Navigating the deepfake dilemma: Essential insights for SMBs

As an HR consultant specialising in supporting small and medium-sized businesses (SMBs), I am increasingly concerned about the rise of sophisticated cyber-security threats, particularly deepfake scams. These AI-generated audio and video manipulations pose a serious risk to businesses, capable of impersonating key personnel to commit fraud or extract sensitive information.

What Are Deepfakes?

Deepfakes use advanced AI technologies to create highly convincing fake audio or video clips of real people, often used maliciously to mislead or harm individuals and organisations. They have been employed in various deceitful practices, from spreading misinformation to impersonating global leaders and celebrities in potentially damaging scenarios.

Real-Life Deepfake Incidents Impacting Businesses

Case Study 1: The LastPass Experience

Recently, a software firm, LastPass, encountered a deepfake scam targeting their employees. Scammers used deepfake audio, mimicking the voice of LastPass CEO Karim Toubba, derived from his conference speeches on YouTube. They attempted to phish sensitive information via WhatsApp, outside of regular business hours. Thankfully, the targeted employee recognised the red flags, such as unusual communication channels and timing, and reported the incident. This proactive response prevented potential data breaches and highlighted the need for vigilance.

Case Study 2: The Dubious Insurance Claim

Another disturbing instance involved a European insurance company where fraudsters created a deepfake video of the CEO asking a senior manager for confidential claim data. The video, though convincing, contained slight discrepancies in the voice tone that raised suspicion. The manager cross-verified with internal teams before taking any action, averting a potential leak of sensitive information.

Case Study 3: Real Estate Investment Ruse

A sophisticated deepfake scam also struck a real estate investment firm in Asia, where scammers used a video deepfake of a trusted investment partner to discuss non-public investment strategies. The realistic appearance and voice of the deepfake led to the sharing of strategic information, which was later used in a competitive bid, causing significant financial loss.

How SMBs Can Protect Themselves

Implement Strong Verification Processes

Adopt multi-factor authentication and enforce strict verification steps before executing significant actions like financial transactions or sharing confidential data. Ensure these protocols are understood and respected across the company.

Educate and Train Employees

Regular training on the latest cybersecurity threats, including the recognition of deepfakes, is crucial. Employees should be taught to scrutinise the authenticity of unexpected communications and be familiar with the company’s approved communication channels.

One simple step you can take today to counter the risks posed by deepfake scammers is to limit how many images your staff post online. Creating a convincing AI-generated video relies on the system accessing photos and footage of the subject it’s trying to recreate. We suggest that you encourage your employees to keep their social media profiles private and avoid posting regular images of their face.

Invest in Technology Solutions

AI and machine learning tools can help detect inconsistencies in audio and video clips that might indicate a deepfake. Investing in such technologies can provide an additional layer of security for your business communications.

Establish and Maintain Secure Communication Channels

Define and maintain secure, approved methods for internal and external communications. Encourage employees to double-check unusual requests through established channels before taking any action. E.g. in LastPass’ case the employee uncovered the fake as it came through on Whatsapp a channel the CEO seldom used.

Foster a Security-centric Culture

Promoting a culture that prioritises cyber-security can empower employees to report suspicious activities confidently. Regular updates about potential scams and reinforcing the security protocols can make a big difference.

Conclusion

The threat of deepfake scams is real and evolving. As these technologies become more accessible, the potential for misuse increases, making it imperative for businesses, especially SMBs, to stay informed and prepared. By implementing robust security measures, conducting regular employee training, and fostering a vigilant organisational culture, SMBs can significantly mitigate the risks posed by these advanced AI threats. Remember, in the realm of cyber-security, being proactive is always better than being reactive.

Privacy policy

This privacy policy sets out how HR Optimisation Ltd uses and protects any information that you choose to provide when you use this website. HR Optimisation Ltd is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy policy. HR Optimisation Ltd may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from: 25th May 2018. If you have any queries in relation to how we use your personal information, please contact hello@hroptimisation.co.uk

What we collect

No personal information has to be given in order to navigate around the HR Optimisation website. However, any information which you choose to provide via the website will be added to our marketing database and used by us for administration of our contact and client information and for marketing our services and events to those whom we believe will have an interest in these. On occasion it is possible that these messages will contain input from other companies or organisations with whom HR Optimisation Ltd is working, however HR Optimisation will never share your personal information with third parties without express permission. HR Optimisation Ltd may also store and use personal information which you have provided on the website or during email communications with us, during relationship management activities, provision of services and commercial administration. In all our dealings we abide by the principles of the Data Protection Act 2018 and General Data Protection Regulation 2018.

What we do with the information we gather

We require this information to understand your needs and provide you with our services, and in particular for the following reasons:

Internal record keeping e.g. administration of our services and for accounts processing

We may use the information to improve our products and services

Where you have supplied your details specifically in relation to our recruitment services, to provide information to prospective employers. In this regard you expressly agree that your personal details may be submitted to client contacts as appropriate in order to offer our services

We may periodically send promotional emails and newsletters about our services, special offers or other information which we think you may find interesting using the email address which you have provided.

From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail.

Law Enforcement

HR Optimisation Ltd may be obliged to provide personal information to law enforcement officials during the investigation of any alleged unlawful activities and we shall have no legal liability for disclosures of this kind.

Security

We are committed to ensuring that your information is held securely. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. All information supplied to HR Optimisation online or via any other means is stored securely and HR Optimisation will take all reasonable steps to ensure that no unauthorised third parties may gain access to this database/documentation.

What is a cookie?

Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device. You can find more information about cookies at:

Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improve the user experience. They can also help to ensure that adverts you see online are more relevant to you and your interests. The cookies used on this website have been categorised based on the categories found in the ICC UK Cookie guide. Our website only uses cookies for anonymous page tracking, allowing us to improve your experience of our website. No personal data is collected.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

When you request information from us, or send an email enquiry, you will be given the opportunity to unsubscribe at any time, and cease receiving any further emails, by clicking on the unsubscribe link at the bottom of our emails. We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. You may request details of personal information which we hold about you in line with the Data Protection Act 2018. A small fee will be payable. If you would like a copy of the information held on you please write to: hello@HROptimisation.co.uk If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible at the above address. We will promptly correct any information found to be incorrect. However, if you feel that any issue raised has not been adequately addressed, you can contact the Information Commissioner’s Office at www.ico.org.uk.