Researchers at Trend Micro warn that the social engineering potential of deepfakes is becoming an increasing concern. Deepfakes have already been successfully used in attacks, and Trend Micro believes this is just the beginning. The researchers explain that every photo or video of someone on social media can be used to build deepfakes:
- “There is enough content exposed on social media to create deepfake models for millions of people. People in every country, city, village, or particular social group have their social media exposed to the world.
- “All the technological pillars are in place. Attack implementation does not require significant investment and attacks can be launched not just by national states and corporations but also by individuals and small criminal groups.
- “Actors can already impersonate and steal the identities of politicians, C-level executives, and celebrities. This could significantly increase the success rate of certain attacks such as financial schemes, short-lived disinformation campaigns, public opinion manipulation, and extortion.
- “The identities of ordinary people are available to be stolen or recreated from publicly exposed media. Cybercriminals can steal from the impersonated victims or use their identities for malicious activities.
- “The modification of deepfake models can lead to a mass appearance of identities of people who never existed. These identities can be used in different fraud schemes. Indicators of such appearances have already been spotted in the wild.”
RELATED READING: "Reshaping the Threat Landscape: Deepfake Cyberattacks Are Here": https://blog.knowbe4.com/reshaping-the-threat-landscape-deepfake-cyberattacks-are-here
RELATED READING: The FBI Warns Against A New Cyber Attack Vector Called Business Identity Compromise (BIC) & Top 5 Deepfake Defenses https://blog.knowbe4.com/deepfake-defenseTrend Micro offers the following recommendations for organizations to prepare themselves against these attacks:
- “A multi-factor authentication approach should be standard for any authentication of sensitive or critical accounts.
- “Organizations should authenticate a user with three basic factors: something that the user has, something that the user knows, and something that the user is. Make sure the “something” items are chosen wisely.
- “Personnel awareness training, done with relevant samples, and the know-your- customer (KYC) principle is necessary for financial organizations. Deepfake technology is not perfect, and there are certain red flags that an organization’s staff should look for.
- “Social media users should minimize the exposure of high-quality personal images.
- “For verification of sensitive accounts (for example bank or corporate profiles), users should prioritize the use of the biometric patterns that are less exposed to the public, like irises and fingerprints.
- “Significant policy changes are required to address the problem on a larger scale. These policies should address the use of current and previously exposed biometric data. They must also take into account the state of cybercriminal activities now as well as prepare for the future.”