Complete transcript below:

Deepfake Demo:

Hello! I’m Cathy Coloff from IT Radix.  Thanks for joining us for today’s webinar: AI Disguise: Deepfakes.  Today we’ll share more about Deep Fake technology, its potential threats to your business, and what you can do to protect yourself.

Actually, I’m Cathy Coloff, and you just experienced an example of a Deepfake.  That video was an AI generated Deepfake of myself that was created using a 30-second clip.  So, today, we’re gonna dive into this a little bit more and talk about Deepfakes.  I tend to talk fast.  If you have any questions, feel free to raise your hands as I go along.  And, of course, we will always take questions at the end, but welcome to the world of Deepfakes.

What is a Deepfake?

Many of you are wondering what the heck is a Deepfake.  Basically, it is either an audio or a video that is created using artificial intelligence algorithms that manipulate the sound, the images, the audio, the video, and sometimes what they’re doing is they’re superimposing someone else’s face on top of another person’s body or sometimes they’re just manipulating an existing video or audio recording.  The net result of that is that’s something they call synthetic media.  They are using deep learning AI techniques to do this and basically it can learn.  So, once you have one, they can learn and create more using the learn patterns that they see from the first one.  So, what are they using these things for?  Obviously, there’s a lot of good things that are being done with some of these, but today we’re kind of focused on the negative side of Deepfakes, and unfortunately they’re being used to perpetrate fraud (financial scams), they’re being used in phishing attacks where they’re impersonating identities and then gaining information into sensitive financial information or proprietary confidential information, they’re doing impersonation scams where they’re pretending to be a high executive or a high-profile individual and then tricking somebody into transferring funds or signing a fraudulent agreement, or things of that nature.  They are being used in the corporate espionage world to steal sensitive information and then the organization loses some intellectual property.  And then, finally, they’re doing data theft.  So, they’re stealing sensitive data by creating these videos and then they could be using it to trick or blackmail people into divulging confidential information and obviously that’s theft, but it also can result in some breaches of privacy.

How Deepfakes Affect Your Business

So, how does this affect your business or your organization?  There are multiple ways, but the main three that I put here are:  your reputation or brand impact.  Deepfakes can damage the reputation of a business really quickly by spreading false information, eroding people’s trust in the organization, and it ends up having a negative impact on the client’s perception or the customer’s perception of your organization.  Trust is key in this case, and basically the Deepfakes are undermining that.  They’re not authentic, they’re leading, and then once you’ve got one out there they could lead to skepticism around your other marketing and communication efforts that you have.  The problem with social media is things can go viral like that and depending on what it is, it could be spreading damaging content at an accelerated rate and even if you try to debunk it, the damage is really hard to reverse.  So, one of these things that ends up happening is it’s creating a PR crisis for organizations and many organizations aren’t really prepared to deal with that.  It can create a snowball effect, negative hashtags and campaigns have happened.  They start trending out there in the social media world and the next thing you know you’re investing in damage control.  And then, of course, there’s financial loss.  It’s everything from you had a tarnished reputation and now you lost a customer, maybe you lost a partnership or a joint venture that you’re doing, and people are rethinking that, it can even result in some lawsuits.  So, rebuilding your reputation and your brand after some kind of a Deepfake event can be super expensive and time consuming and you really could end up experiencing actual loss of revenue and legal costs associated with all of it as well.

Real-Life Deepfake Scam Example

So, I did want to share with you a particular high-profile Deepfake scam that we are aware of that actually occurred.  It was an audio-based Deepfake and somebody scammed or they perpetrated fraud by pretending to be the CEO of an organization.  The CEO called and reached out to one of the employees and instructed them to transfer funds to a fraudulent account and, in this case, because the person thought it sounded like the CEO, they followed the instructions and real money was lost.

How to Protect Your Business

So, what are you supposed to do about all of this?  The first thing for businesses is to start implementing some detection technologies.  Believe it or not, you can use AI to help you detect AI Deepfakes, so that is one thing that’s out there.  I’m happy to talk to you about specific technologies in the future, but today I’m just going to focus at a high level what we’re doing here.  The other thing you want to do is have Two-Factor Authentication.  So, in the case of that CEO fraud case, just like you do Two-Factor Authentication when you log into a computer system or into your email, come up with some kind of a code word or some sort of an internal Two-Factor Authentication control around things like that to help control and validate that the Deepfake is a real person or not.  Some of the things that the Deepfake the other thing that they will do is it depends on who they target, depends on how much access they have to things inside of your organization so we cannot encourage you enough to constantly re-evaluate who really needs access to this?  Can I tighten this up?  Can I pull down the limit, the access to these files to these data?  Things of that nature.  And then, don’t just set it and forget it.  Come back and do a regular security audit on a regular basis.

The next thing you want to do is train your employees.  Frankly, the number one way they’re getting in is somehow there’s usually a human factor involved.  I’ve seen statistics from 85 to 95% of any kind of cyber event at some point there was a human who was involved—who was either inadvertently or intentionally—created the problem, started the ball rolling.  So, training is key! Train them on how to look for inconsistencies in the audio and the video, looking for signs of manipulation.  Some things that they could look for, I don’t know if you noticed it in the Deepfake that we had of me but…  unnatural eye movement, maybe their hands aren’t moving around and there’s a person who talks a lot with their hands and suddenly they’re stiff and unnatural.  The other thing that we see sometimes is that that if you turn your head side to side, it can’t do a good 3D representation of that person.  AI Deepakes are getting better and better though, so all of these things will slowly but surely become even harder and harder to detect.  The training is key!

The last thing is…  make sure you’re prepared.  God forbid something happened, you want to have a crisis management plan.  This is much like a DR plan.  Usually with DR we’re focused on the actual IT systems.  This is more at the business level making sure that you can identify the Deepfake, how to take it down, how to communicate with people, and how to mitigate any damage that might occur around your business’s reputation.  Sadly, the laws and regulations aren’t really keeping up.  There are very few laws around Deepfakes.  What is there, you do need to comply with but sadly, the bad guys don’t, so they are still using the Deepfakes to perpetrate fraud, violate data privacy, and create basically cybersecurity events.

Ethical Implications of Deepfakes

The last thing that I’m going to talk about is ethical implications of Deepfakes.  Obviously, they can be abused.  There have been a lot of high-profile ones in the news.  There’s one with Taylor Swift.  If you’re a Swifty, you know all about it.  Erosion of trust.  Basically, it’s going to make it difficult to know who to trust in the media and always what to do in terms of taking things with a grain of salt.  It’s super hard to distinguish what’s real versus fake and so you want to always be on your guard and looking for that.  And then, finally, just making sure that you’re protecting your privacy.  Deepfakes can be done to create fake images or videos of people without their consent and that has a lot of impacts on a privacy and reputation standpoint.

So, with that…  that’s what I had for you today.  I obviously emphasize the Cybersecurity Awareness Training.  The training programs that we have do include modules on Deepfake and how to recognize them.  If you’re not already on board with the Cybersecurity Awareness Training program, we invite you to join us in educating your people.  If you sign up before November 15th, we’ll set that up for free.  It is an ongoing process that happens throughout the year, because you don’t just set it and forget it.  You want to make sure you’re constantly reinforcing what to do.  If you want to sign up, you can go to that URL or you can reach out to us through email.  We thank you for joining us today.  I don’t see any questions in the chat, but if you happen to have one I would be happy to answer those now.  If not, I’m going to wrap it up.

Thank you so much for joining us.  I’m Cathy from IT Radix, and we will talk to you again soon!