Why your organization should plan for deepfake fraud before it happens?

Some teens floss for a TikTok dance challenge. A couple posts a vacation selfie to let friends know about their travels. A budding influencer uploads their latest YouTube video. Everyone is unconscious adding fuel to an emerging fraud vector that can become a huge challenge for both companies and consumers: deepfakes.

Deepfakes defined

Deepfakes take their name from the underlying technology: Deep learning, a subset of artificial intelligence (AI) that imitates the way people acquire knowledge. With deep learning, algorithms learn from huge data sets, without the help of human supervisors. The larger the data set, the more accurate the algorithm is likely to become.

Deepfakes use AI to create highly convincing video or audio files that mimic a third party, e.g. a video from a celebrity say something they didn’t actually say. Deepfakes are produced for a wide variety of reasons – some legitimate, some illegal. These include satire, entertainment, fraud, political manipulation and the generation of ‘fake news’.

The danger of deepfakes

The threat of deepfakes to society is a real and present danger because of the clear risks associated with being able to put words in the mouths of powerful, influential or trusted people such as politicians, journalists or celebrities. In addition, deepfakes also pose a clear and increasing threat to companies. Among which:

• Extortion: Threatening to release falsified, compromising images of an executive to gain access to company systems, data, or financial resources.
• fraud: Using deepfakes to impersonate an employee and/or customer to access company systems, data, or financial resources.
• authentication: Using deepfakes to manipulate ID verification or authentication that relies on biometric data such as voice patterns or facial recognition to access systems, data or financial resources.
• Reputation risk: The use of deepfakes to damage the reputation of a company and/or its employees with customers and other stakeholders.

The impact on fraud

Of the risks associated with deepfakes, the impact on fraud is one of the most worrisome for businesses today. This is because criminals are increasingly using deepfake technology to offset the declining revenues of traditional fraud programs, such as phishing and account takeover. These older types of fraud have become more difficult to execute as anti-fraud technologies have improved (for example, through the introduction of multi-factor authentication callback).

This trend coincides with the rise of deepfake tools made available as a service on the dark web, making it easier and cheaper for criminals to launch such fraud programs, even if they have little technical understanding. It also coincides with people posting massive amounts of images and videos of themselves on social media platforms – all great input for deep learning algorithms to become more and more persuasive.

There are three major new types of fraud that enterprise security teams need to be aware of:

• Ghost fraud: Where a criminal uses a deceased person’s details to create a deepfake that can be used, for example, to access online services or apply for credit cards or loans.
• Synthetic ID fraud: Where fraudsters mine data from many different people to create an identity for a person who does not exist. The identity is then used to apply for credit cards or to carry out large transactions.
• Application Fraud: Where stolen or fake identities are used to open new bank accounts. The criminal then maximizes the associated credit cards and loans.

There have already been a number of high-profile and expensive fraud programs that have used deepfakes. In one case, a fraudster used deepfake speech technology imitate a manager who was known to a bank branch manager. The criminal then defrauded the bank for $35 million. In another case, criminals used a deepfake to imitate the voice of a chief executive and demanding a fraudulent transfer of €220,000 ($223,688.30 USD) from the executive’s junior officer to a fictitious supplier. Deepfakes are therefore a clear and present danger, and organizations must act now to protect themselves.

Defending the Company

Given the increasing sophistication and prevalence of deepfake fraud, what can companies do to protect their data, their finances and their reputation? I’ve identified five key steps that all businesses should take today:

1. Plan for deepfakes in reaction procedures and simulations. Deepfakes should be included in your scenario planning and crisis testing. Plans should include incident classification and outline clear incident reporting, escalation and communication procedures, especially when it comes to mitigating reputational risks.
2. Train employees. Just as security teams have trained employees to detect phishing emails, they must likewise raise awareness of deepfakes. As in other areas of cybersecurity, employees should be seen as an important line of defense, especially given the use of deepfakes for social engineering.
3. Provide secondary verification procedures for sensitive transactions. Do not trust; always verify. Provide secondary authentication or callback methods, such as watermarking audio and video files, step-up authentication, or double checking.
4. Provide insurance protection. As the deepfake threat grows, insurers will no doubt offer a wider range of options.
5. Update risk assessments. Integrate deepfakes into the risk assessment process for digital channels and services.

The future of deepfakes

In the coming years, technology will continue to develop and it will become more difficult to identify deepfakes. As people and businesses move to the metaverse and the web3, avatars are likely to be used to access and use a wide variety of services. Unless adequate protection is in place, these are digitally native avatars will probably be easier to fake than people.

But just as technology advances to exploit this, it will also advance to detect it. For their part, security teams need to keep abreast of new developments in detection and other innovative technologies to help combat this threat. The direction of travel for deepfakes is clear, companies should prepare now.

David Fairman is the chief information officer and chief security officer of APAC at Netskope.