Deepfakes and Cyber Espionage: Is That Really Your Boss on the Phone?
August 17, 2022
Imagine a finance officer receiving a frantic, late-night phone call from a CEO. The executive requests the transfer of $5 million to a specified account, and the finance officer complies. The problem? The call came from a cyber criminal using deepfake technology to impersonate the CEO.
The vastness of the internet and the nefarious nature of the dark web have made the tools for cyber fraud more freely available and more convincing than ever. Two cyber threats — deepfake technology and insiders selling access to company information — are putting organizations at a greater risk of financial loss and much worse.
Deepfakes use modified video or audio to create a disturbingly accurate likeness of a different person. Although video deepfakes are relatively well-known, audio deepfakes are a growing threat to organizations. “Audio deepfake technology is becoming increasingly sophisticated and more accessible,” says Dennis Lawrence, senior consultant in the Intelligence Group at Aon’s Cyber Solutions. “More mainstream bad actors are able to engage in this activity now versus even a year or two ago.”
Cyber criminals are also targeting businesses and CEOs by trying to gain access to company records through insiders, a phenomenon that has likely worsened amidst the global shift to remote work during the pandemic where employees working from home have less supervision. Though many threats targeting companies are entirely external, Catarina Kim, managing director of the Intelligence Group at Aon’s Cyber Solutions, says cyber criminals sometimes enlist the help of current employees. “Insider threat has become a greater concern in the current work environment with the acceleration of hiring and departures because once you’re in the firm with access to company data, there is a sense that you’re a trusted colleague.” says Kim.
Tech-enabled fraud is big business for cyber criminals. Stolen data can put powerful company information in the wrong hands, and manipulated audio has the potential to defraud CEOs, businesses and their unsuspecting representatives of large sums of money.
“Some companies may feel embarrassed about having fallen victim to this type of activity,” Lawrence says. But business leaders should recognize that even the savviest executives may be deceived by a cyber impersonation.
Deepfakes, Real Risks
In the past, cyber criminals looking to defraud a company were potentially able to target employees unfamiliar with the voice of their CEO. Now, thanks to social media and company videos, employees are much more likely to recognize their executive leadership. But thanks to videos being available on YouTube and other commonly accessed sites, a deepfake creator can find a voice recording of a business leader, run the recording through a machine-learning program, and use the modified recording to have an interactive phone conversation aimed at manipulating an employee to make a payment to a third-party bank account. Audio deepfake technology can mimic accents, speech patterns, and other vocal signifiers to create a startlingly convincing impersonation of an executive.
Though Kim points out that deepfakes have a history of being used in government and military operations, this technology is now readily available online and primed for a host of criminal purposes. The growing availability of recordings, paired with advances in audio technology, means impersonators are increasingly able to defraud organizations of large sums of money. “What we’ve seen play out in the commercial space is largely monetarily driven,” Kim says.
How Cyber Impersonators Convince
Any employee can fall for a deepfake — including seasoned executives. Kim says an understanding of human behavior is key to cyber deception, and criminals use this approach to target busy executives as well as employees with limited organizational knowledge. “They either use a way for you to quickly connect with them — something that resonates with you that makes them want to connect — or they’re convincing because they leverage business lingo and research the reporting structure.”
The fraudsters also rely on the power of intimidation when impersonating an executive, according to Lawrence. “When a CEO calls the comptroller or whoever may be in charge of overseeing wire transfers for the purposes of this type of transaction, the individual is more inclined to just submit to the demand.”
Access for Sale
Cyber criminals seek paths to company data and all the financial gains that it can bring. Sometimes, enlisting the help of other people is more effective than technological trickery alone. Kim and Lawrence note that cyber criminal groups target employees to help them access secure networks. “Typically, they’re looking for an admin user — someone who has not only entitlements, but lots of different credentials that get into systems. In some cases, threat actors and fraudster seek out disgruntled employees or individuals who can be financially incentivized to actually sell access,” says Kim.
What Organizations Can Do
Though robust cybersecurity and increased information about threats can help businesses, Lawrence says simpler strategies can also have an impact. “One of the most cost-effective and simple methods that a company can use is called the word of the day. Employees have access to an intranet, and if they receive a phone call from someone unfamiliar claiming to be an employee, they ask, ‘What’s the word of the day?’” Since both parties should have access to it, it’s a very simple, reasonable request. As high tech as what we’re talking about is, that’s a very low-tech solution.”
To identify potential insider threats in the staffing process, companies should determine how they’ll thoroughly vet candidates and what methods they’ll use. Governments use rigorous clearance models to research potential employees, with the goal of keeping applicants from breaching the security of national institutions. Companies can also vet job candidates for possible red flags, though Kim explains that businesses must scale their interview process in accordance with the needs of their fields. “In the private sector, people don’t want to go through a lengthy 18-step process just to be cleared to do a job like in parts of the public sector,” Kim says, adding that some companies are purchasing insider threat programs to detect security risks.
The cyber threats facing today’s businesses are no longer limited to familiar schemes like ransomware or email scams. Cyber criminals are making use of developing technology and the willingness of disgruntled — or financially motivated — individuals to breach company security for access to data and funds. Though these frauds are increasingly convincing, executives can protect themselves and their companies by being alert, informed and proactive in their approach to digital security.
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own professional advisors or Technology Department before implementing any recommendation or following the guidance provided herein. Further, the information provided and the statements expressed are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources that we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.