BOFH: Deepfake or just an idiot? We'll need an audit to confirm
The Boss gets locked out by his own two-factor mousetrap
Episode 15

"I... seem to have... uh, forgotten my password," the Boss burbles over the phone glumly. "I changed it the other day and I was pretty sure I put the new password in my password vault, only the password won't work."
">clickety< Did you try the reset password option?" I ask.
"Yes. Yes, I did. I clicked on the link to say that I'd forgotten my password – even though I don't think I did – and it said it would email me a link to reset my password.
"And did it?"
"I don't know – I can't get into my email because that's the password I forgot."
"OK, so you must have a backup email that you can send recovery information to?"
"I do, yes. But that's my personal email and it has two-factor authentication, and the default two-factor authentication thing sends a verification message to my work email address. That I can't get into."
AH, THE SWEET SWEET SOUND OF A TECHNOLOGICAL BACKFIRE!
"Hmm. >clickety-click< OK, so just to clarify. You've forgotten your password for your work email, so it's sent a recovery email message to your personal email, only you can't get into your personal email because your two-factor method for your personal email was to send an email to your work email to confirm a login to your personal email?"
"Ahhhm. Yes. I know it sounds stupid. But I only need the two-factor thing if I'm trying to access my personal email from a new location."
"And where are you now?"
"I'm at home."
"How did you forget your password in the first place?"
"I didn't. My phone got damaged and so I had to get a replacement. While I was waiting for my replacement, I needed to log into my work email to get some information on a Zoom call, but I didn't have access to my password vault, so I used the forgot-my-password email, which sent email to my personal email, which I could get into at home."
"So surely you can still get into your home email to validate your work email if that's the case?"
"Well, no. When I got my new phone, I thought that it was a good opportunity to update my home email password, but I didn't have my password vault because I didn't have my replacement phone, and I'm sure I wrote it down OK, but it doesn't work."
"Hmm. >clickety-click-click< Does it not work, or is it because now you have a replacement phone with a password vault that has your old password in it?"
"I don't know – but I was wondering if you could reset my work password?"
>clickety tappity tap<
"Done. That'll be... 50 quid. If you can just send that cash through. I assume you still have access to your banking app?"
"You can't charge me to reset my password!"
"Oh, we don't charge for password changing. We charge for the security audit we're going to have to do."
"What security audit?"
"Well, you broke your phone, you can't remember your passwords, and you can't seem to use your two-factor authentication. How do we know you're not a deepfake?"
"A what?"
"A deepfake. You could be a bot."
"I'm not a bloody bot."
"That's just what a bot would say. >clicky<"
"What was that noise? Are you typing?"
"No, no, I'm just ticking off red flags on the AI fake checklist. A phone call from an apparent colleague asking for some access changes – CHECK. Mention of lost credentials – CHECK. Claims they can't use established and trusted two-factor authentication methods – CHECK. Claims to have recently lost their phone – CHECK. I mean, the only two red flags you haven't raised are 'Claiming to have had to leave the country on an urgent trip' and 'Offering a share of the profits of a Nigerian land transfer deal.' My hands are tied, I need to do an audit."
"OK, just do the bloody audit then," the Boss snaps down the phone.
"I'll still be needing that 100 quid."
"100 quid! You said 50 quid."
"Yes, I said 50 quid before you said you weren't a bot. Claiming not to be a bot increases the threat level. Just think yourself lucky you didn't mention your Nigerian land deal."
"I don't have a Nigerian land deal!"
">clicky< No, of course not. So, if you just send me that 200 quid."
"200 QUID!?"
"Yeah, you said Nigerian land deal."
"No I didn't!"
"You did, just now."
"NO I DIDN'T!"
"You did. I heard you say it."
"YOU SAID IT! I SAID I DIDN'T HAVE IT!"
"Have what?"
"THE NIGERIAN LAND DEAL!"
">Clicky< OK then. So there's just that 250 quid."
"250 QUID!!"
"Well, you said it twice. Luckily we can do this audit and clear that up. Before you leave the country."
"..."
The Boss seems to have cottoned on to what will happen if he mentions leaving the country.
"Why should I pay for an audit?" he seethes.
"It's a validity check. If you send money, I know that you're legit. A scammer wouldn't send money."
"So I'd get the cash back?"
"Of course."
"OK. Well, in that case, I need your bank details, now, as I need to get in to join a Zoom meeting..."
I send my information on and lo and behold the Boss makes the appropriate payment.
...Later that day...
>Ring<
"Hello?"
"Right, can you send my money back now?"
"Who is this?" I ask.
"YOU KNOW VERY WELL WHO IT IS. I WANT MY 250 QUID BACK."
"I already sent it to you."
"No you didn't."
"I did."
"There's nothing in my account."
"You've checked? And it's nothing to do with the different banking hours between here and Nairobi?"
"Nairobi?"
"Yeah – where you wanted your money sent when you called back earlier."
"I didn't call back earlier!" the Boss gasps.
">clickety< >clickety< >tap< Really?"
"Wait, what did you just do?"
"I locked your work account. If it's indeed you."
"You know it's me!"
"Hmmm. I think I'm going to need to do a security audit..."