At the security conference "Financial Security: Who can you trust?", Executive Vice President Kjerstin Braathen revealed that DNB was recently exposed to a cunning deepfake attack.
-- Last Tuesday, I was sitting in a corporate management meeting when I was shown a replay of a Teams meeting. The meeting looked completely legitimate -- it was my colleagues, some external representatives and myself who were talking about our overall strategy, Braathen says.
Then came part two of the meeting, where Braathen did not participate. CFO Ida Lerner came in and presented a fantastic opportunity related to DNB's strategy. She explained it and asked the team to carry out a transaction.
-- Everything seemed credible -- the voices were recognizable, the appearance was recognizable, says Braathen, before adding:
-- The only thing that stood out was that I was wearing summer clothes in November. Of course, it wasn't me. Neither I nor our CFO participated in this meeting. It was a complete deepfake.
WhatsApp contact before meeting
External actors had targeted the DNB offices in Singapore and London.
On Tuesday, January 21, the managers at DNB's Singapore office received a suspicious message from CFO Lerner on WhatsApp. At the same time, other managers at DNB's international offices received messages from Lerner and CEO Braathen with similar content.
The message invited both top managers to a meeting in connection with a project to launch a "new and exciting product."
Opportunity to learn
The meeting was held two days later, on Thursday, January 23.
The manager in Singapore reported the suspicious message to DNB's security department, in accordance with DNB's procedures. They saw clear signs that this was an attempted fraud, a so-called "CEO fraud."
It was decided to continue with the Teams meeting to learn more about the methods the scammers planned to use.
The Teams meeting was attended by several internal and external stakeholders. It took some time for "Lerner" to connect, but when she did, she came in with instructions and asked DNB to transfer several million Singapore dollars to complete the trade - which was supposed to be a unique investment opportunity for DNB.
Despite some breaks in the line, the recording seems credible and as seamless as can be expected on a slightly choppy line over long distances, DNB believes. The audio is complete with Lerner's voice and recognizable English accent from her time at the major British bank HSBC.
Retrieved videos from the web
-- This was a learning experience for us, and it shows how good they have become. Deepfake attacks are developing rapidly, and we need to be prepared, says Braathen.
When DNB reviewed the videos of Lerner and Braathen, they saw that both the audio and the image were taken from actual recordings available online, which the scammers let run on a loop.
-- We've heard talk of this type of deepfake fraud before, but this is the first time we've seen it in a live meeting format, and it was not possible to distinguish from the audio quality whether this was real or not. Anyone who has worked from home knows that there can be small delays on the line, so you may not be surprised right away, says Torgeir von Essen, Chief Security Officer at DNB, to BankShift.
Easily accessible tools
Von Essen tells BankShift that he happened to be well prepared for this type of fraud when it happened. Three months ago, he was at a seminar where a large security company had conducted a test with deepfake technology.
-- They used it in a meeting with the corporate management, where one of the participants turned out to be a deepfake. The point was to test how well this could work, and the reality is that such tools are readily available. Some are available for free, others can be purchased for a small fee. It takes very little in terms of both sound and image to create a convincing deepfake, he says.
Von Essen points out that Braathen knew something was wrong because she remembered that she had not been wearing summer clothes, but that you have to react very quickly to capture such details. Another red flag for DNB was that Braathen and Lerner contacted each other via WhatsApp.
-- Have you considered the risk that sharing this could lead to the fraudsters using the information about how they were exposed to improve themselves?
-- This toolbox is already available to the criminals, and we gain more by being open about these incidents than by holding them back. We also believe that we get a lot in return from other actors when we share our knowledge, von Essen replies.
No Norwegian actor
The Security Director says that DNB is still in the process of analyzing all data from this case to find out which threat actor they have been facing.
-- When we analyze this case, we see that it is a relatively advanced actor that has set up a live meeting in this way and adapted the interaction along the way. There are some details that reveal errors, but this is not a Norwegian actor. We are continuing to work on identifying who is behind it.
Von Essen also says that it was only when they were shown payment instructions on the screen that they chose to break off contact.
-- Whether there has been further contact from them since, I cannot answer categorically. It is possible that they have tried to reach us again, but this happened so recently that we have been fully focused on analyzing and sharing the information.
Who can you trust?
-- Who can you really trust? When you talk to the bank, the authorities or the police -- how can you be sure it's actually them? asks von Essen.
He believes this problem has clear parallels to fraud cases where someone calls and pretends to be from the bank or the police to manipulate victims into making certain choices, so-called secure account fraud cases.
Von Essen does not believe in keeping leaders away from the media to reduce the risk of their voices being misused for deepfake fraud.
-- I do not think that is the solution. This will be a race with the criminals, where we constantly have to stay up to date on their methods. They are using the entire toolbox that is available, and we must do the same to protect ourselves, he states.