One Question Stopped a Deepfake Scam Attempt At Ferrari
"Deepfake scams are becoming more prolific and their quality will only improve over time," writes longtime Slashdot reader smooth wombat. "However, one question can stop them dead in their tracks. Such was the case with Ferrari earlier this month when a suspicious executive saved the company from being the latest victim." From a report: It all began with a series of WhatsApp messages from someone posing as Ferrari's CEO [Benedetto Vigna]. The messages, seeking urgent help with a supposed classified acquisition, came from a different number but featured a profile picture of Vigna standing in front of the Ferrari emblem. As reported by Bloomberg, one of the messages read: "Hey, did you hear about the big acquisition we're planning? I could need your help." The scammer continued, "Be ready to sign the Non-Disclosure Agreement our lawyer will send you ASAP." The message concluded with a sense of urgency: "Italy's market regulator and Milan stock exchange have already been informed. Maintain utmost discretion."
Following the text messages, the executive received a phone call featuring a convincing impersonation of Vigna's voice, complete with the CEO's signature southern Italian accent. The caller claimed to be using a different number due to the sensitive nature of the matter and then requested the executive execute an "unspecified currency hedge transaction." The oddball money request, coupled with some "slight mechanical intonations" during the call, raised red flags for the Ferrari executive. He retorted, "Sorry, Benedetto, but I need to verify your identity," and quizzed the CEO on a book he had recommended days earlier. Unsurprisingly, the impersonator flubbed the answer and ended the call in a hurry.
If the voice modificator malfunctioned.. (Score:1)
If the voice modificator malfunctioned, I am sure you could have heard a thick Russian accent.
Re:If the voice modificator malfunctioned.. (Score:4, Funny)
If the voice modificator malfunctioned, I am sure you could have heard a thick Russian accent.
I think their mistake was the scammer not making their request in the form of a song. If I've learned anything from Disney films, it's that asking for money is the perfect song cue.
Re:If the voice modificator malfunctioned.. (Score:5, Funny)
If the voice modificator malfunctioned, I am sure you could have heard a thick Russian accent.
I think their mistake was the scammer not making their request in the form of a song. If I've learned anything from Disney films, it's that asking for money is the perfect song cue.
Daisy, Daisy, give me your money, do.
I'm no scammer. I really work with you.
It won't be a big transaction —
this acquisition action —
then my Ferrari will run over your bicycle built for two.
Re:If the voice modificator malfunctioned.. (Score:5, Funny)
If the voice modificator malfunctioned, I am sure you could have heard a thick Russian accent.
Excuse me, I'm looking for the nuclear wessels!
Re:Excuse me, I'm looking for nuclear wessels! (Score:3, Funny)
Gawwd that was a funny scene. [youtube.com]
The cop is probably thinking, "Which 3 letter agency do I report this to? All? The log is gonna be a lot of paper work."
Re: (Score:2)
"Now fire ze missiles!" Sorry, that was faux French accent...
Ferrari does corp financial transactions by text (Score:1)
Does that mean security procedures are only for the "little people"?
Re: Security is only for plebs? (Score:2)
Yip! The security people at multiple orgs I worked at often granted exceptions to the rules to bigwigs because they sign their paycheck.
Re: (Score:1)
Touché
Re: (Score:2)
And probably did it just for fun or to mess with the scammers, because as a higher executive he would know that a company like Ferrari doesn't do business this way. E.g. "Milan stock exchange have already been informed. Maintain utmost discretion." is an oxymoron: you don't inform the exchange itself (they don't care one bit), you inform your shareholders (aka the information is completely public). And deals like this never come out of nowhere; they are the results of hours upon hours of executive meetings.
Re: (Score:2)
Which is why so many corporations now mandate security training, with exactly this sort of scenario included. It feels funny being on the bottom rung and being told how to not fall for a fake CEO calling you...
Like all scams, they usually don't work. You only need it to work once. Most corporations wouldn't work with such an ad-hoc scheme. However I think some disorganized smaller companies might, especially startups led by twenty-somethings who think that major payments made via phone or company reorgs d
Re: (Score:2)
Well, it is why it's a scam. You try to find someone gullible who will fall for it without double checking that it's valid. The scammer can have 99 failures then one success and get the big payoff.
Maybe we need to go back to codebooks? (Score:3)
Maybe we need to go back to one time pads, or even codebooks. For example, the Star Trek episode "Whom Gods Destroy" comes to mind. This way, if a CEO asks someone to do an action, and they don't get the answer to "Queen to queen level three", then the finance guy isn't buying 100 gift cards and sending them to an address in Lower Elbonia.
I know this can be automated... perhaps an app where two people in the same company can use it as a secondary channel to create shared secrets, perhaps using something as simple as Dinopass so if someone wants to validate Alice is Alice, they can just ask Alice for their passphrase, and if Alice doesn't give "lazynose38" or another password, then the Alice on the other end is a (deep)fake, and there needs to be a procedure to validate Alice further or just end the transaction.
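The commenter's secondary-channel app can be built on a pre-shared secret, but a fixed passphrase such as "lazynose38" is replayable once overheard. The following added example (not code from the thread or from Ferrari) shows a challenge-response variant: the verifier reads a fresh nonce to the caller, the caller's copy of the app derives a six-digit code from HMAC over the shared secret and the nonce, and the verifier checks it with single-use nonces and a short expiry. The secret, code length, and TTL are constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example secret: provisioned once over a trusted channel (e.g. in person),
# never disclosed over the channel being verified. Not a real credential.
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"
CODE_DIGITS = 6              # short enough to read aloud on a call
CHALLENGE_TTL_SECONDS = 120  # a challenge is only good for two minutes


def response_code(secret: bytes, nonce: str, issued_at: int) -> str:
    """Prover side: derive the spoken code from the shared secret and the challenge.

    Because the nonce is fresh per call, a code overheard on one call is useless on
    the next, which a static passphrase cannot guarantee.
    """
    msg = f"{nonce}:{issued_at}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    number = int.from_bytes(digest[:4], "big") % (10 ** CODE_DIGITS)
    return f"{number:0{CODE_DIGITS}d}"


class Verifier:
    """Verifier side: hands out challenges and checks the code the caller reads back."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now            # injectable clock so expiry is testable
        self.used_nonces = set()  # replay protection: each challenge is single-use

    def issue(self) -> dict:
        """Generate a fresh challenge; the verifier reads the nonce to the caller."""
        return {"nonce": secrets.token_hex(4), "issued_at": int(self.now())}

    def check(self, challenge: dict, spoken_code: str) -> tuple:
        nonce, issued_at = challenge["nonce"], challenge["issued_at"]
        if nonce in self.used_nonces:
            return False, "replayed challenge"
        if self.now() - issued_at > CHALLENGE_TTL_SECONDS:
            return False, "challenge expired"
        # A challenge is consumed on first use, right or wrong, so nobody can keep
        # guessing against the same nonce.
        self.used_nonces.add(nonce)
        expected = response_code(self.secret, nonce, issued_at)
        if not hmac.compare_digest(expected, spoken_code):
            return False, "wrong code"
        return True, "verified"


if __name__ == "__main__":
    verifier = Verifier(SHARED_SECRET)
    challenge = verifier.issue()
    # The genuine colleague computes the code in their copy of the app and reads it out.
    print(verifier.check(challenge, response_code(SHARED_SECRET, **challenge)))
    # Reusing the same challenge is refused, so an overheard code cannot be replayed.
    print(verifier.check(challenge, response_code(SHARED_SECRET, **challenge)))
```

The HMAC truncation to six digits keeps the code speakable; the single-use nonce and two-minute window limit what an attacker gains from guessing or from recording one call. The secret itself still has to be enrolled face to face, which is exactly the trusted channel the thread keeps coming back to.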
Re:Maybe we need to go back to codebooks? (Score:5, Insightful)
I prefer working in an office small enough that the boss wouldn't bother texting, or even phoning, to send money to someone. He'd walk down the hall and talk to the accounting person face to face. And we all know it.
Re: (Score:2)
Or if he does text, I'd stick my head in his office and go "huh?" At least that would validate things via a good channel.
Digressing, some of the best places I worked at were the small businesses where people knew each other and had some sort of bond/respect.
Re: (Score:2)
Or if he does text, I'd stick my head in his office and go "huh?" At least that would validate things via a good channel.
Yeah, that, too, since we all know the boss and how he does things pretty well. Not that we don't get scammers trying, mind you. But we can always use a good laugh.
Digressing, some of the best places I worked at were the small businesses where people knew each other and had some sort of bond/respect.
Some of the very best, and very worst, places to work are small businesses. (Though we're not really a small business these days, but the corporate office runs pretty lean, so it still has many of the advantages of one.)
Re:Maybe we need to go back to codebooks? (Score:5, Informative)
He'd walk down the hall ...
At least this CEO spent sufficient time with underlings for them to recognize the "oddball money request" and know his background activities ("a book he had recommended") to bring into the conversation.
Obviously, a more distant relationship and more authoritarian culture would result in the executive blindly following orders. In that case, the GP is correct, a passphrase or OTP applet is needed for confirmation of acquisitions/disposals and transfers.
Re: (Score:2)
All very true. But my preference remains where it is. I spent a lot of years looking for a job I like, and I'm going to retire from it.
Re: (Score:2)
Warm and sunny, like most days in southern California. Jealous?
Re: (Score:2)
No idea, having never worked in such an office. Nor do I have any desire to find out.
Re: (Score:3)
The problem really is that large companies have too many "layers" of people, many of whom are just there for a paycheck and lack creative thinking skills.
The way to confirm anything: always call the person they claim to be back on their regular number to confirm before any passwords or money are exchanged.
This should be drilled into everyone who has ever called customer service. "We will never call you unless you have called us first."
This is also why I miss all the phone calls from "the bank", "the postal
Re: (Score:2)
You obviously live in a very different culture to me. The postal courier calls to check that I'm in after making the previous delivery: if I don't pick up then they'll just mark me down as "not at home" and move on to the next package. The bank does actually leave a voice message, although if I try to phone back I can't get through the verification because the voice recognition for the nth letter in my password isn't good enough. The government is a mixed bag: I've had some civil servants leave voice messag
Re: (Score:2)
Does their number show up as "the postal courier"?
Because I get tons of calls/texts from similar and they are clearly scams.
Star Trek has shown us the way (Score:3, Interesting)
"Queen to Queen's Level 3"
- Scotty, in "Whom Gods Destroy", the original series.
Just great (Score:1)
Benedetto, but I need to verify your identity," and quizzed the CEO on a book he had recommended days earlier. Unsurprisingly, the impersonator flubbed the answer and ended the call in a hurry.
Now we'll all have to start reading books to protect ourselves. On the upside, Trump impersonations will go unchallenged. :-)
Ha. (Score:3)
I bet they were pretending to buy Ford...
Whatsapp. And from an unknown number (Score:1)
probably that should have been the red flag already
The call itself should have been the red flag (Score:3)
It shouldn't have taken oddness in the voice to be a red flag. The call itself should've triggered identity verification as an automatic response. Even if it'd come from the right number, you always verify the identity of the caller. Always. And the NDA should've elicited a call to the CEO to confirm it.
Re:The call itself should have been the red flag (Score:4, Informative)
And the NDA should've elicited a call to the CEO to confirm it.
The one you're already talking to?
The reality is trust is something that happens on a sliding scale. When doing something critical it often happens over different communication channels. A different number is also not necessarily a red flag. Numbers can change, and I myself have multiple in my company.
What is a red flag is the number of concurrent issues that seem to be presented. This is the correct way of going about it.
Even if it'd come from the right number, you always verify the identity of the caller. Always.
No, I don't answer every single call with a security question. Again trust is a sliding scale. Now if you were to say that you always verify the identity of a caller when executing a requested transaction above the value $X then I'd be with you.
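The two positions in this exchange (verify on every call versus verify above some value $X or when the evidence is piling up) can be written down as a payment-approval rule. The following is an added example, not code from either commenter: it counts independent red flags on a request, treats an unspecified amount as unbounded, and requires a call-back on a directory number when the amount exceeds the threshold or when at least two flags coincide. The threshold, flag count, channel names, and the sample request modelled on the story are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy values: the commenter's "$X" and how many concurrent oddities count as
# evidence "piling up". Real values belong in the finance team's approval policy.
VERIFY_ABOVE_AMOUNT = 50_000.0
VERIFY_AT_FLAG_COUNT = 2
TRUSTED_CHANNELS = {"desk_phone", "corporate_email", "in_person"}


@dataclass
class PaymentRequest:
    requester: str
    channel: str                      # channel the request arrived on
    sender_known: bool                # number or address matches the corporate directory
    amount: Optional[float]           # None when the request never states an amount
    urgent: bool = False              # "ASAP", "be ready to sign"
    secrecy_demanded: bool = False    # "maintain utmost discretion"
    unusual_instrument: bool = False  # a transaction type this requester never asks for


def red_flags(req: PaymentRequest) -> List[str]:
    """Each independent oddity is one flag; none of them alone is conclusive."""
    flags = []
    if not req.sender_known:
        flags.append("contact details do not match the directory")
    if req.channel not in TRUSTED_CHANNELS:
        flags.append(f"request arrived over non-corporate channel: {req.channel}")
    if req.urgent:
        flags.append("artificial urgency")
    if req.secrecy_demanded:
        flags.append("secrecy demanded, which discourages normal checks")
    if req.unusual_instrument:
        flags.append("transaction type is unusual for this requester")
    return flags


def needs_out_of_band_verification(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Decide whether the approver must call the requester back on a known number."""
    flags = red_flags(req)
    reasons = list(flags)
    # An unspecified amount cannot be bounded, so it is treated as above the threshold.
    over_threshold = req.amount is None or req.amount > VERIFY_ABOVE_AMOUNT
    if over_threshold:
        reasons.append("amount unspecified" if req.amount is None
                       else f"amount {req.amount:,.2f} exceeds {VERIFY_ABOVE_AMOUNT:,.2f}")
    required = over_threshold or len(flags) >= VERIFY_AT_FLAG_COUNT
    return required, reasons


# Constructed sample request modelled on the pattern described in the story.
CEO_IMPERSONATION = PaymentRequest(
    requester="CEO", channel="whatsapp", sender_known=False, amount=None,
    urgent=True, secrecy_demanded=True, unusual_instrument=True,
)
# Constructed routine request that should sail through without a call-back.
ROUTINE_INVOICE = PaymentRequest(
    requester="AP clerk", channel="corporate_email", sender_known=True, amount=1_200.0,
)

if __name__ == "__main__":
    for req in (CEO_IMPERSONATION, ROUTINE_INVOICE):
        verify, why = needs_out_of_band_verification(req)
        print(req.requester, "->", "call back first" if verify else "proceed", why)
```

The rule deliberately fires on flag count alone, so a small-value request arriving from an unknown number with a secrecy instruction still gets a call-back, while a large request from a known desk phone is verified purely on amount. The reasons list is what an approver would record when they say "I'm just going to look into this, can I call you back?".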
Re: (Score:3)
"Okay, I'm just going to look into this, can I call you back?"
And when you call the CEO on his office / mobile and he knows NOTHING about it... done.
Re: (Score:2)
"Okay, I'm just going to look into this, can I call you back?"
And when you call the CEO on his office / mobile and he knows NOTHING about it... done.
Again that sounds like a great inefficiency if you do that *for every call*. You don't always need to verify the identity of a caller. You only need to do it for truly important shit, or in cases where evidence of fraud is piling up.
Re: (Score:2)
Er... no... you do it for everything that you cannot verify or are even vaguely suspicious of, even if that's every single transaction, especially in these cases where they state it's for some obscure legal reason.
Anything else trains your staff to take risks, and leaves you open to attack.
Sorry, but I've never worked anywhere near an accounts department that would hesitate for even one second to block a transaction until they'd spoken to the required approver in person.
Re: (Score:2)
No, I don't answer every single call with a security question.
I don't answer any calls from any numbers I don't know, and I rarely answer calls from numbers I _do_ know. They'd better leave a good voicemail, and I'll get back to them through established channels (bank - go to the site and go through it or the number listed there; boss - chat+email+cell; family - text or email or cell; etc.).
That doesn't fully answer the "how to verify" question, but I never would have picked up that WhatsApp call from an unknown number to begin with!
line 1 is classic phishing script (Score:1)
"Hey, did you hear about the big acquisition we're planning? I could need your help"
should have known right there
Doesnâ(TM)t need deepfakes (Score:2)
Red flags everywhere (Score:2)
The fact that it got this far is a testament to how gullible the people involved were.
This has the typical signature of a scam at every step of the way.