CGj reviews an Institute seminar held in May 2025 that explored how emerging technologies are redefining the landscape of corporate operations – and how innovation is fuelling increasingly sophisticated fraud – as well as what governance professionals can do to stay ahead.

The evolving sphere of digital deception

As technology reshapes every aspect of business, it is also rewriting the playbook for corporate fraud. At an Institute seminar held on 8 May 2025, titled Digital Deception: Navigating Fraud in the Era of Emerging Technology, expert speakers discussed how tools like AI, blockchain and biometrics have become both enablers and defenders of deception.

In the first part of the seminar, Henry Chambers, Managing Director and Co-leader, Disputes and Investigations Asia, Alvarez & Marsal, set the stage with an overview of the technologies reshaping the fraud landscape, and clarified how they are being weaponised against individuals and corporations.

Mr Chambers highlighted four technological domains driving new forms of digital deception – artificial intelligence (AI), blockchain, quantum computing and biometrics. Each, he explained, comes with both extraordinary opportunities and escalating vulnerabilities.

Beginning with AI, Mr Chambers outlined its layered evolution, from machine learning and deep learning to the recent rise of generative AI. These technologies enable machines to perceive, interact, understand and make decisions, driving advances in content creation while also introducing new risks. ‘The longer we spend doing this process, the more realistic these outputs become – and what we also see is fraudsters using the same technologies,’ Mr Chambers said.

AI’s ability to fabricate convincing imagery and voices has already fuelled large-scale scams. Mr Chambers cited a local example in which a finance worker at a multinational firm was incited to send over HK$200 million to fraudulent bank accounts after attending a fake Zoom call, where all participants were AI-generated deepfakes. ‘This incident illustrates how the barriers to entry for a scammer using AI are incredibly low – you now only need a room and the ability to use ChatGPT or its equivalent,’ he said.

Turning to blockchain and cryptocurrency, Mr Chambers described this as ‘a well-trodden path for threat actors’, pointing to anonymity, decentralisation and limited regulation as risk factors. Despite growing awareness, cryptocurrencyrelated fraud remains rampant. ‘My team and I are still making regular calls related to problems generated by investments into crypto or exfiltration from cryptocurrency accounts,’ he said, adding that many scams rely on unrealistic promises such as guaranteed 1,000% returns.

The discussion then turned to quantum computing, an area Mr Chambers characterised as both exciting and problematic. By allowing computers to operate in multiple states simultaneously, quantum technology promises exponential processing power, but could also break the secure hash algorithms that protect our bank accounts, cryptocurrency and even nuclear codes. ‘When quantum computers become mainstream, it will be a global problem that financial institutions will have to address by creating new post-quantum security systems,’ he said.

Mr Chambers also touched on biometric vulnerabilities, remarking that voice and facial recognition systems are no longer foolproof. With personal data and voice samples widely available online, such systems can be easily manipulated. ‘Each of these areas is evolving almost weekly and, as professionals, our challenge is not only to understand how they work, but also how they can and will be used against us,’ he concluded.

The dos and don’ts of digital investigations

Following Mr Chambers’ deep dive into the evolving fraud landscape, Davin Teo, Managing Director and Co-leader, Disputes and Investigations Asia, Alvarez & Marsal, turned to the practical realities of digital investigations in the corporate world.

Mr Teo walked attendees through the dos and don’ts of internal investigations. ‘It’s critical to understand what you can and cannot do legally.’ He warned that without proper consent, especially when employees use personal devices for work, companies risk breaching privacy rules. ‘If someone says “I’ve been doing company work on my personal phone,” we need to ask whether that company has a bringyour-own-device policy. If not, you will need the individual’s consent to check their phone data.’

Another recurring mistake, he noted, is letting internal IT teams collect sensitive evidence. ‘Your IT team can look at data, but you have to be careful,’ Mr Teo cautioned. ‘Metadata – the data about data – can be changed simply by copying a file to a USB stick and that could compromise your evidence.’ He emphasised the importance of maintaining a forensic chain of custody, ensuring that evidence is collected and preserved properly in case it ever goes to court.

Mr Teo also shed light on the new realities of communication data. With multiple platforms such as Teams, WeChat, WhatsApp and others becoming entrenched in business communications, companies must ensure they can access and preserve these datasets when needed. ‘You really need to look internally and ask: “Do we have policies in place to safeguard and retrieve this type of data?”’

The challenge, he added, is compounded by auto-deleting or encrypted messaging apps. ‘These apps are designed to be user-friendly, not investigator-friendly,’ he observed. ‘They’re thinking about how to get rid of data, not how to keep it.’ Still, his team often finds creative ways to retrieve hidden or deleted information by tracing backups across devices, laptops and cloud servers.

Mr Teo urged governance professionals to be proactive. ‘You may never have to deal with an investigation, but if you do, make sure your company has clear policies, proper authorisation processes and a single point of contact. And most importantly, handle data in the right forensic manner,’ Mr Teo suggested.

Turning technology into your ally

Concluding the presentation, Mr Chambers highlighted how organisations can harness emerging technologies as part of the solution, not just as a source of new risks.

He pointed out that many corporations are already leveraging AI within their enterprise resource planning systems to strengthen fraud detection. ‘There is so much data being fed into companies, from finance and human resources to inventory and logistics, that it’s almost impossible for one individual – even a chief compliance officer or internal counsel – to monitor everything, but AI can make that much more efficient.’

Mr Chambers illustrated how machine learning algorithms can be trained to understand what ‘normal’ looks like for a particular business, then flag anomalies in real time. In the same way, AI can detect irregularities in transaction patterns, inventory fluctuations or staffing anomalies, helping auditors and investigators focus their attention on potential red flags.

Turning to biometric and voice authentication, Mr Chambers outlined practical measures to safeguard against impersonation and system compromise. ‘Multifactor authentication remains crucial,’ he said. ‘Don’t just rely on a single input, combine face or voice recognition with PINs or security tokens.’ He added that continuous monitoring, regular software updates and user education were essential to maintaining robust defence systems.

Mr Chambers recommended that companies do not abandon humanbased controls, even as they embrace new technologies. ‘Some of the simplest controls can still be the most effective,’ he said. Referencing the earlier case of a finance worker deceived by an AI deepfake video call, he noted that if someone had simply picked up the phone to confirm the instruction, the fraud could have been prevented.

Professional scepticism

The panel discussion that followed the speaker presentations delved deeper into the human, regulatory and technological dimensions of fraud prevention and digital asset security.

Opening the session, Angelina Kwan, Senior Advisor, IMC Asia Pacific, drew on real-life experiences to illustrate how easily even seasoned professionals can fall prey to scams. She stressed that vigilance and verification were indispensable, especially as fraudsters’ methods have grown more sophisticated. ‘I’ve seen scams from accounting firms supposedly calling in asking for transfers and I’ve seen staff from other offices supposedly calling in asking for money to be moved. But what’s really scary is how easily scammers can obtain your personal or company information, because once they get a bit here and a bit there, they can piece it all together.’

She recalled an incident from a former workplace in which a managing director approved a fraudulent transfer without verifying the caller’s identity. ‘It was just one misstep. It’s so worth it to take additional steps to protect yourself and it’s just one more call, one more check. It’s going to save you a whole lifetime of agony.’

Mr Chambers echoed her view, defining this mindset as professional scepticism. ‘We should be sceptical of everything that is presented to us. It may seem like a sad way to live, but you need to question everything. Don’t robo-click, sign or approve anything without being sure it’s legitimate.’

Mr Teo added that security awareness must extend beyond senior management. ‘Your secretary at the front desk is the gatekeeper to your office,’ he said, recalling how easily his team once talked their way into a client’s data centre during a security audit. ‘It proved how you need to secure things even at that front line.’

Data governance and cybersecurity

As the conversation turned to corporate data governance, Mr Teo highlighted the need to localise and secure data even within cloud environments. ‘Even if your systems are cloud-based, you can still direct them to a particular region and ensure they comply with local data rules,’ he said.

Mr Chambers specified that using third-party AI plugins may inadvertently expose sensitive corporate data. ‘If you’re using an external plugin in your Teams channel, that data is going to someone else,’ he said. ‘You’re exporting company data outside the four walls.’ He recommended that organisations develop or procure in-house AI summarisation tools, rather than relying on external providers.

Ms Kwan raised an important question about the growing concentration of digital assets and corporate data on cloud service providers such as Amazon Web Services. Mr Teo responded that firms should never rely solely on the provider’s assurances. ‘Do your own independent assessment and ask questions. When was your last security audit? How often do you test for vulnerabilities? Do you have twofactor authentication in place?’

Mr Chambers added that, while cloud providers have strong incentives to maintain security, firms must still conduct regular audits and contingency planning. ‘It’s about ensuring you’re comfortable that your cloud provider is fit for purpose,’ he said.

Ms Kwan agreed, recalling her experience as a former global CEO of several exchanges. ‘We hired the best of the best security consultants and worked with firms like Alvarez & Marsal for constant reviews. Having the best staff and continuous checks is what protects you.’

She praised regulators for tightening oversight of the digital asset sector, especially in Hong Kong. ‘Traditional finance is moving into digital assets. Within the next three to five years, every major firm will be offering them. You just have to have your controls in place.’