Johannesburg, 14 Jun 2023
In late May, someone attacked the Pentagon, the heart of the US military world. A photo showed plumes of black smoke rising from the complex, evoking memories of 9/11 when terrorists attempted to strike the complex with an aircraft.
Only, there was no attack in May. The photo wasn't real. Someone generated the image using artificial intelligence and then hijacked a well-known news brand on social media to spread the false information.
This event shows how deepfakes will change our world and challenge our security. But it's not only used for propaganda and fake news. Deepfakes are becoming alarmingly frequent in cyber attacks and companies must take them seriously. Fortunately, we already know what to do about them.
The rise of deepfakes
Deepfakes use artificial intelligence to produce photo-realistic images and videos, even voices. Anyone can create such material using freely available online services. The trend is deeply concerning, prompting the US Department of Homeland Security to release a guide called Increasing Threat of FAKE Identities to give guidance on the issue.
Criminals are increasingly using these tools. In April, as an example, a scammer in the US tried to stage a kidnapping by using fake voice recordings. Cyber criminals, in particular, are among the most enthusiastic deepfake users, targeting companies and their senior executives. The trend has arrived in South Africa, says Guy Shannon, Liquid C2’s Executive Head of Cyber Security Operations:
"It's already here. This is not pie-in-the-sky, science fiction stuff. We're seeing voice instructions and now even video instructions from C-suite executives, in particular chief financial officers, issuing instructions to the finance department to make payments into bank accounts that are controlled by criminals, and the money gets spirited away."
Deepfakes are not just used to mimic senior executives. Another tactic is to create compromising images or videos of someone to blackmail them. In the high-stakes corridors of power in enterprises where reputation is crucial, even the suggestion of impropriety is enough to scare executives and general users into paying extortion fees or clicking on malicious links, which they wouldn’t normally do.
How to fight the fakes
We have ways to combat the problem at a cyber security level, says Shannon. To understand how, it's helpful to understand how cyber crime has evolved: "Automation and what I call crimeware have really lowered the barrier for entry to become a cyber criminal in terms of the sophistication and skills that you need. You can go into a dark web marketplace and obtain malware kits to open up your own criminal enterprise. It's just so much easier."
Deepfakes used to require specialised skills such as a Photoshop guru, not to mention hours of effort. But new AI services can generate images and videos in seconds, allowing more criminals to use fakes against many more targets, hence the alarming rise in their use. And yet, there's little new going on.
"We can compare deepfakes to business e-mail compromise (BEC). That's when criminals create fake e-mails to trick companies into making payments. They don't even need to break into anyone's system. If they make an e-mail that looks right and use a domain that almost matches the company they are mimicking, they can coerce payment without hacking anything."
This parallel is good news because it shows how companies can fight deepfake threats.
Vigilance and protection
How do we protect companies and their people against deepfakes? The answer hides in this paragraph from the Homeland Security document: "The threat of deepfakes and synthetic media comes not from the technology used to create it, but from people's natural inclination to believe what they see, and as a result, deepfakes and synthetic media do not need to be particularly advanced or believable in order to be effective in spreading mis/disinformation."
Human vigilance is the best counter against attacks using fakes. The easiest and often most effective way to defuse BEC attacks is to pick up the phone and check with the company that supposedly sent the payment request. Likewise, ransomware attacks are stopped when an employee spots a phishing attack attempting to download dangerous software. When vigilance combines with proven cyber security solutions, even deepfakes become a far smaller risk.
Shannon recommends the following steps:
- Do a 360-assessment of the business and identify the most apparent or likely targets;
- Train staff in general security awareness; provide focused training for high-risk groups such as executives and others with authoritative access to company systems;
- Ring-fence the C-suite with special training and specific security protection for their devices;
- Create policies and channels for people to discreetly report and handle attacks using deepfakes, such as blackmailing; and
- Add layered security to impede any successful initial attacks.
"In a way, deepfakes are a lot like ransomware. They are helping raise awareness about security and what we can do to fight back," says Shannon. "Even though the tactics are new, what these guys are doing in itself is not new. The right strategy, policies and awareness can blunt their attacks and see them go looking for other targets."