
Lithuanian Businesses Face €58.8m Hit as AI ‘Boss Fraud’ Evolves

Last year, Lithuania recorded nearly 15,500 fraud cases targeting both businesses and individuals, with criminals attempting to siphon off a staggering €58.8 million. According to data from the Lithuanian Centre for Excellence in Anti-Money Laundering, these figures represent more than just a statistical spike; they signal a fundamental shift in how corporate entities are being targeted. The era of generic, mass-produced phishing emails is being replaced by highly targeted, AI-driven ‘spear phishing’ that mimics the faces and voices of company leadership.

The €58.8 Million Price Tag of Corporate Deception

While the total attempted loss of €58.8 million is a national figure for Lithuania, the mechanics of these crimes are increasingly sophisticated. Experts note that scammers are no longer choosing victims at random. Instead, they are conducting deep-dive research into specific companies, analyzing their operations, identifying key partners, and mapping out employee roles.

By integrating Artificial Intelligence (AI) into their workflow, criminals can now generate correspondence that is virtually indistinguishable from legitimate business communications. This precision targeting makes the initial point of entry—often a simple email or a message on a platform like Microsoft Teams—far more likely to succeed than traditional ‘spray and pray’ tactics.

From Intercepted Emails to AI-Generated Deepfakes

One of the most financially damaging schemes currently affecting the Baltic business landscape involves the interception of ongoing email chains between partners. In these scenarios, scammers gain access to a conversation and wait for the moment an invoice is discussed. They then intervene, posing as the partner, to provide ‘updated’ bank account details.

In one documented case, a Lithuanian clinic ordering interior decor worth €30,000 from an international gallery fell victim to this tactic. The clinic transferred the funds, but the gallery never received them. It was later discovered that fraudsters had intercepted the correspondence and swapped the gallery’s account number for their own. The transition was so seamless that the clinic had no reason to suspect they were no longer speaking with their legitimate partner.

Even more alarming is the rise of ‘Boss Fraud.’ Scammers are now using AI to replicate the voice and even the video appearance of high-level executives in real time. A finance officer might receive a Teams call from their ‘CEO’—with a familiar face and voice—demanding an urgent, confidential transfer to secure a major deal. The pressure of authority combined with a false sense of urgency often bypasses standard verification protocols.

Why Traditional Red Flags Are No Longer Enough

Historically, employees were taught to look for spelling mistakes, poor grammar, or suspicious email addresses. However, Žygeda Augonė, Head of Information Security at Swedbank, warns that AI has rendered these red flags obsolete. AI tools can now replicate not just language, but the specific communication style, mannerisms, and even the emotional tone of a specific individual.

When a scammer can mimic the exact way a CEO phrases a request or the specific urgency they use during a high-stakes negotiation, the psychological barrier to compliance is significantly lowered. The threat is no longer just a technical one; it is a sophisticated form of social engineering powered by high-tech tools.

Building a Culture of ‘Friendly Suspicion’

To combat these evolving threats, security experts are advocating for a shift in corporate culture toward what they call ‘friendly suspicion.’ This approach prioritizes disciplined internal processes over blind trust in digital identity.

Technological safeguards are essential, but they must be paired with human vigilance. The most effective defense against AI fraud is the implementation of rigid, multi-channel verification steps that cannot be bypassed by a single ‘urgent’ phone call or email.

Practical Steps to Shield Your Business Assets

To mitigate the risk of falling victim to these sophisticated schemes, businesses are encouraged to adopt several key security protocols:

  • Multi-Channel Verification: If a request for a payment or a change in banking details is received via email, it must be confirmed through a secondary, previously known contact channel—such as a direct phone call to a verified number.
  • The ‘Secret Phrase’ Protocol: For high-value or urgent transactions, executives and authorized employees can agree on a specific ‘safe word’ or phrase that must be used to verify identity during voice or video calls.
  • Dual Authorization: No single employee should have the power to initiate and finalize a large payment. Implementing a ‘four-eyes’ principle, where at least two people must approve a transaction, creates a critical safety buffer.
  • Automated Payment Data: Whenever possible, automate payment systems to reduce the manual entry of account details, making it harder for intercepted invoices to be successfully altered.
  • Regular Process Audits: Access to financial systems should be reviewed and updated regularly, ensuring that only current, necessary personnel have the authority to move company funds.
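
The multi-channel verification and dual authorization steps above can be enforced as a gate in the payment workflow rather than left to memory. The sketch below is an added example, not taken from the article or from any bank's system; the class names, the EUR 10,000 threshold and all account and phone values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

DUAL_AUTH_THRESHOLD_EUR = 10_000  # assumed policy value, not from the article


@dataclass
class Vendor:
    name: str
    iban_on_file: str    # account held in the vendor master record
    phone_on_file: str   # callback number recorded at onboarding


@dataclass
class PaymentRequest:
    vendor: Vendor
    amount_eur: float
    iban_requested: str                    # account named in the invoice or email
    initiator: str
    approvers: set = field(default_factory=set)
    callback_number: Optional[str] = None  # number actually dialled to confirm


def _norm(iban: str) -> str:
    return iban.replace(" ", "").upper()


def release_blockers(req: PaymentRequest) -> list:
    """Return the reasons to hold a payment; an empty list means release."""
    reasons = []
    # Multi-channel verification: changed bank details need a callback to the
    # number already on file, never to one supplied in the request itself.
    if _norm(req.iban_requested) != _norm(req.vendor.iban_on_file):
        if req.callback_number != req.vendor.phone_on_file:
            reasons.append("changed bank details not confirmed via number on file")
    # Dual authorization: a large payment needs an approver who did not initiate it.
    if req.amount_eur >= DUAL_AUTH_THRESHOLD_EUR and not (req.approvers - {req.initiator}):
        reasons.append("no approver independent of the initiator")
    return reasons


# Constructed sample modelled on the EUR 30,000 invoice case; all values are made up.
GALLERY = Vendor("Example Gallery", "LT00 1111 2222 3333 4444", "+370 600 00001")
SWAPPED = PaymentRequest(GALLERY, 30_000, "LT00 9999 8888 7777 6666",
                         initiator="finance.officer", approvers={"finance.officer"},
                         callback_number="+370 600 99999")  # number taken from the email
VERIFIED = PaymentRequest(GALLERY, 30_000, "lt00111122223333 4444",
                          initiator="finance.officer", approvers={"cfo"})

if __name__ == "__main__":
    print(release_blockers(SWAPPED))
    print(release_blockers(VERIFIED))
```

The gate has no urgency override: a request marked urgent or confidential goes through the same checks as any other.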

Source: BNS

Alastair Graham

Author

Alastair Graham is a seasoned journalist with over fifteen years of experience covering the UK political landscape. Based in London, he specializes in breaking down complex municipal decisions and legislative changes for the local community. Alastair is committed to rigorous source checking and civic reporting, ensuring that every story is backed by verified facts. His work focuses on public interest and holding local government officials accountable to the residents they serve.
