If you saw a deepfake of your company’s CEO, would you be able to tell it wasn’t real? This is a concerning challenge that organizations around the globe are dealing with on a frequent basis. In fact, just recently, an advertising giant was the target of a deepfake of its CEO. A publicly available image of the executive was used to set up a Microsoft Teams meeting in which a voice clone of said executive – sourced from a YouTube video – was deployed. While this specific attack was unsuccessful, it paints a larger picture of the emerging tactics cybercriminals are using with publicly available information – and this is just the tip of the iceberg.
Technology has become so sophisticated that only about half of IT leaders today have high confidence in their ability to detect a deepfake of their CEO. Making matters worse, cybercriminals are not only impersonating CEOs, but the entire leadership team, with CFOs becoming popular targets, as well. Deepfakes are becoming increasingly easy to create. In fact, a quick Google search of “how to create a deepfake” produces various articles and YouTube tutorials on exactly how to create one. Costs are becoming negligible, meaning that deepfakes are essentially the new spam calls.
Spam calls are all too common today. In fact, the Federal Communications Commission (FCC) claims that U.S. consumers receive approximately 4 billion robocalls per month, and advancements in technology make them extremely cheap and highly lucrative, even with a low success rate. Deepfakes are following suit. Cybercriminals will utilize deepfake technology to trick unsuspecting employees even more so than they are today, and deepfakes will eventually become an everyday occurrence for the average consumer. Let’s explore strategies that leaders can implement to best protect their organization, employees, and customers from these threats.
Establish Strong Guidelines
First, leaders need to establish strong guidelines within their organization. These guidelines need to come from the very top, starting with the CEO, and be communicated frequently. For example, the CEO needs to firmly explain to the entire company that they will never make an odd or random request of an employee, such as buying several $100 gift cards – a frequent phishing tactic. These attacks are often successful because they appear to come from leadership and aren’t questioned. However, as CEO deepfakes become more common, we are becoming more aware that such requests may, in fact, not be real. As a result, I anticipate these attacks will work their way down the organization to include VPs, Directors, front-line managers and even peers.
Just think: having a peer or your immediate manager make a request of you is pretty common. Why would you have a reason to question it? Guidelines can also cover the use of deepfake tools within your organization, including banning their use on company-owned technology. Setting these guidelines and guardrails is just the first step.
Confirm Requests Through Multiple Channels
Second, when requests do need to be made, there should be a strategy in place to confirm them via multiple modes of communication. For example, if a request comes from the CEO over email, it should be followed up via the instant messaging platform used in the workplace. If there is no follow-up, the employee should either ignore the request or proactively confirm it over Slack themselves, then notify internal security teams per their security policy. Similarly, a request might be made in a Teams meeting, as in the tactic used against the advertising company. That request then needs an email confirmation and/or a Slack confirmation, or better yet, confirmation via a quick phone call if walking over to the requester’s physical desk is not an option. The key is that the confirmation travels over a channel the requester did not choose, so an attacker who controls one channel cannot also supply the confirmation. These processes should be communicated often and to the entire organization to keep them top of mind. Then, when an attempt becomes known, establish a process to share the example broadly throughout the organization to build pattern recognition of the types of threats everyone should be aware of.
Hold Frequent Trainings
Third, organizations should implement frequent company-wide training to keep deepfakes, and other types of identity fraud attacks, at the forefront of employees’ minds. These are helpful for a few reasons. An employee may not even know what a deepfake is or know that voices and videos could be faked. Additionally, employees may defer to the “out of sight, out of mind” mindset – if deepfakes aren’t top of mind, they may easily fall victim to an attack. Research shows that employees who received cybersecurity training demonstrated a significantly improved ability to recognize potential cyber threats.
Deepfakes aren’t going anywhere, and they are becoming increasingly frequent and hard to detect. However, by establishing guidelines, verifying requests via multiple routes, and implementing consistent training across your organization, we can be better prepared and protect against these threats. In an increasingly digital world, our diligence to trust less and verify more will be essential in maintaining the security and integrity of our digital identity.