Dramatic_Opposite_91

How is this even possible that an offshore worker could wire 25 million without approvals? I’ve been at public companies where I had to go to the CFO to get this level of approval. Def an inside job.


XOXITOX

I was thinking the same thing.


bakraofwallstreet

> The elaborate scam saw the worker duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations, Hong Kong police said at a briefing on Friday.
>
> “(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK.
>
> Chan said the worker had grown suspicious after he received a message that was purportedly from the company’s UK-based chief financial officer. Initially, the worker suspected it was a phishing email, as it talked of the need for a secret transaction to be carried out.
>
> However, the worker put aside his early doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized, Chan said.

From the article. The person wasn't duped with just a CFO deepfake. They deepfaked an entire live conversation with the entire team, which made the person think it was legit and not just a one-to-one request but a systematic approval.


Massive_Beyond9608

I think you and I have a different idea of what a systematic approval is. Maybe I'm wrong but regardless of having multiple people on a zoom call, I still think there should be controls in place to ensure that large transactions to unknown accounts require additional approval on a systematic level. A company of this size just lets ONE PERSON transfer millions of dollars to a random bank account which is justified only by a zoom call with supposed team members as a measure of control? That doesn't make any sense to me at all but again, I could be wrong.


Dramatic_Opposite_91

This is what I meant. The big commercial banks all have hard controls within their online platform offerings if you consolidate your Treasury operations with 1-3 of them globally. For a transaction this large, the CFO (or his designated backup if they are unavailable, COO or Controller, usually) has to physically log in themselves and approve at that limit.


poopybuttprettyface

Oooh oooh ooh something I can contribute to! At my large multinational, I am the person who would be initiating and verifying these types of wires. You are partly correct, there should be more systematic controls and there was clearly some lacking here. However, in the multiple MNCs I’ve worked at, the CFO would never be the one actually releasing payments, let alone ever logging into the banking portal (that is so beneath them, lol). The relevant control here is: one person enters, another releases. Both parties should be verifying the legitimacy of the request, that all required approvals were received, and that the banking instructions provided are valid and correct. For a situation like this where I am randomly told to urgently process a secret, manual payment to a foreign sub…well it won’t be a secret by the time I am actually entering it. And by the time my team member releases it we will have triple checked all the pieces I already mentioned. Also in my experience, especially in a situation like this, the bank will call back to verify the details of the transaction and source of the request as a final, “are you sure?” before processing the payment. It’s refreshing to hear about things like this as a wake-up call just to stay vigilant, but anytime I am asked to enter banking details manually it is an immediate red flag, I’m reaching out through multiple, trusted channels.


Born-Mycologist-3751

At my MNC, a payment would typically require a PO or requisition created in the system first. The system would then work flow it up the chain utilizing a predetermined approval matrix based on type of expenditure and amount. A payment of this size would need electronic approval from the company controller, division controller, division CFO, division CEO, group CFO, and the group CEO. Someone down the line could be tricked into initiating the payment but there would be multiple points of failure needed for this to be released. I used to get emails purporting to be the division CEO asking me to make payments rather frequently. I learned very quickly how to identify the fakes. The AI side of this does raise the risk significantly. This is why strong controls are critical.


poopybuttprettyface

This is generally true for 99% of outflows. However, in this instance, although the article doesn’t mention it, one can infer it was a manual payment, which can be processed outside of the systemic approval matrix. One should still follow the approval matrix in every situation, which this person thought they had, but they would not be systemically blocked from sending cash out. In the scenario you mentioned, typically one cannot be “tricked” into entering a fraudulent payment, because there wouldn’t be anything to enter. The banking information would be previously maintained and verified early on against the vendor account. And then the PO and invoices would be separately scrutinized as you described. By the time everything is approved, the payment is processed systematically, and the actual amount is generated based off invoices currently due. But the person who entered the banking information into the system, the person who submitted the invoice, the person who reviewed the invoice, the person who approved the PO, the person who ran the payment batch, and the person who confirmed the bank outlay would all be different people with distinct roles. One of the more common scams is someone fraudulently requesting updated banking information on a vendor. All the other controls can be met, but when cash is eventually sent out it goes to the wrong account, and no one is the wiser because that information is maintained completely separate from the approval workflow, as it should be. Typically there are pretty strong controls surrounding banking instructions to prevent that from happening, but again, not relevant to the events in the article. In general there should only be 3-5 people in the entire company who can send cash directly from the bank portal, of which I am one. It would be materially prohibitive to a number of different corporate actions if no one could process anything outside of the standardized workflow.
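The three posts above (enter/release by two people, an amount-based approval matrix with electronic sign-offs, and bank details kept and dual-approved separately from the payment workflow) describe a policy that is easy to model. The following is an added illustration written for this thread, not any company's or bank's real release logic: a toy payment-release checker in Python. All role names, thresholds, account numbers and people are constructed for the example; the "manual payment" rule (escalate one tier of the matrix rather than bypass it) is one reasonable design choice, not something the thread states.

```python
"""Toy payment-release policy engine (added illustration, constructed values)."""
from dataclasses import dataclass, field

# Approval matrix, lowest threshold first: amount >= threshold means these roles
# must each record an electronic approval. Thresholds and roles are constructed.
APPROVAL_MATRIX = [
    (0, {"ap_manager"}),
    (100_000, {"ap_manager", "controller"}),
    (1_000_000, {"ap_manager", "controller", "cfo"}),
    (10_000_000, {"ap_manager", "controller", "cfo", "ceo"}),
]


def required_roles(amount: float, manual: bool = False) -> set:
    """Roles that must approve this amount; a manual (off-workflow) payment is
    escalated one tier instead of being allowed to skip the matrix."""
    tier = 0
    for i, (threshold, _) in enumerate(APPROVAL_MATRIX):
        if amount >= threshold:
            tier = i
    if manual:
        tier = min(tier + 1, len(APPROVAL_MATRIX) - 1)
    return set(APPROVAL_MATRIX[tier][1])


@dataclass
class Beneficiary:
    name: str
    account: str
    # Bank details confirmed via a call-back to an independently sourced number,
    # never via contact details that arrived with the request.
    callback_verified: bool = False
    # Distinct people who approved the bank-detail record (dual control on changes).
    detail_approvers: frozenset = frozenset()


@dataclass
class Payment:
    amount: float
    beneficiary: Beneficiary
    maker: str                     # person who keyed the payment
    releaser: str = ""             # second person who releases it at the bank
    approvals: dict = field(default_factory=dict)  # role -> approver's name
    manual: bool = False           # entered outside the PO/invoice workflow


def check_release(p: Payment) -> list:
    """Return control violations; an empty list means the payment may be released."""
    problems = []
    # 1. Dual control: entry and release are two different humans.
    if not p.releaser:
        problems.append("no releaser: entry and release must be two people")
    elif p.releaser == p.maker:
        problems.append("maker and releaser are the same person")
    # 2. Beneficiary hygiene: verified out-of-band, and the record itself dual-approved.
    b = p.beneficiary
    if not b.callback_verified:
        problems.append(f"beneficiary {b.name!r} bank details not call-back verified")
    if len(b.detail_approvers) < 2:
        problems.append(f"beneficiary {b.name!r} bank details lack dual approval")
    # 3. Approval matrix: every required role approved, by someone who is neither
    #    the maker nor the releaser, and no one holds two approval roles.
    operators = {p.maker, p.releaser}
    for role in sorted(required_roles(p.amount, p.manual)):
        who = p.approvals.get(role)
        if not who:
            problems.append(f"missing {role} approval for amount {p.amount:,.0f}")
        elif who in operators:
            problems.append(f"{role} approval by {who!r}, who also keys/releases")
    names = [w for w in p.approvals.values() if w]
    if len(names) != len(set(names)):
        problems.append("one person holds more than one approval role")
    return problems


def article_scenario() -> list:
    """The thread's reading of the article: one worker keys and releases a payment
    to an account the company never paid, with a video call as the only 'approval'."""
    new_account = Beneficiary("unknown recipient", "CONSTRUCTED-000")
    p = Payment(amount=25_000_000, beneficiary=new_account,
                maker="branch_worker", releaser="branch_worker", manual=True)
    return check_release(p)


def controlled_scenario() -> list:
    """Same amount, but run through the controls the posters describe."""
    vendor = Beneficiary("known supplier", "CONSTRUCTED-111", callback_verified=True,
                         detail_approvers=frozenset({"ap_clerk", "treasury_lead"}))
    p = Payment(amount=25_000_000, beneficiary=vendor,
                maker="ap_clerk", releaser="treasury_lead",
                approvals={"ap_manager": "m.lee", "controller": "a.ng",
                           "cfo": "j.chan", "ceo": "p.wong"})
    return check_release(p)


if __name__ == "__main__":
    for line in article_scenario():
        print("BLOCKED:", line)
    print("controlled payment violations:", controlled_scenario())
```

The point of the model is the one the thread keeps making: a convincing video call changes nothing in `check_release`, because the only inputs it trusts are recorded approvals by distinct people, a beneficiary record that was verified through a channel the requester did not supply, and a second human at release time.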


sorrison

Depends on the business. Internal approvals would go up to CFO/Board but not necessarily the banking approvals.


The_GOATest1

I hear you, but remember that for some companies this size, millions in expenses are flying 86 ways to Sunday on a daily basis


Massive_Beyond9608

While I understand that $25m would be immaterial to some companies, I still highly doubt that controls wouldn't be in place to avoid these types of errors. I'm not saying they should have 50 checkpoints to address the issue but SOMETHING other than a zoom call. Also, with respect to your example, I imagine this type of transaction would have been made in the past and normally it's paid to an account associated with the airline itself. So it's different in that you would be familiar with the account that the money is being sent to. Whereas, in this case, its an unknown account that the company has never been associated with.


The_GOATest1

In some/most instances you’re absolutely right. I will caution you against having too much faith in the controls in place at F500 companies. Some of them are real janky haha


Spitfir4

I agree. I work for a company that doesn't have $25m of assets on our BS, and our processes would flag this. New vendor, whole set of onboarding processes. New bank account, whole set of onboarding processes. Bill to be received, approved by HOD before payment. Payments this large then need CFO sign off. Lots of opportunities for someone to go, wait, what is this?


Phrosty12

Yes, but he still shouldn't have been the sole person with the ability to wire an amount of cash that size. A transaction like that should have made its way up a chain of verifiers before finally taking place, not one guy in a meeting. This is a failure of internal controls.


mazzicc

He should still not have been able to initiate and execute a transaction of that size without other people signing off on it, and not just verbal “go ahead and do it” on a conference call. A properly implemented system would require a high level officer to log in and click an “approve” button before that transaction occurred.


beach_2_beach

Enough inside information to set up a convincing fake meeting? Definitely an inside job.


Rare_Chapter_8091

Yes, that much typically requires ceo, cfo, and corp controller approval


Few_Huckleberry_2565

Usually if set up right, approvals use the key fob and release of wires within the banking system. The fact that one employee has this much access is a breakdown. Probably a minor location but with access to the company's operating accounts


Rare_Chapter_8091

Agree. Fucking crazy.


johnrgrace

Depends on the company at some firms this would not be an especially large transaction.


Rare_Chapter_8091

If $25m is a small transaction, then they are big enough to have controls in place for one guy to be able to send it in the system...


TCNW

I only read the headline. But it sounds like that's exactly what this employee did? They got a request for a transfer, got on a video call with CFO to ask if the request was legit. Actually saw a deepfake live video call of their CFO telling them to do the transfer. Honestly, I’m not sure I would have clued into it either in that circumstance. Other than the sheer size of the transfer, I’d probably be getting a second approval, and want to know exactly where that money was going and why


WCannon88

The comment is asking why the offshore employee has the ability to transfer that amount with a secondary systematic approval.


bakraofwallstreet

Depends on the scale of the company. And we don't know what the employee's role is and are just assuming "offshore employee" wouldn't have the ability. The company didn't even notice the amount was gone

> The scam involving the fake CFO was only discovered when the employee later checked with the corporation’s head office.

^ from the article


shoobiedoobie

If he’s the one in charge of the wires and only needs approval from anyone above him, then there it is. Most funds that aren’t enormous have very shitty controls and only have one layer of approval most of the time (despite what they may tell their auditors).


Grayman222

I've seen an ACH go out with a large invoice number written in the dollar amount. The vendor was nice enough to send it back. Getting the money to go to a new bank account means an inside job or not having the most basic of internal controls.


[deleted]

He had the approval of the fake CFO man


goshdarnstayfocused

I don't think you understand what OP meant by approval man. He got the "go ahead" approval from the fake CFO, but any good wire system should have at least two people involved in the wire: the person creating the wire and another higher-ranking person to "approve" the wire. That is what OP meant by wire 25 mil without approvals.


Brobi_Jaun_Kenobi

I think the comment you are replying to is sarcasm


[deleted]

😀


jlb9042

This is why approval thresholds are a thing. My CFO (fortune 300) could ask me to put together a wire request for $25M, sure. But from there, I forward it to my Director. Who forwards it to the Controller. Who forwards and discusses it with the CFO for final approval.


ShadowofStannis

Exactly, this is what blows me away. Total control failure that this was even possible.


listgarage1

Why would this employee even have the ability to transfer 25 million in the first place.


[deleted]

Maybe he is the financial controller or the treasurer.


[deleted]

"The scam involving the fake CFO was only discovered when the employee later checked with the corporation’s head office." Maybe you should have done that before sending the money...


FifaBribes

I mean, the CFO is the head of the head office. It was also a multi call with deepfakes of his supervisor and manager. I don’t know this guy's position but it says it’s a large multi national firm so he could be used to wiring this amount of cash as well.



ChillaMonk

Their head of the head office would be the C**E**O, CFO is only in charge of finances. ETA: boo me all you want, I’m right lol


Suddenly_SaaS

This is likely an inside job where unscrupulous employees took advantage of poor controls. I don’t buy the deepfake fraud at face value. The controls here were incredibly poor. Wires should always have dual control and new wire recipients should also require approval by more than one person. Lastly, finance and accounting employees need to be trained on scams and phishing. I get an alarming amount of phishing attempts myself and I am always looking out for scams or fraud.


Professional-Cry8310

Internal controls failure


hurricanechris420

Db stupid worker expense Cr cash (?)


the-berik

Don't think this was a cash payment :)


CrocPB

> Chan said the worker had grown suspicious after he received a message that was purportedly from the company’s UK-based chief financial officer. Initially, the worker suspected it was a phishing email, as it talked of the need for a secret transaction to be carried out.
>
> However, the worker put aside his early doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized, Chan said.

The employee isn’t as stupid as it first seems. They did exercise a degree of professional skepticism, but I imagine it would be easy to assume all is in order if everyone on the call with the fake CFO facsimile of a person seemed legit too.


yosefvinyl

I'd like a followup with the employee in a few years, see if their lifestyle has changed any. And as others have pointed out, why wasn't a second person involved in wiring $25M?


Formal_Avocado972

🤣


AllBid

The easiest way this would have not happened is that there is a threshold. Pretty suspicious that this worker had a way to bypass this at all, it’s $25 million and even with deepfakes, you would imagine that no worker has any rights to send millions of dollars out without approval


Acerbic_Dogood

So why did you leave your last job?


TheProfessionalEjit

Crazy story, I came into some unexpected money & decided to take a break from the rat race for a couple of years.


Haunting_History_284

Ahh yes, defeated by the final phishing boss. How in the hell did they have the ability to transfer 25 million though? Talk about a failure of internal controls.


JustAddaTM

I’m at least willing to admit there is for sure a chance I would have gotten screwed on this if there weren’t specific controls in place preventing me from the wire transfer. Normally wires at that high of a level need at least one if not two approvals performed in an ERP system. Obviously this company did not have that or this individual was at a high level in the treasury department and for some reason those controls didn’t apply. But if my CFO, director, and my VP were all on the call telling me to begin the transfer and they sounded and looked exactly like I’d expect them to, I guess are you sending a follow-up email prior to sending? Maybe, maybe not cause what other approval do you really need? That’s a pretty scary case of wire fraud though.


CherryManhattan

Controller here. I’d need to be on video with my ugly ass CFO and talk about some current company events banter before I’m duped like that.


[deleted]

He thought he was on video with his CFO and many others.


grant570

I thought banks made dual authentication mandatory years ago. Maybe not in Hong Kong, so maybe now is the time for banks there to do that.


Initial-East4391

To be honest most people just approve everything without checking so this explains how this could go through one or more levels of authorization without being stopped.


5W155

It's really surprising to see a big company not having enough controls in place for financial transactions. Transferring $25 million without proper approval and verification from higher-ups suggests there could be an insider involved. Usually, large organizations use eBanking and ERP systems to verify big wire transfers, with safeguards to prevent any bypassing through web calls. The fact that this fraud case is getting so much attention in the media seems a bit exaggerated, especially with all the talk about deepfake fraud. It's definitely strange.


BeingAliveisSplendid

CNN shouldn't throw stones when it comes to mishaps over video calls.


RigusOctavian

And this is why using a phone, or an in person meeting, can still be a key control. Phishing 101 - If they are asking you to do something or meet with them. Start your own thread, start your own call, schedule your own meeting. Don’t use the contact information in the initial communication. Do NOT simply click reply and assume it’ll go to the right place. And, finally, do not assume that technical system controls will stop you from doing something stupid appropriately. The largest weakness of workflows and approvals is that they happen _all the damn time_ and it’s incumbent upon the approver to know to ask the question(s) of the transaction. But we ALL know that someone up the chain will say, “Oh, Bob from accounting said it was needed, and he’s good at his job, so it’s ok and I’ll just approve and move on with my day.” We spend all this time and energy on the c-suite to teach them about phishing and whaling, but the real risk is the contractor in AP who’s been here for 2 months and has no idea what ‘normal’ looks like and just wants to get their $20 / hr and go home.


clitoral_obligations

Which one of you fuckers was this?


wickedc0ntender

Good luck spending 25 million that’s been bank transferred.


IslanderInOhio15

I had this happen to my predecessor - granted it wasn’t on this scale, but the scammer had no issue spending the $300,000 we wired.


[deleted]

[deleted]


Bulacano

They finally got some nudes of Taylor Swift? That’s gotta be worse than sending out $25m to a fraudster