Cyber Incident Victim: Centrica
Date: Mar 2019
Location: United Kingdom
Summary
Fraudsters utilized AI-based voice impersonation to mimic a German executive's voice, deceiving a UK energy firm's CEO into authorizing a €220,000 transfer to a fraudulent Hungarian supplier. The attackers made three calls, initially demanding urgent payment, later falsely claiming reimbursement, and attempting a second transfer that was thwarted when the executive noticed discrepancies. The stolen funds were routed through Mexico and dispersed, with no suspects identified. This incident highlighted emerging AI-driven social engineering threats, bypassing traditional cybersecurity defenses, as commercial voice-generating tools enabled realistic spoofing without requiring advanced technical expertise.
Description
In March 2019, criminals executed a voice impersonation attack against a U.K.-based energy firm using artificial intelligence to mimic the voice of the CEO of its German parent company. The attackers placed a phone call to the U.K. CEO, who believed he was speaking with his superior due to the accurate replication of the German executive’s accent and speech patterns. The impersonator urgently instructed the U.K. executive to transfer €220,000 ($243,000) to a Hungarian supplier within one hour, presenting the request as time-sensitive. The executive authorized the payment. Following the transfer, the attackers called a second time, falsely claiming the parent company had reimbursed the funds. Later that same day, they initiated a third call—this time from an Austrian phone number—again impersonating the CEO to demand a second payment. The U.K. executive grew suspicious because the promised reimbursement had not materialized and the call came from an Austrian number, and he declined the additional transfer. Investigators later traced the initial transferred funds from Hungary to Mexico, where the money was dispersed to other locations. Law enforcement did not identify any suspects, and the police investigation concluded without involvement from Europol.

The incident resulted in a direct financial loss of $243,000, which was fully covered by the victim company’s insurer, Euler Hermes Group SA. This case marked one of the first publicly confirmed cybercrimes involving AI voice-spoofing technology, highlighting vulnerabilities in traditional cybersecurity defenses that lack mechanisms to detect synthetic audio. Euler Hermes noted no prior claims involving AI-enabled fraud, underscoring the novelty of the attack method at the time. Cybersecurity experts confirmed that commercially available voice-generation software enabled the attack, requiring no advanced technical expertise to deploy. The attackers exploited publicly accessible voice recordings to create a convincing deepfake, though the exact method—whether real-time AI interaction or stitched audio samples—remained unverified. In response, cybersecurity firms accelerated development of deepfake detection tools, while organizations faced heightened awareness of social engineering risks posed by AI-synthesized media. The U.N. Interregional Crime and Justice Research Institute emphasized the potential escalation of such threats if combined with video manipulation, which could further undermine authentication protocols reliant on visual or auditory recognition. The case demonstrated operational limitations in tracing cross-border financial flows linked to AI-driven fraud, as jurisdictional complexities hindered recovery efforts.
