Understanding Deepfake Risks

Leveraging this new OpenAI real time translator to phish via phone calls in the target’s preferred language in 3…2… So far, AI has been used for believable translations in phishing emails — E.g. my Icelandic customers are seeing a massive increase in phishing in their language in 2024. Before only 350,000 or so people comfortably spoke Icelandic correctly, now AI can do it for the attacker. We’re going to see this real time translation tool increasingly used to speak in the target’s preferred language during phone call based attacks. These tools are easily integrated into the technology we use to spoof caller ID, place calls, and voice clone. Now, in any language. Educate your team & family + friends. Make sure folks know: - AI can voice clone - AI can real time translate to speak in any language - Caller ID is easily spoofed with or without AI tools - AI tools will increase in believability Example AI voice clone/spoof example here: https://lnkd.in/gPMVDBYC Will this AI be used for good? Sure! Real time translations are quite useful for people, businesses, & travel. We still need to educate folks on how AI is currently use to phish people & how real time AI translations will increase scams across (previous) language barriers. *What can we do to protect folks from attackers using AI to trick?* - Educate first: make sure folks around you know it’s possible for attackers to use AI to voice clone, deepfake video and audio (in real time during calls) - Be politely paranoid: encourage your team and community to use 2 methods of communication to verify someone is who they say they are for sensitive actions like sending money, data, access, etc. For example, if you get a phone call from your nephew saying he needs bail money now, contact him a different way before sending money to confirm it’s an authentic request - Passphrase: consider using a passphrase with your loved ones to verify identity in emergencies (e.g. your sister calls you crying saying she needs $1,500 urgently ask her to say the passphrase you agreed upon together or contact with another communication method before sending money)

There’s a pretty good chance that the shocking rate at which AI is advancing is out-pacing your cyber security training, policies and maybe even technologies. Have you addressed the use of AI and deep fakes in your cyber security policies? In a recent and alarming development that seems to have leapt straight from the pages of a science fiction novel, a Hong Kong based finance worker at a multinational firm was defrauded of $25 million, falling victim to an elaborate scam that employed deepfake technology to impersonate the company's CFO. This incident, which unfolded during a video conference call, marks a disturbing milestone in the intersection of cybercrime and AI, underscoring the urgent imperative for companies to bolster their cybersecurity frameworks, particularly against the backdrop of deepfake technology. The mechanics of the scam were deceptively simple yet devastatingly effective. The finance employee was lured into a video call with several participants, believed to be colleagues and the CFO, only to discover later that each participant was a digital fabrication. The deepfake avatars, mirroring the appearance and voice of real company personnel, instructed the employee to initiate a "secret transaction", leading to the unauthorised transfer of $25.6 million. This incident is not an isolated event but rather a harbinger of the potential threats posed by AI-driven disinformation and fraud. The use of deepfake technology to bypass facial recognition software, impersonate individuals for fraudulent purposes, and undermine the integrity of personal and corporate identities presents a clear and present danger. The case in Hong Kong, where fraudsters successfully manipulated digital identities to orchestrate financial theft, exemplifies the sophistication of contemporary cybercrime. The implications of this event extend far beyond the immediate financial loss. It serves as a stark reminder of the vulnerabilities inherent in digital communication platforms and the necessity for robust verification processes. The reliance on video conferencing and digital communication, accelerated by the global pandemic, has exposed systemic weaknesses ripe for exploitation. In response to this escalating threat, it is incumbent upon companies to adopt comprehensive cybersecurity strategies that address the unique challenges posed by deepfake technology. This includes implementing advanced authentication protocols, raising awareness and training employees on the potential risks of deepfakes, and deploying AI-driven security measures capable of detecting and neutralising synthetic media. As AI output become increasingly indistinguishable from reality, the line between authentic and artificial communication will blur, challenging individuals and organisations to navigate a new frontier of digital authenticity. It compels a reevaluation of the assumptions underpinning digital trust and identity verification, urging a proactive approach to cyber defence.

The New Corporate Threat: Deepfakes That Even Experts Can't Detect Welcome to the new reality where AI doesn’t just generate content, it manufactures convincing lies. You’ve probably seen it: - A CEO announces a fake acquisition. - A politician "says" something they never did. - A voice note "from your boss" requests a fund transfer. It all looks real. But it’s not. It’s a deepfake AI-generated audio, video, or images designed to deceive. Why it matters: Deepfakes are no longer just internet tricks or entertainment. They’re now: - Financial fraud enablers (voice clones used to scam employees) - Corporate risk vectors (fake news impacting stock prices) - Political weapons (manipulated clips used to sway public opinion) - Personal threats (identity misuse, blackmail, defamation) How to spot a deepfake  Look for: - Unnatural blinking or awkward lip sync - Plastic skin or weird lighting - Robotic tone or emotionless speech - Out-of-character statements - No credible source backing the video If it feels off, it probably is. What you can do: - Pause before sharing - Use tools like Deep ware, Microsoft Video Authenticator, or Adobe Verify - Train your teams especially PR, legal, and finance - Push for content provenance in your organization In the GenAI era, trust is currency. Don’t spend it on content you didn’t verify. #artificialintelligence

There’s more to the $25 million deepfake story than what you see in the headlines. I pulled the original story to get the full scoop. Here are the steps the scammer took: 1. The scammers sent a phishing email to up to three finance employees in mid-January, saying a “secret transaction” had to be done. 2. One of the finance employees fell for the phishing email. This led to the scammers inviting the finance employee to a video conference. The video conference included what appeared to be the company CFO, other staff, and some unknown outsiders. This was the deep fake technology at work, mimicking employees' faces and voices. 3. On the group video conference, the scammers asked the finance employee to do a self-introduction but never interacted with them. This limited the likelihood of getting caught. Instead, the scammers just gave orders from a script and moved on to the next phase of the attack. 4. The scammers followed up with the victim via instant messaging, emails, and one-on-one video calls using deep fakes. 5. The finance employee then made 15 transfers totaling $25.6 million USD. As you can see, deep fakes were a key tool for the attacker, but persistence was critical here too. The scammers did not let up and did all that they could to apply pressure on the individual to transfer the funds. So, what do businesses do about mitigating this type of attack in the age of deep fakes? - Always report suspicious phishing emails to your security team. In this context, the other phished employees could have been an early warning that something weird was happening. - Trust your gut. The finance employee reported a “moment of doubt” but ultimately went forward with the transfer after the video call and persistence. If something doesn’t feel right, slow down and verify. - Lean into out-of-band authentication for verification. Use a known good method of contact with the individual to verify the legitimacy of a transaction. - Explore technology driven identify verification platforms for high dollar wire transfers. This can help reduce the chance of human error. And one of the best pieces of advice I saw was from Nate Lee yesterday, who called out building a culture where your employees are empowered to verify transaction requests. Nate said the following “The CEO/CFO and everyone with power to transfer money needs to be aligned on and communicate the above. You want to ensure the person doing the transfer doesn't feel that by asking for additional validation that they're pushing back against or acting in a way that signals they don't trust the leader.” Stay safe (and real) out there. ------------------------------ 📝 Interested in leveling up your security knowledge? Sign up for my weekly newsletter using the blog link at the top of this post.

From presidential robocalls to explicit images of Taylor Swift, deepfakes - hyperrealistic AI-generated video, photo, and audio forgeries - have surged online reaching a staggering 95,820 documented deepfake videos in 2023 alone. This blurring of reality requires teaching a new approach to vetting if online content is real or fake. So we've created our newest downloadable guide designed to build student awareness of the presence and impact of deepfakes, while providing key discussion topics on the ethics of AI-generated content. The Guide features: - Information on what Deepfakes are and their impact on society - Strategies for critical consumption of online content and the identification of deepfakes - Key examples of audio, photo, and video deepfakes for the classroom - Guiding questions for classroom discussion on the ethics of deepfakes You can view the guide or download a PDF version here: https://lnkd.in/eNep3Jjy. AI for Education #aiforeducation #aieducation #responsibleAI #GenAI #Deepfakes

M&S, Harrods and Co-op have all been hit by serious cyberattacks this year, with M&S losing hundreds of millions in value when payments went down. One emerging threat? Fake remote workers. Some firms have hired North Korean operatives with AI-polished faces, stolen identities and spotless (because fraudulent) background checks. The suggested fix? Keep your cameras on. The reality? Deepfake video feeds are already good enough to fool entire conference rooms, Arup learned this the hard way when a synthetic CFO ordered a $25m transfer. This isn’t a visibility problem. It’s a verifiable identity problem. Banks use strong biometrics, cryptographic proofs and verifiable credentials for KYC every day. Employers need the same for KYE. Digital signatures can’t be deepfaked; video calls can. So here’s the question: Are we finally ready to move from “seeing is believing” to “cryptographically proving is believing”? #digitalidentity #verifiablecredentials #authentication #authorisation #verification

What happens when deepfake technology becomes a service anyone can buy? I've been tracking the Deepfakes-as-a-Service market, and the numbers are alarming. Deepfake fraud attempts jumped 1,300% in 2024. From one attack per month to seven per day. Here's what keeps me up at night: The February 2024 Arup case. A finance employee joined a video call with the CFO and several colleagues. Everyone looked real. Everyone sounded real. The employee authorized $25.6 million in wire transfers. Every single person on that call was AI-generated. This wasn't some nation-state operation. Underground marketplaces now offer deepfake creation as a point-and-click service. No technical skills required. Just cryptocurrency and malicious intent. The psychology is what makes it work. We're wired to trust what we see and hear, especially when it matches our expectations. A realistic video of your CFO making a familiar request triggers immediate credibility. By the time you think to question it, the money's gone. Traditional defenses aren't enough anymore: → Voice verification systems can be defeated → Video calls don't guarantee authenticity → Even following verification procedures can fail Organizations need multi-channel verification protocols. If someone requests a wire transfer on video, verify through a completely separate channel. Code words. Challenge-response systems. Procedural friction on high-risk transactions. But here's the problem: 99% of security leaders say they're confident in their deepfake defenses. Only 8.4% actually scored above 80% in detection tests. We think we're protected when we're actually vulnerable. Have you updated your verification procedures for the deepfake era? #Cybersecurity #AISecurity #DeepfakeFraud #DigitalRisk #FraudPrevention

I just submitted my comments to FINRA about deepfakes in financial services. They asked for input on modernizing rules for the digital workplace. Naturally, I had thoughts. FINRA's 55-page regulatory notice covers everything from remote work to AI chatbots. Buried on page 44? A single paragraph about deepfakes. One paragraph. For a threat that could cost financial services $25 billion by 2027. Here's what's happening right now: Deepfakes are bypassing biometric verification during customer onboarding. AI voices are authorizing wire transfers. Synthetic executives are joining Zoom calls. And the current rules? They assume the person on your screen is actually a person. Wild assumption in 2025. The fascinating part isn't that regulators are behind the curve. That's expected. It's that they're asking the right questions. "How have technological advances helped or hindered members' ability to fight fraud?" Great question. Here's the answer no one wants to hear: The same AI making compliance more efficient is making fraud more effective. It's an arms race. And right now, the bad guys have better weapons. At Reality Defender, we see the casualties daily. Banks discovering their "CFO" never joined that call. Investment firms realizing they onboarded synthetic identities. The good news? FINRA's listening. The better news? We don't need to wait for new rules to protect ourselves. Because while regulators debate modernization, someone's using your earnings call to train their voice model. Read more about why we did this and see our comments in full below 👇 https://lnkd.in/en7nVb9a

Fraud no longer hides in the shadows. It might show up disguised as someone you know. Like when the CEO calls and her voice on the phone sounds exactly right. Her urgency feels real, and the wire transfer request to a new bank account seems legitimate, so accounting releases the funds. And just like that, the company loses $20k to a fraudster who weaponized AI. This isn't science fiction. It's happening right now to individuals and organizations alike. Fraudsters are creating disturbingly real AI deepfakes that can fool even the most cautious people. And companies need strategies to combat them. Because those audio and visual cues we've relied on for decades are no longer reliable indicators of authenticity when it comes to AI deepfakes. Organizations can fight back with these defense strategies: ✔ Stay cautious and be wary of anyone requesting money or personal information, even if they look or sound like someone you trust. ✔ Don’t send money or share sensitive data in response to a single phone or video call. Phone numbers can be spoofed, so always verify a person’s identity by contacting them separately at a number you trust. ✔ Use small action requests, like asking a person to turn their head, blink repeatedly, or hum a song while on a video or phone call. If they decline, freeze up, or go silent, it could be a fraudster. ✔ Establish a safe word that only your inner circle knows to confirm the identity of someone claiming to be a colleague, family member, or friend.   ✔ Use strong passwords. Enable multifactor authentication (MFA) on all company devices and accounts whenever possible. And don’t forget to report AI deepfakes to law enforcement and any relevant social media channels, websites, and other platforms where the encounter took place. All of these tips ALSO work for individuals too because hackers like causing havoc with anyone they can. The question isn't whether AI deepfakes will target your organization. It's whether your organization will be ready when it does.   Food for thought as we kick off Cybersecurity Awareness Month.   ♻ Share our infographic to help companies combat AI deepfakes. 

AI PR Nightmares Part  3- Deep Fakes Will  Strike Deeper (start planning now): Cyber tools that clone voices and faces arent social media scroll novelties, they’re now mainstream weapons causing millions or billions in financial and reputational harm. If you haven’t scenario‑planned for them yet, you have some work to do right Video, audio, and documents so convincing they could collapse reputations and finances overnight. This isn’t distant Sci‑Fi or fear mongering: Over 40% of financial firms reported deep‑fake threat incidents in 2024 and it escalated 2,137% in just three years. 😱 ⚠️ Real-world fraud: The CFO deep‑fake heist: In early 2024, a British engineering firm (Arup) fell victim to a video‑call deepfake featuring their CFO. Scammers walked an employee through 15 urgent transactions, ultimately siphoning off over $25 million. This wasn’t social media fakery, it was a brazen boardroom attack, executed in real time, with Cold War KGB‑level human believability. 🎭 What synthetic mischief will look like tomorrow: 😱 Imagine a deep‑fake video appearing of a Fortune 500 CEO allegedly accepting a bribe, or footage showing them in inappropriate behavior. 😱 And then within minutes it’s gone viral on social and in the mainstream press, before the real person or company one can even issue a statement. The 2025 version of Twain’s “a lie can travel halfway around the world before the truth puts on its shoes”, except a 1000X faster. At that point, the reputational damage is done even if the clip is later revealed as AI‑generated. 🛡️ What companies must be doing now: Audience Action: Internal (Staff): - Run mandatory deepfake awareness training. - Tell teams: “Yes, you might get a video call from your boss, but if it’s not scheduled, don’t act, and verify via text, email or call. Investors & Regulators: - Include a standard disclaimer in all earnings and executive communications: - “Any video/audio statements are verified via [secure portal/email confirmation]. If you didn’t receive a confirmation, assume it’s fake.” Customers & Partners: - Publish your deep‑fake response plan publicly; kind of like a vulnerability disclosure for your reputation. - Say: “We will never announce layoffs or major program changes via a single email/video.” Media & Public: - Pre‑train spokespeople to respond rapidly: - “That video is fraudulent. We’re initiating forensic authentication and investigating now.” Digital Defense: - Invest in deep‑fake detection tools. Sign monitoring agreements with platforms and regulators. Track your senior execs’ likenesses online. 👇 Has your company run deep‑fake drills? Or do you have a near‑miss story to share? Let’s all collaborate on AI crisis readiness.