Powered by MOMENTUM MEDIA

Businesses ill-equipped to deal with rising threat of deepfake scams

Profession
07 March 2025

Some businesses and accountants are struggling to keep pace with emerging deceptive practices such as deepfake scams, a fraud specialist has warned.

Advancements in technology, such as artificial intelligence, have enabled fraudsters to develop more sophisticated scams and fraud attempts in the past couple of years, including deepfake scams used to impersonate other people.

With fraudsters deploying these types of schemes to target finance teams in some instances, Roger Darvall-Stevens, head of fraud and forensic services at RSM Australia, said it is critical that organisations have appropriate controls and training to deal with these emerging threats.

In February last year, it was reported that scammers were able to siphon $25 million from engineering firm Arup through an AI-manipulated deepfake that falsely posed as the group's chief financial officer and requested transfers to bank accounts in Hong Kong.

 
 

While most examples of deepfake scams have occurred overseas, it is likely that Australian organisations will soon become a greater target, if they haven't already.

Speaking to Accountants Daily, Darvall-Stevens explained that deepfake scams are essentially a video version of business email compromise, where a person receives an email purporting to be from the CFO or chief executive, asking them to pay something urgently or change a vendor bank account, for example.

Darvall-Stevens outlined that fraud typologies nowadays often intersect between IT security concerns and classic fraud and cyber fraud.

"This is technology enabling further perpetration of the classic fraud types such as theft, identity theft and fraud, account takeover and cheque fraud.

"Cyber fraud examples in addition to deepfakes include Business Email Compromise (BEC), identity theft and fraud, synthetic identity fraud, pharming (cyberattack through a website that looks legitimate), and methods of sending various communication types to entice and deceive victims to part with money such as phishing (emails), vishing (via voice by phone), smishing (via text), and quishing (via QR code)."

Given these emerging threats, Darvall-Stevens said it is important that organisations have continual fraud and corruption control awareness training that is bespoke to that particular organisation.

This needs to be provided at an employee level but also a specific functional level such as finance, procurement or audit.

“It also depends on the size of the organisation and their propensity for them to be a victim to this,” Darvall-Stevens said.

Training in this area tended to be minimal to non-existent among organisations, he said.

“We do a ton of fraud and corruption control awareness training for clients, and we talk about these kinds of [threats], but some organisations don’t do any training because it's discretionary.”

One of the first tests his team does when conducting a fraud and corruption control review is to see if there is any employee training and what that training is.

“Sometimes that training is off the shelf and it's online and it's how fast an employee can tick and get through the training rather than the training being interactive and enabling questions and answers,” he said.

“It may even not be up to date with some of these emerging deceptive practices.”

With fraud attempts becoming increasingly sophisticated as technology advances, Kylie Wing, general manager of APAC at ApprovalMax, said it's vital that staff across all businesses can apply “a professional lens of skepticism and develop their critical thinking”.

Wing said far too many businesses still rely on emails to handle purchase orders or to do invoice and bill approvals.

Organisations should instead be using more secure systems with layers of security and different hierarchies of people who have to make approvals and delegated financial authority, she added.

“That way, if employees do receive a video or an email from the CEO or CFO, they still have to follow the same processes built into that system since day one,” Wing said.

“There is no skirting around those processes in the system, and it will also raise alarm bells if they're told to skip that process.”