Deepfakes, the realistic and thoroughly convincing fabrication of imagery, video, and audio that fakes the identity of some person in ways that are difficult to detect, have aroused concern recently. They seem to open the prospect of extraordinarily effective disinformation and social engineering campaigns. Deepfakes have already found their way into advertising campaigns.
The Wall Street Journal reports that some campaigns have begun to feature celebrities, or rather their deepfaked personae. “None of these celebrities ever spent a moment filming these campaigns. In the cases of Messrs. Musk, Cruise and DiCaprio, they never even agreed to endorse the companies in question.”
The potential for deepfake abuse in advertising is accompanied by a comparable potential for disinformation. The Wall Street Journal quotes Ari Lightman, professor of digital media and marketing at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy, who says, “We’re having a hard enough time with fake information. Now we have deepfakes, which look ever more convincing.”
So far, however, the feared, industrial-scale use of deepfakes in social engineering scams has yet to fully materialize. The Register reports that the familiar tools of the con artist are still by far the norm.
“Panic over the risk of deepfake scams is completely overblown, according to a senior security adviser for UK-based infosec company Sophos.
“‘The thing with deepfakes is that we aren't seeing a lot of it, Sophos researcher John Shier told El Reg last week.
“Shier said current deepfakes – AI generated videos that mimic humans – aren't the most efficient tool for scammers to utilize because simpler and cheaper attacks like phishing and other forms of social engineering work very well.
“‘People will give up info if you just ask nicely,’ said Shier.”
Deepfakes undeniably represent a concern, but don’t let them distract you from the obvious. As Sophos’s Shier explained, usually all it takes is for someone to ask nicely.
Criminals continue to use old, low-tech approaches to social engineering because those approaches still work. A human problem calls for a human solution. New-school security awareness training can help your employees avoid falling for social engineering, whether it’s high-tech or low-tech.
The Register has the story on the prevalent low-tech reality.