Deepfake video and audio are becoming a growing cyber threat for many businesses. With all the advancements in web-based applications, convincing deepfakes can be created and posted for public viewing across the internet.

A deepfake is audio or video software that leverages complex algorithms to mimic voice, mannerisms, facial expressions and lip movement to create a close or nearly indiscernible match to the likeness of a person or object. Easy-to-use software enables the nontechnical to join the ranks of the most skilled Hollywood computer-generated imagery artists. Even more concerning are the many services available to hide or obfuscate the identity of those behind the deepfake postings. This means high-quality video deepfakes can be directed at anyone, by an anonymous attacker, with limited recourse for the victim. 

According to cybersecurity firm Deeptrace, “in less than a year, the amount of deepfakes, circulating the internet, has doubled.”

What Is Powering This Phenomenon?

Deepfakes can be created from artificial intelligence and machine learning (ML) algorithms — often the same kinds of algorithms that are the basis for many apps we use or benefit from on a daily basis. Credit card fraud detection, targeted ads you see as you browse the internet and those surprisingly well-crafted streaming music service playlists all use ML algorithms. 

Deepfakes are a significant cybersecurity risk. Have you ever received a phone call from a scammer telling you about how your computer is infected with a virus that only they can help remove? Now imagine getting a call from someone who sounds like your CEO demanding that a wire be sent immediately. 

Earlier this year, a deepfake scammer convinced a U.K.-based firm that its CEO was on the line and urgently needed more than 200 thousand pounds ($257 thousand) wired to a supplier in another country. Needless to say, the money was sent, bouncing country to country, until it was irretrievable. 

Policies to stop deepfake attacks should be a part of every sound cybersecurity strategy for businesses.

How to Prepare for Deepfakes

Even if you have a substantive cyber insurance policy, you still might not be adequately protected against such threats. Transferring your risk can never replace the need for a sound cybersecurity strategy. There are a few critical steps businesses should take to be prepared to fend off a deepfake attack:

• Document and test an incident response and crisis management plan. As Benjamin Franklin said, “By failing to prepare, be prepared to fail.” When confronted with a cybersecurity crisis, it’s difficult to focus, think on your feet and remember each and every action needed in the most effective way. That’s why it’s critical to gain a consensus among key decision-makers before the crisis happens, make checklists to follow and, when the time comes, execute against an established playbook with set roles and responsibilities.
• Get to know the take-down request process for various video hosting services and social media platforms. Make a short list of points of contact where deepfakes targeting your business might be posted. Find out what the pull-down requirements are beforehand, along with the correct points of contact, and be ready to send demands. 
• Ensure employees understand how to identify a scam phone call or video. With all social engineering scams, people are the weakest link. Therefore, training is the most reliable way to reduce the risk of a deepfake. Educate by team and business function on any specific phishing and social engineering techniques they might encounter. Training should reinforce the procedures employees should follow when confronted with a potential deepfake:
• Always adhere to a two-step approval process for all cash transfers. Tell your employees that it is never OK to wire-transfer funds based on a simple phone request. Finance teams should know there is no exception to the rule. It should be clear that strict consequences will be enforced if they bypass the process, even for the CEO. American Bankers Association provides clear guidance on wire transfer best practices.  
• Warn team members that a caller might claim to be someone who needs account names or passwords. Make it clear that your organization does not provide this information over the phone.
• Use multifactor authentication for all systems access. Even if an employee falls victim to this scam and reveals a password, the bad guy won’t be able to access the network.

Deepfakes are becoming just one more aspect of cyberattacks that businesses are exposed to. Policies to stop them should be a part of every sound cybersecurity strategy.