The art of deepfake is one that has become increasingly nuanced in recent years. Wikipedia describes the process as “synthetic media in which a person in an existing image or video is replaced with someone else’s likeness”.
The tools for creating the synthetic images are developing quickly, often more quickly and resulting in higher quality end results than even major motion picture giants. Such is evidenced when Lucasfilm hired the visual artist who improved their Luke Skywalker likeness in “The Mandalorian” television show.
Deepfake is very commonly used in comedic situations, including tricking Justin Beiber as to Tom Cruise’s guitar skills or other social media, but can also be used in a more nefarious manner. Some not-so-funny examples include inappropriate celebrity or revenge videos, fake news stories, and hoax/conspiracy events. Anecdotal evidence points to a trend of deepfake use for bullying among school aged children. And, additionally, there is room for criminal activity in deepfake impersonation and fraud.
Recently, the IT world was shaken by a sophisticated attack utilizing an audio deepfake. By combining with a stolen email credential, the malicious actors stole $35 million from a United Arab Emirates (UAE) company. The voice-changing software impersonated a lawyer representing the company director and targeted a branch-level manager. This is the second major known IT attack: the first happened in 2019 and cost a German company approximately a quarter million Euros.
While it can be difficult to resist an attack of this magnitude, there are several strategies to be employed in order to significantly mitigate risk. Many of these will be policy creation that creates a layered approach:
- Employ zero-trust policies as a standard. This can be slightly inconvenient in the day to day operation of a business, but maintaining security only sometimes—even most of the time—is not an acceptable risk, whether related to IT or otherwise.
- Make use of passcodes and security questions that cannot be easily accessed via the web or a personal biography. The willingness of bad actors to learn details related to common security questions should not be underestimated…and in fact, very often we give away the answers to security questions on our own. This is called OSINT in the hacker community, or Open Source Intelligence.
- Include copious amounts of common sense in your policy. If any transaction is unusual in some way, how can it best be checked? Asked another way: what should happen if a transaction falls outside of normal circumstance, whether in timing, recipient, or amount?
- Train your staff to be ready for a deepfake situation. Don’t allow a call or video from bad actors be the first exposure to the technique!
Don’t be in a position where a deepfake will catch you or your business off-guard. If you’re not sure where to start, please CONTACT US and we can set up some consulting time for our security experts to guide you…if it’s even them on the other side of the screen! (Just kidding….it will be. I think.)