You've no doubt heard the term "deepfakes" by now. With all the generative AI tools we have at our fingertips, you know the attackers and fraudsters will be using them as well.
As smaller businesses, we haven't been huge targets for deepfakes because, despite the growing ease of creation, they still take more work than most attackers are willing to invest without a higher guarantee of return.
We do see a possible exception, though.
Generally, attackers will cast a wide net and then focus in on the prospective victims that respond. In some cases, they will send phishing emails out to millions of addresses and wait for a response. Once they get responses from the few that fall for the scam, they sharpen their tools and target those responders further. Their continued communication with these victims becomes more and more personal.
At our level, it's too much work for too little reward for attackers to target us randomly with deepfakes. However, when attackers know that you are susceptible to attacks, the return on investment (ROI) for that added work becomes more acceptable.
Imagine you get an email from "your boss" asking you to buy some gift cards or wire some money somewhere. If you bite on that email, the attackers know that you are a soft target. That makes it worthwhile for them to do a little more research and find audio or video of your boss to feed into a specialized GenAI platform for manipulation. When you respond again with your phone number, they can use that AI-generated audio to further convince you that their request is legit.
As with all phishing prevention, the key is to be skeptical. Additionally, you should:
- Verify any requests involving money or sensitive information before taking action.
- Contact the requester only through known good means (not the number or email of the phish sender).
- Train your new and younger employees to spot and avoid these attacks.
- Establish company protocols and restrictions for money transfer and account changes.
Overall, the fear of deepfakes is a bit overblown. With education and planning, they can be defeated just as phishing is so often prevented. The real threat from deepfakes is untrained users. Knowledge is power.