Deepfakes, phishing and policies

Butterfly wing as an example of deepfakes

Recently, an employee in a big finance company was tricked by scammers using deepfakes. The scammers sent a successful phishing email, which resulted in a video call where the scammers posed as the CEO and CFO of the organisation—and the employee was persuaded by follow-up emails, video-calls, and other messages to pay out millions of dollars over several transactions.

These scammers managed to create a meeting's worth of multiple deepfakes to extract this money, followed by additional deepfake meetings. Unsurprisingly, being on a video call that appeared to be with the group of people at the top of the organisation was convincing, and the money was transferred. And it all started with a phishing email.

In an earlier blog post, we’ve discussed the need in some circumstances for two or more people to confirm that an action should go ahead—particularly financial transactions, or business-critical activities. This unfortunate person believed that he had approval from at least two of his most senior colleagues, not only because of this (fake) meeting, but also because of the follow-up messaging.

Reducing the risk of deepfakes and phishing scams

Several measures could be put in place to reduce the risk of this happening.

  • In an ideal world, the phishing email would have been spotted by email controls and deleted or moved to spam automatically, so that it wasn’t read.
  • Failing that, the phishing email would have been reported and ignored. This is where security awareness training comes in. This should cover the most recent kinds of attack, including the risks of deepfakes, not simply Nigerian princes.
  • A policy could be created requiring that a request for a financial transaction via one medium should be confirmed by a request via another, using standard company-specific procedures—not simply an instruction via video call followed up by an email.
  • A policy could be created that there should always be a documented audit trail of approvals, and two people involved in creating the transactions. Separation of duties would mean that the unfortunate employee wouldn’t have been able to both initiate and complete the transfers.
  • Given the size of the money transfers, perhaps a policy requiring an extra level of verification above a certain amount is called for, with specific approval requested from senior staff (using a different channel, as above).
  • And every employee should feel confident—and supported in that confidence by company culture—that they are acting for the good of the company when they ask for extra verification. They should never be made to feel that they are getting in the way or making a nuisance of themselves.
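As an added example (not code from the original post), the controls in the list above expressed as a release check that a payment workflow could run before money leaves the organisation. The role names, the threshold and the list of company-controlled confirmation channels are assumptions, and the scenario values are constructed to mirror the incident described.

```python
from dataclasses import dataclass, field

# Assumed company-specific settings: senior roles, the amount above which senior
# sign-off is needed, and the channels the company itself controls for confirmation.
SENIOR_ROLES = {"ceo", "cfo"}
SENIOR_THRESHOLD = 100_000
CONFIRMATION_CHANNELS = {"phone_callback", "erp_workflow"}

@dataclass
class Approval:
    approver: str   # user id of the approver
    role: str       # e.g. "finance_clerk", "cfo"
    channel: str    # medium the approval arrived on, e.g. "video", "email"

@dataclass
class PaymentRequest:
    initiator: str
    amount: float
    request_channel: str   # medium the original instruction arrived on
    approvals: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def add_approval(self, a: Approval) -> None:
        self.approvals.append(a)   # every approval is also written to the audit trail
        self.audit.append(f"{a.approver} ({a.role}) approved via {a.channel}")

def release_blockers(req: PaymentRequest) -> list:
    """Return the policy violations; an empty list means the payment may go out."""
    problems = []
    others = [a for a in req.approvals if a.approver != req.initiator]
    if len(others) < len(req.approvals):   # separation of duties
        problems.append("initiator approved own transfer")
    if len({a.approver for a in others}) < 2:   # dual control
        problems.append("fewer than two independent approvers")
    # Out-of-band check: confirmation must arrive over a company-controlled channel
    # that differs from the one the instruction came on.
    confirmed = [a for a in others if a.channel in CONFIRMATION_CHANNELS
                 and a.channel != req.request_channel]
    if not confirmed:
        problems.append("no confirmation via a separate company-controlled channel")
    if req.amount >= SENIOR_THRESHOLD and not any(a.role in SENIOR_ROLES for a in confirmed):
        problems.append("over threshold without senior approval on a confirmed channel")
    return problems

def deepfake_scenario() -> list:
    """Constructed: instruction on a video call, follow-up by email, and the same
    employee initiating and completing the transfer, as in the incident above."""
    req = PaymentRequest("employee1", 5_000_000, "video")
    req.add_approval(Approval("ceo", "ceo", "video"))
    req.add_approval(Approval("cfo", "cfo", "email"))
    req.add_approval(Approval("employee1", "finance_clerk", "erp_workflow"))
    return release_blockers(req)
```

Run as written, `deepfake_scenario()` reports three blockers (self-approval, no out-of-band confirmation, no senior sign-off on a confirmed channel), so the transfer would be held for the extra verification the policy calls for.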

For advice and help in putting policies and technical measures in place to help protect your organisation, please call us on 0113 733 6230, or use our contact form.