Phishing has been the bane of cybersecurity professionals for as long as anyone can probably remember. Lately, however, flashier technologies such as AI-powered DeepFakes have started to catch the interest of scammers. Now we're beginning to see the possibility of DeepFake phishing, and there's no doubt this new take on an old scam formula could be the most dangerous yet.
Before this new type of attack comes into full swing, let's look at DeepFake phishing more closely.
In case you're a little rusty on the meaning of phishing, here's what you need to know. The word "phishing" is a hacker corruption of the word "fishing," in the sense that the cybercriminal is fishing for your personal information. The most common form of phishing attack is through email. It usually takes the form of an email pretending to be from your bank, service provider, or some other common institution. Usually, the email wants you to click a link, which leads to a fake website where you enter your username and password, giving the hackers access to your account.
There are variations on this basic attack, but this is the main idea. There's a more potent form of phishing, known as "spear" phishing. In this case, the scammers don't just aim the attack at millions of people hoping for a lucky break. Instead, the attackers do some research on the target. These fake messages may impersonate someone you know and ask for other less obvious information, which they could later use in further attacks on different victims. Alternatively, receivers can be fooled into taking actions such as sending payments after thinking the request came from a legitimate source.
DeepFakes are a fairly new application of machine learning technology. They generate realistic faces, which makes it possible to create videos where someone appears to do and say things that they never did. At first, the technology was limited to only copying faces. Even then, it could usually only impersonate famous persons. Now, however, things are changing, making the concept of DeepFake phishing a practical possibility.
The idea behind DeepFake phishing is that you can impersonate someone in a video call or a voice call. So, for example, you could receive a Skype call or a WhatsApp voice note from your "boss" telling you to pay someone an amount of money, only for it to turn out later that your boss never sent the message.
As long as DeepFakes worked only on faces and needed to be pre-rendered, they weren't very practical. Now, we're seeing the emergence of DeepFake technology that works in real time, alongside the faking of voices. It's also no longer necessary to have thousands of source images for the machine learning software to generate the DeepFake. These technology enhancements all come together to make possible a sort of digital impersonation, and it's rather scary once you think about it.
These DeepFakes don't even have to be as convincing as the pre-rendered type. With those, the trick was often discovered after analyzing the recording multiple times. With a real-time DeepFake, it's already too late by the time you have a chance to do this. On top of this, webcams and video conferencing applications already don't have the best sound and video quality, potentially masking the fakery. If this form of phishing takes off, we could be in for a rough time when it comes to cybersecurity.
Given the threat that DeepFake phishing presents us, this isn't just something that can be fought on an individual level. Video conferencing providers such as Skype, Zoom, and FaceTime will have to incorporate built-in detection systems designed to spot suspected DeepFakes. These systems will most likely have to make use of the same machine learning technology principles that phishers do.
There is no telling how well these countermeasures will work, but in the meantime, there are some protocols that companies and individuals can adopt to ward off the threat:
While we have yet to see this sort of phishing hit the mainstream, once the methodology is mastered, you can be sure someone will try it. If people are fooled, the floodgates will open.