Trending Cyber Threats: Deep Fake
We all know the basic steps to take to protect ourselves from cyber security threats: patch your computer, install and maintain malware protection software, be careful when clicking on links, and so on. Although these tactics provide important protection, it is becoming harder to determine whether a digital encounter is authentic or a way of getting you to lower your defenses. Newly emerging technologies, known as Deep Fake, are making it increasingly difficult to detect what is not real.
We have all probably experienced a call supposedly from the IRS threatening arrest if you do not take swift action, or a fake email impersonating your boss and asking for your assistance in an urgent private matter. Now imagine you are working from home and you receive an invitation to a video conference with a leader in your organization. Everything seems to be going fine, and you know who you’re speaking with. Maybe you’ve even met them before. Their appearance and presence are as you expected, and they seem to be familiar with aspects of the business. However, it’s not them, and you just shared sensitive information throughout the meeting and maybe even agreed to act on something.
You may have heard of Deep Fake over the last year or so, either on the news in connection with fake news tactics or from an entertainment perspective. It is technology’s ability to focus artificial intelligence and machine learning on audio, video and image artifacts. By altering these artifacts in various ways, the result is something almost impossible to validate. The intention is to deceive the recipient with the finished product in order to influence their behavior or opinion.
Let’s take a spear phishing email (one in which a cybercriminal is disguised as someone else) that claims to be from the CEO. With some basic homework, the email request might even contain specific information such as the customer's name, a valid invoice number, an accurate dollar amount and even a copy of the real CEO email signature. Information security professionals direct people to use second-level validations, such as calling the sender directly on the phone, or using instant messaging or cellular texting. But what if threat actors gain the ability to mimic or impersonate a boss?
This Applies To Everyone
Last year, there was a successful scam of this type in which the attackers synthesized the voice of a company's executive and demanded that the person on the other end of the line pay an overdue invoice. The call was then followed up with an email from the fake executive containing accurate financial information and a message reiterating the urgency. The attack was successful, and $250,000 later, the suspects are still at large.
The Threat Is Growing
Major companies like Google and Facebook formally recognize the threat and are developing technologies to help detect Deep Fake instances. For now, the technology is not readily available or user-friendly enough to be a widespread threat. But that won’t be the case for long. In the meantime, here are some tactics to start protecting yourself from Deep Fake social engineering efforts:
- Utilize two-factor and multi-factor authentication features in the applications and systems you use at work and at home.
- Utilize unique and complex passwords. We recommend utilizing a password management tool to assist in this daunting task.
- At work, create an enhanced process for urgent ad-hoc requests. We suggest requiring two key approvers before a request is successfully processed. Consider using an offline verification technique, such as a verbal passcode that is shared internally and changes daily, to validate the authenticity of these types of requests.
- Start avoiding the long-standing notion that “Seeing is believing.” Until protective technologies start surfacing to help detect these Deep Fakes, be cautious about what you see and hear; verify and research independently before accepting something as fact or truth.
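
One way to implement the enhanced process for urgent requests described in the list above (two approvers plus a verbal passcode that changes daily), shown as an added example that is not part of the original article. The shared secret, the word list and all function names are assumptions made for illustration, and the sample values are constructed.

```python
import hashlib
import hmac
from datetime import date

# Constructed 16-word list (assumption); a real list would be larger.
WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord", "garnet",
         "harbor", "indigo", "juniper", "kestrel", "lagoon", "maple",
         "nectar", "onyx", "pewter"]


def daily_passcode(secret: bytes, day: date) -> str:
    """Derive the day's spoken passcode (three words, two digits) from a shared secret."""
    mac = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()
    words = [WORDS[b % len(WORDS)] for b in mac[:3]]
    return "-".join(words) + f"-{mac[3] % 100:02d}"


def passcode_matches(secret: bytes, spoken: str, today: date) -> bool:
    """Compare what the caller said with today's code in constant time."""
    expected = daily_passcode(secret, today)
    return hmac.compare_digest(spoken.strip().lower().encode(), expected.encode())


def review_request(secret, spoken, today, requester, approvers):
    """Return 'approved' only with a valid passcode and two independent approvers."""
    if not passcode_matches(secret, spoken, today):
        return "rejected: passcode"
    # The requester cannot approve their own request; duplicates count once.
    independent = set(approvers) - {requester}
    if len(independent) < 2:
        return "rejected: needs two approvers"
    return "approved"


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # assumption: distributed offline
    today = date(2024, 1, 15)
    code = daily_passcode(secret, today)
    print(code)
    print(review_request(secret, code, today, "alice", ["bob", "carol"]))
    print(review_request(secret, code, today, "alice", ["alice", "bob"]))
```

Because the code is derived from the date and a secret that never travels over the call or email channel, a caller who can imitate a voice or copy an email signature still cannot produce the day's passcode.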