How is Deepfake Technology Changing the Social Engineering Attack Strategy?
Cybercrime has long since evolved beyond traditional attack methods by integrating modern technology. As the FBI warned in March 2021, the recent emergence of social engineering attacks that exploit deepfake technology is one example of the growing exploitation of technological developments. Because these modern attacks are much more sophisticated, they are significantly harder to mitigate and, alarmingly, have a better success rate.
Threat actors use deepfake technology to replace a specific person's image or voice in order to exploit information and manipulate the targeted audience. The primary purpose behind deepfake videos and pictures is to damage the reputation of famous personalities or disseminate misinformation. The technology is used for several malicious purposes, such as spreading false information, financial fraud, identity theft, and even social engineering attacks.
How do Cyber Criminals use Deepfake technology in Launching Social Engineering Attacks?
The deepfake social engineering attack has now become a reality. Its use has surfaced specifically within phishing, vishing, and spear-phishing attacks.
Apart from that, research shows that the use of deepfake audio increases business email compromise (BEC) attacks. The demonstration shows how a cloned voice could be developed from source audio in only a few seconds. During this time, all the personal voice traits necessary to create real-time deepfake audio, such as tempo, pronunciation, pitch, and intonation, are fed into the algorithm.
Besides this, creating deepfake audio also requires feeding training data and the sample audio into appropriate algorithms. This is easy because a threat actor can use various online materials collected from phone calls, TED talks, corporate videos, interviews, speeches, and presentations.
Using various advanced products, the threat actors can also select the age and gender of the targeted victim. The deepfake vishing attack has excellent potential for real-time conversations with the target, which makes it challenging to detect any unusual activity.
Apart from that, the deepfake email phishing attack is another frightening reality. The attack features emails containing attachments or links for the target to open. Like a typical email phishing attack, the attacker exploits the victim's naivety by creating a sense of urgency to take immediate action.
These attacks succeed because they are designed explicitly with carefully gathered intel. The victim is trapped in a sense of urgency as the threat actor dupes them into believing that the email comes from a source of authority, for example, a CEO or head of a department. To make these emails look believable, threat actors carefully insert specific information, such as the amount of money requested and the company's name, address, and logo.
Are Deepfake Social Engineering Attacks Emerging as a Serious Risk?
So far, deepfake social engineering attacks are not widespread, so it is hard to fully calculate the risk they pose. However, these attacks are not to be taken lightly, primarily because social engineering in itself is one of the most dangerous and prevalent cyber attacks. With deepfake technology enhancing it, there is speculation that these attacks can cause significant financial and reputational damage to an organization.
Like any typical social engineering attack, these attacks are designed to penetrate a system and cause damage, often by injecting malware or exfiltrating data. Threat actors rely on social engineering to carry out these malicious practices because getting past an organization's firewall or network security applications is a difficult task. The deepfake social engineering attack roughly features three stages:
- In the reconnaissance phase, the threat actor gathers information about the target to launch a successful tailored attack.
- The threat actor uses social engineering tactics to penetrate the target organization's system.
- The threat actor causes damage by injecting malware to steal sensitive information such as financial data.
Any organization that becomes a target of a deepfake social engineering attack might face significant reputational and financial damages.
The impact of the deepfake phishing attack is evident in an incident that occurred in 2020 in Hong Kong. A bank manager received a call from a voice similar to that of the company's director, requesting a $35 million bank transfer. However, the bank manager acted wisely and first verified the call and found that it was a phishing call that used deep voice technology, saving the bank from substantial financial loss.
These attacks also put high-profile employees, or those with the decision-making power, at the highest risk. The attacker can send phishing emails or blackmail high-profile employees about some mistake that can hurt their reputation and make them lose their job. The fraudsters might continue blackmailing until the organization meets their demand for ransom payment or gives access to sensitive corporate information.
How to Control the Deepfake Technology Risks?
Deepfake social engineering attacks are difficult to detect, but the incident in Hong Kong shows that not all hope is lost. Several measures can be put into practice to significantly reduce the risk of these attacks:
- Enable multi-factor authentication or single sign-on methods on every endpoint, preventing hackers from accessing crucial data even if they get past password protection.
- Create and implement a firm password policy for your organization, which includes using strong passwords, frequently changing passwords, or going passwordless.
- Conduct cybersecurity awareness training and set policies to face such events.
- Design cybersecurity incident response plans that cover how to respond to and recover from such attacks. The plan should also cover external and internal communications and with whom to share sensitive information, which can further protect against reputational damage.
Beyond receiving training, employees themselves play a crucial role here. For example, they should be able to detect a deepfake by applying a zero-trust policy. They should be trained to spot such attacks and to know what measures they need to take.
Since the attacker fails to create mistake-free content, identifying these weak points can help detect these attacks. If employees receive a suspicious email, they can do an image search or check the watermark or other details. In other words, they always need to double-check emails, phone calls, and any request that demands urgency.
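The double-check above can be partly automated at the mail gateway. The sketch below is an added example, not part of the original article: it flags the signals described earlier (a borrowed authority name, urgency, a requested amount) and holds such messages for a call-back on a known number. The directory, keyword lists and sample messages are constructed assumptions, it assumes plain-text unencoded bodies, and it does not detect deepfake media itself.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of people whose authority an attacker might borrow.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today|confidential)\b", re.I)
MONEY = re.compile(r"\$\s?\d[\d,.]*|\b\d[\d,.]*\s?(?:usd|eur|million)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank details)\b", re.I)

def domain(addr):
    return addr.lower().rsplit("@", 1)[-1]

def triage(raw):
    """Return the list of risk signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    signals = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        signals.append("authority-impersonation")  # known name, wrong address
    if reply_to and domain(reply_to) != domain(addr):
        signals.append("reply-to-mismatch")        # replies leave the sender's domain
    if URGENCY.search(text):
        signals.append("urgency")
    if MONEY.search(text) and PAYMENT.search(text):
        signals.append("payment-request")
    return signals

def needs_callback(signals):
    """Policy: a payment request plus any other signal is held for a call-back."""
    return "payment-request" in signals and len(signals) >= 2

# Constructed sample messages.
SPOOFED = (
    'From: "Jane Doe" <jane.doe@examp1e-mail.test>\n'
    "Reply-To: accounts@other.test\n"
    "Subject: Urgent wire transfer\n\n"
    "Please transfer $35,000 today. Keep this confidential.\n"
)
INVOICE = (
    'From: "Billing" <billing@vendor.test>\n'
    "Subject: Invoice 1042\n\n"
    "Invoice total: $1,200. Payment due in 30 days.\n"
)
```

A routine invoice raises only the payment signal and passes, while the spoofed executive request raises all four and is held for verification.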
Deepfake technology has always been a curse to people rather than a blessing. Since it is now easy to access, it will continue to evolve. Unfortunately, it poses a significant threat to organizations.
Attackers have been using this technology to launch email phishing and spear-phishing attacks. These attacks bring significant consequences to the organization, including financial loss and reputational damage.
Organizations must stay vigilant and revise their security policies or create new ones to remain secure and protected.