Deepfakes And AI Scams: How To Spot Them And Protect Your Business
The global digital transformation has not only helped organizations grow their business, but it’s also helped cybercriminals find new ways of scamming businesses and individuals.
With the increasing prevalence of deepfakes and artificial intelligence (AI) fraud, the old adage, “Don’t believe your lying eyes,” has never been truer.
Being able to say, “I saw it with my own two eyes,” is also quickly becoming a thing of the past. In today’s world, you can no longer simply accept videos and photos at face value.
Automatically assuming that images and videos are genuine could open the door for hackers to gain access to your organization’s financial accounts, personally identifiable information (PII), and IT systems.
In this article, we’ll explore the ways in which deepfakes and AI are creating new security threats for organizations and provide solutions to how you can shield your business from the latest cyber threat.
What Are AI-Generated Deepfakes?
Deepfakes use advanced AI technology to attack businesses across various industries, individuals, and even government officials. The goal is often to impersonate a trusted contact or company official to trick employees into transferring money or revealing sensitive information.
This digital trickery typically uses a form of AI called machine learning, according to the U.S. Government Accountability Office, which is used to manipulate and mimic learned information and behavior, including facial recognition and voice inflections.
It can then use this deep learning to artificially create new and highly believable fake videos, images, and audio recordings that can fool even the most well-trained professionals.
Deepfake technology has become so accurate that it can closely mirror a person’s facial features, movements, and voice to give the false impression that an individual is saying or doing something that never happened.
In one high-profile example in early 2024, a finance employee at Arup, a UK-based multinational firm, fell for a deepfake and ended up wiring scammers $25 million.
The worker, based out of the company’s Hong Kong office, thought he was in a video conference call with several other employees, including the company’s chief financial officer in London, according to a CNN report.
As it turns out, they were all deepfakes.
Notably, the employee initially suspected it was a phishing attempt after getting an earlier, suspicious email, but dismissed the red flags after the deepfake video conference appeared to show and sound like co-workers he knew.
In another widely-reported case in 2019, fraudsters used voice cloning to spoof the voice of the CEO of a UK-based energy firm, convincing an employee to send $243,000 to a fake account under the pretense of paying a supplier, according to Forbes.
Bad actors using these virtual disguises will continue to create business challenges in 2025 and beyond.
According to a Deloitte report, deepfakes could cost U.S. businesses upwards of $40 billion by 2027 because of rapid technological advances and easy access to generative AI technology.
How Can I Protect My Business From A Deepfake Scam?
While there are deepfake detectors available, they are not foolproof because of the increasingly convincing deepfakes.
This means that businesses will need to implement strong security measures to avoid being tricked by deepfake fraudsters.
Here are 5 ways businesses can safeguard their financial accounts and sensitive data from a deepfake attempt:
1. Provide employee security awareness training
Since traditional security technology won’t prevent these types of cyber scams, educating your employees about deepfakes and how to spot them can be your first line of defense against such threats.
Related Article: Why Employee Security Awareness Training Helps Prevent Cyber Incidents
Fully managed employee security awareness training costs about $5 a month per user—depending on your business size and frequency of training.
That’s a relatively small investment that could potentially save you from experiencing significant damage, such as lost revenue, reputational damage, litigation costs, customer loss, and other possible harm to your business resulting from a deepfake scam.
2. Establish strict verification policies for financial transactions
Ensure that employees know which team members are authorized to request money transfers, along with the procedures for making and verifying such requests within your organization, such as multi-factor authentication and in-person approvals when possible.
By having a system of checks and balances in place that is properly communicated to stakeholders, deepfake scams can become largely avoidable.
3. Use deepfake detection and authentication tools
- Digital watermarks: A digital watermark is a kind of secret digital tatoo that embeds invisible markers—such as pictures, video, audio, 3D images, or other unique identifiers— into digital content. These markers act as content identifiers to spot deepfakes by verifying the information and its source.
- Metadata: Metadata is information that provides details about other data, such as its source, author, time and place it was created, file size, and any changes made to the file. Metadata can be used to identify inconsistencies to tell if a photo or video is real or an AI fake.
- Blockchain: Blockchain is a digital database or ledger that is used to create and store encrypted records of original digital files to make secure transactions. Often associated with cryptocurrency, blockchain can be used to spot fake content by tracing it back to its original source and verifying its authenticity.
4. Adopt a zero trust or principle of least privilege policy
A zero trust security framework follows the “never trust” philosophy. This means that employees and others within or outside an organization need to continually verify their identity to access files, applications, and other parts of your IT network.
Related Article: Zero Trust Security Framework Explained: What Is It And Do I Need It?
A principle of least privilege (PoLP) limits data and network access to authorized users and applications to the minimum level needed to complete a task.
5. Develop and implement an incident response plan
An incident response plan (IRP) is a formal document that lays out the steps your business will take in the event of a security incident, such as a cyber attack or data breach. It spells out the protocols for containing and mitigating the threat, the communication chain, and recovery and review.
Having a comprehensive IRP is also often a requirement of certain security and privacy regulations, including HIPAA, CMMC, NIST 800-171, and others.
Related Article: Why You Need An Incident Response Plan Before A Cyber Incident Happens
What's The Bottom Line With Protecting Your Business From Deepfake Traps?
After reading this article, you have a more thorough understanding of how advanced technology including machine learning and AI are fueling the surging use of deepfakes by bad actors to steal from organizations and individuals in plain sight.
With these technological advances being used for nefarious reasons, it erodes the bond of implicit trust that businesses rely on to foster and maintain relationships both internally and with customers, partners, vendors, and others.
Have you written a detailed incident response plan? Do you have the necessary IT security tools and resources in place to thwart such an attack? Are you providing comprehensive, ongoing employee security awareness training?
With cybercriminals constantly on the prowl, businesses must be vigilant in protecting their data and systems through ongoing awareness, education, and implementation of best practices.
At Kelser, we have years of experience helping businesses implement robust cybersecurity measures to safeguard their IT infrastructure.
We recognize that not every business needs external managed IT support.
You may already have sufficient internal IT staff to implement the necessary security measures to protect your IT network and mitigate business risk. If not, you may be considering working with a managed IT service provider (MSP) for help.
If you are thinking about partnering with an MSP, we strongly encourage you to review several providers to find one best suited for your business. Check out the top 5 MSPs in Connecticut here.
Or, if you’d like to learn more about how managed IT can help ensure that your business continues to run smoothly and securely and would prefer to speak to a human, click the button. One of our IT professionals will quickly respond to learn more about your IT concerns and see how we can help you meet your needs.