A First of Its Kind: The $25 Million Deepfake Scam

AI Deepfakes are on the hype cycle today, thanks to a CFO who was tricked into paying $25M to a scammer.

This is a very real and current threat to organizations of all types and sizes. While the regulatory landscape around deepfakes continues its struggle to strike a balance of depth and breadth, all business leaders should prepare to respond to an inevitable attack (currently, there's no federal law governing deepfakes, though the creation and/or distribution of deepfakes is illegal in some U.S. states).

For those new to this technology, deepfakes are AI-generated videos or audio clips that make it appear as though someone is saying or doing something that they never did. In this instance, a finance worker was tricked into processing a $25.6 million payment to scammers using deepfake AI to pose as the company’s CFO on a conference call (in fact, every single person on the call was fake). Here are some tips to help prevent and detect deepfakes.

How to Prevent Deepfakes at Your Business

• Start with prioritizing cyber awareness training
• Incorporate a corroborative verbal and/or physical approval process for certain financial transactions
• Maintain a secret code word/phrase with other organizational leaders
• Test your response to a variety of incidents through a tabletop test scenario
• Tighten up and TEST logical security controls (MFA, password-management or PAM tool, etc.)

How to Detect Deepfakes at Your Business

There are several signs of deepfakes which, when you know what to look for, are still perceptible to your human eye. Be on the lookout for: 

• Any irregularities on the skin or body parts
• Blurred or misaligned visuals
• Inconsistencies in audio/video
• Unnatural coloring/shape (lips, teeth, skin coloration or facial hair compared to face)
• Unrealistic beauty marks on the face
• Unusual emotional response
• Unusual eye movement or blinking, mouth/body movements or posture or facial expressions
• Unusual glare on eyeglasses
• Unusual shadows around the body or eyes

From a software perspective, you should also consider tools that automatically look for AI-generated glitches and patterns to separate legitimate audio/video from fake through hashtag discrepancies, digital fingerprints and reverse image searches.

Deepfake attacks are evolving rapidly in sophistication and accuracy, and failure to swiftly recognize the very real potential of these attacks can have severe implications for businesses across all industries.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind. 

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe. 

To learn more, visit our dedicated Cybersecurity page.