AI-generated voice clones
To create a realistic imitation of a person’s voice, all a cybercriminal need do is access a few minutes of recorded audio – perhaps the CFO speaking in a TED talk or video on the company website – before filtering it through AI tools such as ElevenLabs.

The Hong Kong cyber-heist wasn’t a one-off: earlier this year scammers mimicked Mark Read, CEO of WPP, the world’s biggest ad firm, in a Teams meeting by using a voice clone taken from YouTube for Business. Fortunately, the fraudsters – who attempted to get Read’s colleagues to set up a new business – were unsuccessful.

Souped-up scam emails
It’s usually pretty easy to detect a phishing email: woeful translation with abysmal spelling and grammatical mistakes. AI chatbots have changed all that. By feeding social media posts into say, ChatGPT, non-English-speaking cybercriminals can now create convincing emails which hoodwink users into resetting passwords or handing over sensitive data.

A rise in ransomware
Ransomware – where gangs hack into a company’s data and computer systems and demand a fee to restore access – is an ever-present threat for UK businesses. Last year was a record one for such attacks, with average ransomware payments by UK firms hitting $2.1m (£1.7m) according to cybersecurity firm Sophos.

All companies are vulnerable, says Turner. “Ransomware gangs don’t discriminate. They often use a ‘spray and pray’ approach [where spam email is distributed to large numbers of potential victims – only a few will open the malicious links or attachments].”

Unsurprisingly, AI is making this worse. “AI speeds up the process, allowing nefariously minded people to do this at a higher frequency,” says Sharawi.

Man-in-the-middle emails
Turner: “When threat actors gain access to somebody’s inbox, they can put themselves into the middle of an email chain, responding to emails between you and a supplier.”

Info-stealing malware
Turner: “This is malware which embeds itself in applications. For example, if you download Teams infected with info-stealing malware, it’ll also download information from your PC, most notably passwords – which people can use maliciously. This information can be dumped on the dark web, and picked up by organised crime units.”

Strikes against your supply chain
Sharawi: “Organised criminals are looking at the overall supply chain and trying to find the weakest link: it could be an IT supplier, small manufacturing company, even the person who delivers your milk. These smaller SMEs are unlikely to have strong security capabilities, which allows cybercriminals to attack [larger] companies higher up the chain.”

Invest in training
“From a CFO perspective, the best prevention against deepfakes and cybercrime is training,” says McCallum. “Make sure everybody in your business has the right level of scepticism not to click on something when it doesn’t look or feel right.”

This training should, of course, cover current trends. “Things have moved on so much in the last five years – phishing now takes place on Teams, WhatsApp and SMS, not just emails,” adds Turner. “If that’s not in your training, you won’t be protecting your staff adequately.”

Get with the drill
“As a business, you should always expect that you will be a victim of a cyber-attack at some point,” says Sharawi. “Staging regular fire drills builds resilience – if something does happen, this resilience could save you the days/hours it usually takes businesses to recover.”

Spring-clean your social media
Sharawi: “Because organised criminals often scrape their info [for deepfaked WhatsApps/ LinkedIn pages] from publicly available data, I spend a lot of time with executives talking about their digital footprint. They often don’t realise what they or their family put online is all open. For example, if there’s a social media post about, say, the exchange of a new house, that’s enough for a criminal to spear-phish [steal sensitive data] by contacting them and saying there’s a problem with the new house.”

Use password management software
“In some organisations we often see people storing passwords in Excel or text files,” says Turner. “As an organisation, you should be providing staff with the right software to store their passwords.”

Don’t delegate cybersecurity to your IT team
“Make sure it’s a board priority; don’t just treat it as an IT issue,” says Telfer. “Ensure cybersecurity experts are consulted and don’t rely on your IT department or suppliers.”

Look at your data security
“If you don’t know where your client data is being stored or who has access to it, how do you know if you can protect it when somebody is trying to access it?” says Turner. McCallum recommends becoming certified with ISO 27001, the international standard for cybersecurity, which acts as a guarantor that your organisation has set up controls to manage data-related security risks.

Don’t neglect your legacy tech: computers, servers and databases
“Many businesses assume their critical assets are safe because they’re in the cloud,” says Sharawi.  “Okay, but what about all the older legacy tech you’ve decided not to monitor? All [cybercriminals] need to do is access a remote device and they can jump into your environment. Organisations should be focusing on this, not just emails and malware.” 

Take cybersecurity seriously
“One of the biggest mistakes businesses make is trying to minimise the situation, avoiding it because they think it’s just an IT issue,” says Sharawi. “Yet those companies who constantly have cybercrime in mind are much quicker to engage their legal and forensic teams, the management board and incident responders.

“One thing’s clear – expect disruption regardless of geopolitical uncertainty as there’ll always be lots of motivated individuals resorting to cybercrime. Therefore, focus on your preparedness, basic security hygiene and your ability to recover quickly – because any company can be affected by this, regardless of how big or small they are.”