Deepfakes Make Social Engineering Attacks Even More Dangerous

In January 2024, an employee of a multinational company was duped into paying $25 million to cybercriminals who used deepfake technology. The worker was suspicious of an email purportedly from the company’s CFO about the need for a secret transaction. But he cast aside his doubts when he joined a video call that appeared to be with the CFO and other staff. In reality, everyone on the call was fake.

Deepfakes are images, audio and videos that are generated using deep learning. They are being used by fraudsters in social engineering attacks that confuse and manipulate victims. Deepfakes make phishing and business email compromise (BEC) attacks more dangerous because they seem so legitimate. The deepfake might include a fabricated LinkedIn profile, a legitimate-sounding voicemail message or even a video call.  

There are also so-called “cheapfakes” that simply swap out one face for another. They are typically used to bypass facial verification systems, access sensitive information or conduct fraudulent transactions. Although relatively crude, they are easy to execute in large volumes — a recent Onfido study found that cheapfakes accounted for more than 80 percent of attacks in 2023.

Deepfake social engineering is typically targeted at specific individuals, particularly those in finance who regularly deal in monetary payments. However, deep fakes are also used to obtain sensitive information such as login credentials, financial account numbers or organizational reporting hierarchies.

 To guard against this threat, employees need to:

  • Be aware of the growing risk of deepfake attacks.

  • Scrutinize online personas and identities, even if they have photos or videos.

  • Do not automatically comply with requests just because they seem to come from a company executive.

  • Be suspicious of any request that creates a sense of urgency and deviates from company policies and practices around financial transactions.

  • Never provide sensitive information in response to an unsolicited call or email.

  • Verify requests by calling the person directly using a recognized number.

According to Onfido, deepfake social engineering attacks saw a 3,000 percent year-over-year increase in 2023. Educate yourself and be prepared to help protect your organization against this dangerous type of fraud.

BlogJack CohlmiaDeepfakes, Business Security, Cybersecurity