While phishing is most commonly executed via emails, it has now evolved into utilizing voice (vishing), social media, and SMS in order to seem more legitimate to the victims. With deepfakes, phishing is reemerging as the most severe type of cybercrime.
What are Deepfakes?
According to Steve Durbin of the Information Security Forum, deepfake technology (or deepfakes) is "a kind of artificial intelligence (AI) capable of generating synthetic voice, video, pictures, and virtual personalities." Users may already be familiar with this via their smartphones, consisting of apps that tend to revive the dead, exchange faces with famous persons, and produce effects that are quite lifelike like de-aging Hollywood celebrities.
Although deepfakes were apparently introduced for entertainment purposes, threat actors later utilized this technology to execute phishing attacks, identity theft, financial fraud, information manipulation, and political unrest.
Recently, deepfakes are being created by numerous methods, such as swapping (an individual’s face is superimposed upon another), attribute editing, face re-enactment, or entirely artificial content in which a person’s image is entirely made up.
One may assume deepfake as a futuristic concept, but a widespread and malicious use of deepfakes is in fact readily available and being used in reality.
A number of instances of deepfake-enabled phishing have already been reported, such as:
- AI voice cloning technology conned a bank manager into initiating wire transfers worth $35 million.
- A deepfake video of Elon Musk promoting a crypto scam went viral on social media.
- An AI hologram, impersonating a chief operating officer at one of the world’s biggest crypto exchanges on a Zoom call and scammed another exchange into losing all their liquid funds.
- A deepfake make headlines, showing former US president Barack Obama speaking about the dangers of false information and fake news.
How Can an Organization Protect Themselves from Deepfake Phishing?
Deepfake phishing could be the reason for massive damage to businesses and their employees. Businesses could face harsh penalties and a higher risk of financial fraud. Since deepfake technology is currently widely available, anyone with even the smallest bad intent may synthesize audio and video and carry out a sophisticated phishing assault.
The following steps must be followed to ensure prevention.
- Conduct sessions regarding security awareness, so that the employees could understand their responsibility and accountability pertaining to cybersecurity.
- Run phishing simulations to expose employees to deepfake phishing so they may learn how these frauds operate.
- Implement technologies such as phishing-resistant multi-factor authentication (MFA) and zero-trust in order to mitigate risks of identity fraud.
- Encourage people to report suspicious activities and check the credibility of requests, especially if they involve significant money transactions.
One could not possibly prevent activities like deepfakes from happening, but the risks can still be mitigated by taking certain measures such as nurturing and developing cybersecurity instincts among employees. This will ultimately reinforce the overall cybersecurity culture of the organization.
