by masto 755 days ago
When I'm on a company video call, the people I'm meeting with are logged into their company accounts, through the fancy company authentication system. Large warnings are displayed if there are any external participants, and I wouldn't be surprised if it's possible to disable the ability to even have guests. Third-party video conference software is banned and blocked from installation on work computers.

I am not in the finance department, but in software engineering and operations, two-party controls are everywhere. I can't check in code without reviews. I can't access production systems or make changes without approval from another team member. I would think that similar processes could be put into place for transferring tens of millions of dollars.

In other words, there are ways to deal with this that don't come down to "mistrust all technology and revert to face-to-face meetings and handing cash to each other".
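As an added illustration of the two-party control the post describes (not code from the thread or from any real payment or approval system): a maker/checker model in which the person who enters a transfer can never approve it, approvers must be distinct members of an authorized group, and anything above a threshold needs two of them. The threshold, the approver group and all function names are assumptions made for this example; the point is that a single employee, however convincingly instructed on a call, cannot release funds alone.

```python
"""Maker/checker control for outgoing transfers (illustrative, not a real system)."""
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed policy values for this illustration only.
DUAL_CONTROL_THRESHOLD = Decimal("10000")            # at or above this, two approvers
APPROVERS = {"cfo", "controller", "treasury_lead"}  # constructed approver group


class PolicyViolation(Exception):
    """Raised when an action would bypass the two-party control."""


@dataclass
class TransferRequest:
    request_id: str
    requester: str                 # the "maker" who keyed in the transfer
    amount: Decimal
    beneficiary: str
    approvals: list = field(default_factory=list)   # distinct "checkers"
    released: bool = False

    def approvals_required(self) -> int:
        """Small transfers need one independent approver, large ones two."""
        return 2 if self.amount >= DUAL_CONTROL_THRESHOLD else 1

    def approve(self, approver: str) -> None:
        """Record an approval, refusing self-approval and duplicates."""
        if approver not in APPROVERS:
            raise PolicyViolation(f"{approver} is not an authorized approver")
        if approver == self.requester:
            raise PolicyViolation("requester cannot approve their own transfer")
        if approver in self.approvals:
            raise PolicyViolation(f"{approver} has already approved")
        self.approvals.append(approver)

    def release(self) -> bool:
        """Release only when enough distinct approvals exist; False otherwise."""
        if self.released:
            raise PolicyViolation("transfer already released")
        if len(self.approvals) < self.approvals_required():
            return False
        self.released = True
        return True


def demo() -> dict:
    """Walk a large and a small transfer through the control; returns outcomes."""
    large = TransferRequest("r1", "alice", Decimal("25000000"), "CONSTRUCTED-ACCT-1")
    first_try = large.release()            # nothing approved yet -> False
    large.approve("cfo")
    second_try = large.release()           # one of two required -> False
    large.approve("controller")
    third_try = large.release()            # two distinct approvers -> True

    small = TransferRequest("r2", "cfo", Decimal("500"), "CONSTRUCTED-ACCT-2")
    try:
        small.approve("cfo")               # maker is an approver, but not of own request
        self_approval_blocked = False
    except PolicyViolation:
        self_approval_blocked = True
    small.approve("controller")
    small_released = small.release()       # one independent approver suffices
    return {
        "large_after_zero": first_try,
        "large_after_one": second_try,
        "large_after_two": third_try,
        "self_approval_blocked": self_approval_blocked,
        "small_released": small_released,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The approval step is where the out-of-band check lives: a second approver is expected to confirm the beneficiary through a channel the requester did not set up, so a fabricated meeting cannot substitute for it.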

3 comments

If I were the attacker, I'd use credential-stuffing or something to get access to some random employee's account. Doesn't have to be anyone important.

Then I'd set up a short-notice multi-way meeting between the target, the CEO and the hacked account. The deepfake 'CEO' then turns up with no alarms raised, except one wrong name - easily dismissed as a glitch, or an assistant having booked the meeting.

So your method assumes you can easily take over an employee account? Isn't that the hard part?

Employees are typically the weak point in corporate security.

$10k/week in crypto lets you easily 'hack' a random corporate account.

But that CEO account would be marked as (guest/unverified) in Teams or Zoom.

Almost everywhere I've worked disallows external participants on Teams by default. We add exceptions when needed. I don't know if this is standard, but it has been at the larger companies I've worked at.

I imagine the people at Arup who fell for the scam were confident in their systems protecting them too.
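An added example, not code from the thread or from Teams or Zoom, of the two checks the replies above lean on: external participants are denied by default unless explicitly excepted, and a participant who is not authenticated through the company tenant but carries the display name of someone in the internal directory is raised as an alert rather than dismissed as a glitch. The tenant name, the directory entries and the participant records are constructed for this illustration.

```python
"""Deny-by-default review of a meeting's participant list (illustrative)."""
from dataclasses import dataclass
from typing import Optional

# Constructed identity data: the company's own IdP tenant and its directory.
COMPANY_TENANT = "example-corp"
DIRECTORY = {
    "ceo@example-corp": "Pat CEO",
    "alice@example-corp": "Alice Ops",
}


@dataclass
class Participant:
    display_name: str
    tenant: Optional[str]    # IdP tenant that authenticated them; None = anonymous guest
    account: Optional[str]   # account asserted by that tenant, if any


def classify(p: Participant) -> str:
    """'verified' only if authenticated by the company tenant as a directory user."""
    if p.tenant == COMPANY_TENANT and p.account in DIRECTORY:
        return "verified"
    return "guest"


def review_meeting(participants, external_exceptions=frozenset()) -> dict:
    """Apply the policy and return whether the meeting may proceed plus findings.

    BLOCK findings stop the meeting; ALERT findings are surfaced to the
    verified attendees regardless of whether the guest was excepted.
    """
    findings = []
    for p in participants:
        if classify(p) == "verified":
            continue
        who = p.account or "anonymous"
        if p.account not in external_exceptions:
            findings.append(
                f"BLOCK guest {p.display_name!r} ({who}): externals denied by default"
            )
        # A guest whose display name collides with an internal user is the
        # "CEO turns up as guest/unverified" case: never treat it as cosmetic.
        if p.display_name in DIRECTORY.values():
            findings.append(
                f"ALERT guest {p.display_name!r} ({who}) matches internal directory name"
            )
    allowed = not any(f.startswith("BLOCK") for f in findings)
    return {"allowed": allowed, "findings": findings}


if __name__ == "__main__":
    # Constructed participant list: one verified employee, one anonymous guest
    # using the CEO's name, one authenticated but external vendor.
    sample = [
        Participant("Alice Ops", "example-corp", "alice@example-corp"),
        Participant("Pat CEO", None, None),
        Participant("Vendor Rep", "vendor-tenant", "rep@vendor"),
    ]
    result = review_meeting(sample, external_exceptions=frozenset({"rep@vendor"}))
    print("allowed:", result["allowed"])
    for f in result["findings"]:
        print(" ", f)
```

The exception list models the "we add exceptions when needed" practice: it admits a named external account, but the name-collision alert still fires, so an excepted guest cannot quietly present as an internal executive.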