Nicoleta Mehlsen, Vice President of APCF, Association for the Protection and Combating of Fraud, said at FRAUD SUMMIT that fraud will never disappear; it transforms and evolves with the socio-economic environment. Indeed, the tools and methods by which a person or a company can be defrauded are constantly evolving. They diversify, on the one hand, because the teams of anti-fraud investigators quickly dismantle the techniques used by fraudsters, and on the other hand, because fraudsters keep pace with the rapid development of technology and adapt it to their own interests.
One of the newest methods by which technological advancement can be used to the detriment of companies is deepfake.
What is deepfake and how does deepfake technology work?
Deepfakes are images, audio or video recordings that have been manipulated with the help of Artificial Intelligence and that depict actions or statements that did not actually happen.
To create a deepfake, images or audio / video files are superimposed over content generated using machine learning algorithms, which mimic and then render the faces, movements, or voices of those people extremely realistically.
By analysing a large amount of real audio and video recordings, algorithms are trained to identify a person’s tone of voice, gestures, facial expressions, physiognomy from various angles, characteristics, and behavioural patterns. Subsequently, with the help of computer graphics techniques, the facial or speech patterns learned by the algorithms, which can be manipulated, are superimposed over the real files.
How is deepfake used for fraud?
Although there are many funny deepfake videos, the fraudulent potential of this technology is very high, ranging from social hacking and the spread of fake news to widespread economic and financial fraud.
In most deepfake frauds, the identity of a person, sometimes even a deceased one, is stolen. Cyber fraudsters thus gain access to bank accounts, withdraw or transfer large sums of money, apply for loans or credit cards, make high-value purchases or transactions, or take out loans that will never be repaid.
There are also situations where fraudsters mix fragments of information and create a new false identity, instead of stealing an existing one, and then use it to request and obtain material benefits.
How can deepfake affect your company?
In addition to the examples of economic and financial fraud above, deepfake technology can be a gateway into your company for other types of fraud.
In 2019, the CEO of a UK energy company received a phone call from his superior, the CEO of the parent company in Germany, who asked him to urgently transfer 220,000 euros to a supplier in Hungary, which the director did. Except that the voice at the other end of the line was nothing more than a deepfake, the first known case of fraud using this technology.
The second known case, about which the press recently wrote in Romania, is that of a bank in Dubai. With the help of deepfake technology, the director of the financial institution was asked to transfer $35 million. The voice on the phone was familiar, he had already received the necessary transaction documents from the lawyer by email, and everything seemed fine, so he authorized the money transfer.
What does this have to do with your company? How would you feel if one day you found out that:
– you transferred all the money in the company’s account to a supplier’s account?
– you sold the company’s headquarters?
– you called an employee and told him to give a new supplier access to the company’s IT system?
– you made defamatory statements against someone?
– you made sexual advances to a colleague?
– you asked an employee to send you all the credentials and customer database?
– you called an employee and told him to disable all cyber protection systems?
– you blackmailed a business partner or a competitor?
Does it seem impossible to you? This is deepfake fraud, the technology that makes actions or statements that did not actually happen appear extremely plausible.
How do you protect yourself and your company from deepfake fraud?
- Be aware of the existence of danger!
As with all other anti-fraud measures taken for your company, one of the first steps is to raise awareness, both your own and that of your employees. Deepfake fraud is one of the main methods of cyber fraud that experts warn will evolve rapidly.
- Recognize the signals!
A high level of awareness and regular training sessions on cybersecurity measures will make you and your employees more attentive to any of the following signals in audio / video calls or recordings:
  - The rhythm of speech is slightly unnatural.
  - The movements or speech seem to belong to a robot.
  - There are unnatural shadows or colour differences.
  - There are mismatches between spoken words and lip movement.
  - The audio / video file is of poor quality.
- Set strict warning and verification procedures!
Establish the procedures for warning and verification in case of suspected deepfake fraud, and communicate them to the organization. Constantly remind employees that it is better to be safe than sorry and that they can call for additional checks even if they have only the slightest suspicion of a deepfake. If their suspicion is not confirmed, do not discourage them! Otherwise, they will be reluctant to report, and the risk of corporate fraud increases.
In the case of the UK energy company, whose CEO transferred 220,000 euros after a deepfake call, the fraudsters called 3 times that day. After the first call, they got the money; on the second call, they said that they had returned the money and that it would arrive back in the company’s account; on the third call, the fake CEO requested a new transfer. As the reimbursement transfer had not yet arrived and the third call was made from an Austrian telephone number, the victim CEO became suspicious and did not make the second payment.
- Invest in cyber protection measures!
And when we say investment, we do not refer only to the direct financial one. Protect your company by giving your team access to resources, processes and procedures, anti-fraud specialists, due diligence and risk management, and cybersecurity solutions.
For example, more and more companies are beginning to use Multi-Factor Authentication (MFA) as an additional measure to defend against cyber fraud.
AI and machine learning are tools that companies will use more and more often to replace or supplement the human factor, and they can also be used to detect deepfake fraud.
- Don’t ignore the emotion!
Even if you feel prepared, don’t ignore the emotional reaction! People react differently to fear or stress, both of which they may experience when they receive a phone call from their direct superior. The emotional reaction is something that fraudsters know about and rely on to achieve their fraud goal.
Still in its infancy compared to other technologies, deepfake is one of the methods of fraud that worries organizations the most and a topic that cybersecurity companies have been constantly warning about for the last 2-3 years. Both companies and individuals will have to find new ways to secure their data and defend themselves against increasingly sophisticated cyber-attacks.
Cyber fraud is no stranger to us. We help companies find out the truth and protect themselves, whether we are talking about due diligence and risk management services, corporate investigations or cybersecurity investigations. If you want your business to be immune to fraud, contact us.