New Report: Addressing deepfake threats, ‘the next generation of cyber security concerns’
In September of this year the U.S. National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) teamed to produce the report, “Contextualizing Deepfake Threats to Organizations” as a warning of the rapidly-increasing threat from developing technologies to banks and other large-scale U.S. infrastructure.
What are deepfakes?
Deepfakes manipulate text, video, audio, and images for a variety of malicious purposes online and in conjunction with communications of all types, utilizing artificial intelligence/machine learning (AI/ML) to create believable and highly realistic media. When it comes to banks, these techniques can impersonate top executives and threaten an organization’s brand with fraudulent communications designed to access sensitive information from employees.
While the tools and techniques that can be used to manipulate authentic multimedia have been around for decades, what took days or weeks to put together a sophisticated “fake” with the software and computing speed of yesteryear now can be put together in a matter of hours.
Deepfake impacts
The most popular deepfake social engineering, according to U.S. government agencies, includes:
- Fraudulent texts
- Fraudulent voice messages
- Faked videos
Some of the simpler fakes include:
- Selectively copying and pasting content from an original scene to remove an object in an image and thereby change the story.
- The slowing down of a video by adding repeat frames to make it sound like an individual is intoxicated.
- Combining audio clips from a different source and replacing the audio on a video to change the story.
- Using false text to push a narrative and cause financial loss and other impacts.
Some of the more sophisticated deepfakes have included:
- LinkedIn experienced a huge increase in deepfake images for profile pictures in 2022.
- An AI-generated scene that was the product of “AI hallucination” — made-up information that may seem plausible but is not true — that depicted an explosion near the Pentagon was shared around the internet in May 2023, causing general confusion and turmoil on the stock market.
- A deepfake video showed Ukrainian President Volodomyr Zelenskyy telling his country to surrender to Russia.
- More recently, several Russian TV channels and radio stations were hacked and a purported deepfake video of Russian President Vladimir Putin was aired claiming he was enacting martial law due to Ukrainians invading Russia.
- Text-to-Video Diffusion Models, which are fully synthetic videos developed by AI.
- In 2019, deepfake audio was used to steal $243,000 from a UK company.
How banks can fight deepfakes
Banks and other organizations can take a variety of steps to prepare to identify, defend against, and respond to deepfake threats:
- Select and implement technologies to detect deepfakes such as real-time verification capabilities and procedures.
- Reverse image searches, like TinEye, Google Image Search, and Bing Visual Search, can be extremely useful if the media is a composition of images.
- Consider plug-ins to detect suspected fake profile or other pictures.
- Protect public data of high-priority individuals, and use active authentication techniques such as watermarks and/or CAI standards.
- Ensure plans are in place among organizational security teams to respond to a variety of deepfake techniques.
Google, CNBC and other media outlets have begun to label photos and videos that have been manipulated by AI. While the number of deepfakes on the internet in 2019 hovered around 15,000, today it is well over a million.
“Businesses need to view this as "the next generation of cyber security concerns,” says Matthew Moynahan, chief executive of authentication provider OneSpan, speaking to the Financial Times. “We’ve pretty much solved the issues of confidentiality and availability, now it’s about authenticity.”
To view the entire report, “Contextualizing Deepfake Threats to Organizations,” click here.