Navigating the deepfake dilemma: how businesses can protect themselves
Unlike phishing, which has been a well-known threat for years and is now better understood by the public, deepfakes represent a newer, potentially more insidious threat. Is your organisation prepared to face the challenges posed by this evolving technology?
Introduction: The reality of deepfakes
Talk of deepfakes has been circulating in tech circles for some time, often seen as a novelty—perhaps a way to turn yourself into a celebrity or enjoy a laugh at a friend's expense. However, as more organisations are discovering, deepfakes pose a very real and present threat, far beyond harmless entertainment. Many perceive this technology as a future concern; the risks are upon us now, challenging the readiness of organisations worldwide.
The new threat landscape
Unlike phishing, which has been a well-known threat for years and is now better understood by the public, deepfakes represent a newer, potentially more insidious threat. Is your organisation prepared to face the challenges posed by this evolving technology?
The real business impact of deepfakes
While it may still seem like science fiction to some, deepfakes have already begun to impact businesses in significant ways. A stark example is the recent Arup deepfake video scam, where fraudsters used manipulated video and audio to impersonate a company executive, tricking the finance team into transferring $20 million to a fraudulent account. This incident highlights the severe financial and reputational damage deepfakes can inflict on even the most robust organisations.
The potential misuse of deepfakes extends across various business functions, from fraudulent corporate communications to undermining trust in digital content. With deepfakes, attackers can seamlessly blend truth and fiction, making it increasingly challenging for businesses to discern reality from deception.
Crafting realistic deepfakes
At A&O IT Group, our cyber division has combined commercially available software with our proprietary research and development efforts to create realistic deepfakes that can operate in real-time, both in audio and video formats. Our experiments have demonstrated the capability to bypass facial recognition on banking applications and to engage in real-time conversations designed to manipulate targets in social engineering projects. Importantly, all the resources used to create these deepfakes were drawn from publicly available information, underscoring the accessibility and threat of this technology.
Senior executives are particularly vulnerable due to their increased visibility online. Their voices and images are often widely accessible through shareholder meetings, marketing materials, and public speaking events like TED Talks. This abundance of data makes them prime targets for deepfake attackers.
Transforming identities: A case study
In just an hour, using commercially available software and a mid-range PC, we successfully transformed our security consultant, Michel Ferriera, into a convincing likeness of a well-known celebrity 'Tom.' This transformation included both voice and physical features, with the voice being crafted from a few minutes of audio taken from an interview on The Graham Norton Show. Our synthetic 'Tom' can seamlessly join and participate in live calls, delivering real-time audio and video that mirrors the actual celebrity's appearance and voice with astonishing accuracy. The image below showcases the remarkable realism of the facial features, while other features remain unchanged to highlight the transformation's impact. In both video recordings and live calls, Michel can convincingly appear and sound like Tom, demonstrating the impressive capabilities of deepfake technology.
Building resilience against deepfake threats
To safeguard against the growing threat of deepfakes, businesses must adopt a proactive approach. Here are some strategies to enhance organisational resilience:
1. Enhance awareness:
Educate employees, particularly those in high-risk roles, about the potential threats posed by deepfakes. Regular training sessions focused on recognising and responding to these threats can empower staff to act as the first line of defence.
2. Simulated attacks:
Conduct frequent simulations of deepfake-based attacks to test the effectiveness of training, mimicking techniques used by cyber criminals. This will help identify vulnerabilities and improve upon response strategies.
3. Strengthen verification protocols:
Implement robust verification processes for sensitive communications and transactions. Multi-factor authentication, conditional access, out-of-band verification, and more stringent controls can help confirm the legitimacy of requests and reduce the risk of unauthorised access using stolen credentials.
4. Leverage advanced security technologies:
Utilise AI-driven tools and solutions that detect anomalies in digital content. These technologies can be crucial in identifying potential deepfake content before it causes harm.
5. Layered defence strategy:
Establish multiple layers of protection. If one security control is breached, ensure there are additional safeguarding measures and alerting mechanisms to prevent the further progression of an attack.
6. Develop specific incident response plans:
Establish clear protocols for responding to deepfake incidents. This includes identifying key stakeholders, defining communication strategies, and ensuring rapid response capabilities.
7. Assessment & assurance:
Regularly assess and audit security measures to ensure their effectiveness. Engage third-party experts to provide an independent evaluation of your security posture.
A&O IT Group: Your partner in cyber resilience
At A&O IT Group, we are committed to helping organisations strengthen their defence against cyber threats, including deepfakes. Our team of experts provides comprehensive cyber security solutions tailored to meet the unique needs of your business. Through our innovative approaches and cutting-edge technologies, we empower organisations to build a resilient cyber security posture.
"Deepfakes are no longer the preserve of an advanced cybercriminal with specialist knowledge and an expensive PC. They can now be created by anyone after a couple of hours' research online, using commercially available software and a PC with a reasonable graphics card. It’s important everyone is aware of this threat and has the correct security controls in place.
As deepfake attacks often impersonate senior executives, it is important that these individuals are approachable and can be challenged. A common method to detect some deepfake videos is to ask the person to hold a hand closely in front of their face, as this will often distort the image. However, a more reliable method is to have established security protocols, such as asking specific verification questions to ensure they are who they claim to be."
Richard Hughes, Head of Technical Cyber Security, A&O IT Group
Conclusion
Deepfakes are no longer a futuristic concern—they are a current reality that businesses worldwide must address. By investing in education, technology, and robust security protocols, organisations can reduce their vulnerability to deepfake attacks and ensure continued trust in their operations. A&O IT Group stands ready to support your organisation in this mission, helping you stay ahead in an increasingly complex digital landscape.
For more information on how A&O IT Group can assist in building your cyber resilience, please contact us today. Together, we can fortify your defences against the evolving threats of tomorrow.