Deepfake-driven fraud remains a top concern for CISOs and security professionals, as the frequency and complexity of these scams continue to escalate.
The Team 8 2024 CISO Survey Report, presented at their annual CISO Summit, identified deepfake-enhanced fraud as the second highest perceived threat, with 56% of respondents expressing concerns over voice or video fraud.
Similarly, another survey found that over half of businesses in the U.S. and UK have been targeted by financial scams using deepfake technology, with a concerning success rate of 43%. This survey reported an even higher level of concern, with 85% of respondents labeling deepfake-driven fraud as an “existential threat” to organizational financial security.
What are Deepfake Scams and How Do They Work?
A deepfake is media—typically video or audio—of a real person that has been digitally manipulated, often using generative AI, to misrepresent them. In the business context, deepfakes can be employed to impersonate executives or clients, aiming to defraud companies through social engineering tactics.
Perhaps the most notable case involved a Hong Kong finance worker who was deceived into transferring $25 million to a fraudster impersonating the company’s CFO during a conference call. A similar incident happened in China, where a financial employee was tricked into transferring more than $260,000 to a fraudster who impersonated her boss on a video call.
As generative AI technology becomes more accessible and advanced, deepfake scams are on the rise, highlighting the need for enhanced security training. Traditionally, organizations have focused training on the dangers of phishing through emails, texts, and phone calls—threats that can often be easier to identify. However, with the growing remote workforce, video calls have become a primary communication method, making it essential to educate employees about the risks of deepfake technology in this context.
How to Spot and Avoid Deepfake Scams
But what happens when you receive an incoming video call from an AI-version of somebody you trust or know at work? Here are some best practices and tips to recognize a potential deepfake.
Ask Questions and Think About Requests
If you receive an incoming video call from your CFO asking you to wire money immediately, it’s wise to pause and ask some questions. First, consider whether this is a typical request from your CFO, or if such requests usually come from a manager. Second, if you ask company-specific questions and they can’t answer or sound rehearsed, it could indicate a deepfake. Third, you could always say you’re on mute and wait for a reaction—just kidding… sort of!
Look for Visual or Audio Glitches
While video conferencing quality has improved with the rise of remote work, it’s still not perfect. Deepfakes may exhibit noticeable video and audio glitches since generative AI, while advanced, is not flawless. If you receive unusual instructions or requests, pay close attention to any visual or audio distortions that could suggest you’re speaking to an AI imposter.
Watch Out for Phishing Red Flags
While deepfake scams can be sophisticated, they often exhibit the typical signs of phishing attacks. If the video or audio call is unsolicited, demands urgent action, or simply doesn’t sound like the person they claim to be, it’s likely a deepfake. In such cases, end the call and report it to your IT department.
While these tips may not guarantee complete protection against deepfake scams, being aware of their existence is half the battle. If you receive an audio or video call that resembles someone you know but feels off, trust your instincts. Consider verifying their identity through another method, such as an in-person meeting or by calling them back on a verified line or video platform.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.
To learn more, visit our dedicated Cybersecurity page.
