Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security AI

One Question Stopped a Deepfake Scam Attempt At Ferrari 43

"Deepfake scams are becoming more prolific and their quality will only improve over time," writes longtime Slashdot reader smooth wombat. "However, one question can stop them dead in their tracks. Such was the case with Ferrari earlier this month when a suspicious executive saved the company from being the latest victim." From a report: It all began with a series of WhatsApp messages from someone posing as Ferrari's CEO [Benedetto Vigna]. The messages, seeking urgent help with a supposed classified acquisition, came from a different number but featured a profile picture of Vigna standing in front of the Ferrari emblem. As reported by Bloomberg, one of the messages read: "Hey, did you hear about the big acquisition we're planning? I could need your help." The scammer continued, "Be ready to sign the Non-Disclosure Agreement our lawyer will send you ASAP." The message concluded with a sense of urgency: "Italy's market regulator and Milan stock exchange have already been informed. Maintain utmost discretion."

Following the text messages, the executive received a phone call featuring a convincing impersonation of Vigna's voice, complete with the CEO's signature southern Italian accent. The caller claimed to be using a different number due to the sensitive nature of the matter and then requested the executive execute an "unspecified currency hedge transaction." The oddball money request, coupled with some "slight mechanical intonations" during the call, raised red flags for the Ferrari executive. He retorted, "Sorry, Benedetto, but I need to verify your identity," and quizzed the CEO on a book he had recommended days earlier. Unsurprisingly, the impersonator flubbed the answer and ended the call in a hurry.
This discussion has been archived. No new comments can be posted.

One Question Stopped a Deepfake Scam Attempt At Ferrari

Comments Filter:
  • If the voice modificator malfunctioned, I am sure you could have heard a thick Russian accent.

  • Does that mean security procedures are only for the "little people"?

    • Yip! The security people at multiple orgs I worked at often granted exceptions to the rules to bigwigs because they sign their paycheck.

    • Well, it is why it's a scam. You try to find someone gullible who will fall for it without double checking that it's valid. The scammer can have 99 failures then one success q1and get the big payoff.

  • by ctilsie242 ( 4841247 ) on Monday July 29, 2024 @05:36PM (#64665286)

    Maybe we need to go back to one time pads, or even codebooks. For example, the Star Trek episode "Whom Gods Destroy" comes to mind. This way, if a CEO asks someone to do an action, and they don't get the answer to "Queen to queen level three", then the finance guy isn't buying 100 gift cards and sending them to an address in Lower Elbonia.

    I know this can be automated... perhaps an app where two people in the same company can use it as a secondary channel to create shared secrets, perhaps using something as simple as Dinopass so if someone wants to validate Alice is Alice, they can just ask Alice for their passphrase, and if Alice doesn't give "lazynose38" or another password, then the Alice on the other end is a (deep)fake, and there needs to be a procedure to validate Alice further or just end the transaction.

    • by taustin ( 171655 ) on Monday July 29, 2024 @05:46PM (#64665302) Homepage Journal

      I prefer working in an office small enough that the boss wouldn't bother texting, or even phoning, to send money to someone. He'd walk down the hall and talk to the accounting person face to face. And we all know it.

      • Or if he does text, I'd stick my head in his office and go "huh?" At least that would validate things via a good channel.

        Digressing, some of the best places I worked at were the small businesses where people knew each other and had some sort of bond/respect.

        • by taustin ( 171655 )

          Or if he does text, I'd stick my head in his office and go "huh?" At least that would validate things via a good channel.

          Yeah, that, too, since we all know the boss and how he does things pretty well. Not that we don't get scammers trying, mind you. But we can always use a good laugh.

          Digressing, some of the best places I worked at were the small businesses where people knew each other and had some sort of bond/respect.

          Some of the very best, and very worst, places to work are small businesses. (Though we're not really a small business these days, but the corporate office runs pretty lean, so it still has many of the advantages of one.)

      • by NotEmmanuelGoldstein ( 6423622 ) on Monday July 29, 2024 @06:02PM (#64665348)

        He'd walk down the hall ...

        At least this CEO spent sufficient time with underlings for them to recognize the "oddball money request" and know his background activities ("a book he had recommended") to bring into the conversation.

        Obviously, a more distant relationship and more authoritarian culture would result in the executive blindly following orders. In that case, the GP is correct, a passphrase or OTP applet is needed for confirmation of acquisitions/disposals and transfers.

        • by taustin ( 171655 )

          All very true. But my preference remains where it is. I spent a lot of years looking for a job I like, and I'm going to retire from it.

    • by Kisai ( 213879 )

      The problem really is that large companies have too many "layers" of people, many whom are just there for a paycheck and lack creative thinking skills.

      The way to confirm anything. Always call the person who they claim to be back on their regular number to confirm before any passwords or money are exchanged.

      This should be drilled into everyone who has ever called customer service. "We will never call you unless you have called us first."

      This is also why I miss all the phone calls from "the bank", "the postal

      • by pjt33 ( 739471 )

        You obviously live in a very different culture to me. The postal courier calls to check that I'm in after making the previous delivery: if I don't pick up then they'll just mark me down as "not at home" and move on to the next package. The bank does actually leave a voice message, although if I try to phone back I can't get through the verification because the voice recognition for the nth letter in my password isn't good enough. The government is a mixed bag: I've had some civil servants leave voice messag

        • by AvitarX ( 172628 )

          Does their number show up as "the postal courier"?

          Because I get tons of calls/texts from similar and they are clearly scams.

  • by Grokko ( 193875 ) on Monday July 29, 2024 @06:11PM (#64665362)

    "Queen to Queen's Level 3"
                - Scotty, in "Whom Gods Destroy", the original series.

  • Benedetto, but I need to verify your identity," and quizzed the CEO on a book he had recommended days earlier. Unsurprisingly, the impersonator flubbed the answer and ended the call in a hurry.

    Now we'll all have to start reading books to protect ourselves. On the upside, Trump impersonations will go unchallenged. :-)

  • by usedtobestine ( 7476084 ) on Monday July 29, 2024 @07:03PM (#64665440)

    I bet they were pretending to buy Ford...

  • probably that should have been the red flag already

  • It shouldn't have taken oddness in the voice to be a red flag. The call itself should've triggered identity verification as an automatic response. Even if it'd come from the right number, you always verify the identity of the caller. Always. And the NDA should've elicited a call to the CEO to confirm it.

    • by thegarbz ( 1787294 ) on Tuesday July 30, 2024 @02:21AM (#64665988)

      And the NDA should've elicited a call to the CEO to confirm it.

      The one you're already talking to?

      The reality is trust is something that happens on a sliding scale. When doing something critical it often happens over different communication channels. A different number is also not necessarily a red flag. Numbers can change, and I myself have multiple in my company.

      What is a red flag is the number of concurrent issues that seem to be presented. This is the correct way of going about it.

      Even if it'd come from the right number, you always verify the identity of the caller. Always.

      No, I don't answer every single call with a security question. Again trust is a sliding scale. Now if you were to say that you always verify the identity of a caller when executing a requested transaction above the value $X then I'd be with you.

      • by ledow ( 319597 )

        "Okay, I'm just going to look into this, can I call you back?"

        And when you call the CEO on his office / mobile and he knows NOTHING about it... done.

        • "Okay, I'm just going to look into this, can I call you back?"

          And when you call the CEO on his office / mobile and he knows NOTHING about it... done.

          Again that sounds like a great inefficiency if you do that *for every call*. You don't always need to verify the identity of a caller. You only need to do it for truly important shit, or in cases where evidence of fraud is piling up.

          • by ledow ( 319597 )

            Er... no... you do it for everything that you cannot verify or are even vaguely suspicious of, even if that's every single transaction, especially in these cases where they state it's for some obscure legal reason.

            Anything else trains your staff to take risks, and leaves you open to attack.

            Sorry, but I've never worked anywhere near an accounts department that would hesitate for even one second to block a transaction until they'd spoken to the required approver in person.

      • by unrtst ( 777550 )

        No, I don't answer every single call with a security question.

        I don't answer any calls from any numbers I don't know, and I rarely answer calls from number I _do_ know. They'd better leave a good voicemail, and I'll get back to them through established channels (bank - go to site and go through it or the number listed there; boss - chat+email+cell; family - text or email or cell; etc..).

        That doesn't fully answer the "how to verify" question, but I never would have picked up that WhatsApp call from an unknown number to begin with!

  • âoeHey, did you hear about the big acquisition weâ(TM)re planning? I could need your helpâ

    should have known right there

  • A relative got a call like that from the company's boss. He was one of four in the company capable of making payments. He called the other three who had received the same call then managed to get his boss.
  • One question stopped a Deepfake Scam !!!!!!
    The fact that it got this far, is a testament on how gullible the people involved were.
    This has the typical signature of a scam at every step of the way.

Keep up the good work! But please don't ask me to help.

Working...