In a recent statement on March 10, the Federal Bureau of Investigation’s Cyber Division released a Private Industry Notification (PIN) warning of deepfake attacks. The FBI noted that the emerging security threat is a real one, and that “Malicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12-18 months.”
The PIN also warned that “cyber actors may use synthetic content to create highly believable spearphishing messages or engage in sophisticated social engineering attacks,” and offers general guidance for defending your company from these disinformation content campaigns.
This official statement from the United States government agency is only just one of the latest confirmations of deepfakes as a serious danger to both business and other organizations alike. Over the past few years, Technologent's Chief of Information Security Operations (CISO), Jon Mendoza, has initiated a rallying cry against these cybersecurity attacks and is paving the way in regards to data protection and threat prevention best practices within various industries.
In an interview with BuiltIn.com in 2020, Mendoza outlined the current state of phishing attempts, deepfakes and how sophisticated, deceptive and damaging these attacks have become for companies.
“We’re creatures of habits,” Mendoza said. “If I can get you in a state where you’re busy, you’re distracted, and I know all of your habits and your organization’s habits... it could just simply be impersonating an executive, which is most often what we see. Or perhaps impersonating a trusted third party.”
But for those who are still catching up, what is a deepfake exactly?
In recent years, the emergence of fake news has brought the concept deepfake to the public spotlight. Deepfake leverages the use of deep learning (machine learning) and artificial intelligence to create, edit, or modify content such as video, audio, or photo artifacts. The intention is to deceive the consumer of information, obfuscating the truth in order to influence behavior or opinion.
Recent examples involve former President Barack Obama, Facebook CEO Mark Zuckerberg, and actor Tom Cruise. Prominent female public figures — celebrities and athletes, for example — have been added to deep fake content in pornography. Potential misuse of deepfake can extend far beyond smearing one's character or reputation.
We have also seen the rise of business email compromise (BEC) and advancement in social engineering techniques, such as spear phishing. According to the FBI, BEC scams typically run the gamut from bogus invoice schemes to C-level impersonation, account takeover, attorney impersonation, and data theft.
These scams do not normally have attachments or even links for the user to open and activate. Instead, they prey on user's normalcy bias and the lack of security awareness. Often the request comes with a sense of urgency and a requirement for immediate, expedient action.
It is easy to see why some people would fall victim to these types of scams, because they often include communications that appear to come from trusted or authoritative figures such as the CEO, president, or CFO of an organization. The email request might even contain specific information such as the customer's name, a valid invoice number, and the correct dollar amount. These types of scenarios play out every day and almost all our technical (security) controls do not prevent these exploits from succeeding.
In the meantime, what can we do to prepare and protect our organizations from sophisticated social engineering techniques?
Introspection is helpful in improving your organization's security posture, as it almost always presents avenues for identifying and remediating gaps in strategy. The defenders are evolving but so are the hackers and the criminals.
If your organization is struggling with protecting its data, or even if your business is currently dealing with the aftermath of a deepfake attack, Technologent's team of cybersecurity experts are here for you. Reach out to us and let's empower your business for today's assortment of ever-evolving challenges.