CEOs, How Do You Protect Yourselves From Deepfake AI?
Imagine an employee on a Zoom call with their boss and a few colleagues. The meeting is going fine when suddenly the CEO asks the employee to transfer a large sum of money into an account. Having no reason to question the request, the employee makes the transaction—only to learn later that everyone on that meeting was an AI deepfake.
In February, CNN and many other news outlets reported that fraudsters used AI tools to do just that—to pose as a multinational firm’s chief financial officer and other employees on a conference call. They tricked a Hong Kong finance worker into paying out $25 million.
We have entered a new epoch in the Age of Disinformation, that of the deepfake. Bad actors now have the tools to influence politics (a robocall last year of Joe Biden telling voters to stay home during the New Hampshire primary), shame celebrities with sexual images (as was the case with Taylor Swift), and conduct financial fraud (the above story, as well as scammers who are using audio to trick banks into moving customers’ money).
In this story we look at how execs can protect themselves and their companies from this new digital threat.
What is a deepfake?
Fraud on the internet is nothing new. What makes the next generation of deception so scary is the AI tools that give users the ability to replicate people to a degree unseen or heard before, and how accessible and easy to use these tools are.
Deepfakes can duplicate faces, voices, and even entire body movements. In the Hong Kong case, the scammers drew upon easily obtainable photos, videos, and audio samples for their trickery.
In the case of the duped Hong Kong finance officer, he was skeptical upon first receiving a message that mentioned a secret transaction. But when everyone in the call looked and sounded real, he cast his doubts aside.
A recent Axios report predicts that advanced deepfake technology will be available to everyone sometime this year.
Types of deepfakes
Deepfake is an umbrella term for a few different kinds of digital deceptions. Some types include:
Synthetic content. These are entirely fabricated videos or audio recordings of things that never happened, like the Biden robocall.
Impersonation. In this scenario, the scammer substitutes someone’s face or voice in an existing video or audio. This can be used to trick employees into disclosing sensitive information or performing spurious acts.
Audio. Using even limited audio samples, a fraudster can replicate someone’s voice for phone scams, phishing attacks (where callers try to extract your personally identifying details, usually to gain access to your bank account), or impersonating customers.
Hybrid. The more ambitious hacker can combine deepfakes with other cyberattack techniques, making the fraud even more difficult to detect. Other weapons in their arsenal include social engineering/psychological manipulation and malware.
How to protect yourself against deepfakes
“Deepfake technology is incredibly convincing, which means businesses and their employees need to be educated on recognizing a deepfake and defending against it by heightening existing security,” said Kaarel Kotkas, founder and CEO at Veriff, an identity verification company in Tallinn, Estonia.
“Many organizations’ current hybrid work preference provides bad actors with even more opportunities to infiltrate companies. These scams are especially effective when deepfakes are used against an enterprise with disjointed and inconsistent identity management processes and poor cybersecurity.”
Although security experts are expecting a rapid rise in AI-fuelled fraud, there are tools already in place that CEOs and business leaders can use to protect themselves. Here are some key steps you can take to avoid falling victim to an AI deepfake scam:
- Learn about deepfakes and AI. AI is changing rapidly and the deepfakes of today will look like kids’ stuff six months from now. Stay abreast of the latest developments by following news about these technologies so you can know what’s coming down the pike and help you recognize potential red flags.
- Offer training/educate employees and partners. Many people aren’t even aware that deepfakes are a threat, so alert employees, vendors, and partners to its existence so they can be on the lookout for scams. Many cyberattacks are successful because of human error, so encourage employees to trust their gut if they’re unsure of a request or command.
- Share with care. Don’t be an oversharin’ Karen. Be judicious in the kinds and amount of data about yourself that you make available. High-quality photos and videos are live bait to digital outlaws.
- Enable strong privacy settings. Most websites have privacy settings to control who can access your personal information and content. You ignore these at your own peril, particularly in cases of websites used to store photo files and social media platforms.
- Watermark photos. For the photos and videos you do use online, consider adding a digital (and traceable) watermark. Photo-editing sites like Canva offer watermarking services.
- Use multi-factor authentication (MFA). Whether or not you feel threatened by the prospect of a deepfake scam, implementing multi-factor authentication for all of your accounts is just good sense. The extra layer of security means another login step but helps prevent unauthorized access. Other security measures include biometric verification
- Use strong passwords. According to Cybernews, the most popular passwords in 2023 were 123456, 12345678, qwerty, and password. Is this you? If not, congratulations—but using your pet’s name or your mom’s maiden name doesn’t let you off the hook. A strong password should be 16 characters long, contain a random mix of upper-case letters and, well, you know the rest. To remember all these unique passwords store them in a password manager with MFA turned on.
- Keep software up to date. Another pain-in-the-butt for those of us who can’t even keep up with yoghurt expiration dates, keeping devices and software up to date is a necessary evil that gives you the latest security patches and updates.
- Require multiple levels of approval. Make sure more than one person has to sign off on certain actions, such as transferring money over a specified amount.
Scared yet? We don’t want to say that you should be. But for business leaders, educating yourself about a new threat is one way to arm yourself against it. And you should probably have stronger passwords anyway.