Why People, Process, Technology are Key.
Verify more and trust less.
What Business Leaders need to know about Deepfake Defense.
There is no silver bullet for Deepfake and no solution is bulletproof. Deepfake is a complex problem that impacts employees and businesses in different ways. Watermarking isn’t a viable option to protect your business, attackers won’t use them.
Deepfakes are not just scams either. They’ve been used in breaches, ransomware attacks and infiltrating organizations.
Many back to the basics controls such as approver requests and secondary verifications will help address this, and is honestly one of your best defenses. But, it’s not infallible by any means.
Read on to understand why and how to address it.
Understanding the threat: Who are They?
First and foremost is understanding your adversary. What is the motivation and how do they operate? Who are they?
With Deepfake the barrier for generating Deepfake is very low, making it easy for anyone to do. As of late 2024, only one photo and a few seconds of audio are needed to train a model for a fairly realistic Deepfake. Video is no longer needed as a source. The advice about monitoring your digital footprint on social media is becoming less effective. Unless, you can eliminate all photos of you, and any examples of your voice being used from the entire internet.
With the barrier being lower, this means your adversary could potentially be any one motivated to commit fraud against an organization. Or, anyone that has ill will towards your business.
Disgruntled employee who wants to smear the image or brand… that’s possible.
Someone that wants your data or trade secrets.. That’s fair game too.
Ransomware attacker trying to get an initial foothold in your organization.. It’s already been done.
The thing to keep in mind, it’s not just scammers that are leveraging AI. It’s also hackers and nation state actors.
Examples:
MGM Ransomware Attack – AI Voice Modulation.
KnowBe4 North Korea Infiltration – Deepfake.
Arup $25 Million Heist – Deepfake.
Your adversary is diverse.
The motivation isn’t always financial either. Access credentials are being targeted. Sensitive data is being targeted, like trade secrets.
We’ve seen Deepfake attacks that are targeted as small as $1,000 towards non-profits and ones as large as multiple millions of dollars targeted towards large multinational corporations.
Any one is potentially a target, and there are numerous motivating factors. It’s largely financial related…. But, credentials and data are being targeted as well.
What do you do? Trust Less and Verify More.
Knowing your risk and exposure is first and foremost. Do not be complacent with this threat and say it’s not going to happen to me. Over 30% of businesses in North America have already been targeted. Globally, Deepfake attacks exploded by 3000% in 2023. It’s not a matter of “if” but when. Taking a proactive approach will potentially save you down the road.
Assess what departments are susceptible and vulnerable to Deepfake. It’s typically the following: Finance, Helpdesk, HR, Data Controllers (Admins.)
Do not assume that your employees are not susceptible because you have processes in place. Our evaluations have revealed that approver requests are not always followed.
Do a comprehensive risk assessment of your organization and what departments are exposed. Larger and Geographically dispersed companies are generally going to be a favorable target. But, again any one is potentially a target. There is no preferred company profile, finance, construction, technology, engineering have all been targeted.
Assess your controls first
Do you have procedures in place for high risk transactions? Like resetting passwords, generating new accounts, wire transfers for funds.
If you do, great! You’re ahead of the curve. But keep reading on.
If you don’t have these procedures and processes in place, you should do that immediately.
Secondary approver processes, and email checks are critical to stopping this. Process and procedures are key.
Having a protected passphrase in place is a good example.
Having a policy in place where a transaction cannot occur unless secondary approval by email.
If you have these in place, keep reading…You’ve taken the most important steps but you’re still not fully covered. You have gaps, and we’ll explain further.
Attack Surface: It’s bigger than you think.
Your attack surface for Deepfake is expanded. It’s far more broad and much more diverse. The assumption this is an email based threat is incorrect. It’s through social media, SMS, phone calls, email, video conferencing…
Bad News, you don’t have security tools in place on some of these. Your EDR is not going to prevent a phone call. So, you have to rely on corporate policy and awareness training.
This leaves your employees exposed and vulnerable.
Attackers are increasingly turning to mobile devices and social media.
You have an expanded attack surface, with less tools to protect your users. Phone calls, SMS, audio file via social media like WhatsApp.
What can you do?
People Always First: Awareness Training
People should always be first, but especially true with Deepfake. People are your greatest asset, invest in their education. User awareness training is fundamental, it helps protect users not only in the workplace but at home too.
This is especially true with Deepfakes.
Why awareness training is important: In some cases there is no other line of defense.
The notion that employees are your last line of defense is true. But, they’re also your first in many cases. Phone calls, SMS, Social Media are a few examples.
Awareness is the best tool to empower your employees. Education, awareness, policy and procedures.
Your employees faced with Deepfake are susceptible. User awareness training is your first tool in the arsenal and most powerful.
Great! So, we’re good… We have procedures and controls in place to stop Deepfake and educated our employees. We should be fine..
Not quite.
Processes: Do they work?
MGM was a $100,000,000 breach that could have been prevented if someone picked up the phone and tested the help desk by calling. The process and procedure didn’t work.
With Deepfake, you can potentially bypass some of these procedures. As an example, if you have biometrics in place to verify transactions remotely like facial recognition… Are these vulnerable? Voice Authentication?
Uh oh…
These may work, they may not..
Only way to know is by testing them. Pick up the phone and verify them.
More bad news.
Your employees, they don’t always adhere to policies and procedures. They are busy, and corporate policy isn’t always top of mind. They can be tricked.
We’ve seen in our testing that the approver requests are skipped when presented with a deepfake.
Why?
Because in some cases the person of authority that’s being Deepfaked overruled that secondary verification check.
Are your employees going to challenge a Deepfake of their CEO? The answer is not always. Why challenge the CEO if they are clearly telling you to do something? Add in a layer of urgency and your employees may fall victim.
So, you need to test those controls as well and your employees.
What do we do?
We test them both at once. We verify they work. We find employees who are vulnerable and educate them.
Recap: You have policies and procedures in place. You’ve educated your employees. You’ve tested both against Deepfake.
Great! I’m all done right? Don’t have to stress anything else.. Right??
Almost.
What do your employees do when they are faced with a Deepfake? Do they have the right escalation path in place? What do you do when you’ve been targeted with a Deepfake? How do your employees know that it is actually a Deepfake?
Do you have an incident response plan that is able to handle Deepfakes?
Technology
This is where we can help the most. We give employees and organizations a line of reporting suspected Deepfake to us directly for verification.
We can perform digital analysis on content and verify and debunk.
This also gives evidence which can be used to take corrective action against it.
Finally, we have the ability to help employees during conference calls to be able to detect Deepfake in real time during meetings. Prompt them to verify and challenge a transaction.
Sadly, as Deepfake becomes more realistic these technologies will become more needed.
As many awareness companies have eluded to look for glitches and irregularities.. Those won’t exist in the very near future.
If a Deepfake attack occurred against your organization today, what would you do?