How Ferrari dodged a deepfake scam attempt

As AI advances, so do deepfake scammers. It has been said time and time again: No one is safe when it comes to sophisticated and elaborate scam attempts. Deepfake scams have been on the rise, with criminals impersonating loved ones, colleagues as well as celebrities and people in power. If you have not heard of a deepfake scam before, in short, a scammer will use AI to recreate the voice of another person or even their face. This type of scam is widely used to lure individuals into giving money and personal details.

A lot of victims are caught off guard because they think they are talking to someone familiar when in fact, they are not. Most of the time, deepfake scams involve excuses as to why they are contacting the victim from a different number. These usually include:

Trouble with the police: The scammers will claim that they are a loved one who is held by police and are asking for bail or money for a lawyer
Lost phone: Another way to get money is by requesting cash to buy a new phone, as the old one was lost or damaged in some way
Kidnapping: This scam usually targets parents and grandparents. The scammer threatens that they have someone’s loved one and they want money to let them go. They also give an excuse as to why the person shouldn’t directly contact their loved one.
Confidentiality: Scammers who impersonate celebrities or people in power (e.g. the President of America) say that they are using a secret phone number to ensure that the conversations remain between them. They send deepfake photos to the victims to convince them that they are genuine.

As deepfake scams are becoming smarter, it is necessary that people recognise the red flags and take steps to protect themselves.

Ferrari deepfake attempt

Recently, Ferrari narrowly dodged a bullet when a scammer approached an executive and pretended to be the CEO, Benedetto Vigna. The executive noticed a few red flags, enough to make them suspicious of what was going on:

For one, the scammer was contacting them from a different phone number, not the one Benedetto was usually contacting them from
The profile picture of the scammer was depicting Benedetto but it looked off
There was urgency in the messages received with very little context behind them

All of these red flags caused the Ferrari executive to be cautious. When the scammer called them in the CEO’s voice, it actually sounded real. The criminal had a southern Italian accent as well as the right tone of voice. However, because of the red flags mentioned, the Ferrari executive asked them a question to verify their identity: ‘What was the title of the book Mr Vigna had recently recommended?’. This led to the criminal hanging up the phone as they knew their cover had been blown.

As a result, Ferrari launched an internal investigation, but they avoided a huge disaster as the executive thought quickly about an appropriate question only Benedetto could answer. This is a great example of employees being risk-aware and always paying attention to who they are talking to. When we discussed this here in the office at Polonious, we also liked what a low-tech solution this was, borrowed straight from movies like The Thing and Terminator 2.

Not the only incident

The Ferrari executive noticed the red flags early. But what would have happened if they had not? Earlier this year, a finance worker of Arup fell victim to a deepfake scam that ended up costing them $25 million USD ($38 million AUD). Again, there were red flags:

The employee received an email that looked like a phishing scam, with the sender claiming that they were colleagues from the UK office
The email, similarly to Ferrari’s case, mentioned a secret agreement that would require a lot of money

The scammers invited the finance worker to a conference call where they deepfaked UK colleagues with whom the employee was familiar. This caused them to let their guard down and send them the money as part of the deal. The employee only found out after they contacted the head office.

How to protect your company from deepfake scams

It is very clear that deepfake scams do not discriminate. This means that the thought process of ‘They will probably not target us, it’s not going to happen to us’ does not apply. Here are some strategies to help you combat deepfake scams:

Strengthen your IT security
Train employees
Develop a response plan
Encourage staff to trust their feelings

Strengthen your IT security

The most dangerous deepfake scam is the one where scammers have access to the real employee’s accounts. The scammer will be able to send and delete emails before the actual person sees them. If they reach out to a colleague, it will be more likely that they will be believed. It is necessary that employees learn ‘IT hygiene’ such as:

Using a strong password which they change regularly. This password shouldn’t be used across other platforms
Using multi-factor authentication, preferably by using a trusted authenticator and not necessarily a phone number
Always being on the lookout for phishing attempts. This would require them to not click on SMS links as well as the company not sending out important information through SMS links.
Regularly performing software and system updates. Older versions can leave employees vulnerable.

It is also up to the company to protect staff by using strong email filters, a reliable firewall and threat detection technologies.

Train employees

In these two cases, there were two different responses, each with its own outcome. There are many factors that may make someone suspicious. However, employees need to know what they may have to deal with. Deepfake scams can make people look very realistic and they only need a short voice sample or a short clip of someone’s face. Showing staff examples of how realistic these deepfakes can be can give them a better idea than simply saying ‘They can look authentic’.

They need to see exactly how sophisticated the problem can be so they know that even though the person can look real, they are not.

Develop a response plan

If employees are using their training knowledge, they may, at some point, become suspicious of the person who is texting them. There are a few routes they can take:

If the scammer is contacting them from a different phone number, it will be wise for the employee to contact their colleague through their usual means of communication. It is very unlikely that a topic will be so ‘secretive’ to the point that the colleague will refuse to confirm whether it is them or not.
Similarly, always have a second approver on any payment. For example, if the supposed CEO/CFO calls someone from Accounts Payable and tells them to pay an invoice, final approval for that payment should go through them via the accounting system and their normal contact channels. If they didn’t truly request the payment, it will be stopped there.
If there is a lot of urgency presented, this is the best indicator that the matter should not be taken with urgency. Employees should do their due diligence and check with other colleagues on whether the agreement they are presented with is indeed real, especially if confidential details or money are at stake
Just like the Ferrari executive did, suspicious cases call for smart responses. Employees should seek to verify that the person they are talking to is indeed who they claim to be. Questions they only would know the answer to are a quick way to double-check someone’s identity

Encourage staff to trust their feelings

If employees receive a questionable email, followed by a realistic-sounding call or realistic-looking video, it is best that they trust their gut. If they notice inconsistencies, audio gaps or beeps, video lag, all these should raise red flags. It is advisable to give employees the power to step back and say ‘hold on a second’ and check bona fides, rather than feeling pressured to do something immediately because the CEO or CFO asked.

They should also be provided with resources as well as contacts they can reach out to if they suspect illegal activity. If they think the email, phone number or personal account of a colleague has been compromised, then they should not feel pressured to give out information or money.

It is better that a genuine agreement might be slightly delayed rather than a fake one going through.

Avoiding deepfake scams is easier said than done

Deepfake scams will continue to evolve, and with every technological advancement, there will be disadvantages. Companies need to stay vigilant as there is a lot to lose. Ferrari’s immediate response after the deepfake attempt was reported was to initiate an internal investigation to find any evidence that could point to what happened.

Internal investigations can highlight any weaknesses in the organisation’s security system and any suspicious activity that might occur. If you are looking for a reliable case management system that will help you finalise a case quickly, Polonious is here to support you. We have helped and continue to help many investigators worldwide respond quickly to illegal activity to ensure that their companies and clients are protected. We provide investigators with all the tools they need to carry out an efficient process. From a streamlined workforce to confidential evidence storage, we assist businesses with accessing everything as securely as possible.

Do you want to hear more? Book a demo today.

Let's Get Started

Interested in learning more about how Polonious can help?

Get a free consultation or demo with one of our experts

Get a Demo

Eleftheria Papadopoulou

Eleftheria has completed a Bachelor's of Business with a major in Marketing at the University of Technology Sydney. As part of her undergraduate studies she also obtained a Diploma in Languages with a major in Japanese. Following her graduation she has been working as a Marketing Coordinator and Content and Social Media Specialist.

Eleftheria is currently finishing her Master in Digital Marketing.