Deepfake attacks on enterprises are on the rise in numerous industries. As the malicious content continues to spread across verticals, including the alternative investment industry, firms should consider how the best deepfake remedies are rooted in broader cyber hygiene programs that work against social engineering tactics and how all financial firms should have them in place.
Why Financial Firms are Especially Vulnerable to Deepfakes
As we discussed in the preceding blog, the proliferation of deepfake attacks is a two-pronged assault that can include both face-swapping, in which technology is used to create or alter video content, and real-time conversations that mimic a trusted individual’s voice.
The latter is particularly troublesome for financial firms, especially since real-time conversations can be used to prompt real-time transactions or wire transfers to fraudulent accounts that can’t be reversed. What’s more, the increasing number of publicly available media interviews and on-demand webinars with financial executives represent more source material for the audio deepfake mill – providing perpetrators with a richer audio library of an executive’s voice to generate more convincing and wide-ranging conversations with a victim.
Even more troubling are insider deepfake attacks that can draw additionally on a wealth of internal Teams or Zoom calls that are not publicly available; this adds a level of specificity and exclusivity that makes deep fake content that much more convincing to a victim. For instance, say only the executive team knows about an upcoming initiative. A fraudulent deepfake attack perpetrated by an insider could point to said initiative to establish credibility and convince victims that the request for a financial transfer is legit.
Taken together, these factors bring new urgency and complexity to deepfake prevention and detection. Yet for all their novelty and ingenuity, deepfakes are just the latest iteration of social engineering attacks that also include phishing and business email compromise. As deepfakes are just another kind of social engineering, the bulk of defense will be the same as for any other social engineering attack, albeit with some enhancements.
Updating Cyber Hygiene Programs to Protect Against Deep Fakes
Whether it’s a cutting edge deepfake or a cookie-cutter spam email, financial sector organizations should tackle the full range of social engineering threats with a cybersecurity and cyber hygiene plan founded on strong processes and policies. That means digital media watermarks, required callbacks for phone financial transactions and other deepfake protections highlighted in our previous post should align with the larger plan against social engineering attacks that financial firms should already have in place.
For instance, users would vet a suspicious voice request through the same behavioral analysis that would flag a fraudulent email – including unusual timing, impossible travel and other suspicious patterns. Beyond that however, spotting a deepfake call requires additional scrutiny for unfamiliar phone numbers or any lag in voice response – the latter potentially stemming from a malicious actor struggling to type out the synthetically spoken content fast enough to keep pace with the conversation in real time.
The callback process mentioned above can be especially useful for interdicting audio deepfakes. While phone number spoofing technology can mask a malicious actor’s outgoing call with a familiar corporate number, spoofing technology does not support return phone calls. Because of this, a call back will reach the genuine number of the real person the deepfake was trying to impersonate, thereby thwarting the intended attack.
Zooming out from processes and policies, companies can also strengthen the overall corporate culture to better protect against deep fakes. As mentioned, many social engineering attacks leverage an undue sense of urgency to confuse a victim and prompt immediate action. This fire-drill mentality will stand out more in a corporate culture that is founded on steady procedures vs. a firm whose culture is such that a malicious actor’s undue sense of urgency gets lost within an everyday sense of urgency.
