How can AI be used to commit fraud?

MICHAEL BIRD
have you received any phishing emails recently? I promise I haven't got an ulterior motive here.

AUBREY LOVELL
You know?

I was like, is this part of a training exercise? I actually did get one yesterday. It basically was impersonating one of our, you know, like delivery services for packages. And I thought for sure it was one of the packages that I was waiting on. But then thank goodness I checked email address and it was like a very crazy one and I knew immediately that it was definitely not real. But how about you?

MICHAEL BIRD
I too had one of those, I think it was a simulated phishing email
I think when I first joined the company, I clicked on the link because I didn't know what I didn't know. And so, yeah, I clicked on it and I got sent on one of those extended security awareness training courses. yeah, was very, like my team were like, oh, come on, Michael. But now, nowadays, I like to think I'm...

slightly more aware but I don't know I think I think it's more of a more of a when not if I click on a fishing link because man they get this they're getting so clever these days they're getting so realistic

AUBREY LOVELL
they look so realistic and convincing that anybody could potentially fall for them.

MICHAEL BIRD
But as we're going to hear in today's episode, cybercrime runs far, far deeper than your average phishing email

I’m Michael Bird

AUBREY LOVELL
I'm Aubrey Lovell

And welcome to Technology Now from HPE.

MICHAEL BIRD
So Aubrey, fraud and cybercrime have obviously been around for a quite a long time. They come at us over emails, social media, text messages. I mentioned phishing earlier because it's the most common form of cybercrime. Aubrey, did you know that according to AAG's June 2025 phishing statistics, there are well over three billion, with a B, spam emails sent each and every day.

AUBREY LOVELL
Wow. That's insane, but I also can see that, right? I mean, it makes sense, but at least lots of us are on the lookout for this type of fake email, right?

MICHAEL BIRD
The way that this type of fraud looks is changing too. cyber criminals are of course utilizing the newest tool available to them. Aubrey, what do think it is?

AUBREY LOVELL
I would have to say artificial intelligence

MICHAEL BIRD
10 points to your house of choice. Because it's often quite easy to check if an email is real. I mean, I guess you just look at where the sender is. That's like the obvious one, isn't it?

But Aubrey, what about a phone call? What about if somebody's pretending to be your boss calls you and then asks you to do a task? It's a much more compelling request when you can hear it with your own ears or I guess see it with your own eyes.

Now later on in the program, we'll be hearing from Aman Raheja, the Global Chief Information Security Officer here at HPE. Who’ll be shedding some light on how AI is used to try and scam us.

AUBREY LOVELL
Okay, so you have me intrigued now. However, before we get to Aman, I thought it would be interesting to take a dive into some of the biggest acts of fraud in history, which means it's time for Technology Then.

AUBREY LOVELL
Ok, Michael. You like quizzes right? So I’ve got a question for you.

MICHAEL BIRD
I do love a good pub quiz.

AUBREY LOVELL
Perfect. Okay, so the question is, what is the biggest scam in history? And I promise you'll know it or at least have heard of the man who ran it.

MICHAEL BIRD
Yeah, I think it might be a financial scam of some sort. Maybe there was a film made of it or something…

AUBREY LOVELL
Getting warmer, yes. It was actually the case of the infamous Bernie Madoff. I know everybody has heard that name, which is an excellent name for someone stealing money because, you know, Made-off... Love a good pun

So Madoff was an American financier that oversaw the Ponzi scheme to end all Ponzi schemes. An almost two-decade-long plot where, according to the American Department of Justice,
Madoff stole around $64 billion from investors.

I don't think I thought it was that much, but yeah, that's pretty, pretty intense. It all came to a head in late 2008. The global financial markets were crashing and Madoff's investors wanted their money back, obviously.

So according to the FBI , with only 300 million in the bank and unable to pay back the 1.5 billion requested by investors who were trying to withdraw their money, Madoff came clean.

So most acts of fraud are not quite that big. However, for an average person, they can be devastating. People can lose their entire life savings to investment or romance scams. And in the case of a company, they can lose millions. News articles from CNBC, the BBC, and NPR show that between 2013 and 2015, a series of phishing emails duped two major tech giants out of over $100 million between them.

And in 2024, CNN reported a Hong Kong-based finance worker who had transferred $25 million to scammers after being tricked by a deepfake video call.

and we have of course linked to all those figures in the show notes.

MICHAEL BIRD
Oh my goodness, the video call thing, that's scary. Now to shed some light on the topic, I spoke to Global Chief Information Security Officer here at HPE, Aman Rahe ja, but before we get into the meat of the conversation, I asked him how he got into cybersecurity because it's no t how you might expect.

AMAN RAHEJA
the way I got into cybersecurity is I was a software developer and my website got hacked and my boss came to me and said to fix it, this was in 2002. I had no idea on how to fix a website that got hacked. I bought a couple of books on hacking, learned how to hack so then I can figure out how to not let it get hacked.

AUBREY LOVELL
Wow. Well, you know, they say the best experience is, you know, you learn on the job and that's definitely what he did And thank goodness for the internet, right? I think it made it so much easier to be able to quickly, you know, bring yourself up to speed for things that you don't know

MICHAEL BIRD RESPONSE
Thank goodness for forums. That's, think, forums where you can ask a question and experts can answer and tell you how to fix things. I do quite like that. Now, Aman has an enviable CV, I believe, Aubrey, you'd probably call that a resume, having worked across banking and healthcare before joining us at HPE. And Aman started off by telling me how the tech sector is different to where he's previously worked.

AMAN RAHEJA
Definitely and significantly different. One of the primary drivers is technology organizations are going after innovation at the speed most of the sectors are not, and if you think about it. The technology companies going fast is what enables other sectors to go fast. The technology sector leads the way from an innovation standpoint now that speed comes with certain risks. So you have to figure out how to manage those risks at a completely different framework with a completely different mindset. And you have to be a lot more proactive relative to any other sector, uh, that you could think of.

MICHAEL BIRD
So attacks can be anything from small time scammers to state sanctioned attacks. Can you sort of talk through what some of these might look like?

AMAN RAHEJA
first of all, I would go to basics and say there are different kind of attackers, right? It's not easy to just say what are different kind of attacks without understanding who these attackers are. Sometimes they're scripted who sitting in their basements just trying stuff out. Other times they're hactivist because they have some motive or some notion what they want to achieve Like we saw happen during financial crisis where attackers just shut down a bunch of bank websites.

There are other times they're cyber criminals who want payout of some sort, or nation states who are looking from an espionage standpoint, state secrets or defense information or intellectual property.

Depending on what kind of attacker, what their motive is, what they want to achieve, the attacks look very different. All the way from simply someone shutting down the website, to completely sweeping away millions of records from a company.

MICHAEL BIRD
And so AI is being used as a tool by some of these attackers.

AMAN RAHEJA
more than I would like to admit.

Yes. I think, to start off with, AI obviously enabled technology and all of us in certain ways, and we haven't even seen the full extent of it yet. At the same time, attackers have also started utilizing the same capabilities, so the phishing scams are more accurate, for lack of better terms.

Now they can create perfect campaigns and easily get to people. Not to mention audio and video fakes that have also come up, so-called deep fakes that are actually taking a root into the way they operate.

MICHAEL BIRD
And there are things like, yeah, ransomware, deep fakes. I think you, we talked previously about like fake job profiles.

AMAN RAHEJA
Yes. That is actually a very interesting scam. We've recently seen where one of the nation states, because they're looking for funding, they actually had a bunch of people apply for a lot of jobs and get jobs in tech sector and get these jobs. these people never show up on video, so you actually never see who is on the other end, neither during interview, nor later on they get the jobs, they get payouts and they transfer part of the money to this nation state to fund them to continue the operation.

This is the kind of operation we have not seen in the past what I think is relatively more scary other than losing funds to fake people, is they actually have access to the networks of the company. T hey can actually say, you know what… 100 thousand dollars per year is not good enough. Why don't I just install a ransomware and get hold of maybe millions of dollars by going after an organization?

MICHAEL BIRD
‘cause of course on your first day of your job, I mean, there's that sort of joke of a site, you know, you can never get access to the IT system, you know, passwords and you know, I guess that's, that's a time when as an organization you're sort of opening yourself up a little bit so it's, that's really interesting.

AMAN RAHEJA
Yeah. There, there have been instances where not only these people got hired, number one, they were sent company laptops to connect into the network. They were given the password. I know of cases where some of these people were system administrators.

So now you're not just talking about access to any system.
You're talking about sometimes having access to the core of a company and the damage that can potentially happen now. Maybe I'm looking for the silver lining and saying the good news is these people were limited to only saying, I just want a paycheck by a fake job, and then they get fired after a month.

They go do this somewhere else. But the fact that they have the access itself presents a very different risk that people have not thought of in the past

MICHAEL BIRD
Yeah. Okay. And, and you are saying that they didn't switch their videos on maybe the answer could be, to protect yourself against this, get people to switch their videos on. But you mentioned deep fakes.

AMAN RAHEJA
Yes. Deep fakes are getting really popular. Both audio and video using either of the two mechanism.

So I can call you Michael and I can say, "Hey, I'm the CISO. I want you to change your password because we found that your password has been breached and here's the link to change your password."

MICHAEL BIRD
And I'll say, oh, Aman’s the CISO. I better do what he says. And, um, I can see he's there on video, I better do it.

AMAN RAHEJA
How do you know it's me? I just call you on the phone

MICHAEL BIRD
Cause you’re there on camera…

AMAN RAHEJA
But that is a reality. There have been incidents where people have transferred hundreds of thousands of dollars using just audio. In some cases, millions of dollars because someone appeared on a video who looked like their CFO and wasn't and had someone transfer all this money. These are real instances that have already happened.

More of this will happen until people get really vigilant on how to spot them and avoid them.

MICHAEL BIRD
Deep fakes can be used in any number of sort of cyber attacks. And I guess what we're playing on here is the human psychology of. If so and so tells me to do something, I should do it. And 2, 3 years ago, it was if you get an email from the CFO, maybe don't trust it. But now we're saying actually might even be if you get a phone call or even a video call from somebody senior to TA to do something, maybe don't trust it.

AMAN RAHEJA
I'll break it down even further.

MICHAEL BIRD
Please

AMAN RAHEJA
As a human, what do we use to verify? I can see you. I can hear you. I trust it. And they're leveraging both of these elements

MICHAEL BIRD
Okay, so video and audio can be deep faked. Are there any like signs to spot a deepfake?

AMAN RAHEJA
right now, like you can see my hands moving. That is something that's not easily doable with deep fakes. There are a few proof of concepts, for lack of better term, that are already out there where some people have actually tried to make it happen, but it's not always that feasible, that your hand gestures are always going exactly the words coming out of your mouth when it comes to deep fake. So there's little bit of still hope remaining that you can spot them. But technology will change and you'll have to find other ways of mitigating this risk.

MICHAEL BIRD
There aren't necessarily any easy signs to spot it. How on earth do you combat this? How on earth as an organization can you verify that you are speaking to the person that you think you're speaking to?

AMAN RAHEJA
I know it sounds too much of common sense, but why would I do a $25 million transfer just because on video my CFO said so? I mean, if you think about it, that's probably a very basic question. Why would I not have the right controls in place in my systems to avoid it? Hey, don't forget. We can also use AI to make our systems better. So if someone is transferring $25 million out of ordinary, why is there not a system that has enough intelligence to say, you know what, that's an odd transaction, and spot it and do something about it. And so there are ways you can build the right systems and actually leverage these technologies to get ahead of it. And that's probably the best way of addressing it.

MICHAEL BIRD
And is there an element of like, training your staff? Because of course if we're saying a $25 million, the system might think that's a bit odd, but what if the person running this attack to your organization clocks onto that and thinks, Hmm, okay, well maybe what I do is I get a thousand people to request $10,000 or, you know, whatever the equivalent would be, which maybe flies under the radar, sort of understands the system. is it just about training your staff to be aware of this? Yeah,

AMAN RAHEJA
Yeah, training helps as well. The challenge mostly in training is you have to be focused on who you are training I would turn my focus to people who actually have the ability to do a financial transaction, have the ability to change a system, have the ability to do something with passwords. So if you focus on the right people, training can actually go a long way. But on top of training, how do you then tell them how should they react when something like this happens?

MICHAEL BIRD
Okay. previously you and I talked about codes. Can you just talk about how that might work?

AMAN RAHEJA
So there are two simple two simple ways, but not easy to implement, at least the first one. Is if you call me and say, gimme $25,000, I should say, what's the password, Michael?

It doesn't scale. It's not possible that I can have that mechanism with 50,000 employees in my organization. There is two factor authentication that can be used to say if a financial transaction happens, someone has to enter a two factor authentication that only appears on your authentication mechanism.

So you can use Authenticators to actually go do this kind of authentication

MICHAEL BIRD
I mean do you think there'll be a sort of a verified, video call system where you have to put a code in before you can start using it to verify like you are who you say you are. And you get a little green tick. And so when you then speak to somebody, they say, no. Yeah, this is definitely Michael Bird 'cause he has signed in and he's given the right code…

AMAN RAHEJA
Actually that's a great point also from the mitigation standpoint, where if you call me, and that's not a proper company line, that I can tell because if we, we use the same video conferencing software, but you're calling and you're saying, oh, I couldn't get into my office computer and I'm calling you from my home machine. That right there should be a giveaway saying something's not right. Yeah. This goes back to your point of you have to train people to be able to spot these anomalies

MICHAEL BIRD
One of the things I think we talked about before was how people are using DeepFakes to have multiple people enter like a video call to sort of make it seem even more legitimate.

AMAN RAHEJA
Yeah. That's, uh, so that is an example of this technology evolving, where in the past the deep picks were only able to have one person appear on the other side. They've advanced it enough now three people can appear.

Now you have your CEO, your CFO, and Chief Risk Officer, CRO, all on the line and saying, Hey, do this transaction because the financial risk of not doing it in a timely manner. Again, are they coming from your company line?

MICHAEL BIRD
Yeah. Okay.

AMAN RAHEJA
You can still look for those anomalies. The anomalies are still similar, but yes, for someone it could be a lot more pressure. And saying not just one exec is saying, do X and you have 15 minutes. Most the times these people try to rush you into doing something, That's the only way they succeed.

MICHAEL BIRD
So you start making irrational decisions. You go, oh, they're telling me to do it. I better do it now.

AMAN RAHEJA
Yep, exactly.

MICHAEL BIRD
Okay, so Deep Fakes are hard to spot, really hard to spot. In some instances, code phrases may not be particularly scalable or passwords may not be particularly scalable. So Can we use AI to combat AI?

AMAN RAHEJA
Yeah, I, I think that is the best hope actually
that AI could at some point say, five of the six factors don't match up to this being real and tell me that it's not real. And those are the kind of capabilities companies will need to invest in to thought against these kind of attacks. I haven't seen one yet. I haven't seen one

MICHAEL BIRD
So I guess, yeah, so I mean, do you think using AI to combat ai. Is more important than staff training or do you think it's just another element of the way to combat it?

AMAN RAHEJA
The only reason I emphasize on using technology to put these controls in place is because of scalability.

There will always be a human factor. I train you, but an attacker calls you at 9:30 PM You're just about to go into your bed. You're like, okay, let me get this done and just go to bed. There are aspects these attackers take advantage of because they know enough of the human psychology to take advantage of. But if there's a technology in between that consistently scans and towards it can have a lot better than outcome that we can rely on.

MICHAEL BIRD
Wow. Okay. Okay, to sort of summarize, how worried should we be about this?

AMAN RAHEJA
Well, we should be worried. At the same time, I also have hope
That that we will be able to develop and we always have, like attacks have evolved over time and technology has always come up with an answer and say, okay, this is how we are going to deal with it.

it is worrisome where we are right now. People are moving really, really fast, adopting ai, and by the way, not only attackers are leveraging aI to do these attacks. They also understand that companies that are rushing into AI without putting the right security controls, they have an opportunity to exploit those technologies.

AMAN RAHEJA
so yeah, it creates a new kind of vulnerability. At the same time, the hope I have is. Folks in the industry, like our own organization that is not only saying adopt AI, but is also looking for how do you responsibly and securely adopt AI is extremely important. I mean, this is what I love what I do. This is to protect people from these things happening to them.

AUBREY LOVELL
Yeah, Wow. I mean, I feel like we could talk about this for hours, Michael. It's such a fascinating and interesting topic, and it is something that we need to keep our eye on because it has so much impact it just kind of affects every area, financially, you know, personally, everything.

So at the same time you're seeing all these sophisticated scams kind of just really become super sophisticated and complex. But at the same time, the technology on the side is also building up and kind of meeting it toe for toe.
-
MICHAEL BIRD
The fake job profile story, that sort of blew my mind a little bit. So the concept of somebody starting in your organization who you've never met in person because, you know, there are 100 % remote roles going on. You know, there are 100 % remote roles and
this new starter having access to your systems from day one because that's what you do when you start a new job you get you get logins etc and that person actually not being who they say they are and I think in this instance they are a sysadmin so I mean that is just that that leads on to the question of how do you how can you know for sure that who you're speaking to is the person you're speaking to I mean Aubrey how do you know that you're speaking to Michael Bird and how do know that I'm speaking to Aubrey Lovell?

AUBREY LOVELL
Right? Yeah, it makes you think, right? I don't think we've ever had to think about enablement or training in that way. It's always been like, okay, like you said before, you get an email or something, you know, that's just more of a traditional type of, alert or notification. But if you're talking to me on camera and they have a deep fake of myself with my voice, my look, my feel, my mannerisms, it's very scary to think that that's even possible.

I think actually that is probably one of the biggest threats that we have today. mean, you're seeing stories in the news right now of people using deep fake videos, I've actually heard a recent story on the news about a woman getting a phone call and she was 100 % certain it was her daughter - voice and everything and she was scammed out of I don't know $20,000 for ransom. Her daughter was saying that she was kidnapped. I mean these are actually happening in real time

MICHAEL BIRD
The technology is moving on so quickly. That's almost certainly going to be outdated. I mean, maybe even by the time this episode goes out. Technology is moving so quickly. I'm not sure. I'm not sure there are like these are the telltale signs of what's a deep fake or not. We maybe have to move to a position of, if somebody's asking me something critical, even if it's on video or an audio, maybe you have to do some additional checks to make sure actually who you're speaking to is the person you're speaking to.

AUBREY LOVELL
Yeah, I mean, the first thing that comes to my mind, right, I almost see a need for some sort of filter or indicator when people are on camera, on video, whether it's in a virtual meeting or even videos that are floating around on the internet that some sort of AI or something, some software can actually flag if it is a deepfake or not, and that alerts people to that. that's something that might be needed.

MICHAEL BIRD
I've often been thinking we need a video or an audio verification system, when we see each other next in person, we'll come up with a password. That's what we'll do.

AUBREY LOVELL
Yes, the three question rule. We're going to have three questions that only we would know. And if they don't line up, then you know for sure.

MICHAEL BIRD
Aman actually made my life a bit easier because we ended the interview with him telling me the most important things that we should be taking away from our conversation, and I hope if our listeners only take two things away from this episode, it’s these…

AMAN RAHEJA
The two messages that I leave about AI is adopt responsibility. Responsibly because there's a lot of impacts of what we are doing, not just from a security standpoint, but at a human level.

So it's extremely important. People are paying attention to that part. The second being make sure that people who are adopting and using know how to use it properly. There's a big gap from a literacy standpoint when it comes to ai. A lot of organizations have come up a lot of technologies and tools and capabilities, but until people learn how to adopt it safely is going to be a challenge.

AUBREY LOVELL
Okay, well that brings us to the end of Technology Now for this week. Thank you to our guest Aman Raheja, and of course to our listeners, thank you so much for joining us.

MICHAEL BIRD
Yeah, and if you've enjoyed this episode, please do let us know. Rate and review us wherever you listen to episodes. And if you want to get in contact with us, send us an email to technologynow at hpe.com. Just no phishing emails, all right? And don't forget to subscribe so you can listen first every week. Technology Now is hosted by Aubrey Lovell in St. Petersburg, Florida.

And myself, Michael Bird, just outside a surprisingly bright and sunny London. Makes a change. This episode was produced by Harry Lampert
and Izzie Clarke with production support from Alysha Kempson-Taylor, Beckie Bird, Alison Gaito, Alissa Mitry and Renee Edwards.

AUBREY LOVELL
Our social editorial team is Rebecca Wissinger, Judy-Anne Goldman and Jacqueline Green and our social media designers are Alejandra Garcia, and Ambar Maldonado.

MICHAEL BIRD
Technology Now is a Fresh Air Production for Hewlett Packard Enterprise.

(and) we’ll see you next week. Cheers!

Creators and Guests

person
Host
Aubrey Lovell
LinkedIn
person
Host
Michael Bird
LinkedIn
Hewlett Packard Enterprise