The Rising Threat of Deepfakes in Cybersecurity
In recent years, the cyber threat intelligence community has been increasingly alarmed by the rapid proliferation and sophistication of deepfake technology. Originally known for their role in political misinformation campaigns, deepfakes are now a burgeoning concern in the corporate sector due to their potential use in fraud against companies and individuals.
What are Deepfakes?
Deepfakes leverage generative artificial intelligence to create convincing fake audio or video recordings. By using existing audio or visual samples of individuals, this technology can generate new content where the targeted individual appears to say or do things that never actually happened. The realism of these creations is startling, and the ease of making them is equally concerning; numerous websites and apps now allow almost anyone to craft deepfakes without significant technical skill.
Deepfakes in Corporate Fraud
The private sector's alarm is not without merit. One of the earliest reported cases occurred in 2019 when a UK-based company was defrauded by an audio deepfake. An employee was tricked into transferring money to a bad actor who used voice-generating AI to impersonate the company’s CEO. More recently, a finance worker at a Hong Kong-based multinational company was duped into transferring $25 million during a video call rigged with deepfakes of company executives.
These incidents illustrate a chilling evolution in fraud tactics, where deepfakes are used to subvert traditional security measures through executive impersonation. The realism and accessibility of deepfake technology grant malicious actors a powerful tool for deception.
A Recent Real-World Example from LastPass
Even tech-savvy organizations are not immune. LastPass recently detected an attempted deepfake scam targeting one of its trained employees. The employee received calls, texts, and voicemails via WhatsApp featuring a convincing audio deepfake of the company's CEO. Thankfully, due to the unusual communication channel and the presence of social engineering red flags like undue urgency, the employee was skeptical of the authenticity of the communication and did not engage. Instead, they reported the incident to the internal security team, allowing the team to quickly mitigate any potential threats and use the incident to raise awareness.
Lessons Learned and Moving Forward
This experience underscores the need for vigilance and ongoing education about the capabilities and threats posed by deepfake technology. Companies must impress upon employees the importance of verifying unusual or unexpected communications through established, secure channels. It is crucial to remain skeptical of communications that deviate from normal procedures, especially those that create a sense of urgency or pressure.
Proactive Measures and Collaboration
Deepfakes represent a significant and growing cybersecurity threat. It is imperative for organizations of all sizes to understand the risk and implement strategies to protect themselves from this sophisticated form of phishing. Awareness, education, and stringent verification processes are key components in defending against the misuse of this advancing technology.
Reach out if we can be of assistance.