There’s a new wave of cybercriminals using AI to clone voices, produce deepfake LinkedIn pages and dupe firms out of millions of pounds. And it’s finance professionals who are increasingly being targeted. Christian Koch meets the experts to unravel these ever-evolving threats
Picture the scene. Your phone pings with a WhatsApp alert. It’s the CFO summoning you to a Teams meeting. You log into the video call, see the profile pics of other colleagues you recognise and listen as your boss instructs you to make company payments into five bank accounts.
None of this is unusual. Financial employees across the globe receive requests just like this every day. What is strange is that the CFO – like everyone else in the virtual meeting – isn’t a real person, but a deepfaked video.
“Cybercriminals like accountancy because accountants hold high volumes of data… they’re like a stepping stone into multiple other companies”
SUSIE SHARAWI, CYBERSECURITY PARTNER, DELOITTE
This is what happened earlier this year to a finance clerk in the Hong Kong office of a multinational – recently revealed to be UK engineering firm Arup – who was duped into paying HK$200m (£20m) of her firm’s money to fraudsters. The WhatsApp message? From a bogus account using a publicly available shot of the CFO. The people in the Teams call? The scammers had downloaded videos of them in advance and used AI tools to clone their voices.
Cybercrime is already a huge problem in the UK, costing £27bn annually according to government estimates. In the past 18 months, the British Library, Royal Mail and Greater Manchester Police have all been disrupted by high-profile ransomware attacks; Susie Sharawi, Cybersecurity Partner at Deloitte, estimates some of her global clients are hit by 300–400 attempted cyber-attacks every day.
The advent of generative AI, however, means cybercriminals can now rustle up lifelike imitations of a person’s voice using just a few snippets of audio. There’s even a form of AI that can identify computer passwords by the sound of keys being pressed when somebody logs on for a video call with their microphone switched on.
“Because it’s usually the CFO who signs off the money going out the door, they’re naturally the ones being targeted”
NIALL McCALLUM CA, CHIEF FINANCIAL OFFICER, LRQA
“AI has lowered the barrier to entry [for cybercriminals],” says Ben Turner, a “red-hat hacker” (an ethical hacker who aims to bring down cybercriminals) and Senior VP, Consulting and Advisory Services, at global assurance firm LRQA. “Previously, somebody had to be very skilled to do this. But AI has made everything more accessible. Now, adversaries without English as their first language can craft perfect emails using ChatGPT, even making it sound as if it was written by somebody from Yorkshire or Scotland. It all helps build rapport with their targets.”
“Things have moved on so much in the last five years – phishing now takes place on Teams, WhatsApp and SMS, not just emails”
BEN TURNER, SENIOR VP, CONSULTING & ADVISORY SERVICES, LRQA
Until recently, the person who’d typically fall prey to a cyber-attack would be an accounts clerk who unwittingly opens a phishing email which paralyses an organisation’s computer system by releasing malware. Today though, it’s finance professionals who are prime targets.
“Because it’s usually the CFO who signs off the money going out the door, they’re naturally the ones being targeted,” says Niall McCallum CA, Chief Financial Officer at LRQA and an ICAS Council member. “[Through CFOs], they could get access to company accounts, supplier and customer lists, bank accounts… Businesses are now getting deepfake WhatsApp calls from somebody purporting to be the CFO, saying, ‘We’re about to close a deal, please move some money.’”
“Cybercriminals are size-agnostic: a small business or firm is just as likely to be caught as a large business”
ALICE TELFER CA, HEAD OF BUSINESS POLICY & PUBLIC SECTOR, ICAS
As Sharawi says, “They [cybercriminals] like accountancy because accountants hold high volumes of data… they’re like a stepping stone into multiple other companies.” The financial felons are clever too, striking when their targets are busiest, such as preparing year-end tax returns or, as Sharawi says, “seasonal busy periods: summer holiday season, Easter, bank holidays – whenever you might have skeletal staff and your ability to react is on the back foot”.
And CAs in SMEs – or in a practice with SME clients – shouldn’t assume they’re small enough to fly under the hackers’ radar. “Cybercriminals are size-agnostic: a small business or firm is just as likely to be caught as a large business,” says Alice Telfer CA, Head of Business Policy and Public Sector at ICAS. “We are aware of several incidents in accountancy firms… These attacks have included not only loss of data, but money taken from bank accounts of clients accessed through the accountant, and, of course, loss of business and reputational damage.”
Finance professionals don’t just need to be vigilant for themselves: they also play a key role in fortifying their company’s cybersecurity strategy. Because the financial costs of cyber-threats fall under their remit – whether it’s lost revenue due to reputational damage or training budgets – collaborating with other parts of the business is essential.
“If you’re responsible for the financial security of the organisation, you’ve got to be all over this, working closely as a business partner with the CIO,” says McCallum. “It’s yet another thing that’ll keep CFOs awake at night.”
The new cyber-threats
AI-generated voice clones
To create a realistic imitation of a person’s voice, all a cybercriminal need do is access a few minutes of recorded audio – perhaps the CFO speaking in a TED talk or video on the company website – before filtering it through AI tools such as ElevenLabs.
The Hong Kong cyber-heist wasn’t a one-off: earlier this year scammers mimicked Mark Read, CEO of WPP, the world’s biggest ad firm, in a Teams meeting by using a voice clone taken from YouTube for Business. Fortunately, the fraudsters – who attempted to get Read’s colleagues to set up a new business – were unsuccessful.
Souped-up scam emails
It’s usually pretty easy to detect a phishing email: woeful translation with abysmal spelling and grammatical mistakes. AI chatbots have changed all that. By feeding social media posts into say, ChatGPT, non-English-speaking cybercriminals can now create convincing emails which hoodwink users into resetting passwords or handing over sensitive data.
A rise in ransomware
Ransomware – where gangs hack into a company’s data and computer systems and demand a fee to restore access – is an ever-present threat for UK businesses. Last year was a record one for such attacks, with average ransomware payments by UK firms hitting $2.1m (£1.7m) according to cybersecurity firm Sophos.
All companies are vulnerable, says Turner. “Ransomware gangs don’t discriminate. They often use a ‘spray and pray’ approach [where spam email is distributed to large numbers of potential victims – only a few will open the malicious links or attachments].”
Unsurprisingly, AI is making this worse. “AI speeds up the process, allowing nefariously minded people to do this at a higher frequency,” says Sharawi.
Man-in-the-middle emails
Turner: “When threat actors gain access to somebody’s inbox, they can put themselves into the middle of an email chain, responding to emails between you and a supplier.”
Info-stealing malware
Turner: “This is malware which embeds itself in applications. For example, if you download Teams infected with info-stealing malware, it’ll also download information from your PC, most notably passwords – which people can use maliciously. This information can be dumped on the dark web, and picked up by organised crime units.”
Strikes against your supply chain
Sharawi: “Organised criminals are looking at the overall supply chain and trying to find the weakest link: it could be an IT supplier, small manufacturing company, even the person who delivers your milk. These smaller SMEs are unlikely to have strong security capabilities, which allows cybercriminals to attack [larger] companies higher up the chain.”
Who are the cybercriminals?
Although malicious players can operate from anywhere – including the UK – many of the more prolific ransomware groups are based in eastern Europe and Russia. Anne Keast-Butler, Director of GCGQ, recently warned that Russia is actively encouraging hackers to attack British businesses. Meanwhile, North Korea is believed to have made $3bn (£2.4bn) for its nuclear weapons programme by staging cyber-attacks on western cryptocurrency-related companies, according to a recent UN report.
The world’s largest ransomware gang is Russia-based LockBit, which was responsible for an estimated 44% of global ransomware attacks in 2022.
Victims include Royal Mail, Boeing and Nottinghamshire-based car dealership Pendragon, which refused to pay a $60m (£47m) ransomware demand.
The US National Crime Agency recently identified its leader, said to be Dmitry Korashev, and offered a $10m reward for information leading to his capture.
Hackers aren’t always part of organised crime units either. “Sometimes it could be a 14-year-old in Russia who cyber-hacks for fun, before selling their access over the dark web to a ransomware service team,” says Turner.
How to safeguard your business
Invest in training
“From a CFO perspective, the best prevention against deepfakes and cybercrime is training,” says McCallum. “Make sure everybody in your business has the right level of scepticism not to click on something when it doesn’t look or feel right.”
This training should, of course, cover current trends. “Things have moved on so much in the last five years – phishing now takes place on Teams, WhatsApp and SMS, not just emails,” adds Turner. “If that’s not in your training, you won’t be protecting your staff adequately.”
Get with the drill
“As a business, you should always expect that you will be a victim of a cyber-attack at some point,” says Sharawi. “Staging regular fire drills builds resilience – if something does happen, this resilience could save you the days/hours it usually takes businesses to recover.”
Spring-clean your social media
Sharawi: “Because organised criminals often scrape their info [for deepfaked WhatsApps/ LinkedIn pages] from publicly available data, I spend a lot of time with executives talking about their digital footprint. They often don’t realise what they or their family put online is all open. For example, if there’s a social media post about, say, the exchange of a new house, that’s enough for a criminal to spear-phish [steal sensitive data] by contacting them and saying there’s a problem with the new house.”
Use password management software
“In some organisations we often see people storing passwords in Excel or text files,” says Turner. “As an organisation, you should be providing staff with the right software to store their passwords.”
Don’t delegate cybersecurity to your IT team
“Make sure it’s a board priority; don’t just treat it as an IT issue,” says Telfer. “Ensure cybersecurity experts are consulted and don’t rely on your IT department or suppliers.”
Look at your data security
“If you don’t know where your client data is being stored or who has access to it, how do you know if you can protect it when somebody is trying to access it?” says Turner. McCallum recommends becoming certified with ISO 27001, the international standard for cybersecurity, which acts as a guarantor that your organisation has set up controls to manage data-related security risks.
Don’t neglect your legacy tech: computers, servers and databases
“Many businesses assume their critical assets are safe because they’re in the cloud,” says Sharawi. “Okay, but what about all the older legacy tech you’ve decided not to monitor? All [cybercriminals] need to do is access a remote device and they can jump into your environment. Organisations should be focusing on this, not just emails and malware.”
Take cybersecurity seriously
“One of the biggest mistakes businesses make is trying to minimise the situation, avoiding it because they think it’s just an IT issue,” says Sharawi. “Yet those companies who constantly have cybercrime in mind are much quicker to engage their legal and forensic teams, the management board and incident responders.
“One thing’s clear – expect disruption regardless of geopolitical uncertainty as there’ll always be lots of motivated individuals resorting to cybercrime. Therefore, focus on your preparedness, basic security hygiene and your ability to recover quickly – because any company can be affected by this, regardless of how big or small they are.”
From the frontline
Gary Connel CA, a CFO with experience in the tech sector, shares sage advice on cybercrime awareness
“Cybersecurity has become a high priority for us all in recent years, second only to health and safety in terms of importance in the boardroom. Like health and safety, it needs a regime of constant training, visibility and vigilance along with commitment from the directors. We use short training videos, staff meeting presentations, posters and live tests – such as fake internally generated emails to see who clicks on the link – to help safeguard the company.
“The most common scams I have seen are emails to finance, supposedly from your boss, requesting that an urgent payment is made to X. The email looks real and will have the person’s picture and signature. But if you hover your mouse over the address you will see the real email address it is sent from.
“Our processes always require verbal confirmation and multiple approvals of any ad hoc payments. Similarly, we require verbal approval from any employee or supplier who wants to change their recipient bank account.
“Cybersecurity is not just about the company systems. The products can also pose a risk to consumers and the company. For example, my car is connected to the internet as it passes data back to the manufacturer, even though I do not subscribe to any data service. This could pose a threat to the manufacturer, the people in the car and also any internet device nearby. It is an increasingly large and complex area of risk that needs to be effectively managed.”
For more resources visit the ICAS cybersecurity hub
ADVERTISEMENT