Is Tom Cruise really ready to fight an alligator? Is Keanu Reeves dancing like nobody’s watching? Is Robert Pattinson being shadowed by his cat? No – it’s a deepfake.
Deepfake technology uses advanced artificial intelligence to replace actual video and audio with video and audio artificially created from other sources. While it may seem like harmless fun on TikTok, it’s also becoming a major security risk for businesses of all sizes.
According to a newly released report from cloud service firm VMware, deepfake attacks are on the rise.
“Cybercriminals are now incorporating deep spoofing into their attack methods to avoid security controls,” said Rick McElroy, chief cybersecurity strategist at VMware. “Two out of three respondents to our report saw malicious spoofing used as part of an attack, an increase of 13% from last year, with email as the best delivery method.”
According to McElroy, the attackers’ new goal is to use deepfake technology to compromise organizations and gain access to their environments. How? By tricking employees into thinking they are dealing with real people.
This is what happened to a bank manager in Hong Kong who received fake calls from someone posing as a bank manager and requesting a transfer. The impersonation was so good that the manager ultimately transferred $35 million and never saw him again. A similar incident occurred at a UK-based energy firm, where an unwitting employee transferred approximately $250,000 to criminals after being tricked into thinking the recipient was the parent firm’s CEO. Deepfakes are being used to trick people into buying products, and the FBI is now warning businesses that criminals are using deepfakes to create online “employees” for remote work positions in order to gain access to corporate information.
This is the new security challenge. And considering how much video and audio of us exists online thanks to social media and YouTube, it’s not hard for a con artist to use readily available tools to make people believe we’re saying and doing things we’re not, or that we’re talking to people who in fact do not exist. Big tech companies like Microsoft and Google have developed tools to detect these threats, and federal legislation is also in the works in an effort to limit the damage. But these steps can only go so far. So how do we protect our businesses from this growing risk?
Training. And controls.
The most common reason for security breaches – deepfakes or otherwise – remains human error. The bank manager, the CEO, the HR person who was scammed by the fake remote worker, all could have avoided these mistakes if they had been better able to recognize deepfake scams.
Many of my clients today invest more in training tools like KnowBe4 or PhishingBox to constantly test their employees’ awareness of potential risk. Others pay IT professionals to keep staff current with quarterly update sessions. Training is the best first line of defense against these threats.
But training will not fully protect us against deepfake technologies. That’s why having strong internal controls is now more important than ever. Requiring multiple layers of approval for important transactions should be mandatory for any business, regardless of size. Owners and senior managers should not be tempted to override these policies, as doing so will inadvertently open the door to potentially unauthorized transactions.
Like all security threats – spam, viruses, malware and now “deepfakes” – there will be new technologies to help minimize their impact. But, as always, we cannot rely on these technologies to protect us completely. As business owners and managers, we must take responsibility for the actions of ourselves and our employees by making efforts to better understand and recognize these threats. This is not a movie. It’s real life.