Imagine for a minute, you are receiving a phone call from a well-known business associate of yours. You recognize the phone number on the screen and the voice on the other end matches the sound, tone and mannerisms of the person of whom you have spoken with before. The banter between you both feels normal and soon you are talking business. Your associate reveals that she is about to close the deal on an important acquisition and requires you to authorize the bank to begin transferring the funds. Email threads in your inbox between your associate and the legal team confirms what she is saying and that the transaction should indeed take place. You wish your associate well and hang up the call. Soon, you are calling the bank to initiate the transaction.
Deepfake – what is it?
The above scenario demonstrates what some may consider to be “business as usual,” including corporate executives, law partners or business directors. What few people may realize, however, is that this type of interaction is really part of an elaborate business scheme, where cybercriminals are using artificial intelligence-based software to recreate a person’s voice – known as “deepfake” technologies. Similar content using deepfake technologies have already been making their rounds on the Internet –you may already be familiar with “deepfake Tom Cruise,” whose videos began appearing on Tik Tok in summer 2021, or an earlier video from 2019 that uses deepfake technology to make U.S. House Speaker Nancy Pelosi appear to be impaired. While doctored videos usually appear for entertainment purposes only, they can have real world implications, and sometimes tremendous consequences, for public figures, business executives and even large corporations.
“Cybercriminals are increasingly sharing, developing and deploying deepfake technologies to bypass biometric security protections, and in crimes including blackmail, identity theft, social engineering-based attacks and more,” says Gareth Cottam, Crawford’s Head of Cyber for Asia Pacific. “We are seeing an increase in cyber incidents, particularly ransomware matters, where the Threat Actors are making calls to key stakeholders to apply additional psychological pressure, while remaining anonymous through use of deepfake voice software.
“As identified in a recent report from Experian, our vendor partner, synthetic identity fraud is growing and is identified as the fastest growing type of financial cybercrime, with the use of deepfake technology to create fake faces for biometric verification when forming a new identity.”
How to spot it
So far there are only two known cases of deepfake technology being used in corporate swindles, as reported in Forbes
and the Wall Street Journal, but the threat to corporations is likely only going to increase. It’s important, then, to familiarize yourself with what deepfake technology is, how it can be used, and learn how to protect yourself and your business from potential deepfake scams.
Neal Jardine, Crawford’s Cyber Practice Leader for North America, agrees that being able to identify deepfake content can be incredibly difficult, as the overall purpose of the technology is to be foolproof:
“We’ve tended to rely on technology even more during the pandemic as businesses have shifted to remote work. While we’ve always trusted our colleagues’ email addresses or their signatures on PDF documents, this is becoming more and more risky given the ever-changing cyber threat landscape and deepfake technology. We therefore need to learn to start looking for those tiny imperfections in email syntax, or the overall quality of those voice or video calls, because now there’s always a slight chance that the person on the other end may not be who they say they are. Greater vigilance and security will be key for the future of online work.”
It’s critical to assess the quality of audio or video conversations. In a video, for example, the speech may not be lined up with the movement of the person’s mouth, or one may notice unnatural speech patterns, a “robotic” sounding voice, or general distortions on the other end such as blurriness or fuzziness.
How to prevent falling victim to cybercrime
Crawford’s Cyber Incident Response team responds to social engineering attacks globally. As global leaders in cyber incident response and planning, we advocate that clients adopt the best practice principle of having at least two employees sign off on payments over an agreed threshold. Sign-off by two employees should also involve a call to the client via a previously known number that isn’t the number originally called from or on the email payment request.
We also strongly recommend that no payments be issued under pressure or in a rushed manner as this is often where social engineering and instances of deepfake are most prevalent.
Individuals or corporations who believe that they may be at risk of being a target of scams using deepfake technology may want to set up a secret code word with those in their inner circle to properly identify themselves. Good password hygiene is always recommended, which means using a diverse array of letters, numbers and symbols in up to 12 characters. Finally, learn how to spot phishing emails and never, ever, provide your user login and password after opening a suspicious-looking attachment or embedded hyperlink, as this will send your login information directly to the cybercriminals.
While the technology arms-race continues, security teams must look to use the same AI tools that create those attacks in the first place. Until then, evolving cybersecurity hygiene trends will likely transition to a “zero trust’ environment where every user and every device will need to verify and validate with increasingly strict limits to access and privilege on systems.
What to do if you’ve been targeted
If you believe that you or your business has been targeted or has fallen victim to a cybercrime, including via deepfake, it’s important for you to bring it to the attention of all the parties that may be involved, including the bank or credit card provider. In the case of identity theft you may also want to file a police report with your local police department or through your country’s cybersecurity agency, such as the Canadian Centre for Cyber Security or the Cybersecurity and Infrastructure Security Agency in the United States.
How Crawford can help
At Crawford & Company, we rely on the expertise and experience of industry professionals to support the insured person(s) every step of the way, from the moment a security breach is reported through to resolution and recovery. Clients who are adversely affected by a cyber-attack will work with members of our cyber incident response team(s), who will help determine how and why the breach occurred while also assisting in the recovery of lost data and files. All of Crawford’s claims management services are strategically managed by a Crawford Loss Adjuster, who ensures consistent communication and quality assurance between all parties and stakeholders involved.
To request more information on cybercrime and what to do if you’ve been attacked, please contact:
Jason Ponton, FCIP, CRM
Cyber Practice Leader, Canada