Avoid being duped by deepfakes

Deepfakes 101

“Deepfake” refers to digital images, video, or audio created using artificial intelligence (AI) and machine learning technology. In addition to producing images and sound recordings of people who do not exist in real life, deepfake technology can be used to mimic a real person’s face, voice, and likeness.

The name deepfake comes from technology used to create them. Examples of a person’s voice or image are used to train a deep learning model, which uses an algorithm to generate an imitation of that person. Depending on the specific type of technology used, deepfake creators can train AI to create real-looking images of completely fake people, to superimpose one person’s face onto another person’s body, or to manipulate existing images or recordings of real people to create convincing artificial video or audio.

Deepfakes in corporate scams

In 2019, a CEO in the U.K. wired more than $200,000 to cybercriminals¹ who had used deepfake technology to imitate the voice of an executive at the firm’s parent company in Germany. The AI-based software was able to imitate the German executive’s accent and the “melody of his voice” over the phone, so when the caller made an urgent request for funds to be transferred to a Hungarian supplier within the hour, the U.K. CEO believed he was following an order from his boss.

Similarly to email phishing schemes that prompt unsuspecting employees to reveal sensitive information to hackers and fraudsters, deepfakes can facilitate a variety of crimes in corporate settings. In addition to the above example, where hackers used a voice “skin” or “clone” to manipulate an employee into initiating a fraudulent payment, cybercriminals can also use deepfakes in extortion scams or to commit identity theft and financial fraud. Deepfakes can also be used to enhance common email phishing scams. For instance, criminals may send a phishing email posing as a familiar vendor, then follow up with a deepfake phone call imitating the person’s voice in order to extract confidential information or initiate fraudulent transactions. Deepfake scams are not yet widespread, but businesses should be aware of the potential threat they pose and take steps to protect their organizations.

How to identify a deepfake

When it comes to identifying a deepfake, which signs to look for depends on the medium. In the case of images and videos, various visual cues can alert you that you’re looking at a fabrication.

• In still images, out-of-focus or misaligned backgrounds can be a telltale sign. A person wearing a garment with an unusual collar, or jewelry that appears to be misshapen, often indicates that a photo has been manipulated or is a deepfake composite of other images.
• And in videos, signs of a deepfake include unnatural eyebrow and eye movements, a lack of blinking, bad lip-syncing, and facial morphing.

Identifying deepfake audio can be more challenging, especially over the phone. A robotic-sounding voice may be a tip-off to a poor-quality deepfake. But if you suspect the person you’re talking to may not be who they say they are, the best thing to do is ask questions that an imposter will not be able to answer correctly.

• Establishing a set of security questions in advance can help safeguard your business against scammers who use deepfake technology to commit theft and fraud.
• Confirm identity using a known callback number. Never offer sensitive financial or personal identifiable information (PII) over the phone.
• Make sure your company’s financial dual controls are well-established so that employees don't make significant fund transfers without verification.

Fortunately, the possibilities and opportunities that AI creates for businesses vastly outweigh the threat of cybercrime via deepfakes. Still, businesses need to be aware that deepfakes exist and vigilant about ensuring the privacy and security of their confidential information. Visit key.com/cybersecurity for more information on keeping your business secure.