Why a 'Swiss cheese' approach is needed to combat deepfakes [Q&A]

Deepfakes are becoming more and more sophisticated, earlier this year a finance worker in Hong Kong was tricked out of millions following a deepfake call.

With the deepfake fast becoming a weapon of choice for cybercriminals, we spoke to Bridget Pruzin, senior manager -- compliance and risk investigations and analysis at Convera, to learn why she believes a 'Swiss cheese' approach, layering controls like unique on-call verification steps and involving in-person verification, is crucial to effectively defend against these scams.

BN: Why are deepfakes posing a unique threat to the fintech industry, compared to other business functions?

BP: Financial transactions are the lifeblood of the global economy, and a successful deepfake attack in fintech can lead to huge losses. Unlike other sectors, fintech deals with highly sensitive financial data and facilitates the direct transfer of funds, making it a prime target for fraudsters utilising deepfake technology and posing a threat to the fintech industry.
This vulnerability is further highlighted by a recent Sumsub report, which found a 700 percent increase in deepfake incidents within the fintech sector in 2023 compared to the previous year.

Cybercriminals can use deepfakes to impersonate a trusted person within an organization, like a company CEO, a customer, or even a third-party. They can then trick employees into authorizing transactions or surrendering sensitive information. The real danger lies in how convincing deepfakes can be and how it will only get better as AI technology improves. This is why staying ahead of deepfake threats is absolutely critical for the fintech industry.

BN: Why are traditional payment verification methods no longer enough to protect against increasingly sophisticated deepfake scams?

BP: Traditional payment verification methods, such as phone calls or video conferences, alone are no longer sufficient to protect against sophisticated deepfake scams. These methods rely heavily on voice and visual recognition, which can be manipulated by deepfake technology.

Deepfakes can create highly realistic audio and video content, making it increasingly difficult to distinguish between a genuine person and a digitally manipulated representation. Fraudsters can exploit this vulnerability by impersonating authorized individuals or entities, circumventing traditional verification processes. The success of such attacks is shown by the pure amount of deepfake fraud attempts which have increased by 31 times in 2023 -- a 3,000 percent increase year-on-year.

As deepfake technology advances, it becomes increasingly accessible and affordable, enabling even less technically savvy cybercriminals to execute convincing scams.

BN: What are some of the specific deepfake tactics and red flags that B2B payment teams need to be on the lookout for?

BP: B2B payment teams should be vigilant for several deepfake tactics and red flags, including:

• Impersonation of executives or authorized personnel: Fraudsters may use deepfake audio or video to impersonate company leaders or trusted third parties, requesting unauthorized payments or sensitive information.
• Unusual behaviour or inconsistencies: Deepfakes may exhibit subtle inconsistencies in speech patterns, facial expressions, or background elements that could raise suspicion. With anomaly detection, behavioral analysis, biometrics and real-time monitoring, there’s still an opportunity to prevent fraud before it starts.
• Requests for urgent or high-value transactions: Deepfake scams often involve requests for immediate, high-value payments to create a sense of urgency and pressure. 4. Unfamiliar or newly introduced payment details: Fraudsters may provide new bank account information or payment instructions, deviating from established procedures.

By being aware of these tactics and red flags, B2B payment teams can enhance their vigilance and implement additional verification measures to mitigate the risk of falling victim to deepfake scams.

BN: What are the key layers of Convera's 'Swiss cheese' approach to verifying B2B payment requests and safeguarding transactions?

BP: There are huge limitations to relying on a single fraud prevention measure. This is why the adoption of a 'Swiss cheese' approach, layering multiple controls to create a robust defense against deepfake scams and other fraudulent activities, is most effective.

The key layers of our approach include:

• Multifactor authentication (MFA): Advanced MFA methods can be deployed, such as biometrics, one-time passwords, and secure tokens, to verify the identities of parties involved in transactions.
• Secure Communication Channels: Ensuring that all communication, especially those involving payment and sensitive personal information, is done only through official and secure channels is key to preventing interception by illicit actors. The more sensitive the information, such as higher-principal transactions, the increased need to verify the information through a secondary secure channel.
• Continuous monitoring and adaptation: Teams must monitor and stay on top of emerging deepfake techniques and adapt controls accordingly, ensuring defenses remain effective against evolving threats. Consistent training on trends and best practices for both employees and customers is crucial in preventing fraudulent payment attempts from ever entering the financial system.

By combining these layers, fraud teams can create a robust defense system that minimizes the potential for deepfake-powered payment fraud while maintaining efficient and secure transaction processing.

BN: What are the most impactful steps B2B payment providers and finance teams can take to strengthen their defenses against deepfake-powered payment fraud?

BP: B2B payment providers and finance teams can take several impactful steps to bolster their defenses against deepfake-powered payment fraud:

• Implement multi-layered verification processes: Adopt a 'Swiss cheese' approach by implementing multiple layers of verification, including biometrics, one-time passwords, and unique verification steps tailored to each transaction.
• Invest in deepfake detection technology: Utilize advanced software and tools capable of detecting deepfake audio, video, and imagery, enabling real-time identification of potential fraud attempts.
• Human interaction and in-person verification: Involve the real world for on-the-spot verification when needed. Call trusted personnel on a different type of communication than the original conversation. Organizations can also introduce steps such as requesting specific information or actions that a deepfake would be unable to provide or perform during critical interactions that are higher risk for fraud.
• Enhance employee training and awareness: Regularly train employees to recognize the signs of deepfake scams, including unusual behavior, inconsistencies, and requests for urgent or high-value transactions.
• Industry collaboration and information sharing: Collaborate with industry peers, law enforcement agencies, and regulatory bodies to share information on emerging deepfake threats and best practices for mitigation.
• Continuously update and adapt defenses: Stay vigilant and regularly update fraud detection and prevention measures to keep pace with the rapidly evolving deepfake landscape.

By taking these proactive steps, B2B payment providers and finance teams can significantly enhance their ability to detect and prevent deepfake-powered payment fraud, safeguarding their operations and protecting their customers' financial assets.

Image credit: Westlight/depositphotos.com