In a recent statement on March 10, the Federal Bureau of Investigation’s Cyber Division released a Private Industry Notification (PIN) warning of deepfake attacks. The FBI noted that the emerging security threat is a real one, and that “Malicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12-18 months.”
The PIN also warned that “cyber actors may use synthetic content to create highly believable spearphishing messages or engage in sophisticated social engineering attacks,” and offers general guidance for defending your company from these disinformation content campaigns.
This official statement from the United States government agency is just one of the latest confirmations that deepfakes are a serious danger to businesses and other organizations alike. Over the past few years, Technologent's Chief of Information Security Operations (CISO), Jon Mendoza, has initiated a rallying cry against these cybersecurity attacks and is paving the way with regard to data protection and threat prevention best practices within various industries.
In an interview with BuiltIn.com in 2020, Mendoza outlined the current state of phishing attempts, deepfakes and how sophisticated, deceptive and damaging these attacks have become for companies.
“We’re creatures of habits,” Mendoza said. “If I can get you in a state where you’re busy, you’re distracted, and I know all of your habits and your organization’s habits... it could just simply be impersonating an executive, which is most often what we see. Or perhaps impersonating a trusted third party.”
But for those who are still catching up, what is a deepfake exactly?
What is a Deepfake?
In recent years, the emergence of fake news has brought the concept of the deepfake into the public spotlight. Deepfakes use deep learning (machine learning) and artificial intelligence to create, edit, or modify content such as video, audio, or photo artifacts. The intention is to deceive the consumer of information, obfuscating the truth in order to influence behavior or opinion.
Recent examples involve former President Barack Obama, Facebook CEO Mark Zuckerberg, and actor Tom Cruise. Prominent female public figures (celebrities and athletes, for example) have been added to deepfake content in pornography. Potential misuse of deepfakes can extend far beyond smearing one's character or reputation.
We have also seen the rise of business email compromise (BEC) and advancement in social engineering techniques, such as spear phishing. According to the FBI, BEC scams typically run the gamut from bogus invoice schemes to C-level impersonation, account takeover, attorney impersonation, and data theft.
These scams do not normally have attachments or even links for the user to open and activate. Instead, they prey on users' normalcy bias and lack of security awareness. Often the request comes with a sense of urgency and a requirement for immediate, expedient action.
It is easy to see why some people fall victim to these types of scams: they often include communications that appear to come from trusted or authoritative figures such as the CEO, president, or CFO of an organization. The email request might even contain specific information such as the customer's name, a valid invoice number, and the correct dollar amount. These types of scenarios play out every day, and almost none of our technical (security) controls prevent these exploits from succeeding.
3 Best Protective Practices
In the meantime, what can we do to prepare and protect our organizations from sophisticated social engineering techniques?
- Enable and integrate single sign-on and multi-factor authentication for your critical applications and services, if your organization/company has not done so already. Review how your organization provisions and de-provisions its users.
- Ensure that your organization has a robust password policy, one that is not so obtrusive that it is rendered ineffective but not so permissive that it is easy to nullify. Get into the habit of continuously reviewing your policies and guidelines to ensure that they match your organization's culture and users.
- Establish protocols for urgent ad-hoc requests. Perhaps require approval from two key approvers before a request is successfully processed. Consider out-of-band communication channels and using a shared secret/passcode to validate the authenticity of the individual on the other end.
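
The third practice can be enforced in a request workflow rather than left to judgment under time pressure. The sketch below is an added example, not part of the original article: the approver names, the passcode and the `UrgentRequest` class are hypothetical, and it assumes the passcode is read back on a call placed to a number already on file.

```python
import hmac
from dataclasses import dataclass, field

# Hypothetical policy values for this sketch.
APPROVERS = {"ceo", "cfo", "controller"}   # people allowed to approve
REQUIRED_APPROVALS = 2


@dataclass
class UrgentRequest:
    requester: str            # identity claimed in the email, call or video
    description: str
    approvals: set = field(default_factory=set)
    oob_verified: bool = False

    def approve(self, approver: str) -> None:
        # Only named approvers count, and the requester can never approve
        # their own request, so one impersonated executive is not enough.
        if approver in APPROVERS and approver != self.requester:
            self.approvals.add(approver)

    def verify_out_of_band(self, spoken: str, on_file: str) -> None:
        # The passcode is checked on a channel the organization initiated,
        # never on a number or link supplied in the request itself.
        self.oob_verified = bool(on_file) and hmac.compare_digest(
            spoken.encode(), on_file.encode())

    def decision(self) -> str:
        if not self.oob_verified:
            return "hold: requester not verified out of band"
        if len(self.approvals) < REQUIRED_APPROVALS:
            return "hold: needs %d approvals, has %d" % (
                REQUIRED_APPROVALS, len(self.approvals))
        return "release"


def demo() -> list:
    # Constructed scenario: an urgent request that appears to come from the CEO.
    req = UrgentRequest("ceo", "urgent wire for invoice (constructed sample)")
    steps = [req.decision()]
    req.approve("ceo")            # ignored: self-approval
    req.approve("cfo")
    req.verify_out_of_band("tango-7431", "tango-7431")
    steps.append(req.decision())
    req.approve("controller")
    steps.append(req.decision())
    return steps


if __name__ == "__main__":
    print(demo())
```

The request is released only after both conditions hold, so urgency in the message itself cannot shorten the path.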
Introspection is helpful in improving your organization's security posture, as it almost always presents avenues for identifying and remediating gaps in strategy. The defenders are evolving but so are the hackers and the criminals.
If your organization is struggling with protecting its data, or even if your business is currently dealing with the aftermath of a deepfake attack, Technologent's team of cybersecurity experts is here for you. Reach out to us and let's empower your business for today's assortment of ever-evolving challenges.
August 3, 2021