The Next Step in Social Engineering: Deepfakes

Deepfakes have made the news numerous times in the last few years for good reason: they are becoming more and more sophisticated and more realistic. What are deepfakes? At their core, they are forgeries of images, video, or audio recordings. They have been around for a very long time but are only now becoming advanced enough to move out of the uncanny valley and actually fool people into believing that they are real.

Inherently, there is nothing wrong with using or creating a deepfake. Snapchat, for example, uses many filters that alter faces by running real-time input data through an algorithm. Unfortunately, for every good use, someone will come up with (or already has come up with) a nefarious use as well. This technology has been used to impersonate influencers, political figures, and others in both real-time and recorded media.

For businesses, the idea can be applied to phishing schemes in which bad actors try to deceive employees in order to obtain sensitive information. This could be done through email (as was commonplace in the past), but the idea is now increasingly being applied in more complex ways. One such way could be the creation of a video or audio clip impersonating the CEO of a company that tricks employees of that company into taking some kind of action that will benefit the scammer.

The unfortunate reality is that humans are always the weakest link in the security chain when it comes to social engineering. Even with the best computer protections in the world, fooling the right person can often open every door for a criminal to get in and do whatever they want. Deepfakes make that threat even more real than it was before.

When it comes to actually protecting your business from the dangers of deepfake schemes, the following are good starting points:

  • Utilize detection software: Not only is AI being used to create and enhance deepfakes, but it is also being used to detect them. Many larger corporations are already putting this type of software in place to automatically remove deepfakes from their platforms after detection.
  • Establish a strategy for response: In the event that your company becomes the target of an attack, a plan needs to be in place for how to handle it. The strategy should focus on mitigating the crisis while clearly outlining escalation, communications, and individual responsibilities.
  • Train employees: The first line of defense against any sort of social engineering scheme, deepfakes included, is going to be the employees within the organization. Train people to understand what deepfakes are and how they might be used against the organization.
