Deepfakes and how to deal with them [Q&A]

With deepfakes getting more sophisticated and harder to detect both organizations and individuals are at risk of falling victim to fraud and phishing attempts.

We spoke to SURF Security CTO, Ziv Yankovitz, to learn more about the increasing threat of deepfakes and best practices that can be used to for combat attacks.

BN: What are deepfakes, and how have they evolved in recent years?

ZY: Deepfakes are synthetic media, including images, video and audio generated by artificial intelligence (AI) to depict real or non-existent people. Whilst deepfake technology has been around for over a decade, it has advanced significantly in recent years due to the rapid advancements in AI algorithms and computational power. As a result, this has led to the accelerated emergence of deepfake creation tools accessible online, enabling anyone to produce realistic and convincing deepfakes at their own leisure.

However, this has consequently given malicious threat actors the opportunity to weaponize deepfake technology to craft and launch sophisticated cyberattacks. There are a multitude of ways threat actors can use this technology to their advantage. For instance, this year we have witnessed many cases of threat actors creating deepfake scenarios to compromise individuals and companies. Consequently, this has resulted in an array of successful cyberattacks including ransomware, business email compromise (BEC), phishing scams, and the dissemination of disinformation.

BN: Can you give examples of real-world incidents where deepfakes have been used maliciously?

ZY: Deepfake attacks on individuals and organizations are on the rise, and according to a recent study are now occurring every five minutes. In 2024, there have been numerous deepfake incidents witnessed by the world, with one of the most prominent incidents being when a finance employee at a multinational firm was conned into transferring $25 million after fraudsters used deepfake technology to impersonate the CFO in a video call. This demonstrates the high level of sophistication deepfake attacks have, and the consequential financial loss organizations have had to contend with as result of their employees falling victim to such attacks.

Threat actors are also using deepfakes to spread disinformation, as seen when during the presidential election earlier this year, a deepfake robocall of former president Joe Biden encouraged democrats not to vote in the New Hampshire primary. Additionally, celebrities are being leveraged to launch deepfake attacks, with the most recent being the surprisingly realistic attempt of voice cloning the world-famous naturalist, David Attenborough with deepfake technology. Similarly, a threat actor created a deepfake of Elon Musk offering an investment opportunity, resulting in a retired pensioner losing $690,000 to the scam, among other victims.

BN: Why are deepfakes considered a significant threat to organizations?

ZY: Deepfakes present organizations with a multitude of substantial risks including significant financial losses in the event of a successful attack. Recent findings revealed that on average organizations across industries have lost nearly $450,000 to deepfake attacks. Further to this, the true cost of a deepfake attack can escalate when considering the potential civil and criminal liabilities stemming from security breaches. Businesses may face regulatory fines, litigation costs, and irreversible damage to their reputation, which can far exceed initial losses.

Beyond the financial loss of these attacks, organizations must also contend with the reputational damage that could occur in the aftermath of a deepfake incident, as customers and key stakeholders may lose trust in the company, leading to a loss of credibility and reliability of the brand.

BN: What challenges do businesses face in detecting and mitigating deepfake threats?

ZY: I'm acutely aware of the growing challenges we face in detecting and mitigating deepfake threats. Worryingly, most businesses have reported lacking confidence in their ability to detect deepfakes, which is understandable given the complexity of most detection solutions. These tools often require specialized knowledge, making them inaccessible for many organizations.

The issue is compounded by how far deepfake technology has advanced. They've become increasingly realistic and easier to produce, creating significant challenges for both users and organizations to identify and stop them effectively. Until recently, the tools available for detecting deepfake audio and video were slow, cumbersome, and incapable of operating in real-time. This technical lag gave attackers a clear upper hand, leaving businesses vulnerable.

However, there's hope. Advances in detection technology are leveling the playing field. Today, with just a single click, employees can determine whether they’re interacting with a real person or a deepfake in mere seconds. This is a game-changer, giving users the ability to proactively defend against these sophisticated threats. While the battle against deepfakes remains daunting, these innovations are giving us the tools and confidence we need to fight back effectively.

BN: How can organizations train employees to recognize and respond to deepfake threats?

ZY: The key to helping employees recognise and respond to deepfake threats lies in effective training and awareness. While advanced technology plays an important role in detection, human vigilance remains the first line of defense. It's crucial to strike a balance between technology and training as layering security measures can sometimes create complexity and friction for users. One of the most effective approaches is to start by raising awareness.

Employees need to understand what deepfakes are, how they're created, and the potential risks of falling victim to them. Deepfakes often exhibit subtle imperfections, such as unnatural movements, inconsistencies in lighting, or irregularities in audio synchronization. Training employees to spot these flaws can help them identify potential threats more quickly and confidently.

Pairing this awareness with the right tools is also critical. Tools designed to identify deepfakes are becoming more sophisticated and user-friendly, but they're most effective when employees know how and when to use them. A combination of advanced detection technology and heightened employee vigilance can significantly reduce the risk of deepfake threats.

Ultimately, organizations that focus on both awareness and technology will be better equipped to protect themselves and respond effectively to this evolving threat landscape.

Image credit: Wrightstudio/Dreamstime.com