In just a couple years, deepfakes have gone from cartoonishly silly and largely academic exercises to sophisticated audio and video creations with the potential to trick just about anyone into believing they’re the real thing.
On top of that, the technology has gone from being exclusive to nation-states and organized crime to something accessible and easy to use for even the lowest-level cybercriminal with the most basic of technical abilities.
Perry Carpenter, KnowBe4’s Chief Deception Strategist, is an expert in deepfakes and how they fit into the broader worlds of social engineering and disinformation. He demoed real-life deepfakes, as well as a few he created himself, at KnowBe4’s annual KB4-CON conference last week in Orlando, Florida.
In between talks, he took time out to chat about where the deepfake threat stands now and the dangers it might pose in the future. The responses below have been edited for length and clarity.
Q: How did you first get interested in deceptions and ultimately deepfakes?
Carpenter: I started as a computer programmer and moved into cybersecurity. About 25 years ago, I realized that despite all of the money that people spend on technology, there's still this human component that can get exploited over and over and over. I really wanted to find ways to deal with that situation, and so that's where a lot of the psychology comes in. I'm definitely not a formally trained psychologist, but I've got a broad spectrum of experience around behavior science, psychology, illusion, deception science and those kinds of things together. I've done classes in theatrical hypnosis and pickpocketing, because it all comes down to attention management and psychological framing, so I can look at all those different snapshots of how it gets used. Then you can start to draw these broad connections, and how it gets used within the cybersecurity context.
Q: During one of your talks, you pointed to a deepfake video of an Irish presidential candidate. The video used old footage of her, but added new audio, then altered the video to re-lipsync the footage to make it look like she was announcing her withdrawal from the race. Is this how most convincing deepfakes are still done, or are people just feeding pictures to LLMs and asking them to do it?
Carpenter: It depends on the situation. If I know that person's baseline well enough, then I could probably find the right photo or set of photos to create the deepfake. But if I want to lean into credibility, I would probably still harvest video and resync the audio. It would depend on the type of disinformation you want to create.
Q: Political figures and others in positions of authority have created and shared deepfakes to further their own political desires. What impact could this kind of disinformation have on the American psyche?
Carpenter: I think we're going to end up with a society that has a default disbelief in anything that they see, but the way that that default disbelief works is, it's only going to reinforce their core beliefs that they already have. You get into this thing that's called the liar's dividend, which means that the deceiver is the only one that stands to gain from the fact that deepfakes exist. So, if I create a deepfake that proves my point as the deceiver, well, then everybody that already wants to believe that does. But if I come out with a true video and somebody doesn’t agree with it, they'll go, ‘well, that's just a deepfake.’
Q: Most cybercriminals aren’t out there to disrupt democracy, they’re out there to make money. What does the rise of deepfakes mean for the organizations KnowBe4 protects?
Carpenter: It's just an extension of the same playbook as before. Anything that you can imagine a phishing email being used for, or a QR code scam being used for, there's going to be the deepfake equivalent of that. And I think that scammers are always going to go with what takes the least effort for the best payout. Deepfake scams where companies lose millions take a lot of work. I think there's going to be a whole bunch of low-grade deception that starts to just erode everybody's trust and then there's going to be a weapons-grade deception or two where people are spending weeks or months planning for that orchestrated event.
Q: Are these low-grade deceptions still threats?
Carpenter: Potentially. If you're trying to do a face-replacement deepfake and become someone else, with current technology, there's some glitches with that. But if you know what the glitches are, you can lean into them. With video calls, there's always frame rate issues, there's always audio issues. If I say this, ‘this crappy hotel Wi-Fi!,’ everybody gets it. If you can get a good-enough plausible deepfake and sustain it for 30 seconds, then just go off camera and interact over the chat, nobody notices. Everybody's dealt with that.
Q: So how do we protect against these threats?
Carpenter: There's a deepfake detection market that’s trying to do some really good work. It’s not 100% yet, and will probably never be, because of the arms race of technology. I'm not going to discount what they're doing fully, because I do think that they've got a noble goal for it, but I'm also not going to rely on it. As soon as I know the way that that works, I'm going to find a workaround for it.
I don't want to give the easy answer, I just, I think we have to lean into the fact that the best thing we can do as a society is just learn to slow down and ask a critical question, either of ourselves or the thing that we're talking to.
