Threat of deepfakes

by Mark Rowe

Think you can spot a fake? It’s trickier than you may suspect, writes Mike Kiser, Director of Strategy & Standards at the identity security product company SailPoint.

Earlier this month, a finance worker at a multinational firm in Hong Kong was tricked into paying out $25m to fraudsters, who posed as his company’s CFO using deepfake technology in a video call. Research suggests the number of deepfake fraud attempts has increased 3000 per cent year-on-year. With deepfake content becoming commonplace in our digital landscape, it’s safe to say you can’t trust everything you see and hear online.

Are these threats new? The concept of deepfake technology has been used in Hollywood filmmaking for decades. Terminator 2 was the first blockbuster movie to create an entirely computer-generated character with realistic human movements – becoming one of the most iconic villains of its time. Now, the technology required to create photorealistic depictions of people has developed so much that it has become far more accessible. Being less time-consuming and costly, it’s moving into the hands of everyday users and towards the mainstream.

Often, this is for nefarious purposes – the latest high-profile victim being Taylor Swift. But we’re also facing the threat of this technology being increasingly used to influence decision-making, with Home Secretary James Cleverly recently warning that UK enemies could use AI deepfakes to try to rig the UK general election.

With so many important world events lined up in the year ahead, like elections and the Paris Olympics, these deepfakes may enter the mainstream for both consumers and businesses. So, how can we protect ourselves against their negative effects?

Keeping track of growing threats

Today, nine in ten (90pc) cybersecurity breaches are identity-related. Yet more than four in ten companies (44pc) are still in the early stages of their identity security journey. The business value and importance of identity, particularly in the realms of security, must be prioritised.

Identity is a core element of cybersecurity. And in business terms, identity is all about ‘who’ has access to ‘what’ information. In the past, the ‘who’ was generally a person or group of people, and the ‘what’ a database or application. Today, the ‘whos’ have proliferated beyond internal employees to contractors, supply chain members, and perhaps even artificial intelligence. The ‘whats’ have expanded too, as more data moves through more systems—from emails to apps to the cloud and much more. The more users and entry points there are, the tougher it is to screen all identities and keep all data secure against growing threats. Even security measures that were previously thought to be advanced and watertight, such as voice recognition, are no longer a match for today’s AI-fuelled risks.

At SailPoint, we explored the threats of identity theft in a recent experiment. We used an AI tool to listen to recordings of our CEO Mark McClain’s voice and then create its own version. Then, both the tool and Mark read a script in a blind test in front of SailPoint employees. Even though they knew it was an experiment, a third of employees got it wrong—the fake AI voice was so good that one in three thought it was Mark.

It’s no wonder, then, that these types of impersonation scams are gaining traction across the UK. Just last summer, trusted consumer finance expert Martin Lewis fell victim to a deepfake video scam in which his computer-generated twin encouraged viewers to back a bogus investment project. Lewis described it as “frightening”, and you’d be hard-pressed not to agree. As the technology advances, cybercriminals are increasingly going to be able to breach people’s trust and jump existing security hurdles with ease.

Shaping views, shifting votes

Many experts are also concerned about deepfake’s impact on public political opinions. Over the past fifteen years or so, we’ve seen how the internet and social media can sway real-world events—from the Obama team’s pioneering use of Facebook ahead of the 2008 US presidential election to the 2018 Cambridge Analytica personal data scandal. Plus, there are the everyday algorithms that control our exposure to ideas and information and therefore unconsciously shape our views. But as AI technology advances, the internet may have an increasingly overt effect on politics simply through the distribution of deepfake videos of politicians that are becoming tougher and tougher to distinguish from reality.

A 2023 Guardian article lists some notable examples of deepfake imagery and videos of political figures making striking, shocking, or bizarre statements, some of which may have tricked viewers into believing they were real. It argues that the technology risks dangerously disrupting how the public, and particularly those unsuspecting or unaware of its capabilities, views and trusts our world leaders. With both the US and UK elections set to take place in 2024, plus world events that have a huge economic and civic impact like the Paris Olympics also on the horizon, we must remain increasingly wary of the impact of these deepfakes into the new year and beyond.

What strategy needs to be implemented?

Last year, we saw cyber criminals ramp up their use of AI deepfake technology across a range of attack vectors. So, in 2024, the onus on potential victims to identify the real content in a sea of fakes will become even heavier. To combat this escalation, businesses will need to step up employee training on how to spot deepfakes, and they should also review and reinforce digital access rights, so employees, partners, contractors, and so on, only receive as much access to important data as their roles and responsibilities require. Data minimisation—collecting only what is necessary and sufficient—will be essential as well.

Moving forward, it’s key that businesses use stronger forms of digital identity security. For instance, verifiable credentials, a form of identity that is a cryptographically signed proof that someone is who they say they are, could be used to “prove” someone’s identity rather than relying on sight and sound. In the event of a deepfake scam, proof could then be provided to ensure that the CEO or colleague is actually who they claim to be. Some emerging security tools now even leverage AI to defend against deepfakes, with the technology able to learn, spot, and proactively highlight the signs of fake video and audio to successfully thwart potential breaches. Overall, we’ve seen that businesses using AI and machine learning tools, along with SaaS and automation, scale as much as 30pc faster and get more value for their security investment through increased capabilities.
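The signed proof described above can be sketched as a challenge-response check in which the caller's face and voice play no part. This is an added example, not SailPoint's code and not the W3C Verifiable Credentials data model; the `Proof` fields, function names, `approve-payment` request and `n-1` challenge are constructed for illustration, and the requester's public key is assumed to have been pinned in advance.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Proof is a simplified signed presentation, not the W3C VC data model.
type Proof struct {
	Request string    `json:"request"` // what is being asked for
	Nonce   string    `json:"nonce"`   // verifier's fresh challenge
	Expires time.Time `json:"expires"`
}

// NewKeys makes a demo key pair; a real holder's key stays on their device.
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Sign runs on the requester's device with their private key.
func Sign(priv ed25519.PrivateKey, p Proof) (payload, sig []byte) {
	payload, _ = json.Marshal(p)
	return payload, ed25519.Sign(priv, payload)
}

// Verify uses the key pinned in advance for the person the caller claims to be.
func Verify(pinned ed25519.PublicKey, payload, sig []byte, nonce string, now time.Time) (Proof, error) {
	var p Proof
	if !ed25519.Verify(pinned, payload, sig) {
		return p, fmt.Errorf("signature not from pinned key")
	}
	if err := json.Unmarshal(payload, &p); err != nil {
		return p, err
	}
	if p.Nonce != nonce || now.After(p.Expires) {
		return p, fmt.Errorf("replayed or expired proof")
	}
	return p, nil
}

func main() {
	pub, priv := NewKeys()
	now := time.Now()
	payload, sig := Sign(priv, Proof{"approve-payment", "n-1", now.Add(time.Minute)})
	_, err := Verify(pub, payload, sig, "n-1", now)
	fmt.Println("genuine proof accepted:", err == nil)
}
```

A proof signed with any other key, replayed against a different challenge, or presented after expiry is rejected, however convincing the video call looks.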

The stakes are high: AI versus AI

$1.1 billion was paid out by organisations giving in to cybercriminal demands in 2023. As cyber criminals grow more sophisticated, the potential for huge financial loss from breaches will only grow, not to mention reputational damage which can have an even longer-term impact.

Currently, nine in ten IT professionals (91pc) say that budgetary constraints are standing in the way of implementing identity security. But with deepfakes forming a large part of today’s threat landscape, it’s not the time to try and save a few pounds. Teams need to be provided with the right resources to defend against these attacks.

There is hope here: as AI technology grows in accessibility, so too do security tools. With a unified approach to identity security through platforms that leverage automation and AI, companies can scale identity-related capabilities up to 37pc faster than companies without.

Deepfakes aren’t just a thing of Hollywood fantasy – they are here and now, and the only matter we should take at face value is investing in tools that can help to ward off these threats.

© 2024 Professional Security Magazine. All rights reserved.