While machine learning is rapidly advancing human knowledge in fields such as biology, astronomy, and materials science, AI tools are just that – tools – and like any tool, they can be used for good or for ill. Deepfakes, meaning AI-generated facsimiles of real people’s image or voice, are one type of AI tool which is ripe for misuse.
The Problem
AI-generated images, audio, and video have legitimate uses, such as the generated images used in this blog post. Deepfakes can be used for amusement (such as putting the Pope into a puffer jacket), but they are increasingly used to defraud others and spread misinformation. Some high-profile deepfakes seen in the real world include:
- A surrender video of Ukrainian President Zelensky, which could have negatively impacted morale.
- An image of a damaged Pentagon, which caused a dip in stock price.
- A video of a Voice of America journalist reporting false information.
- A group of Australian scammers using fabricated video of government officials to promote a fake investment scheme.
- A company in Hong Kong being defrauded of $25 million through use of fake Zoom meeting participants.
Less high-profile but more common are smaller attacks, such as the use of deepfakes in credibility interviews for UK student visas, the theft of biometric data from phones to create deepfakes of individuals to steal their identities, and an overall increase in the use of the technology for fraud. Generative AI is a technology, and deepfakes are a threat that merits attention both in and out of the workplace.
Protecting Yourself
The countermeasures you can use to help protect yourself from deepfakes fall into three main categories: strong authentication, social awareness, and education.
Strong Authentication
Strong authentication and authorization can be time-consuming to get set up, but once in place, upkeep is easy, and it can help to prevent both standard and deepfake attacks. The use of a password manager can make it a breeze to use long (30+ characters), unique passwords on every website, which both reduces the likelihood of having an account compromised and prevents the compromise of one account causing a domino effect that compromises your entire online identity. Strong authentication combined with strong privacy controls on social media accounts can help prevent your biometric data from falling into the hands of malicious actors.
Multi-factor authentication is another critical line of defense for online accounts, and you should use it wherever possible. Passkeys are a new form of authentication that can be used instead of passwords: they use the ownership of a physical device and a biometric signature to determine that someone is who they claim to be and eliminate the possibility of a password being guessed or cracked. Voiceprints and facial recognition should not be used as forms of multi-factor authentication, as they’re becoming increasingly easy to fake.
Social Awareness
Social awareness is the last line of defense against a deepfake scam and can be very effective. While AI-generated fakes are getting better all the time, your brain is extremely good at noticing when things aren’t quite right. Any hunch or uneasy feeling when interacting with someone who you aren’t face-to-face with in the real world is worth listening to, and any person with legitimate business shouldn’t object to you verifying their information and identity. Similarly, getting a second opinion about a situation from a friend or colleague can provide a valuable outside perspective.
Strange pauses, a tone inappropriate for the subject matter, strange background noise (or a total lack of background noise), an unusual cadence, or a shifting accent are all signs that the voice on the other side of the line may be AI-generated.
Education
You can’t be on the lookout for something if you don’t know what it is you should be looking for, so the most important thing you and your colleagues can do is to stay informed about potential threats. Keeping your data and your company’s data secure from bad actors is an ongoing process, and so is security education, which can include general security education, ongoing updates about the changing threat ecosystem, and ongoing phishing and social engineering testing.
How Tangible Security can help
Tangible Security can help you create a culture of security and compliance in your organization with an array of options for targeted training. We are a certified reseller of industry-leading compliance and security awareness training, and provide managed or unmanaged offerings, as well as in-person, webinar, or live awareness training.
Equip your employees with targeted training on cybersecurity risks and best practices, including phishing attacks, social engineering, password hygiene, data protection, and incident reporting. Training can include recurring simulations, such as phishing emails, to evaluate training effectiveness.