How deepfakes enhance social engineering and authentication threats, and what to do about it

Cybercriminals are investing in deepfake technology to make social engineering and authentication bypass campaigns more effective. Here are strategies for defending against the most notable deepfake cyberthreats.

Deepfake technology is an escalating cybersecurity threat to organizations. Cybercriminals are investing in AI and machine learning to create synthetic or manipulated digital content (including images, video, audio and text) for use in cyberattacks and fraud. This content can realistically replicate or alter appearance, voice, mannerisms or vocabulary with the aim of tricking targets, both human and autonomous, into believing that what they see, hear or read is authentic and trustworthy.

In March 2021, the FBI warned of a growing trend of malicious actors leveraging synthetic or manipulated digital content for cyber and foreign influence in extensions of existing spear phishing and social engineering campaigns. These can have more severe and widespread impact due to the sophistication level of the synthetic media used, it added. Organizations therefore must be aware of growing deepfake cyberthreats and take steps to defend against deepfake-enhanced cyberattacks and scams.

Cybercriminals adopting deepfake technology

“It’s often been said that pornography drives technology adoption and that was certainly true of deepfakes when they first appeared. Now the technology is catching on in other less salacious circles—notably with organized cybercrime groups,” Mark Ward, senior research analyst at the Information Security Forum, tells CSO.

Deepfake-derived attacks are currently few and far between, executed by specialist gangs or those that have the weight of a state behind them, with only a handful of documented successful uses, Ward says. “However, it will spread as all such technologies do when the tools, techniques, and potential rewards become well known.”
