If you saw a deepfake of your organization’s CEO, would you be able to tell it wasn’t real? This is a concerning challenge that organizations across the globe are dealing with on a frequent basis. In fact, just recently, an advertising giant was the target of a deepfake of its CEO. A publicly available image of the executive was used to set up a Microsoft Teams meeting in which a voice clone of said executive, sourced from a YouTube video, was deployed. While this specific attack was unsuccessful, it paints a bigger picture of the emerging tactics cybercriminals are using with publicly available information, and that is just the tip of the iceberg.
Technology has become so sophisticated that only about half of IT leaders today have high confidence in their ability to detect a deepfake of their CEO. Making matters worse, cybercriminals are not only impersonating CEOs but the entire leadership team, with CFOs becoming popular targets as well. Deepfakes are becoming increasingly easy to create. In fact, a quick Google search of “how to create a deepfake” produces numerous articles and YouTube tutorials on exactly how to create one. Costs are becoming negligible, meaning that deepfakes are essentially the new spam calls.
Spam calls are all too common today. In fact, the Federal Communications Commission (FCC) claims that U.S. consumers receive roughly 4 billion robocalls per month, and advancements in technology make them extremely cheap and highly lucrative, even with a low success rate. Deepfakes are following suit. Cybercriminals will use deepfake technology to trick unsuspecting employees far more than they do today, and deepfakes will eventually become an everyday occurrence for the average consumer. Let’s explore strategies that leaders can implement to best protect their organization, employees, and customers from these threats.
Establish Strong Guidelines
First, leaders need to establish strong guidelines within their organization. These guidelines need to come from the very top, starting with the CEO, and be communicated often. For example, the CEO must firmly explain to the entire company that they will never make an odd or random request of an employee, such as buying several $100 gift cards, a common phishing tactic. These attacks are often successful because they come from a place of leadership and aren’t questioned. However, as CEO deepfakes become more common, we are becoming more aware that they are, in fact, not real. Consequently, I anticipate they will work their way down the organization to include VPs, directors, front-line managers and even peers.
Just think: having a peer or your immediate manager make a request of you is pretty common. Why would you have a reason to question it? Guidelines can also relate to the use of these deepfake tools within your organization, including banning their use on company-owned technology. Setting these guidelines and guardrails is just the first step.
Confirm Requests Through Multiple Channels
Second, when requests do need to be made, there should be a process in place to verify them via multiple modes of communication. For example, if a request comes from the CEO, that request will be shared over email and can also include a follow-up via a simple messaging platform used in the workplace. If there is no follow-up, the employee should either ignore the request or proactively confirm it over Slack themselves, then notify internal security teams per their security policy. Similarly, perhaps a request is made via a Teams meeting, much like the tactic used for the advertising company deepfake. This request should then have an email confirmation and/or a Slack confirmation. Better yet, it should be confirmed via a quick phone call if walking over to their physical desk is not an option. These processes should be communicated often and to the entire organization to keep them top of mind. Then, when an attempt is identified, establish a process to share the example broadly throughout the organization to build pattern recognition of the types of threats everyone should watch for.
Hold Frequent Trainings
Third, organizations should implement frequent company-wide training to keep deepfakes, and other types of identity fraud attacks, at the forefront of employees’ minds. This training is helpful for a few reasons. An employee may not even know what a deepfake is or know that voices and videos can be faked. Moreover, employees may default to the “out of sight, out of mind” mindset: if deepfakes aren’t top of mind, they could easily fall victim to an attack. Research shows that employees who received cybersecurity training demonstrated a significantly improved ability to recognize potential cyber threats.
Deepfakes aren’t going anywhere, and they are becoming increasingly frequent and hard to detect. However, by establishing guidelines, verifying requests via multiple routes, and implementing consistent training across your organization, we can be better prepared and protect against these threats. In an increasingly digital world, our diligence to trust less and verify more will be essential in maintaining the safety and integrity of our digital identity.