Published on the 10/10/2024 | Written by Heather Wright
A/NZ businesses targeted by deepfake scams…
Deepfakes are hitting local organisations and marching up the priority list for IT and cybersecurity professionals.
Deepfakes – the 21st century answer to Photoshopping where images, videos or audio mimicking real (or non-existent) people are edited or generated using AI – have hit the news regularly in recent years, largely when used in political campaigns, when deepfakes of celebrities emerge, or in the context of being used against people in deepfake pornography.
Most recently there were reports of deepfakes flooding social media in the wake of Hurricane Helene in the United States and creating false narratives.
New reports, however, show their potential impact for businesses – and not just in the future, but here and now.
Research commissioned by Mastercard shows at least 18 percent of New Zealand businesses, and 29 percent of consumers, have been targeted by deepfake scams in the last 12 months, with losses believed to be in the tens of millions of dollars.
In Australia, at least 20 percent of businesses and 36 percent of Aussies have been targeted, with losses again reported to be in the tens of millions of dollars.
Mastercard says the figure is based on ‘a very conservative view of the average financial loss per scam’.
Mallika Sathi, Mastercard Australasia vice president of security solutions, says many victims are not aware they have been targeted, meaning the figures are ‘potentially only the tip of the iceberg’.
The research shows 47 percent of Kiwi businesses that have been targeted have fallen for the manipulated content. Australian companies, however, appear to be further ahead of the game, with just 12 percent reporting falling for the manipulated content.
To trick businesses out of money, the deepfake scams reported in the research commonly posed as customer service (38 percent in NZ, 44 percent in Australia), clients (29 percent/38 percent) and suppliers/vendors (26 percent/34 percent). Employees, CEOs, board members and law enforcement were also impersonated in the scams.
While the research doesn’t go into specifics of how the deepfakes were used, a Hong Kong company lost US$25 million when a finance employee was tricked by deepfake versions of his company’s CFO and other colleagues in a videoconference call. Everyone on the call, bar the victim, was fake.
He had initially received a message, purportedly from the CFO, about a secret transaction that was needed. He suspected it was a phishing attempt, but his early concerns were allayed by the video call and he went on to remit $25.6 million.
Deepfake technology can also enhance social engineering tactics to deceive people into providing sensitive information or taking other actions, and for cyber extortion.
The Mastercard research comes hard on the heels of a report from email security provider Ironscales showing that deepfakes have moved from an online curiosity to a significant security concern among IT and cybersecurity professionals.
Of the more than 200 IT and cybersecurity professionals surveyed, 75 percent said they had experienced at least one deepfake-related incident in the last year. Static images, or altered photos (40 percent), and personalised phishing emails (39 percent) led the way, followed by recorded videos, live videos and recorded and live audio/voice manipulations.
Sixty-four percent of those surveyed expect deepfake-enabled attacks to increase over the next 12-18 months, surpassing other forms of attacks such as ransomware and account takeover.
“Once considered a fringe technology, deepfakes have quickly emerged as a threat to corporate security with their ability to seamlessly mimic voices, faces and identities,” Deepfakes: Assessing Organisational Readiness in the Face of This Emerging Cyber Threat says.
The survey found 94 percent of IT professionals had some level of concern about the threat deepfakes currently pose to their organisation, with 48 percent saying they’re ‘very concerned’. Asked about the threat they believe deepfakes will pose in the near future, 74 percent said they were ‘very concerned’.
“While concerns about the risks deepfakes pose to organisational security are already near-universal, it’s clear that IT professionals see them primarily as an emerging threat – one whose true potential for harm has not yet been realised,” the report notes.
Those surveyed identified email as the biggest threat as a channel for deepfake-driven attacks, with 53 percent classing it as an ‘extreme’ threat and 39 percent rating it a ‘moderate’ threat. Of those whose organisation had experienced a deepfake incident in the past 12 months, 39 percent said one or more of the incidents came in via personalised phishing emails.
It says the findings underscore the urgency for organisations to adapt their defences against deepfakes, with the threats evolving and expected to grow in frequency.
Those surveyed say deepfake defence is quickly climbing the priority list, with 43 percent saying it will rank as their organisations’ top security priority in the next 12-18 months, and an additional 48 percent saying it will be an important part of their security operations.
More than half (68 percent) of organisations surveyed have already begun providing specialised cybersecurity training around deepfake identification, but more than 15 percent said they had no plans to invest in deepfake protection.
Mastercard’s New Zealand research shows 26 percent of Kiwi organisations and 16 percent of Aussie organisations haven’t taken any measures to protect against deepfake scams. However, 43 percent of both Aussie and Kiwi organisations have implemented identification verification to access sensitive information and 38 percent of Kiwi and 45 percent of Australian organisations are providing their teams with cybersecurity training. Conducting financial transaction training and implementing identification protocols for payment requests were being used across both countries to prevent deepfake scams.
Despite that, Mastercard says 22 percent of Kiwi and 19 percent of Aussie business decision makers lack confidence that staff can detect deepfake scams.
The Ironscales report recommends organisations identify the most worrying channels, such as email and messaging platforms, and – unsurprisingly for an email security company – invest in defensive technologies. Training and simulations to increase awareness of deepfakes among the workforce are also recommended.
Ironscales says with tight budgets and a whole lot of unknowns still on the horizon, organisations will undoubtedly look to be selective in their approach to defending against deepfake-driven threats.
“By identifying the most worrying channels, such as email and messaging platforms, organisations will be able to prioritise effectively in the short term. However, as is true of nearly all emerging threats, it likely won’t be long before threat actors begin to pivot, developing and diversifying their tactics in response to defensive efforts from the industry.”