How IT pros can prep employees for deepfakes

One idea: Remember your CEO’s book recommendations.

Security awareness training just got longer, as IT pros consider how to train employees and execs to defend against an emerging enterprise threat: digital impersonations known as deepfakes.

IT practitioners who spoke with IT Brew recommended a checklist of strategies and policies to fend off lookalike, soundalike fraudsters.

Shannon Murphy, senior manager of global security and risk strategy at cybersecurity firm Trend Micro, has advised customers to revisit verification processes and retrain employees to defend against the emerging deepfakes.

“It’s still very novel, and it’s not prolific. With that said, this is the perfect time to start planning for it,” Murphy said.

Deepfakin’ it til they keep makin’ it. Over 10% of companies admitted to facing successful or attempted deepfake fraud, according to a Business.com web survey, conducted in May 2023 and consisting of 244 CEOs, C-suite execs, and other business leaders.

CNN confirmed in May that fake images and voices led a Hong Kong employee of the British design and engineering company Arup to pay $25 million to fraudsters. In May, the Guardian reported that threat actors (unsuccessfully, it appears) tried to impersonate Mark Read, CEO of global ad and PR agency WPP, using a fake WhatsApp account and a voice clone during a Microsoft Teams meeting.

Tim Rawlins, senior advisor and director, security, at cyberconsultancy NCC Group, has been talking with private-banking clients about how to confirm client identities. One idea: the trusty, old shared secret—one not written down.

According to a Bloomberg report in July, an unnamed Ferrari employee deployed just that, when confronted with a suspicious call from what appeared to be a digitally imitated Chief Executive Officer Benedetto Vigna. The employee asked: What was the title of the book that the CEO recently recommended?

“With that, the call abruptly ended,” Bloomberg reported.

Other ideas. Murphy recommended some additions to the awareness training and policy:

  • Have multiple stakeholders for big approvals and transfers.
  • Keep a safe list of contact numbers for sensitive transactions. (Do not call a new number presented in an email.)
  • Question if a requested action is consistent with job-role responsibilities, and when a requested action feels phishy, go offline for a bit. “You can always say yes on the call, and then vet that once you get off the call as well, if that puts the employee in a position where they feel safer, or like they're not being insubordinate,” Murphy said.
  • Formalize a policy that defines what execs will never ask of their employees and other execs—perhaps sensitive customer data, financial transactions, certain types of contracts.

Having access to an org’s security team and easy mechanisms to raise concerns when behavior is deemed suspicious is also essential, the Trend Micro team said.

“This tendency of not challenging authority in some environments is ultimately what makes for the biggest weaknesses in the case of the deepfake attack. Because if you are in a company where you feel safe, not necessarily disobeying, but at least challenging certain decisions from your executives, even as a junior employee, that makes the company more resilient to certain kinds of attacks,” Vincenzo Ciancaglini, senior threat researcher at Trend Micro, said.

Trend Micro, in a July 30 post, reported that deepfake tools have become more accessible, including those that allow impersonation during real-time phone calls. Ciancaglini has seen sophisticated deepfake applications run on a common laptop.

“It is astonishing when you see it in action, which means that until you’ve seen it in action, you won’t believe it’s doable,” he said.
