In March 2019, an unprecedented cybercrime involving artificial intelligence took place, where fraudsters used AI software to imitate a CEO's voice, convincing another executive to wire €220,000 to a fake account. This incident, involving a UK energy company and its German parent, showcases a sophisticated AI use in hacking, marking a significant shift in cybercrime tactics. It underscores the emergent challenges in cybersecurity, as traditional defenses may not detect such advanced frauds.
The CEO of a U.K.-based energy firm thought he was speaking on the phone with his boss, the chief executive of the firm’s German parent company, who asked him to send the funds to a Hungarian supplier. The caller said the request was urgent, directing the executive to pay within an hour.
Law enforcement authorities and AI experts have predicted that criminals would use AI to automate cyberattacks. Whoever was behind this incident appears to have used AI-based software to successfully mimic the German executive’s voice by phone. The U.K. CEO recognized his boss’ slight German accent and the melody of his voice on the phone.
The attackers responsible for defrauding the British energy company called three times. After the transfer of the $243,000 went through, the hackers called to say the parent company had transferred money to reimburse the U.K. firm. They then made a third call later that day, again impersonating the CEO, and asked for a second payment. Because the transfer reimbursing the funds hadn’t yet arrived and the third call was from an Austrian phone number, the executive became suspicious. He didn’t make the second payment.
The money that was transferred to the Hungarian bank account was subsequently moved to Mexico and distributed to other locations. Investigators haven’t identified any suspects.
How to evade such attacks?
To protect yourself from deceptive calls, including those using deepfake technology to imitate company leaders, it's crucial to verify any significant request. If you're contacted with a request for money transfers or sensitive information, take steps to confirm the request's legitimacy. Use known contact information to reach out directly to the person supposedly making the request. Always use a separate communication method for verification, such as an email or a WhatsApp message to a verified number, and never act solely on instructions received via an unexpected message or call.