Deepfake phishing example: Protect your employees from deepfake scams

January 15, 2025 by Jeff Peters

They say seeing is believing, but with the sudden rise in AI-generated deepfakes, what you see or hear on your next Zoom call might not be real. Deepfakes have been plaguing social media, news content, and professional meetings, and cybercriminals are becoming increasingly comfortable using them to defraud victims. 

A deepfake can look and sound convincing enough to fool even attentive, detail-oriented employees into divulging sensitive information or sending money. Therefore, training your employees on what deepfakes are and how to avoid falling for them is essential.

The FBI highlighted the danger in a recent official warning, noting that "these AI-driven phishing attacks are characterized by their ability to craft convincing messages tailored to specific recipients and containing proper grammar and spelling, increasing the likelihood of successful deception and data theft." Whether it's an audio or video-based deepfake, the best way to avoid being deceived is to understand how to recognize them and what to do if you suspect an attack. 

We've created a video to help explain the deepfake challenge to organizations and employees. 

In this episode of Hacker Headlines, Keatron Evans, VP of Portfolio Product and AI Strategy for Infosec, explains how a deepfake Zoom call duped one employee. 

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

What is deepfake phishing? 

So, what is a deepfake? A deepfake is when an attacker manipulates a video, image or audio clip to make one person look or sound like another. In many cases, it involves a combination of AI and phishing in an attempt to steal information or trick someone into sending money.  

Using deepfake technology, people can turn themselves into virtually anyone they want. For criminals, that's a payday just waiting to happen. Sadly, it's not hard to find real-life examples of deepfakes; all it takes is a brief search through the news headlines.

Deepfake phishing example 

Recently, a Hong Kong corporation lost millions of dollars to a deepfake social engineering scam.

The scam began with a phishing attack, but the deepfake sealed the deal. The scammers emailed an employee in the finance department. The message supposedly came from the company's chief finance officer (CFO), who lived in the UK. It told the employee to carry out a secret transaction. The employee was suspicious, so he joined a video call with the CFO and several other people and recognized all of them. 

They told him to go through with the transaction. He did. Ultimately, he made 15 transfers to five different banks, totaling more than $25 million. 

But something still didn't feel right. After approving the money transfer, the employee reached out to the company's head office, and that's when the scam came to light. 

All of the people in that meeting were scammers. They used deepfake technology to impersonate the CFO and other executives. In this case, the employees couldn't even trust the evidence of their eyes or ears. Deepfake video scams and deepfake audio scams are here, and they're going to stay. 

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Keeping your organization safe from deepfakes 

So, what does all this mean for you? More importantly, how can you avoid it? Here are some steps you can take to minimize the chances of becoming a deepfaker's next victim. 

1. Be suspicious 

With AI deepfakes becoming more believable, they're getting harder to spot. So, always start with a healthy suspicion. If you're being asked to break company policy or do something unusual, pause the interaction until you can verify that it's legitimate. 

For example, if an "executive" asks you to transfer money, you can kindly explain that you must verify the request due to recent deepfake activity. At that point, you can call people from other departments, such as finance, accounting and other executives, to verify the legitimacy of the request. 

In many cases, a deepfake video works by animating someone's face and upper body. Therefore, you can take several actions to spot a faker quickly: 

  • Ask them to take out their ID, cover up any sensitive information and position it in front of the camera. 
  • Have the person take a book off a shelf, pick up a stapler or move something else in their background or foreground. If it's a deepfake video, the things around them will be static, digitized images. 
  • Have the person stand up and turn around or walk over to a door to open it. 

Currently, a deepfaker can't perform any of these tasks because their software only digitizes a person's face and body and positions them against a static background. 

2. Only use trusted verification methods 

It's best to use a verification method that you trust. For instance, you can call them using their work number or send them an email using an address you trust. 

However, it's important to never reply to a suspicious message and never use the contact methods in that message. For example, if they offer to verify their identity by having you call a number they provide, don't do it. The number may simply connect you to the deepfaker. 

Similarly, if they offer to verify their identity by having you click on a link in a text message or email, that could also be a trap. 

3. If you suspect a scam, say something 

If you think you've been scammed, report it. Concealing a problem won't make it go away. It's always smart to share your suspicions. While it may feel embarrassing, especially if you've already done what the deepfake artist wanted, it's best to let someone know. In this way, you can contain the problem and maybe even protect your company from financial damage. 

Keeping your employees educated is the key to preventing deepfake scams from impacting your organization. Deepfakes are relatively easy to spot, but only if employees know what they look like and how to test the veracity of the video or audio they see.

During your employee education sessions, it's just as important to establish a company culture that rewards, instead of shames, overly cautious employees. For instance, an executive should avoid irritation if asked to verify their identity during a video call. Instead, they should commend the employee for remaining vigilant and asking for verification.

You can get the inside scoop on deepfakes and various other attack techniques by checking out our Hacker Headlines videos. For more security awareness training resources for your organization, speak to someone at Infosec. 

Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.