Deepfakes Are Making Business Email Compromise Worse

Business Email Compromise (BEC) exploits have long been a favourite for bad actors looking to gain access to enterprise networks via their people. The idea is simple: use fake emails to get employees to send money or information by impersonating an individual in a position of power. This is a longstanding attack vector that has targeted companies for more than a decade.  

As employees have become savvier to this kind of attack, bad actors have upped their game with a new weapon in the arsenal: artificial intelligence (AI)-based deep fake phishing. 

A deepfake is a simulation of a real, known person’s voice and/or image.  Deepfakes can be effective where other social engineering attacks would fail. Even those well-coached to be suspicious of inbound emails may not consider the same risks when the communication appears to come from a trustworthy source. After all, they may not be aware that what appears to be a sound bite from a trusted colleague, or even a video snippet, may not be genuine. 

As deepfake technology becomes more widespread, these types of attacks will become increasingly frequent in 2023—and the cybersecurity implications are serious. For example, a top issue for identity experts is the AI chatbot ChatGPT, and its potential – on combination with AI-driven with voice synthesis – to accurately create and mimic legitimate voices to produce ever more believable fake identities. Generative AI is still in its infancy, but even at this stage, it has brought upheaval on businesses and organisations, from academia to government. There can be no doubt that technology will advance, and bad actors will take advantage of it

How Do Deepfakes Impersonate Legitimate Identities?

To understand why deepfakes are so effective, it’s crucial to treat identity as the new security perimeter. This perimeter, no longer built by office walls and protected by on-premise hardware, is now composed of all humans and machines allowed access to the enterprise network, wherever they may be. In the new remote-working reality, this could be anywhere. This paradigm allows for much more flexibility, but with flexibility comes potential weaknesses: when people are not together and communicating in the physical space, bad actors exploit this distributed model with sophisticated impersonations to be granted undue access. 

Let’s take the most ubiquitous forms of remote corporate communication. Virtually every single business relies upon email and video conferencing as fundamental forms of communication, and reliance on these has only grown in the era of hybrid work.

Cybercriminals are aware of this reliance and have learned to deploy several tactics to overcome the established trust from a traditionally trusted channel where identity was not in doubt. They can infiltrate historically trusted modes of communication, using their ingrained status in the enterprise for malicious purposes.

The term "deepfake” comes from the underlying technology, "deep learning," which is a form of AI. Deepfake technology allows users to create startling accurate impersonations of others. In the news, we see examples of deep fakes pertaining to celebrities or politicians, but anyone can be a target. For example, a Binance PR executive claimed that cybercriminals created a ‘fake’ AI hologram of his image to scam cryptocurrency projects via Zoom video calls.
 
How do these attacks work? Bad actors make autoencoders - a kind of advanced neural network - which scan videos and voice files, collecting images and recordings of individuals to learn their distinguishing characteristics and attributes. They then collate these ingredients into images, voice recordings, and videos which appear extremely faithful to reality. These ‘deepfakes’ are then deployed as part of social engineering scams, where the author uses them to impersonate an individual. 

The Origins: How Phishing Made Us Distrust Identities

While deepfake attacks are reliant on new technology and relatively recent, such impersonations are far from new. Phishing, of course, is one of the original and longest-standing scams of the internet age, and the U.S. Federal Bureau of Investigation coined the term “Business Email Compromise” (BEC) to describe a specific form of spear-phishing attack. In a BEC attack, the author would impersonate a legitimate person inside the organisation or its network to dupe the recipient into delivering funds to an unauthorized account or individual. This is what BEC attacks have in common with their modern cousin, deepfakes: the important part of BEC is faking the identity of a trusted party to con an unsuspecting employee. The rest of this is just adapting the basic social engineering strategy to the latest platforms in use. Deepfakes simply build on this initial idea, but there have been, and will be, many other vectors.

When the FBI coined the term, email was the main avenue for this attack. Subsequently, there have been similar campaigns where the bad actor uses phone texting, voice messages, chat in platforms like Slack, and now video conferencing platforms like Skype and Zoom. Since these attacks are not email-based, arguably they are not technically BEC.  But they are the next generation of the same, basic strategy.

Unbreakable Cryptographic Identities

BEC is an extremely successful attack vector: the FBI estimates these attacks have cost a combined $43 million in recent years. Deepfakes only add to the trust problem, further dissolving the boundaries of reliable identity, and tricking recipients into trusting communications they shouldn’t. The only solution is to apply a sure-fire way to authenticate, confirm, and secure identities - one which does not rely on human intuition. 

Fortunately, digital certificates are a well-proven strategy for authenticating identity in modern business environments.  These certificates are foundational for modern defense-in-depth strategies such as Zero Trust Network Access and Software-defined Perimeter.

By employing Certificate Lifecycle Management platforms to automate the deployment, monitoring, and renewal of these certificates, enterprises will be in good stead to restore trust, despite bad actors’ best efforts and their increasingly advanced attack tools. 

Tim Callan is Chief Experience Officer at Sectigo

You Might Also Read: 

Building An Identity-First Security Strategy:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Why Cutting Cybersecurity Jobs Is Shortsighted
Staying Secure In A Changing World »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Maureen Data Systems

Maureen Data Systems

Maureen Data Systems (MDS) services cover Data Centres, Cloud Computing, Cyber Security, Mobility, Virtualisation, Managed Services.

Portnox

Portnox

The Portnox Network Access Control (NAC) Platform traverses across all network layers, and locations to deliver the highest accuracy and control of all connected devices and users.

Alarum Technologies

Alarum Technologies

Alarum Technologies (formerly Safe-T) is a global provider of cyber security and privacy solutions to consumers and enterprises.

Conscia

Conscia

Conscia provides IT infrastructure solutions and 24/7 services in network, data center, security and mobility.

Allure Security Technology

Allure Security Technology

Allure provide Behavioral Analytics software that combines machine learning and decoy technology to protect enterprise devices from data loss and intrusion both inside and outside the enterprise.

TrustInSoft

TrustInSoft

TrustInSoft develops solutions that validate mission-critical software and eliminate attack vectors.

Protectimus

Protectimus

Affordable two factor authentication (2FA) provider. Protect your data from theft with multi factor authentication service from Protectimus.

VigiTrust

VigiTrust

VigiTrust is a security firm specializing in cloud based eLearning programs, security compliance portals and providing security assessments.

Japan Cybersecurity Innovation Committee (JCIC)

Japan Cybersecurity Innovation Committee (JCIC)

JCIC is an independent and not-for-profit thinktank to establish a secure and safe digital society.

AXELOS

AXELOS

AXELOS develops best practice frameworks and methodologies used globally by professionals working primarily in IT management and cyber resilience.

Quantum Cybersecurity

Quantum Cybersecurity

Quantum's objectives are to assist and help our clients with RMF Controls, Accreditation packages, FISCAM controls, ISSM Duties and Responsibilities, ISSO Duties and Responsibilities and more.

KanREN

KanREN

KanREN is a member based consortium offering custom, world-class network services and support for researchers, educators, and public service institutions in the state of Kansas.

Earlybird Venture Capital

Earlybird Venture Capital

Earlybird is a venture capital investor focused on European technology innovators.

Blackrock Cyber

Blackrock Cyber

Blackrock Cyber consults on critical security decisions, oversees compliance for your payment initiatives, and details cyber security training for your entire organization and board reporting.

Cybergroot

Cybergroot

Cybergroot provides Cybersecurity Assessment services and professional Information Security trainings.

Creative ITC

Creative ITC

Creative ITC is a leading infrastructure and cloud enablement company. We design and deliver exceptional managed services and cloud solutions.