that 83% of respondents saw an increase in cyber fraud attempts on their organization in the past year. To dupe organizations, fraudsters primarily used text messages (50%), fake websites (48%), social media (37%), hacking (31%), business email compromise scams (31%), and deepfakes (11%). In fact, CEO and CFO impersonations were the third most common type of fraud, according to the report.

“It’s almost impossible to trust the person you’re talking to, unless you have this person just physically in front of you,” Collot said.

The ability to determine deepfakes will need to become second nature for companies.

Sheryl Estrada
sheryl.estrada@fortune.com

Leaderboard

Gary Millerchip is stepping down as SVP and CFO at The Kroger Co. (NYSE: KR) to assume an executive role at another public company. Todd Foley, group vice president, corporate controller and chief accounting officer, has been appointed interim CFO, effective Feb. 5. The company will name a CFO successor at a later date. Foley has over 30 years of experience. Since joining Kroger in 2001, he has served as assistant corporate controller, VP and treasurer. 

David Longo was promoted to CFO at Chegg, Inc. (NYSE:CHGG), a student-first connected learning platform, effective Feb. 21. Andy Brown, current CFO of Chegg, Inc., is retiring. Longo has been chief accounting officer and corporate controller since coming to Chegg in 2021.

Big deal

Informatica (NYSE: INFA), a data management company, has released its annual report, CDO Insights 2024: Charting a Course to AI Readiness. The findings are based on a survey of 600 enterprise chief data officers and other data decision makers across the U.S., Europe, and Asia-Pacific.

Forty-two percent of respondents pointed to the quality of data as the top data-related obstacle to the adoption of generative AI and large language models and 40% named data privacy and protection. However, data leaders forsee the effort being worth it, especially given their emphasis on data management, according to the report.

Almost half (45%) of data leaders reported they’ve already implemented generative AI. And, 73% use or plan to use tech to improve time to value with faster insights from data.

Going deeper

"Is Self-checkout a Failed Experiment?" is a new article in Wharton's business journal that discusses the pros and cons of self-checkout. “For retailers, it’s a combination of cutting labor and adding flexibility,” according to Santiago Gallino, Wharton operations, information and decisions professor. “It’s not to make checkout more efficient. They are basically transferring the labor to the customer.”

Overheard

“We do see that it looks like it’ll be a persistent thing.”

— Fed Chair Jerome Powell said about remote work during an interview with the weekly news program 60 Minutes on Sunday. But many employers are still pushing for a return to work. Some are actively monitoring turnstile data to judge the frequency and, even more importantly, the length of time their workers are there, Fortune reported.