By Brian HIll
A new study by the Ponemon Institute points to a concerning use of AI: deepfake attacks are on the rise and are taking a financial and reputational toll on companies and their executives.
Related: Tools to fight deepfakes
Deepfake Deception: How AI Harms the Fortunes and Reputations of Executives and Corporations details the results of a recent independent Ponemon survey of 586 U.S. security professionals, highlighting a few worrisome findings:
•Deepfake risks increasingly target vulnerable board members and executives.
•Organizations suffer from a lack of visibility and preparedness to combat these attacks.
•The most common deepfakes are impersonation of executives’ trusted contacts, urgent demands for payments, and false information about a detected security breach.
•Deepfake is one of the most worrying uses of AI.
The unpleasant truth is that the use of AI-generated deepfake content to target executives in their personal lives is quickly escalating, creating a growing area of vulnerability for corporations. As AI technology advances, attackers are shifting their focus from technical exploits to human emotions using deeply personal and well-orchestrated social engineering tactics.
Uprotected targets
Companies admit they are largely unprepared for this dangerous evolution. Fortunately, there are steps they can take to combat this growing threat and stop cybercriminals’ deceptive uses of AI.
As described in the Ponemon report, a deepfake is an artificial image or video generated by a form of AI called deep learning. Typically, the attacker collects authentic media samples of their target, including still images, videos, and audio clips, to train the deep learning model. The more training data used, the more authentic the deepfake appears.
Hill
With highly visible public profiles, prolific social media activity, high-net-worth business executives and their family members become easy targets. In fact, the survey reports that 42% of respondents said their organizations’ executives and board members have been targeted an average of three times by a fake image, while 66% of respondents said it is highly likely their executives will be targeted by a deepfake in the future.
Common fakery
The most common deepfakes experienced are impersonation of executives’ trusted entities and urgent demands for payments or information about a detected security breach. Of those targeted, 28% said it was by impersonating a trusted entity such as a colleague, executive, family member, or known organization; 21% said executives and board members received urgent messages such as the requirement of immediate payment or information about a security breach detected.
The exact financial harm committed by deepfakes is not known or measured. However, most respondents point to the cost of staff time to respond to attacks and the cost to detect, identify, and remediate the breach as the most serious financial consequences stemming from such attacks.
Need for a zero-trust mindset
Traditional corporate security measures typically focus on corporate assets and infrastructure within the company’s “four walls,” leaving executives vulnerable in their personal lives. Additionally, business leaders often lack cybersecurity expertise to take appropriate action in the face of a deepfake threat. Case in point: 59% of respondents said it is very difficult to detect deepfake attacks, and the majority have low confidence in their executives’ ability to recognize a deepfake risk.
To combat the deepfake threat, a zero-trust mindset is essential. Slightly more than half (56%) of respondents said it is essential to distinguish between authentic and fake content in messages, while nearly three-quarters (72%) of respondents said they are likely to evaluate technologies that enable executives to verify the identity and authentication of messages they receive. The good news is that there are already tools available that make this type of identity verification not only possible but easy.
There are other steps that companies can take to protect the digital lives of their executives, board members, and their families to safeguard corporate assets and the bottom line:
•Reduce their digital footprint: Minimize personal information exposed online.
•Monitor their personal devices and home networks: Proactively identify and mitigate potential cyber risks.
•Educate and train: Empower executives and their families to make informed decisions about online activities.
•Perform incident response: Rapidly address threats before they escalate into an enterprise breach.
The rise of deepfake phishing, as highlighted by the Ponemon Institute, presents a clear and present danger to executives and their companies, exploiting personal vulnerabilities for financial and reputational gain. The widespread lack of preparedness demands an immediate shift towards a zero-trust approach, leveraging identity verification tools and comprehensive Digital Executive Protection strategies to safeguard both individuals and the enterprise.
About the essayist: Brian Hill is Head of Security Services at BlackCloak, a leader in Digital Executive Protection. He holds a 2015 – 2016 Master’s Degree in Security Technologies (MSST) @ Technological Leadership Institute, University of Minnesota.