FBI warns that cybercriminals might use deepfakes to ace IT job interviews

That might not just be a bad Zoom connection: the FBI Internet Crime Complaint Center has warned of an increase in complaints reporting the use of deepfakes that cybercriminals might be using to impersonate other individuals while applying for remote IT jobs.

The FBI warned that “the remote work or work-from-home positions identified in these reports include information technology and computer programming, database, and software-related job functions” and some of those jobs include access to sensitive areas like financial data or proprietary information.

The complaints received by the FBI reported voice spoofing or “voice deepfakes” detected via irregularities in video chats:

There’s no further detail in the advisory, but the FBI has previously warned that phishing groups could potentially use “malicious synthetic content” for “business identity compromise.” It’s also warned of North Korean hackers posing as freelance devs.

Sam Gregory, an expert on emerging tech threats and program director at Witness, suggested to IT Brew via email that some claims about deepfakes could be rationalizations for “poor operational security or an imposter who fooled someone.”

“It is—as yet—hard to do a very convincing ongoing visual deepfake in a real-time context, but the technology is improving rapidly to enable the combination of near real-time voice generation with realistic face and lip movements that match,” Gregory wrote.

Aviv Ovadya, a technology and public purpose fellow at Harvard Kennedy School’s Belfer Center, has written extensively on how synthetic media holds the potential to become a future threat. He told IT Brew that while apps like Zoom and Google Meet currently do not offer built-in deepfake detection, a sort of Catch-22 exists in which developing those features can create more ways for bad actors to hone deepfake models.

“The problem is, as soon as you have built-in detection, like that, people who are building systems to evade detection can train on your detector,” Ovadya told IT Brew. “And so that becomes very hard to defend against. This is the deepfake-detection dilemma.”

The tech industry is developing providence standards like C2PA, which could help with tasks like verifying a video feed originated from a camera rather than a software process, Ovadya added. But he said, “I don’t believe that there’s really that much capacity that we have yet as a society, and within the technical systems that we currently use, to do that.”

Gregory noted: “In our work, we’ve found that skills in media forensics as well as access to detection tools and the ability to interpret the results are not well distributed or available, either globally or outside of law enforcement.” In the long run, he added, that means organizations developing the capacity to detect them beyond amateur guessing games.

“Companies and organizations will need to upskill or build robust connections to media-forensics expertise in order to be prepared depending on the risks they face,” he wrote. “For example, is it attempts to impersonate an individual within the company, to manipulate or synthesize data or images, or is it to pretend to be an applicant or outside person?”—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.