(This column originally appeared in The Guardian)
Is that really Tom Cruise about to wrestle an alligator? Keanu Reeves dancing like nobody is watching? Or Robert Pattinson getting shade from his cat? No — it’s a deepfake.
Deepfake technology is advanced artificial intelligence that replaces actual video and audio with video and audio that was artificially created from other sources. While it may look like harmless fun on TikTok, it’s also becoming a huge security risk for businesses of all sizes.
According to a just released report from the cloud service firm VMware, deepfake attacks are on the rise.
“Cybercriminals are now incorporating deepfakes into their attack methods to evade security controls,” said Rick McElroy, principal cybersecurity strategist at VMware. “Two out of three respondents in our report saw malicious deepfakes used as part of an attack, a 13% increase from last year, with email as the top delivery method.”
According to McElroy, their new goal is to use deepfake technology to compromise organizations and gain access to their environment. How? By duping employees into thinking they’re dealing with real people.
That’s what happened to a bank manager in Hong Kong, who received deep-faked calls from a bank director requesting a transfer. The impressions were so good that the manager eventually transferred $35m, and never saw it again. A similar incident occurred at a UK-based energy firm where an unwitting employee transferred approximately $250,000 to criminals after being deep-faked into thinking that the recipient was the CEO of the firm’s parent. Deepfakes are being used to dupe people to buy products and the FBI is now warning businesses that criminals are using deepfakes to create “employees” online for remote-work positions in order to gain access to corporate information.
It’s the new security challenge. And considering how much video and audio exists of us online thanks to social media and YouTube it’s not hard for a scammer using readily available tools to make people believe we are saying and doing things that we aren’t — or talking to people that don’t actually exist. Big tech companies like Microsoft and Google have been developing tools to detect these threats and federal legislation is also in the works in an attempt to limit damage. But these steps can only go so far. So how do we protect our businesses from this growing danger?
Training. And controls.
The most common reason for security breaches — deepfakes or otherwise — remains human error. The bank manager, the CEO, the HR person that was duped by the fake remote employee all could have avoided these mistakes if they were better versed in recognizing deepfake scams.
Many of my clients today invest extra in training tools like KnowBe4 or Phishingbox to continuously test their employees’ awareness of potential danger. Others pay IT professionals to keep their staff current with quarterly update sessions. Training is the best first line of defense against these threats.
But training won’t completely protect us against deepfake technologies. That’s why having strong internal controls are now more important than ever. Ensuring that there are multiple layers of approvals required for significant transactions must be a requirement for any business, regardless of size. Owners and senior managers must not be tempted to override these policies as doing so will open the door to potentially unauthorized transactions by mistake.
Like all security threats — spam, viruses, malware and now deepfakes — there will be new technologies to help minimize their impact. But, as ever, we can’t rely on these technologies to fully protect us. As business owners and managers we have to take responsibility for the actions of ourselves, and our employees by making the effort to better understand and recognizing these threats. This isn’t a movie. It’s real life.
