How AI and Deepfakes Make Impersonation Attacks Stronger – and How to Stop Them

In February, we saw the dramatic return of an age-old favorite attack, impersonation, and another type of attack, social engineering. In Hong Kong, industrious attackers used cutting-edge deepfake and AI technologies to blend these attacks, and as a result the target company allegedly lost $25.5 million.
The impersonation attack has been around since communities and economies were formed, and it has kept pace with changes in technology, the globalization of economies and the ever-increasing easy access to people and companies across the globe.
The basics of the attack remain the same. You need to get information on the person or company you intend to impersonate, get an idea of their internal ways of working and find the ideal high-pressure time to execute your attack. In the Hong Kong attack, we can theorize that the attacker had intimate knowledge of the company’s financial position since they knew they could ask for $25.5 million and the company could pay it immediately. We can also assume the attacker knew who in the company would be in a position to issue such an instruction without being questioned and who in the company could execute the fake instruction. The attacker also theoretically knew the processes – or the lack thereof – being used inside the company.
The impersonation side of the attack is most likely the easier of the two components needed for this blended attack, as most people have a rather robust social media presence. If someone has done interviews or participated in podcasts, you even have samples of their voice to use to construct your deepfake. This is not child’s play, but it is also not that difficult to do anymore.
Risk and security teams are paying more attention to impersonation attacks, and so are the people who could be targets of impersonation. Somewhere, I am sure, a CEO is asking the security team to find tools and tech to manage this problem. I am also sure someone already has a product on the ground. But is this a pure technology problem?
I think it is completely a problem with business and awareness.
In good business and financial practice, you exercise a certain level of control in the execution of payments. A payment has a paper trail associated with it, and checks and balances are present to ensure that due process has been followed prior to the execution of the payment – even if it is urgent. Legislation such as the Corrupt Foreign Practices Act and the Foreign Account Tax Compliance Act springs to mind, not to mention KYC guidelines.
This is all good and well for payments, but this attack can be used for many purposes, such as convincing someone to release a digital or physical asset or to give entry to a person or package.
The solution to this problem is twofold.
First, you need robust processes that include checks and balances to ensure that the action is properly completed and authorized.
Then you need awareness. You need to inform all staff of:
- The risks to the business from these attacks;
- The importance of being careful about what information they post on social media;
- The correct actions to take if an attack occurs.
And you need to inform your customers about the ways in which you will communicate sensitive information and instructions, such as financial or IP information.
Our world revolves around risks and countermeasures, and nine times out of 10 we only find out if our countermeasures work when we are attacked. Consider testing your business countermeasures the way you would an application. Hire a reputable firm to see if they can compromise your business. Trust – but verify.
Ian Keller has over three decades of experience in information security. Currently, he leverages his extensive knowledge and expertise to bridge the gap between corporate telecommunications intelligence and business communication, providing data-driven solutions for informed decision-making and enhancing product quality in line with ISO and best practices. Keller is a chief information security officer whose career has encompassed sectors including telecommunications, network security, financial services, consulting and healthcare. His expertise in customer security, identity and access management, information security, and security awareness has made him a sought-after speaker at international events.