In the wake of the FBI’s warning about more deepfake-based cyber attacks coming in the next year, organizations should remain vigilant against this compelling form of social engineering.
Nothing would convince you more that you should pay that invoice or purchase and email those gift cards than a call or voice mail from your boss or the CEO asking you to do so. And that’s exactly the outcome threat actors want – the compliance of their victims through clever social engineering.
And it doesn’t get any more clever than deepfakes. Deepfake technology has been around for the last few years and has been used to scam victims – usually in cases of attempted fraud. Recent advances have given it enough realism that it would require a forensics expert to tell the difference from the real thing.
So, how should your users tell the difference between the real person and the deepfake?
The answer is… they shouldn’t.
Better said, they likely won’t be able to. What they can do to avoid becoming a victim is to be enrolled in Security Awareness Training that includes course material on deepfake scams, so they understand that a) the possibility of a deepfake-based attack exists and b) they need to follow established corporate policy should a request – even from the CEO – seem suspicious or abnormal.