LONDON–As credit unions, CUSOs and their vendors continue to invest in biometrics as a means of defeating cyberthieves, one crime here shows just how difficult the challenge can be.
According to investigators, criminals were able to use artificial intelligence-based software to impersonate the voice of one company’s CEO to demand a fraudulent transfer of €220,000 ($243,000). Law enforcement said the CEO of the U.K.-based energy firm thought he was on the phone with his boss, the CEO of his company’s German parent company, who was requesting that funds be sent to a supplier in Hungary. The fake-CEO caller said the request was urgent, and he directed the executive to pay within an hour, according to the company’s insurance firm, Euler Hermes Group SA, the Wall Street Journal reported.
The names of the companies involved have not been revealed.
‘Slight German Accent’
The Journal reported that whoever was behind the incident appears to have used AI-based software to successfully mimic the German executive’s voice by phone. The U.K. CEO recognized his boss’ slight German accent and the melody of his voice on the phone, Rüdiger Kirsch, a fraud expert at Euler Hermes, a subsidiary of Munich-based financial services company Allianz SE, told the Journal.
“Several officials said the voice-spoofing attack in Europe is the first cybercrime they have heard of in which criminals clearly drew on AI,” the Journal reported. “Euler Hermes, which covered the entire amount of the victim company’s claim, hasn’t dealt with other claims seeking to recover losses from crimes involving AI. Scams using AI are a new challenge for companies, Mr. Kirsch said. Traditional cybersecurity tools designed to keep hackers off corporate networks can’t spot spoofed voices. Cybersecurity companies have recently developed products to detect so-called deepfake recordings.”
Europol’s European Cybercrime Center told the Journal that while it is hard to predict whether there might soon be an uptick in cyberattacks using AI, hackers are more likely to use the technology if it makes attacks more successful or profitable.
Three Calls Made
According to the report, attackers responsible for defrauding the British energy company called three times. After the transfer of the $243,000 went through, the hackers called to say the parent company had transferred money to reimburse the U.K. firm. They then made a third call later that day, again impersonating the CEO, and asked for a second payment, the Journal said Because the transfer reimbursing the funds hadn’t yet arrived and the third call was from an Austrian phone number, the executive became suspicious. He didn’t make the second payment.
The money that was transferred to the Hungarian bank account was subsequently moved to Mexico and distributed to other locations. Investigators haven’t identified any suspects, Kirsch told the Wall Street Journal.
Kirsch added he believes the hackers used commercial voice-generating software to carry out the attack. “He recorded his own voice using one such product and said the reproduced version sounded real,” the Journal said.