Deepfakes: A Double-Edged Sword

I’ve worked in and out of security for decades. We did the same kinds of things people do with deepfakes with far older technology when I was working on the switchboard at my friend’s motel when I was a kid. Back then, all we had were hard-wired phones, but we’d often mess with people late at night by pretending to be people we weren’t.

Later, collaborating with headhunters, a common way to find people in companies was to call in and use an executive’s name who was out of town to convince someone illicitly that our external unauthorized request was legitimate. Genuinely good headhunters were extremely good at this. Deepfakes improve the ability to deceive people, but if you are paying attention, there is no reason to be fooled by them.

Let’s talk about deepfakes this week, and we’ll close with a news service social media product called Otherweb that does a better job than most at weeding out the fake news that has been a massive source of mistakes, fraud, and embarrassment.

The $25M Deepfake Fraud

What got me thinking about this was a quarterly briefing from HP Wolf Security on security threat trends from the prior quarter and its answer to my question on creative new threats.

HP shared a successful fraud scheme where an employee received calls from two deepfake executives they knew and were convinced to wire $25 million from a financial institution in Hong Kong to an illicit organization. It took two weeks before the fraud was discovered.

I’m an ex-IBM internal auditor, and all kinds of red flags immediately popped up in my head when I read the story. First, financial institutions typically have massive controls over their monetary systems because no one wants to invest money in a financial institution that isn’t safe.

There are a lot of industry rules and practices that have been developed over centuries to protect these institutions. One is called “separation of duties,” where no one person can authorize a significant payment without a physical executive sign-off. When you’re talking about millions of dollars, the expenditure might require the CFO, the CEO, and an independent board member to sign off on it.

Fraudulent Scheme Details

Right off the bat, you can see that that process wasn’t in place at this company, and the entity committing the fraud not only knew that but also knew who had the ability to authorize an expenditure like that. This situation strongly suggests an inside job requiring intimate knowledge of the targeted employees’ privileges.

There was no room for failure because if the criminals had tried and failed at this, an alert would have typically gone out inside the company, making other employees aware of the fraud and better able to avoid it.

I have little doubt that the employee who was fooled will become a suspect — since that would be the easiest path — and that other employees who informed the attacking entity of the policy shortfall and identified the tricked or compromised target employee are involved.

Separation of Duties and Red Flags

Reinstituting and enforcing the “separation of duties” rule to assure that no single employee can authorize an expense like this would significantly reduce the potential for this kind of fraud to be successful and raise the degree of difficulty to a point where a different approach like simply bribing the employee(s) might be more successful.

Inside Job Suspicion

This situation strongly suggests an inside job requiring intimate knowledge of the targeted employees' privileges. The fact that the fraudsters knew who had the authority to authorize such a large expenditure points to an insider's involvement.

Reinforcing Separation of Duties

To prevent future incidents like this, organizations should rigorously enforce separation of duties. No single person should have the power to authorize large financial transactions without multiple layers of oversight.

Kidnapped Loved One Fraud

One of the anticipated frauds is using deepfakes to convince you that a loved one is in danger and that you need to send money immediately to get them out of danger. This tactic has also been used for years over phones with great success. Video might make it a little more believable if done well, but doing these things well is still an unusual skill set, at least for now.

It works by making you panic so that you don’t think to call your loved one or law enforcement as you rush to a store to buy a gift card to send to the individual defrauding you. Realize that in an actual kidnapping, the perpetrator’s safest move to avoid being caught is to kill the kidnapped victim regardless of whether you paid the ransom because if you don’t get your loved one back, what exactly is your recourse?

Exploiting Panic and Fear

Therefore, you should always call law enforcement first when dealing with a kidnapping. They have people trained to deal with this, and if engaged, it is far more likely that the perps will be identified and incarcerated. Depending on the size of your local police department, you might want to consider calling the FBI since it may have more substantial resources than your local PD to deal with this kind of fraud.

Calling Law Enforcement

When faced with a potential kidnapping situation, the first step should always be to contact law enforcement. Their expertise and resources are crucial in handling such incidents.

Safe Word for Verification

Develop a safe word that you don’t share outside the family that will establish a kidnapped loved one is who they say they are, so you don’t spin up law enforcement needlessly. You can also call their cell phone to see if they answer. If this is a fake, this is one of the quickest ways to break the fraud.

Giving Voices to Victims

One interesting use of deepfake technology is the voice of a dead child who was killed as a result of gun violence. The technology is called Shotline. It uses the voices very powerfully, I might add, to allow those killed by gun violence to speak out against it. Giving voice to the voiceless is a powerful message to politicians and their supporters who haven’t acted aggressively to stop gun violence.

Granted, this would need to be done with the permission of the deceased child’s parents. I expect that hearing the voice of your dead child speak out against the violence that killed them might be somewhat cathartic for the parents. It also sends a strong message to those who put these kids at risk and should increase empathy for the victims and, particularly, the victims’ parents by politicians who also have kids.

It is one of the most powerful and potentially effective ways to drive needed change. Unlike pushing back on those who promote gun reform, pushing back against the voices of dead children is problematic and possibly a career-ender if constituents identify with the kids or their parents.

Shotline Technology and its Purpose

Shotline uses deepfake technology to recreate the voices of children killed by gun violence, allowing them to speak out against the issue and advocate for change.

Empowering Parents and Victims

By giving a voice to the voiceless, Shotline provides a powerful platform for parents and victims of gun violence to share their stories and demand action.

Potential Impact on Gun Violence Debate

This technology has the potential to influence the gun violence debate by bringing a more personal and emotional element to the conversation. It might lead to increased empathy and a more compelling argument for stricter gun control measures.

This is all to say that deepfakes can also be used to do good.

Summary

• Deepfakes can be used for both malicious and beneficial purposes.
• A $25 million fraud case highlights the risks of deepfakes in financial transactions, emphasizing the need for strong security measures.
• Kidnapping scams using deepfakes can exploit fear and panic, but calling law enforcement immediately is crucial.
• The Shotline technology uses deepfakes to give a voice to victims of gun violence, raising awareness and potentially influencing policy changes.