CEO Fraud 2.0

Andreas Mühlbauer,

Managing director fraud - when the boss demands millions

CEO fraud: "CEO fraud" enters the next round. In addition to emails, perpetrators are now using voice impersonation and artificial intelligence to obtain millions of euros. How the method works and what companies can do. By Attila Misota

Criminals have already stolen millions of euros through CEO fraud. Now artificial intelligence is also coming to their aid. © Mohamed Hassan / Pixabay

It's a normal working day in a London office - until the phone rings. It's the boss from Germany on the line, asking his employee to make an urgent transfer. It's Friday afternoon and already after 4 pm in Germany. However, due to the time difference, London still has an hour's buffer and the transfer would go out today and not on Monday. Although the request is somewhat unusual, the British employee clearly recognizes his boss's voice and therefore immediately arranges the transfer to a foreign account. What he doesn't know is that he has just become a victim of advanced CEO fraud. The money transferred ends up in the hands of the fraudsters. This is one of many real incidents reported by the IT news portal Heise.

Rip-off on a grand scale via voice imitation

The scam is not new per se, but the way it is carried out is. In the past, victims mainly received emails whose senders wanted to initiate transfers with all kinds of adventurous stories. Even as private individuals, many people are familiar with such stories about investments in high-yield diamond mines or poor travelers, supposedly acquaintances who just need a little money for their trip home. With CEO fraud, on the other hand, the email comes from the supposed boss, even with a matching sender address.

Thanks to the development of artificial intelligence (AI) in combination with better voice assistants, the scam has now become even trickier. Fraudsters can now imitate voices and thus exploit the trust of company employees in the authenticity of a payment request even better. Instead of an email, unsuspecting victims actually receive a call from a familiar voice.

Unfortunately, these are no longer isolated cases and the losses for companies can quickly run into the millions. A study by the auditing and consulting firm PwC shows that 40 percent of 500 companies surveyed in Germany have been the target of CEO fraud within two years. However, it is almost impossible to determine the exact losses and specific damage, as the number of companies affected is likely to be significantly higher.

Nevertheless, the police recorded 171 crimes in connection with CEO fraud in North Rhine-Westphalia alone in 2018, with losses of 6.4 million euros. A single travel company accounted for 4.5 million euros of this. The Nuremberg-based automotive supplier Leoni was defrauded of around 40 million euros back in 2016. This shows that even a single successful fraud can have extreme consequences for companies. Voice impersonation with the help of AI is likely to make attacks even more successful than before.

Artificial intelligence opens up new gateways

So how exactly does CEO Fraud 2.0 work? Although there are slight variations from case to case, the basic pattern is always similar. First, the company, often the accounting department, receives an email in the name of the CEO. To make the deception even more sophisticated, the fraudsters like to replace the official email signature with "Sent from my iPhone" or similar short sentences that pretend to be sent from a mobile device. This is intended to give the impression that the busy boss has quickly sent a message from a meeting or while on the move.

The following step looks even more authentic: The supposed boss calls the company after sending the email. Even the voice matches. He refers to the email and asks for an urgent bank transfer. So that there is no time for suspicion, inquiries or verification, the perpetrator will pretend to have a very important appointment afterwards and not want to be disturbed. If the accounting department transfers the money without further consultation, the fraud has been successful.

The next important question is how companies can take action against this scam. As always, prevention is better than detection. First of all, it is important to sensitize employees to this form of fraud. Training courses are suitable for this, in which everyone in the company learns how to recognize the attacks and how best to react. Training courses are a much more memorable way of showing how attackers proceed and how easy it is to write such fake emails. The process outlined for a typical CEO fraud shows that the method is now very easy to understand, but the relevant information must also be shared with all employees.

If the company has already been the victim of such a fraud, the training can also be based on this real case in order to bring the mere possibility even closer to reality, so that the employees have a stronger connection to it. To ensure that all employees know how to react in such cases at all times, the internal security officers or external service providers should review the security guidelines and processes for susceptibility to AI-supported attacks and adapt them if necessary.

One simple way to ward off attacks is to introduce the dual control principle for bank transfers, for example, so that at least one other person checks the request before money falls into the wrong hands. It must also be easy and quick to see which reactions to fraud attempts are appropriate. This requires handouts or guidelines. However, many companies do not yet have any information on how to deal with fraud. Processes are only developed once a security incident has actually occurred. By then, however, it is already too late and a lot of money may already have been lost.
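The dual control principle described above can be enforced in the payment workflow itself rather than left to habit. The following sketch is an added example, not code from the article or from any real payment system; the class and function names, the user names and the placeholder IBAN are all assumptions. It refuses to release a transfer without an independent second check, does not let urgency waive that check, and does not accept a "confirmation" from the person in whose name the request was made, since that identity is exactly what a voice imitation puts in doubt.

```python
"""Dual control gate for outgoing transfers (illustrative, constructed data)."""
from dataclasses import dataclass, field


class ReleaseDenied(Exception):
    """Raised when a transfer may not be released yet."""


@dataclass
class TransferRequest:
    entered_by: str            # employee who keyed in the transfer
    on_behalf_of: str          # person the email or call claimed to come from
    beneficiary_iban: str
    amount_eur: int
    marked_urgent: bool = False
    approvals: set = field(default_factory=set)


def approve(req: TransferRequest, approver: str) -> None:
    """Record a check by a second person; reject approvals that are not independent."""
    if approver == req.entered_by:
        raise ReleaseDenied("entering employee cannot approve their own transfer")
    if approver == req.on_behalf_of:
        # The claimed requester's identity is what is in doubt, so a
        # confirmation "from the boss" never counts as the second check.
        raise ReleaseDenied("claimed requester cannot approve the transfer")
    req.approvals.add(approver)


def release(req: TransferRequest) -> str:
    """Release only with at least one independent approval; urgency changes nothing."""
    if not req.approvals:
        reason = "no independent approval"
        if req.marked_urgent:
            reason += " (urgency does not waive dual control)"
        raise ReleaseDenied(reason)
    return f"released {req.amount_eur} EUR to {req.beneficiary_iban}"


def try_release(req: TransferRequest) -> str:
    """Return the release result or the denial reason, e.g. for an audit log."""
    try:
        return release(req)
    except ReleaseDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    # Constructed scenario following the article: urgent request "from the CEO".
    req = TransferRequest("accounting.clerk", "ceo", "DE00 0000 0000 0000 0000 00", 250_000, True)
    print(try_release(req))
    approve(req, "head.of.finance")
    print(try_release(req))
```
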

Alongside the training courses, IT managers must also carry out tests to ensure that the measures have been effective. For example, the security officers send out phishing emails every year and test the employees' reactions. The same naturally applies to fraud emails and fake phone calls. The aim here is not to expose individual employees, but to measure how successful the training measures were and where there is still room for improvement.

Cyber attacks will continue to increase in the future

In general, it can be said that cyber attacks such as CEO fraud are becoming increasingly efficient as technology develops, which is why they will continue to increase in the future. Of course, the perpetrators often invest a lot of time in preparation and get to know internal company processes, for example whether the boss is on first-name terms with his employees. However, the effort pays off when even one successful attack generates millions of euros for the perpetrators, so motivation is correspondingly high.

Even if further security measures are added in the future in addition to voice verification, fraud attempts can never be completely ruled out. In addition to the voice impersonation scam, cases involving fake video calls are also conceivable in the future. In June 2019, the deepfake video with Mark Zuckerberg showed just how authentic fake videos can look. It is therefore only a matter of time before fraudsters use this technology for themselves. CEO Fraud 3.0 is already casting its shadow. This makes it even more important to take this threat seriously and, with well-informed employees and well thought-out internal guidelines, to deny perpetrators an opening in the first place.

Attila Misota, Business Development Manager and PreSales Consultant at T-Systems Multimedia Solutions
