What Is Deepfake Phishing?

Deepfakes use artificial intelligence (AI) to make convincing fake audio or video of a notable person, such as an executive or even the CEO. Deepfakes can make it appear that someone did or said something they never did.

This technology has been around for some time, however, with modern artificial intelligence combined with audio and videos of people on the Internet, deepfakes are becoming more convincing and easier to create than ever before. This article will discuss what deepfake phishing is, how it may usher in phishing 3.0, and how to protect your business before a successful attack occurs.

The Threat of Deepfake Phishing

Phishing is one of the most common methods attackers use to deceive people and infect devices. Spear phishing, which is a more specific targeted version, has a greater success rate than the average phishing email. Scammers have learned to leverage deepfake technology to manipulate employees by using a recording with the voice of executives and even CEOs.

Deepfake phishing attacks can be broken down into one of two categories:

• Real-time attacks: a successful real-time attack uses deepfake audio or video to trick victims into believing the person on the other end of a call is who they claim to be. Attackers often express urgency in these situations, giving fake deadlines, penalties, and other consequences to get victims to panic and react.
• Nonreal-time attacks: nonreal-time attacks are when a cybercriminal impersonates someone using deepfake audio or video messages that they then distribute through communication channels, such as email, voicemail, or social media. This reduces the pressure on criminals to craft a believable response in real-time, letting them perfect a deepfake clip before distributing it. A nonreal-time attack may be less likely to raise user suspicions and may also be more likely to slip past security filters than traditional, text-based phishing campaigns when distributed via email.

This could be the start of the evolution of Business Email Compromise (BEC) attacks and the introduction of Phishing 3.0.

Impact of The Attack

Executing a deepfake phishing attack requires that hackers use AI and machine learning (ML) to process images, videos, and audio clips to create a digital imitation. With this approach, threat actors can mimic an individual’s physical attributes to fool human users via social engineering as well as avoid biometric authentication solutions. Experts warn that users do not rely on biometric certification for user authentication applications unless it uses effective deepfake detection to ensure user legitimacy.

Some other ways deepfake technology can be used to commit fraud include:

• Sophisticated vishing: vishing attacks are a form of social engineering as most people trust phone calls, especially when the caller’s voice is recognizable.
• Out-of-band validation: staff are often trained to validate unusual requests out-of-band, such as calling the sender of an email. With deepfakes, an attacker may masquerade as the other party and appear to confirm the request.
• Coercion and blackmail: threat actors also use blackmail to coerce their victims using deepfakes to send convincing “proof.”
• Smart devices: devices like Siri or Alexa respond to voice commands and may be programmed to only work with a particular voice. Deepfakes could allow an attacker to send commands to these devices to record audio or other harmful actions.

How To Protect Your Business

Education and awareness are critical when it comes to phishing protection, especially concerning deepfake phishing which is that much more difficult to detect. Some simple practices that you should implement to avoid taking the bait in a phishing attack include:

• Check for spelling and grammatical errors which can indicate that an email is fraudulent or malicious.
• Keep an eye out for suspicious subject lines and signatures.
• Don’t trust the display name. Just because an email says it’s from a known and trusted sender doesn’t necessarily mean it really is. Even if the email address is legitimate, the message could be coming from a compromised account.
• Be cautious of nonspecific language. Phishers typically use vague language in their campaigns to evade spam filters.
• If an email appears strange in any way, make a phone call to the sender to confirm the legitimacy of the email.
• If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply.
• Beware of urgency. Phishing emails often try to convince recipients to act quickly, without thinking things through.
• Scan all attachments for viruses or dangerous code.

Your business stands a greater chance of preventing an attack by adopting best practices.

Security Awareness Training 

Provide or take part in security awareness training designed to educate employees on how to identify phishing emails and how to proceed if they feel that they have received a malicious email. While no amount of training will prevent all employees from ever being taken in by a highly sophisticated phishing attempt, it can decrease the likelihood of security incidents and breaches.

Fight AI with AI 

Artificial intelligence tools helps reduce the risk of a breach and improve security posture. AI and machine learning quickly analyze millions of events, identify different types of threats, and learn from the past to identify new and emerging attacks using previous behavior to build profiles on users, assets, and networks, allowing AI to detect and respond to deviations from the norm.

Implement Fully-Managed Email Security Services

Investing in fully-managed email security services and accessible support can also improve security, maximize productivity, simplify deployment and ease the load on your IT department by assisting with setup and providing the ongoing system monitoring and maintenance that will keep your organization safe online.

Artificial Intelligence-Based Software Used to Transfer of €220,000

In March of 2019 cybercriminals used AI technology to impersonate the CEO of a German energy firm and demanded the transfer of  €220,000 ($243,000). The CEO of the U.K.-based firm thought he was speaking on the phone with his boss, the chief executive of the firm’s parent company, who asked him to send the funds to a Hungarian supplier. The impersonator said the request was urgent, requesting the executive to pay within an hour.

After the initial transfer of the $243,000, the hackers called to say the parent company had transferred money to reimburse the U.K. firm. They called once more later that day, again impersonating the CEO, requesting a second payment. Because the U.K. branch still hadn’t been reimbursed and the third call came from an Austrian phone number, the executive grew suspicious and didn’t make the second payment.

The money that was transferred to the Hungarian bank account was moved to Mexico and distributed to other locations. Experts were unsure if the attackers used bots to react to the victim’s questions, which would have made it even more difficult for authorities to investigate.

Keep Learning

Increasingly sophisticated AI, audio, and video technology have made deepfake phishing an emerging attack vector that should concern CISOs. Protection of your business and staff has never been more of a necessity as attacks continue to emerge.

• Learn more about effectively protecting your business from ransomware.
• Improve your email security posture to protect against attacks by following best practices.
• Keeping the integrity of your email safe requires securing the cloud with spam filtering and enterprise-grade anti-spam services.
• Get the latest updates on how to stay safe online.