As an HR consultant specialising in supporting small and medium-sized businesses (SMBs), I am increasingly concerned about the rise of sophisticated cyber-security threats, particularly deepfake scams. These AI-generated audio and video manipulations pose a serious risk to businesses, capable of impersonating key personnel to commit fraud or extract sensitive information.

What Are Deepfakes?

Deepfakes use advanced AI technologies to create highly convincing fake audio or video clips of real people, often used maliciously to mislead or harm individuals and organisations. They have been employed in various deceitful practices, from spreading misinformation to impersonating global leaders and celebrities in potentially damaging scenarios.

Real-Life Deepfake Incidents Impacting Businesses

Case Study 1: The LastPass Experience

Recently, a software firm, LastPass, encountered a deepfake scam targeting their employees. Scammers used deepfake audio, mimicking the voice of LastPass CEO Karim Toubba, derived from his conference speeches on YouTube. They attempted to phish sensitive information via WhatsApp, outside of regular business hours. Thankfully, the targeted employee recognised the red flags, such as unusual communication channels and timing, and reported the incident. This proactive response prevented potential data breaches and highlighted the need for vigilance.

Case Study 2: The Dubious Insurance Claim

Another disturbing instance involved a European insurance company where fraudsters created a deepfake video of the CEO asking a senior manager for confidential claim data. The video, though convincing, contained slight discrepancies in the voice tone that raised suspicion. The manager cross-verified with internal teams before taking any action, averting a potential leak of sensitive information.

Case Study 3: Real Estate Investment Ruse

A sophisticated deepfake scam also struck a real estate investment firm in Asia, where scammers used a video deepfake of a trusted investment partner to discuss non-public investment strategies. The realistic appearance and voice of the deepfake led to the sharing of strategic information, which was later used in a competitive bid, causing significant financial loss.

How SMBs Can Protect Themselves

Implement Strong Verification Processes

Adopt multi-factor authentication and enforce strict verification steps before executing significant actions like financial transactions or sharing confidential data. Ensure these protocols are understood and respected across the company.

Educate and Train Employees

Regular training on the latest cybersecurity threats, including the recognition of deepfakes, is crucial. Employees should be taught to scrutinise the authenticity of unexpected communications and be familiar with the company’s approved communication channels.

One simple step you can take today to counter the risks posed by deepfake scammers is to limit how many images your staff post online. Creating a convincing AI-generated video relies on the system accessing photos and footage of the subject it’s trying to recreate. We suggest that you encourage your employees to keep their social media profiles private and avoid posting regular images of their face.

Invest in Technology Solutions

AI and machine learning tools can help detect inconsistencies in audio and video clips that might indicate a deepfake. Investing in such technologies can provide an additional layer of security for your business communications.

Establish and Maintain Secure Communication Channels

Define and maintain secure, approved methods for internal and external communications. Encourage employees to double-check unusual requests through established channels before taking any action.  E.g. in LastPass’ case the employee uncovered the fake as it came through on Whatsapp a channel the CEO seldom used.

Foster a Security-centric Culture

Promoting a culture that prioritises cyber-security can empower employees to report suspicious activities confidently. Regular updates about potential scams and reinforcing the security protocols can make a big difference.

Conclusion

The threat of deepfake scams is real and evolving. As these technologies become more accessible, the potential for misuse increases, making it imperative for businesses, especially SMBs, to stay informed and prepared. By implementing robust security measures, conducting regular employee training, and fostering a vigilant organisational culture, SMBs can significantly mitigate the risks posed by these advanced AI threats. Remember, in the realm of cyber-security, being proactive is always better than being reactive.