A $25 Million Wake-Up Call
On an otherwise ordinary Monday in February 2024, a finance clerk at a multinational firm’s Hong Kong office joined an urgent video meeting. Staring back at her were the familiar faces—and perfectly cloned voices—of the CFO and several senior colleagues. They said a confidential takeover was closing and asked her to wire a series of “bridge” payments immediately. Fifteen transfers and HK $200 million (≈ US $25 million) later, the clerk learned the awful truth: every “executive” on the call was a deep-fake. The real team had never even logged in.[1]
This wasn’t an isolated fluke. Analysts now estimate deep-fake–enabled fraud cost businesses $12 billion in 2023 and could hit $40 billion by 2027. Financial institutions admit that generative AI is super-charging criminals faster than banks can respond.
Why Our Usual Defenses Fail
- (One-Time) Passwords: Criminals routinely intercept one-time codes by convincing victims to “read the text aloud” or by SIM-swapping.
- 2-Factor Authentication (2FA): If the second factor is a voiceprint or a video presence check, a high-quality clone can sail right through.
- Biometrics & KYC selfies: AI avatars can now blink, nod, and answer liveness prompts in real time.
The hard lesson from recent attacks: anything a fraudster can see, hear, or record can be faked.
Enter the Secret Pass-Phrase
A pass-phrase – or “safe-word” – is a short, pre-shared verbal code known only to the legitimate parties. Because the phrase is never posted online, emailed, or used in routine logins, an attacker has no data to clone. Security researchers now recommend that families and businesses adopt pass-phrases as a last-mile authentication check—simple, memorable, and devilishly hard to counterfeit.[2]
Key advantage: A deep-faked CFO can imitate tone and mannerisms, but it can’t guess a phrase you agreed upon privately yesterday.
Designing a Pass-Phrase Program
| Step | What to Do | Why It Works |
| --- | --- | --- |
| 1. Agree offline | Exchange phrases in person, by courier, or over an end-to-end-encrypted channel. | Keeps them out of an attacker’s digital reach. |
| 2. Make it nonsensical | Use two unrelated words + a number (“Quartz Bicycle 73”). | Hard to guess, easy to remember. |
| 3. Scope & rotate | Different phrases for (a) family emergencies, (b) wire approvals, (c) vendor onboarding. Refresh every 6–12 months. | Minimizes damage if one phrase leaks. |
| 4. Challenge-response | Don’t just ask for the phrase. Give half and expect the counter-half back, or require the caller to insert it naturally in a sentence. | Defeats attackers who overheard the full phrase once. |
| 5. Multi-channel cross-check | If a request feels odd, confirm via an unrelated channel (SMS → video, email → phone). | Adds friction without much overhead. |
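Steps 3 and 4 of the table (scoped phrases with a rotation date, and a half-phrase challenge answered inside a normal sentence) can be turned into a small verification helper for a finance or help desk. The following Python is an added example, not code from the original article: the registry contents, the scope names, the 180-day default rotation window and the word-level split of the phrase are all constructed assumptions.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PassPhrase:
    """A pre-shared verbal code for one scope (wire approvals, family emergencies, ...)."""
    scope: str
    words: list[str]            # already lower-cased tokens, e.g. ["quartz", "bicycle", "73"]
    agreed_on: date             # the day it was exchanged offline
    max_age_days: int = 180     # assumed default: rotate every ~6 months

    def is_expired(self, today: date) -> bool:
        return today > self.agreed_on + timedelta(days=self.max_age_days)


def normalize(text: str) -> list[str]:
    """Lower-case and strip punctuation so a spoken or typed reply compares cleanly."""
    return re.findall(r"[a-z0-9]+", text.lower())


def make_challenge(phrase: PassPhrase, rng=secrets.randbelow) -> tuple[str, list[str]]:
    """Reveal one randomly chosen word; the caller must supply the remaining words in order.

    Choosing the revealed word at random means an attacker who once overheard only
    part of the phrase cannot predict which part they will be asked for.
    """
    idx = rng(len(phrase.words))
    revealed = phrase.words[idx]
    expected = [w for i, w in enumerate(phrase.words) if i != idx]
    return revealed, expected


def verify_response(expected: list[str], spoken: str) -> bool:
    """True if the expected counter-words occur, in order and contiguously, anywhere in the reply.

    This lets the caller embed the phrase naturally ("my bicycle 73 is outside") instead
    of reciting it. The comparison uses hmac.compare_digest; on a human-paced phone
    channel timing is not a realistic leak, but it costs nothing to do it right.
    """
    tokens = normalize(spoken)
    target = " ".join(expected).encode()
    n = len(expected)
    for i in range(len(tokens) - n + 1):
        candidate = " ".join(tokens[i:i + n]).encode()
        if hmac.compare_digest(candidate, target):
            return True
    return False


# Constructed sample registry: one phrase per scope, as step 3 of the table recommends.
REGISTRY: dict[str, PassPhrase] = {
    "wire-approval": PassPhrase("wire-approval", ["quartz", "bicycle", "73"], date(2024, 1, 15)),
    "family-emergency": PassPhrase("family-emergency", ["velvet", "tractor", "19"], date(2024, 3, 2)),
}


def issue_challenge(registry: dict[str, PassPhrase], scope: str, today: date,
                    rng=secrets.randbelow) -> tuple[str, list[str]]:
    """Look up the scope's phrase, refuse stale ones, and hand back (revealed word, expected rest)."""
    phrase = registry.get(scope)
    if phrase is None:
        raise KeyError(f"no pass-phrase agreed for scope {scope!r}")
    if phrase.is_expired(today):
        raise ValueError(f"pass-phrase for {scope!r} is past its rotation date; re-agree it offline")
    return make_challenge(phrase, rng)


if __name__ == "__main__":
    # Desk side: issue the challenge for a wire request received today.
    revealed, expected = issue_challenge(REGISTRY, "wire-approval", date(2024, 5, 1))
    print(f"Desk says: 'Before I release this, what goes with {revealed}?'")
    # Caller side: a genuine colleague works the counter-half into a sentence.
    reply = "Oh right, the quartz bicycle, and the number is 73."
    print("Caller verified:", verify_response(expected, reply))
```

In practice the desk operator reads the revealed word aloud and listens for the rest; the helper only decides whether what they heard matches the scoped phrase and whether that phrase is still within its rotation window.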
Start with your Family!
Pick a pass-phrase with your loved ones today and store it like a password manager note, not in your phone’s contact nickname.
Rehearse: if you get a “Mom, I’m in jail—send money!” call, ask for the phrase before you panic.
Deep-fake voices and AI avatars will only get better. Your defense doesn’t need to be high-tech; it just needs to be yours.
Pick the phrase. Share the rule. Don’t lose USD 25m.
[1] Dan Milmo, “Company worker in Hong Kong pays out £20m in deepfake video call scam”, The Guardian, February 5, 2025.
[2] Matt Burgess, “You Need to Create a Secret Password With Your Family”, Wired, December 25, 2024.