The term deepfake stems from combining “deep learning,” a subset of machine learning, and “fake,” reflecting the technology's ability to produce deceptive media. They are used for various purposes but can be especially useful in social engineering attacks geared against healthcare organizations that possess a wealth of information.
What is deepfake technology?
Deepfake technology uses training algorithms on large datasets of images or voices to generate synthetic content that can convincingly mimic real people. According to a study from the Chittagong University of Engineering and Technology, deepfake technology can be used to “transfer celebrity faces into adult content” and “create fake news, fraud, and even spread hoaxes.” Through AI and machine learning manipulated media is created, ranging from videos to audio recordings that appear to be authentic.
How deepfake technology is integrated with social engineering attacks
A study published in the Journal of Law and Sustainable Development states, “Deepfake technology has turned to target organizations by spreading misinformation and disinformation.” For instance, a deepfake could be used in an attempt to ruin an individual’s reputation or for blackmail.
Deepfake technology can be used in the following ways:
Impersonation of a trusted individual:
- Attackers create deepfake videos or audio clips of a trusted person.
- The deepfake media files are embedded or linked in emails to deceive the recipients into believing the communication is legitimate.
Voice mimicry in voicemail or calls:
- Attackers use deepfake to clone the voices of trusted individuals.
- They then leave voicemails or make phone calls to convince the recipient to take action, such as transferring funds or sharing sensitive information.
Fake video conferencing:
- Attackers use deepfake to appear as a known person during video calls or virtual meetings,
- They might request sensitive information or make fraudulent instructions.
Phishing emails with deepfake attachments:
- Attackers send emails that appear to come from legitimate sources.
- These emails often include links to fake websites or ask for sensitive information directly, exploiting the deepfakes authority.
Blackmail and extortion:
- Attackers use deepfake media to fabricate compromising or incriminating content.
- They send emails threatening to release this content unless the recipient complies with demands.
Business email compromise:
- Attackers use deepfake technology to impersonate executives.
- They send emails requesting transactions or access to sensitive information.
Related: What are Business Email Compromise attacks?
Best practices to navigate social engineering attacks using deepfake technology
- Always double-check the identity of anyone requesting sensitive information or financial transactions.
- Use multiple channels to confirm requests from HIPAA compliant email to HIPAA compliant text messaging and calls.
- Regularly train staff on the dangers of deepfake technology.
- Use simulations of deepfake scenarios to help employees recognize when they may be interacting with manipulated video, audio, or message.
- Use deepfake detection technology that can analyze audio and videos for signs of manipulation.
- Invest in AI-driven tools to detect anomalies in communication patterns.
- Stay alert for out-of-character requests from colleagues or superiors such as requests for money.
Related: Top 12 HIPAA compliant email services
FAQs
What are BEC attacks?
Attacks involving scammers impersonating executives or trusted persons.
What is social engineering?
A tactic used to manipulate people into revealing confidential information.
What are the types of social engineering attacks?
Phishing, spear phishing, pretexting, baiting and tailgating.
Kirsten Peremore
