Deep Fakes Move From Internet Meme to Business Threat

Deep fakes are highly realistic manipulated images and edited videos of people, used to spread misinformation and polarize political stances on social media. Now that businesses with a distributed workforce have become dependent on collaboration tools like Zoom, Slack and Microsoft Teams, not even office communication is safe from the threats that deep fakes pose.

As deep fakes grow in popularity, organizations need to prepare employees for how to spot and handle them.

We spoke with Garth Landers of Theta Lake to discuss the threat of deep fakes in more depth and how organizations should approach defending against them.

What is a deepfake and how do you make one?

A deepfake is a video of a person with their face or body digitally altered to appear to be someone else. A deepfake video is typically used maliciously or to spread false information and has been notably used in political battles to spread propaganda and ill will.

The technology to create a deepfake is very available online. There are many online services, applications and sites, some free and some at a cost, with numerous pre-made filters, sounds, and more to choose from. You even have the capability to create a deepfake on your mobile phone.

Deepfakes can be convincing, but they often still have what is called an “uncanny valley” effect. The uncanny valley is the feeling you have when a digital simulation has a resemblance to a human being, but the emotional response doesn’t match.

What are some of the implications of deepfakes?

It's important to point out that although its typical use is malicious, it can be used for good fun, but the implications and worst-case scenarios for everyday mayhem are severe. Let’s look at it from a personal level. For example, elderly mobile users could be duped into thinking they’re speaking with relatives or long-lost friends in an attempt to gain their trust or access to financials. These types of phishing attempts happen every day with audio/voice. The power of video can make fraud even more believable and the leap to the corporate world is not far away. With most of our work being done via virtual meetings and people’s increasingly growing online network of colleagues, partners, and customers, the opportunity for greater cybercrime via deepfakes is real.

Why should organizations beware of deepfakes?

Deepfakes are essentially another vehicle to create mayhem, similar to present-day threats like phishing emails, audio calls, voice phishing (vishing), and text messages (smishing). Unlike communications such as email and texts, deepfakes typically do not carry the potential for viruses or installation of ransomware, but they present potential business impacts that could result in loss of proprietary information, transfer or loss of funds, loss of reputation and a lack of confidence in conducting virtual work.

Thus far, the number of deepfake phishing attempts in the private and public sector has not yet approached the rate of attacks at the “consumer level,” but we can expect that to change. A notable high-profile case involving an audio deepfake phishing attempt, rather than video, proved to be very successful for the fraudster. The employees of an energy company were duped into hearing the AI-produced voice of who they thought was their CEO, resulting in employees sending $243,000 (USD) to the cybercriminals. With recent reports indicating that the number of expert-crafted video deepfakes doubles every six months, deepfakes will become an increasingly common problem for organizations. The technology is getting better, as technology always does, and it's only a matter of time until we see examples of deepfakes that fool users in the virtual workplace.

What can employees and security teams do to be protected against deepfakes?

As always, the most important safeguard for an organization is security awareness training and education for employees and users. In general, there are increasingly good awareness programs circulated on traditional phishing attempts and the vehicles that deliver them, such as email, text and voice, but video is another piece of the puzzle.

From a technology perspective, it's important to use the security features that many unified communications platforms offer. Unfortunately, many organizations disable them due to complexity, and to expedite productivity and collaboration. Compliance and security software, like Theta Lake, allows organizations to take advantage of these native security features, while unifying and simplifying the process, and identifying users who may not belong in the meeting. Integrating security software that monitors communications platforms is just the first step in stopping deepfakes, with the rest of the steps relying heavily on security training and awareness.