No longer a fringe or novel technology, deepfakes have now emerged as a major threat for Australian businesses, and will soon become their biggest cyber concern, according to a new report.

AI email security firm Ironscales conducted a survey of more than 200 IT and cyber security professionals and found that deepfakes are already a significant threat to organisations of all shapes and sizes, and this is only set to increase.

Deepfakes – images, videos or audio generated using artificial intelligence to mimic real people – have emerged in recent years as a major concern in terms of privacy, and have been weaponised primarily against women in the form of non-consensual deepfake pornography.

There have also been numerous recent examples of deepfakes being used in the context of politics and election campaigns.

But there has been little discussion around the threat that deepfakes pose to businesses, despite many organisations already seeing the consequences.

Deepfake risk spreads

The survey found that three-quarters of respondents had already experienced at least one deepfake-related incident in their organisation in the past year.

A further 75 per cent of cyber professionals said they are “very worried” about what the future will hold for their business in terms of deepfakes.

The central threat that deepfakes pose to businesses is their ability to mimic employees and managers, a tactic malicious actors commonly use to trick unsuspecting employees into transferring money to the attackers' accounts.

“Deepfakes have quickly emerged as a threat to corporate security, with their ability to seamlessly mimic voices, faces and identities,” the report said.

“These statistics underscore the urgency for organisations to adapt their defences against deepfakes, especially as these threats are evolving and expected to grow in frequency.”

Nine in 10 of the respondents said that deepfakes are evolving either “very quickly” or “moderately”, and more than two-thirds said they expect deepfake attacks to continue to grow over the next 12 to 18 months, eventually surpassing other forms of cyberattacks.

“The overwhelming consensus that deepfakes present a serious and rapidly worsening security threat is impossible to ignore,” the report said.

The main threat

Most respondents to the survey said that emailed deepfakes currently pose the biggest risk to organisations, with 53 per cent saying this presented an “extreme threat”.

“Deepfake phishing emails make it nearly impossible to tell reality from manipulation,” it said.

Of the types of deepfake content employed in cyberattacks, more than 40 per cent said they had seen altered photos, 30 per cent had experienced live videos, and just under 40 per cent had encountered personalised phishing emails.

“While email remains a critical tool for business operations, it’s also the primary channel for the next wave of cyberattacks, combining the old threat of phishing with the new weapon of deepfakes,” the report said.

Of those who responded to the survey, only 41 per cent were very confident in their organisation’s ability to defend against deepfakes.

The report recommended that businesses prioritise combating email-based deepfake threats, focus on uplifting awareness across the organisation of the growing threat, invest in defensive technologies, and conduct simulation testing.

Already rife

There have already been numerous examples of deepfake-based cyberattacks having a devastating impact on organisations.

Earlier this year it was revealed that a large multinational had lost $40 million to a deepfake video call scam that involved a video meeting filled with AI-generated versions of real employees.

The victim was targeted with an email purporting to be from the company’s chief financial officer requesting they transfer large sums of money.

They later attended a video meeting that appeared to feature the CFO and other co-workers, but these were actually deepfake videos of the individuals.

The cyber criminals were able to convince the employee to make 15 transactions to local bank accounts across a week, totalling $40 million.