AI & Deepfakes – The Latest Business Identity Compromise Tools

When PwC’s risk and ethics chief was tricked into revealing sensitive information about a hire, it made headlines. An email purporting to be from the consulting firm’s new general counsel targeted the newly appointed risk chief and induced them to reveal confidential information about the yet-to-be-announced counsel.

Unlike other businesses that have fallen victim to business identity compromise (BIC), PwC wasn’t duped out of money, but of sensitive information. And stolen information has the potential to be used later on for fraudulent means.

BIC is a global fraud problem, with 46% of organisations interviewed by PwC (unrelated to the cyber incident) admitting they had been victims of fraud activities in 2021. It is a cyber threat that is on the rise. In the US alone, more than US$5.8 billion was lost to identity theft in 2022 – a 70% increase compared to the previous year. Here in Australia, serious identity theft cost businesses more than $423 million in FY19, according to the Australian Institute of Criminology, which also notes that the instances of serious identity theft are rising at an alarming rate.

Business identity compromise explained

BIC (also known as corporate/commercial identity theft) is where a cybercriminal seeks to impersonate a business, or specific individuals within a business, in order to obtain financial gain. Typically, the criminal will masquerade as a business’ owner, executive or employee in order to illegally transact in the name of the business.

Criminals can steal a business’ identity via access to commercial bank accounts and credit cards, or through theft of sensitive corporate information.

Some of the methods cybercriminals use to perpetrate a BIC scam include:

  • data breaches or hacking
  • fake invoices
  • phishing
  • malware
  • corporate espionage
  • social engineering
  • money mules (individuals who act as intermediaries in BIC schemes and who are recruited through some type of business opportunity or scam, such as a fake work-from-home offer or an advance-fee fraud)
  • fake social media accounts
  • fake or replica websites
  • phone scams (impersonating a bank, credit report agency, ATO or similar)
  • hacking emails, in particular those of the business’ executives
  • planting an unsecured Wi-Fi hotspot in or around an office
  • “dumpster diving” (scouring through rubbish to find sensitive information), and
  • generative AI using large language models such as ChatGPT, Bing Chat or Google’s Bard.

Once the criminal has the business’ details, they can attempt to defraud the business. For example, they could:

  • Obtain a new line of credit, loans or credit cards in the name of the business.
  • Transfer funds from the business’ bank accounts to a fraudulent account.
  • Open a new bank account under the business’ name.
  • Open telephone, internet or other expense accounts in the business’ name.
  • Create merchant accounts in a business’ name.
  • Scam a business’ employees to access financial details.
  • Set up temporary office space in a business’ name.
  • Make withdrawals or purchases.
  • Make contact with customers, suppliers and other business associates and siphon funds, goods or services from them.
  • Go to banks, government agencies, lawyers and courts to update business registration or mailing details (to control all related correspondence).
  • Add themselves as a director of the business, remove others as directors, and make key decisions (such as investments) on behalf of the business.
  • Steal the identities of individuals within the business and those of business associates to then commit traditional identity theft.

Another form of BIC is fraudulent tax returns, also known as refund fraud. This can see the criminal providing spoofed information and documents such as invoices and receipts, lodging fraudulent returns using fake or stolen identities, or lodging fraudulent GST claims through a fraudulent business registration.

BIC can also lead to trademark ransom. This is where the criminal registers a business name or logo as an official trademark in an effort to demand a ransom.

Businesses that fall victim to BIC often not only lose money, but also suffer damage to their reputation, lose customer trust, experience revenue decline, have their credit score and cash flow impacted, wind up in tax disputes, or have to defend legal action taken against them. The business may also have to deal with legal consequences, such as defending their patents, copyrights, trademarks, or other intellectual property in court.

Evolving risk

One of the ways that cybercriminals exploit BIC is by impersonating a business’ CEO or CFO in order to issue realistic instructions, usually via a compromised email account, to the accounts payable team to make electronic funds transfer payments to the criminal’s own bank account.

With the advent of more sophisticated AI and the increasing use of deepfakes, especially voice deepfakes, cybercriminals are initiating more elaborate – and believable – BIC attacks.

Deepfake technology uses deep learning (a form of AI) to create a fake image, video or audio fragment. By using big datasets of images, audio and video, it imitates someone’s voice or facial expression. This way the criminals can make people – such as CEOs or CFOs – say or do things they have not really said or done, like order a money transfer or open a bank account to launder money.

Deepfake technology has been in the news in recent years due to its ability to fool its intended audience with doctored photos, videos and audio. But recent advancements in the technology and its use in payments fraud pose a substantial threat to business. As the US Federal Trade Commission Chair Lina Khan has said, artificial intelligence is being used to “turbocharge” fraud.

Deepfake audio fraud is a form of cyberattack that is of particular concern for business.

Computer security researchers note (in an article in The Conversation) that “ongoing advancements in deep-learning algorithms, audio editing and engineering, and synthetic voice generation have meant that it is increasingly possible to convincingly simulate a person’s voice. Even worse, chatbots like ChatGPT are starting to generate realistic scripts with adaptive real-time responses. By combining these technologies with voice generation, a deepfake goes from being a static recording to a live, lifelike avatar that can convincingly have a phone conversation.”

And it is not theoretical – it is happening, and it is making the news.

Back in 2019, a UK-based energy company was conned out of US$243,000 when cybercriminals used AI-generated audio to mimic the voice of the company’s Germany-based CEO. The Wall Street Journal reported that the criminals called the UK company’s CEO pretending to be the CEO of the parent company, demanded an urgent wire transfer to a Hungary-based supplier, and assured the UK-based CEO of reimbursement. After the money had been transferred, it was forwarded to an account in Mexico and other locations. The criminals then made a second and third attempt, but were unsuccessful on those occasions.

Also in 2019, Empresa Municipal de Transportes de Valencia (EMT) suffered a €4 million fraud. Through the impersonation of identities via email and the execution of fake phone calls, the criminals managed to get the EMT’s director of administration to give the order to make up to eight transfers worth €4 million for a supposed acquisition in China.

A year later, Zendal Pharmaceuticals was the victim of a BIC worth €9.7 million. The criminals impersonated the company’s CEO to instruct a financial manager to make transfers for an acquisition. They also posed as professionals from KPMG to send the deceived manager the payment orders and false invoices attesting to the transactions.

Then in 2021, an even greater score grabbed the business world’s attention. US$35 million was stolen from a Hong Kong bank after the bank manager received a call and several emails from what appeared to be a company director he had spoken with before, according to Forbes. The director claimed his company was making an acquisition soon and needed a $35 million transfer to complete the process. The bank manager, recognising the man’s voice and believing everything to be legitimate, complied and sent the money. Of course, the person who called the bank manager and sent the emails was not who they said they were – they had cloned the director’s voice and hacked their email to scam millions from the bank.

Cloning a person’s voice is increasingly easy. Once a criminal downloads a short audio sample (as short as 30 seconds, and some say just five seconds), for example from a voicemail message, social media, or a recorded interview or announcement, they can use AI voice synthesising tools to create the content they need.

Currently, the focus is on deepfake audio. But an even greater threat may be yet to come.

While phone calls using deepfake audio are convincing, a video call over Zoom might be even more so. Deepfake video may not be at the point (yet) where a person can realistically impersonate someone over a video call, but it stands to reason that it may soon be.

With the threat ever-evolving, businesses need to be alert to the risks of BIC and deepfakes.

To avoid a deepfake-out:

  • Never trust an incoming call – pick up the phone and call your contact on the number you already have on file for them.
  • Use a verification measure in the discussion – have the person answer a series of questions or provide a password that only your contact would know.
  • Use authenticating tools that can analyse photos and videos to see if they have been altered.
  • Streamline manual processes by having strong payment controls which use sound technology.

To help protect against BIC:

  • Make sure business records and documents (hardcopy and electronic) are secure.
  • Properly destroy business records.
  • Regularly check and monitor your business’ credit report.
  • Establish data security policies.
  • Educate employees about best cybersecurity practices.
  • Do not publish sensitive business information online.
  • Keep on top of computer network security updates.
  • Leverage a zero trust model to limit access to sensitive information.
  • Be vigilant.
  • Invest in cyber insurance – talk to your EBM Account Manager about policy options.