In a recent deepfake phishing scam, an employee at a multinational corporation was fooled into paying out $25 million to scammers in an elaborate deepfake video conference. This is the first reported incident of this kind and may be a sign of more elaborate scams involving deepfakes and evolving AI technologies.
The scam involved a digitally recreated version of the company’s chief financial officer, along with other colleagues, who appeared in a video conference call instructing an employee to transfer funds. Authorities said publicly available footage of the CFO and other employees was used to create the deepfake images, and the victim was the only person on the conference call who was not a deepfake.
The finance worker ultimately transferred $200 million HKD, or the equivalent of about $25.6 million USD, to five different bank accounts across 15 transactions, following the fake colleagues’ instructions on the video call.
What is a deepfake phishing scam?
A deepfake phishing scam is a new form of scam that combines two deceptive techniques: deepfake technology and phishing tactics.
- Deepfake Technology: Deepfake technology utilizes artificial intelligence (AI) to create highly convincing manipulated videos or audio recordings. These manipulated media files can make it appear as though someone is saying or doing something that they never actually did.
- Phishing Tactics: Phishing is a type of cyber attack where attackers use fraudulent emails, messages, or websites to trick individuals into providing sensitive information such as passwords, financial information, or personal data.
In a deepfake phishing scam, attackers may use deepfake technology to create convincing videos or audio recordings of high-profile individuals, such as CEOs, government officials, or celebrities, delivering a message. The message might urge recipients to take urgent action, such as clicking on a link to update their account information, transferring funds, or disclosing sensitive data.
The combination of the realistic deepfake content with the urgency and authority conveyed through phishing tactics can make recipients more likely to fall for the scam and unwittingly divulge sensitive information or perform actions that compromise their security.
How to combat deepfake phishing scams?
Combatting deepfake phishing scams requires a combination of awareness, technological solutions, and security practices. Here are several strategies to help combat these scams:
- Education and Awareness: Educate yourself and your organization about the existence of deepfake technology and its potential use in phishing scams. Training sessions on recognizing phishing attempts, including those involving deepfakes, can help individuals become more discerning and cautious.
- Verify Sources: Encourage skepticism and verification of sources, especially when receiving unexpected or urgent requests via email, text, or social media. If a message seems suspicious, independently verify the information through trusted channels before taking any action.
- Use Multi-Factor Authentication (MFA): Implement multi-factor authentication wherever possible to add an extra layer of security to accounts. Even if attackers obtain login credentials through phishing, MFA can prevent unauthorized access.
- Implement Email Security Measures: Use email security measures such as email authentication protocols (SPF, DKIM, DMARC) and anti-phishing tools to detect and block phishing attempts, including those involving deepfakes.
- Establish Communication Protocols: Establish clear communication protocols within your organization to verify the authenticity of requests for sensitive information or actions involving financial transactions. Encourage employees to verify any unusual requests through a known and trusted communication channel.
To protect against deepfake phishing scams, individuals should remain vigilant when receiving unsolicited messages, especially those that demand immediate action or contain unusual requests. Verifying the authenticity of requests through alternative channels, such as contacting the purported sender through a known and trusted means of communication, can help prevent falling victim to such scams.
Additionally, being cautious about clicking on links or downloading attachments from unknown or suspicious sources can mitigate the risk of phishing attacks.
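The verification steps above can be enforced in the payment workflow rather than left to judgment on the call. The sketch below is an added example, not part of the original article: the directory, addresses, account identifiers, thresholds and field names are all assumptions made for illustration. It holds a transfer unless the request was confirmed by a callback to a number the organization already had on file and an independent second person approved it, and it flags a run of payments to new accounts.

```python
from dataclasses import dataclass, field

# Constructed directory of callback numbers the organization already holds.
# Confirmation must use these, never contact details supplied in the request.
DIRECTORY = {"cfo@example.com": "+1-555-0100"}

@dataclass
class TransferRequest:
    claimed_requester: str      # who the instruction appears to come from
    initiator: str              # employee entering the payment
    channel: str                # e.g. "video_call", "email", "payment_system"
    beneficiary: str            # destination account identifier
    amount: float
    callback_number: str = ""   # number actually dialed to confirm
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)

def hold_reasons(req, known_beneficiaries, new_in_window,
                 amount_limit=10_000, max_new_beneficiaries=1):
    """Return the reasons a transfer must be held; an empty list means release."""
    reasons = []
    is_new = req.beneficiary not in known_beneficiaries
    needs_checks = (is_new or req.amount >= amount_limit
                    or req.channel != "payment_system")
    if needs_checks:
        expected = DIRECTORY.get(req.claimed_requester)
        if expected is None:
            reasons.append("requester has no directory entry for callback")
        elif not (req.callback_confirmed and req.callback_number == expected):
            reasons.append("not confirmed by callback to directory number")
        # The approver must be neither the initiator nor the claimed requester.
        independent = req.approvers - {req.initiator, req.claimed_requester}
        if not independent:
            reasons.append("no independent second approver")
    # Several new destination accounts in one review window is itself a signal.
    if is_new and len(new_in_window | {req.beneficiary}) > max_new_beneficiaries:
        reasons.append("too many new beneficiaries in review window")
    return reasons

# Constructed requests: one received on a video call with no verification,
# one confirmed through the directory number and approved by a second person.
unverified = TransferRequest("cfo@example.com", "clerk@example.com",
                             "video_call", "ACCT-NEW-2", 1_500_000)
verified = TransferRequest("cfo@example.com", "clerk@example.com", "video_call",
                           "ACCT-NEW-1", 5_000, "+1-555-0100", True,
                           {"controller@example.com"})
```

A callback to a number supplied during the call itself does not satisfy the check, because the comparison is against the directory entry only.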
Need assistance fighting phishing scams?
Is your organization prepared to combat the rising tide of cyber attacks, including phishing scams and deepfake threats? Ensure your staff are equipped with the knowledge and skills needed to defend against evolving cyber threats.
At Pennyrile Technologies, we specialize in comprehensive cybersecurity training tailored to your organization’s needs. Our expert-led courses cover essential topics such as phishing awareness, deepfake detection, and best practices for safeguarding sensitive data.
Benefits of partnering with us:
- Training programs to fit your schedule and requirements.
- Engaging and interactive learning experiences for all skill levels.
- Practical strategies to mitigate cyber risks and protect your assets.
Don’t wait until it’s too late! Contact us today to schedule cyber security training for your staff and fortify your organization’s defenses against cyber threats.