While deepfakes can be used for sanctioned business content, organizations must acknowledge their inherent risks. In 2021, the FBI issued a warning to businesses about deepfake fraud, saying that malicious actors “almost certainly will leverage synthetic content for cyber crime and foreign influence operations in the next 12-18 months.”3 In fact, two out of three cyber security professionals saw malicious deepfakes used as part of a strike against businesses in 2022, a 13% increase from the previous year, with email as the top delivery method.4
Because well-crafted deepfakes require high-end computing resources, time and technical skill, cyber criminals typically use them for operations against large enterprises and demand steep payments — but as technologies evolve to make deepfakes easier and cheaper to create, criminals will be able to target companies (or third-party vendors) of all sizes.
Business identity compromise risks
In 2020, threat actors used an audio deepfake to steal $35 million from a Hong Kong bank, the largest publicly disclosed amount lost to inauthentic content yet.5 They pulled off the sophisticated heist using a newly defined threat vector called business identity compromise (BIC).
BIC uses deepfake technology to create synthetic corporate personas or imitate existing employees, often posing as a well-known, high-ranking professional in the organization. Put simply, BIC builds trust where there shouldn’t be. Once it’s established, criminals can seize trade secrets and patents, impact company culture with political commentary, undermine relationships with customers and partners, tank stock values, create turmoil in the supply chain and otherwise sow chaos.
Both audio and video deepfakes have already been used to impersonate executives at Fortune 500 companies, including CEOs, CFOs, treasurers and other senior leadership. In some cases, deepfakes have been deployed to humiliate or harass the executive, making it seem like they said or did something that they did not, in order to damage the reputation of the company and executive.
Deepfake phishing risks
Deepfake phishing is another emerging threat for businesses, combining disinformation (in the form of deepfakes/BIC) and phishing to fool employees into making unauthorized payments or volunteering sensitive proprietary or customer information. Often, deepfake phishing begins with an audio deepfake of a trusted figure in the organization. The criminal, disguised as the figurehead, will reach out via web conferencing or voicemail, then follow up with other forms of social engineering, such as business email compromise (BEC) or dynamic voice manipulation, using a sense of urgency to pressure employees into releasing funds or data.