216.696.8700

Safeguarding Against the Rise of Deepfake Scams: What Employers and Employees Need to Know

Joe Beck
February 17, 2024
NCAA

A recent deepfake scam has rocked the financial landscape of Hong Kong, demonstrating the extreme lengths to which cybercriminals are willing to go to defraud unsuspecting victims. This sophisticated scheme, which saw attackers coerce an employee into transferring a staggering HK$200 million (about $25 million) via a fake video conference populated by deepfakes of company executives, highlights the urgent need for heightened vigilance and preparedness in the face of evolving cyber threats.

What Is a Deepfake?

A deepfake is a type of synthetic media created using artificial intelligence (AI) techniques, typically involving the manipulation of images or videos to depict events or scenarios that never actually occurred. In a deepfake, an AI program is “trained” by analyzing and processing numerous pictures and videos of a reference target. Through this training process, the AI learns to mimic the facial expressions, gestures, and speech patterns of the target individual. As the technology continues to evolve, it is crucial for individuals and organizations to remain vigilant and employ strategies to detect and reduce the spread of deceptive content.

Protecting Yourself and Your Organization

For both employers and employees, understanding the mechanics of deepfake scams and implementing proactive measures are essential in mitigating the risks associated with these malicious activities. Here’s what you need to know to protect yourself and your organization:

  1. Recognize the Threat: Deepfake technology has advanced to the point where realistic simulations of individuals can be convincingly generated, making it increasingly difficult to distinguish between genuine and fake content. Awareness of this threat is the first step in defending against it.
  2. Stay Vigilant Against Phishing: The deepfake scam in Hong Kong began with a phishing email impersonating a company executive. Employees should exercise caution when receiving unsolicited emails, especially those requesting sensitive information or financial transactions. Verify the authenticity of requests through alternate channels before taking any action.
  3. Verify Identity Through Multiple Channels: In cases involving significant financial transactions or sensitive information, organization should employ multiple verification methods to confirm the identity of individuals involved. This could include phone calls, in-person meetings, or secondary authentication measures beyond email or video conferencing.
  4. Enhance Cybersecurity Training: Educate employees about the dangers of deepfakes and other types of scams. Provide consistent training on how to identify suspicious communications and emphasize the importance of verifying requests, particularly when they depart from established procedures.
  5. Implement Least Privilege Access: Restrict access to sensitive systems and accounts based on the principle of least privilege. Ensure that employees only have access to the resources necessary for their roles, reducing the potential impact of compromised accounts.
  6. Merge Physical and Cybersecurity Protocols: Recognize that combating deepfake scams requires a multifaceted approach that combines both physical and cybersecurity measures. Implement strict approval processes for financial transactions and encourage employees to report any suspicious activities promptly.

Adaptability Is Key

As the threat landscape continues to evolve, organizations must adapt their cybersecurity strategies to effectively counter emerging risks. By fostering a culture of alertness and providing employees with the knowledge to identify and respond to threats, businesses can strengthen their defenses against the growing threat of deepfake scams.

In the age of digital deception, proactive prevention and robust security measures are paramount in safeguarding against financial loss and reputational damage. For additional information, please visit KJK’s Cyber Security & Data Breach practice page.