Deepfake Phishing: The New Wave of Cyber Crime

What is deepfake AI?

Deepfake AI is like Photoshop on steroids. Using deep learning, a form of artificial intelligence, an artificial neural network (ANN) can create realistic but entirely fictional videos and digital content from scratch.

To create deepfake videos existing footage and images from a real person are fed into a training library. From this, the ANN can learn to extract patterns in the data to create a convincing digital output that looks just like the real person.

For example, a number of deepfake videos of "Tom Cruise" recently popped up on TikTok. Although they appear to be the mega superstar, the videos were created by a visual and AI effects artist with the help of a Tom Cruise look-a-like (and sound-a-like) actor.

There are other deepfake examples, such as “Barack Obama” calling Donald Trump a “complete dipshit”, or “Mark Zuckerberg” bragging about having “total control of billions of people's stolen data”.

It's not just video that's been given the deepfake treatment.

Deepfake AI technology can be used to create voice skins or clones. The ANN can learn the expressions a person uses, their speech patterns, intonation, and accent. Once the ANN has enough data, it can be used to create the audio in the “style” of the learned subject.

Deepfake AI phishing explained

First of all, let's understand that phishing is a form of social engineering, a practice of manipulation to trick people into disclosing private information, giving access to private systems, or handing over money. Deepfake phishing does that using synthetic video or audio.

Let's explore both forms with examples to really get to grips with what deepfake phishing looks and sounds like.

Deepfake AI phishing- videos

It doesn't take a professional hacker to produce a deepfake video. They don't need to be as elaborate as the Tom Cruise TikTok videos! A hacker can easily create a convincing deepfake video using any of the popular face-swapping programs, or deepfake apps, that are available for free online.

So, how are hackers using this technology to go phishing?

In June 2022, the FBI issued a warning over the rise of deepfake AI being used in job interviews for remote positions mainly with IT companies. Fake interviewees use stolen photos and personally identifiable information (PII) to impersonate someone else through deepfake videos and pass background checks.

In doing so, they hope to trick recruiters into hiring them for the position which can not only give them a fraudulent paycheck but access to customer personal information, passwords, financial data, databases, and/or proprietary information.

In May 2022, a deepfake video of Elon Musk also appeared. The video showed a convincing Musk offering 30% returns on crypto deposits. The Tesla CEO's reply was “Yikes. Def not me.”

Image Source: Twitter

Binance chief communications officer, Patrick Hillmann, has also claimed that hackers used a deepfake video of him to hold meetings via Zoom with cryptocurrency executives. It wasn't until Hillmann started to receive messages thanking him for meetings that he didn't attend that it came to light.

Deepfake AI phishing- audio

Just as with video, a hacker doesn't have to have extensive AI technological knowledge to create deepfake audio content. With open-source voice cloning software, a person's voice can be duplicated with as little as five seconds of recorded audio of the real person.

Hackers can then use the audio-enabled deepfake apps to imitate a high-level decision-maker within a company and dupe an employee into following their orders.

For example, in 2019 The Wall Street Journal reported on the first known deepfake phishing scam using AI-generated audio. A managing director of a British energy company received a call from whom they believed to be the company's CEO.

The director was then tricked into transferring $243,000 into the hacker's account.

The fake CEO demanded the director wire money immediately to save on “late-payment fines” and sent financial details over email while on the phone.

It wasn't until the hackers called a second and third time, demanding another payment that suspicions were raised.

According to the reports, the fake voice didn't just imitate the CEO's voice but managed to get the tonality, the punctuation, and the boss' slight German accent down to a T.

Another example of deepfake phishing saw a $35 million bank heist in Hong Kong. In this case, a bank manager received a voice call from the director of a company, a person they had spoken to many times.

The imposter-director was calling to “ask for a favor”— to authorize transfers worth $35 million to enable a company acquisition.

This fake director claimed he had hired a lawyer to coordinate the acquisition and the bank manager duly received emails from both the fake director and the false lawyer. Believing to be speaking to the real deal and with written confirmation before him, the bank manager acted accordingly.

Within minutes, $35 million had vanished.

How to recognize a deepfake phishing video?

With advancements in AI and deepfake technology, it's getting harder and harder to spot deepfakes. If you're sent a pre-recorded video, such as the one of Musk, you, at least, have the ability to study it more closely.

Here are a few tell-tale signs that a video is a deepfake:

• Blurring with movement
• Odd blinking patterns or no blinking at all
• Audio that is not in sync with lip movement
• Sneezing or coughing that is not represented in the image
• Inconsistent shadows or skin tone
• Skin appears too smooth or too wrinkly

Of course, in a live video call, it can be harder to study these things in detail. In that case, you can conduct a simple test by asking the person on the live video call to turn to a profile view.

It might be a weird ask, but these are weird times!

And if it saves your company from losing millions to a hacker, then what's one awkward question between colleagues?

But, why does a profile view work?

Well, deepfakes are created by detecting landmarks on a person's face, and when they turn side on, the software has fewer algorithms to work with. This means you'll see a glimpse of the hacker “beneath” the deepfake.

How to recognize deepfake phishing audio?

Unfortunately, deepfake phishing using audio is often harder to recognize. While employees are often trained to spot email phishing attacks, people aren't generally trained to second-guess their own ears.

It's a natural response that when we hear a familiar voice, especially on the phone (without visuals), we assume that the person talking is the person we associate with that voice.

Even if the voice isn't perfect, we don't generally suspect anything out of the ordinary but put vocal differences down to environmental factors, or emotional influences, such as stress.

With rapid advancements in technology playing on natural human responses, deepfake apps will continue to be used for phishing scams. In fact, a recent survey by VMware found that deepfake phishing has increased by 13% since 2021.

Beware the sense of urgency

Video or audio, deepfake phishing attacks tend to come with a huge side order of urgency. It's a tactic that preys upon our fear response. The cybercriminals hope to panic their victims into taking immediate action without taking the time to verify the legitimacy or follow proper procedures.

How can you protect yourself from deepfake phishing?

With deepfake apps on the rise, you might not be able to stop a deepfake phishing attack from happening, there's no firewall or antivirus software to block them, but there are things you can do to avoid falling victim to them.

Employ detection services

Companies providing deepfake detection services, such as DuckDuckGoose offer a cloud-based service or on-premise offline tools that can detect deepfake pictures and videos with real-time speed. This detection software can even be used during conference calls and will warn users if the person on the other end is not who they appear to be.

Unfortunately, there is no such technology to detect deepfake audio, at least not in real-time.

Common sense

For most people, protection from deepfake phishing comes down to good old-fashioned common sense and a high degree of skepticism. It's no longer a case of “not everything you read on the internet is true”, it now extends to “not everything you see or hear”.

Get quizzical

With deepfake audio, you can ask the caller to switch to a video call. (It's highly unlikely they will be able to switch to using a deepfake video immediately!) Or ask them a question that only the real person would know.

However, it's certainly not the best approach to leave security against deepfake AI phishing attacks up to the individual.

Have a procedure and follow it

An organization should have authentication mechanisms and verification processes in place such as pre-shared codes or multi-person approval for payments, to counteract any non-legitimate requests. And even in cases of real urgency, proper procedures should always be followed.

Although deepfake apps used in phishing attacks aren't widespread yet, they are just the tip of the ever-evolving phishing iceberg. Are You Aware of the Most Common Phishing Attacks? Click the link to read more and protect yourself from the most used phishing techniques.