Case Study · Social Engineering Assessment
CEO Deepfake Vishing, Targeted Phishing Campaign, and Physical Intrusion: Multi-Vector Social Engineering Assessment of a Listed Financial Services Group
Engagement Background
The Situation When We Were Engaged
A Mumbai-listed financial services group — operating mutual fund distribution, wealth management, and corporate lending — engaged SIRI Law LLP following a Board-level decision to conduct an adversarial human-layer assessment before a major digital transformation programme.
A business email compromise (BEC) attempt targeting a competitor the prior quarter had put the Board on notice. The group had 1,400 employees across seven offices. SEBI’s cybersecurity framework for regulated entities requires documented security awareness and tested controls — the group had neither tested phishing resistance nor conducted a physical intrusion assessment.
The assessment scope: targeted spear-phishing campaign against 200 selected employees, a deepfake vishing attack simulating the CEO authorising an urgent wire transfer, and two physical intrusion attempts against the head office and a branch location. All engagements were conducted under signed rules of engagement with executive knowledge limited to the CISO and CFO.
Three Vectors, One Coordinated Assessment
Vector 1 — Spear Phishing
200 targeted employees across finance, operations, and IT. Custom pretext: fake SEBI regulatory notice requiring credential verification via spoofed portal. Executive-personalised variants for C-suite and department heads.
Vector 2 — CEO Deepfake Vishing
AI-cloned CEO voice used to call the CFO’s PA and two finance managers — requesting urgent ₹4.2Cr wire transfer to a new vendor account. Real-time deepfake audio synthesis with scripted urgency and confidentiality pressure.
Vector 3 — Physical Intrusion
Two-person team attempted tailgating at head office server room and impersonation of an IT vendor at a branch. Objective: USB drop, unattended workstation access, and server room entry to test physical security procedures.
Key Findings
What We Found
All findings documented with video/audio evidence, screen recordings, and physical access logs under legal privilege.
46 of 200 employees clicked the phishing link. Finance and operations teams showed 41% and 35% click rates respectively. 12 employees entered credentials into the spoofed portal. SEBI-themed pretexts outperformed generic pretexts by 3.2×. No security alert was raised during the campaign.
The CFO’s PA began the vendor onboarding process for the fraudulent transfer account without verifying the instruction through a secondary channel. One finance manager escalated correctly to the CISO — the only successful detection. Detection rate: 33% (1 of 3 targets). Deepfake voice was not identified as synthetic by any target.
Assessors gained access to the server room corridor via tailgating — no challenge issued by three employees who held doors open. USB device planted on unattended workstation in open-plan area. Branch impersonation was challenged and turned away correctly — branch physical controls rated adequate.
The CEO’s voice was cloned using 11 minutes of publicly available investor call recordings and conference presentation footage. LinkedIn profiles of finance team members provided direct targeting data. Organisational structure, reporting lines, and vendor names obtained from regulatory filings — all publicly accessible.
Engagement Timeline
Phase-by-Phase Execution
OSINT & Reconnaissance
Open-source intelligence gathering on executive profiles, organisational chart, vendor relationships, and publicly available audio/video. Voice samples extracted from investor calls. Finance team mapping via LinkedIn and regulatory filings.
Spear Phishing Campaign
Custom phishing portal deployed on lookalike domain. 200 personalised emails sent over 10 days simulating SEBI regulatory notices. C-suite received executive-grade variants referencing specific regulatory matters. Real-time click and credential capture tracked.
CEO Deepfake Vishing
AI voice synthesis deployed against three finance targets. Calls scripted with realistic urgency, vendor context, and confidentiality framing. PA interaction recorded and used as evidence of transfer initiation risk. Post-call verification procedures (or lack thereof) documented.
Physical Intrusion Attempts
Tailgating attempt at head office — server corridor accessed. USB device planted. IT vendor impersonation at branch — correctly challenged. Video evidence and door access logs reviewed. Security response time measured at each location.
Legal & Regulatory Risk Analysis
Why This Mattered Legally
SEBI Cybersecurity Framework
SEBI’s cybersecurity framework for regulated entities requires tested phishing and social engineering controls. The undetected vishing and physical intrusion represented direct SEBI non-compliance — exposable in an audit or post-incident regulatory enquiry.
BEC Liability — IPC / IT Act
Had the deepfake wire transfer succeeded, the group faced loss of ₹4.2Cr with limited recovery prospects. Under IT Act Sections 66 and 66C — identity theft via electronic means — the attacker is liable; however, internal procedural failure may limit insurance recovery under cyber liability policy exclusions.
DPDPA — Credential Data Breach Exposure
Twelve employees entered credentials into the spoofed portal. In a real attack those credentials could enable access to customer data systems, and a resulting data breach would trigger DPDPA notification obligations and potential DPB proceedings.
IT Act Section 43A — Negligent Data Security
The absence of trained security controls — no challenge culture, no out-of-band verification for wire transfers, no tailgating awareness — constitutes negligent security practice under Section 43A, creating civil liability to customers and counterparties affected by a downstream breach.
Outcomes & Remediation
What Changed After Our Assessment
Mandatory Out-of-Band Verification for All Wire Transfers Above ₹50L
Board-approved policy change: all transfers above ₹50 lakh require a recorded callback to a registered number — voice instructions from any channel are insufficient alone.
Deepfake Awareness Training — All Finance & C-Suite Staff
Mandatory training programme on AI voice synthesis detection, vishing red flags, and verification protocols. Embedded in onboarding and SEBI annual training requirements.
Physical Access Controls Upgraded — Head Office Server Corridor
Mantraps and anti-tailgating vestibule installed at server corridor. Challenge culture policy implemented. Security guard briefings updated. USB port blocking deployed on all unattended workstations.
SEBI Cybersecurity Framework Compliance Documented
Assessment report and remediation evidence submitted to Board Risk Committee and filed in readiness for SEBI audit. Phishing simulation programme institutionalised on quarterly basis.
Why Choose SIRI Law LLP
Unique Advantage
Legally privileged engagement — findings protected from regulatory disclosure
Real deepfake voice synthesis capability — not simulated awareness exercises
SEBI, RBI, AMFI regulatory context integrated into every finding
Legal + technical team — policy changes drafted and implemented same engagement
Director GRC & Legal — Adv. Chetan Seripally
Is Your Human Layer Your Weakest Link?
Contact SIRI Law LLP for a confidential social engineering assessment scoping call.