How do we spot deep fakes? Don’t bother!

?

If you haven’t heard of deep fakes, it’s the use of technology to pretend to be someone. You can recreate someone’s voice and their face with computers, and this can be done in real time to create a realistic video chat impersonating someone you know. Artificial Intelligence (AI) will continue to make this process faster, cheaper, and better.

I highly expect cyber criminals will increasingly embrace deep fake and AI technology to trick people out of their information and money because it uses an incredibly powerful weapon against us – trust. Unfortunately, we’re well past the days of criminals just forging email addresses and phone numbers. Here’s a few scenarios for how it can be used against us in real life:

1. ?You get a phone call from a family member, they’re panicked, asking for your credit card details because they’ve lost their card. It’s their phone number, it’s their voice, and they need help now so you quickly provide the details to help them.Here’s the potential reality though – a criminal rang that family member, recorded their voice, forged their phone number and voice and called you to trick you. They already have trust via impersonation, and they throw in a bit of fear and urgency to bypass logical thought processes and get you to act quickly.
2. The CEO calls the Finance department, asking for an urgent transfer of money to an account to close a business deal. Again, it’s their phone number, their voice, and again we have trust via impersonation, urgency, and maybe a bit of fear because it’s the CEO.And as with the previous example, the potential reality is that a criminal is pretending to be the CEO, and someone in Finance has just made a hefty transfer of money to a very happy cyber-criminal.

?This is happening now, and it’s going to be happening more and more soon. As you can see with the above examples, it doesn’t matter who you are or what you do - if you have money or valuable information you will be a target.

?So, we have to spot deep fakes to stay safe, right? Wrong!

Maybe you’re talking to artificial intelligence and there are tell tale signs like pauses in the voice that don’t seem natural. Maybe the computer-generated voice doesn’t sound quite right. But as the technology gets better and better, tell tale signs of fakery will disappear until we can no longer tell. Maybe technology / AI will be able to spot deep fakes for us? But again, how accurate will it be? Technology could look for cues like absent pulses in veins of the neck with video, and yet AI will just create pulses in the veins of the neck! It’s likely a losing battle.

But there is hope, and it’s actually a very simple set of rules that you should always use, at home and at work. Note that these rules come into play when you are dealing with someone “not” in person. i.e., You can’t touch them, because this is when we are worried that deep fake technology might be used. Here are the rules in very simple terms (and of course these can be built on as required):

The Rules

1. If someone is asking for confidential information (like the phone call asking for credit card information), they must prove they are who they say they are. Maybe they can tell you something only they would know. Maybe you have a secret password. In either case, if you’re not sure they are the real person, ring them back on a number you have, or that you look up. Now you know who you are speaking to and can get to the truth.
2. If someone is giving you information that could cause harm (like the CEO asking you to transfer money to an account, so in this case that potentially harmful information is the bank account details), call them back to confirm it’s correct. Note that this would apply the first time someone gives you information (as per this example), or when it is changed (like a phone call from a staff member to change the bank account their salary is paid into).

And that is the core of the solution! If you’re in a company, ensure that these processes are formalised and communicated to staff. At home, ensure family members understand how it can be used against them, and how to respond (e.g., Have a password for the family and ask for that password if in doubt).

Really at the core if it all, it’s a healthy dose of suspicion, simple procedures, and a phone call to confirm everything is ok. Do this consistently and potentially save yourself / your company a lot of money, time, and reputation!