Deepfakes Threaten To Become The New BEC Scam

The business email compromise (BEC) scam continues to rear its ugly head at the enterprise, with the global pandemic creating even more avenues through which cyber attackers can steal company money.

At the heart of BEC and other scams is impersonation. Hackers will either use C-suite executives’, finance team members’, or suppliers’ email addresses, or create ones that look very similar, to send their messages and trick professionals into thinking someone legitimate is making a request to alter payment procedures. One seemingly real enquiry to change bank account details can — and often does — mean millions of dollars lost.

To protect businesses, security experts urge anyone who receives such a request to double- and triple-check with whomever made the initial request. This multifactor authentication strategy can be as easy as walking down the hall to meet face-to-face with the chief financial officer, yet with teams still working remote, the process has migrated to the phone or video chat.

Tessian Co-founder and CEO Tim Sadler warns that this has created an ideal environment for cyberattackers wielding a quickly emerging technology: deepfakes.

“With major company announcements more prominent than ever these days, from news related to corporate changes or work-from-home, employees are relying on senior leadership to guide them through these times,” Sadler told PYMNTS. “Unfortunately, this opens the door for cybercriminals to impersonate [executives], and they’re becoming more creative and sophisticated in their techniques.”

The Pandemic’s Security Impact

Analysts continue to warn businesses that hackers are taking advantage of the current business environment, a product of the global pandemic, to commit their crimes.

“In general, the pandemic has created the perfect storm for bad actors to take advantage of the uncertainty and chaos caused by unprecedented national events,” noted Sadler.

Without the ability to meet team members in-person, it’s far easier for questionable emails to fall through the cracks, and for those payment and banking details to be altered without an additional layer of authentication. With more employees relying on the phone, as well as video conferencing platforms, to communicate with their teams, it presents an ideal environment for deepfake technology to take hold.

According to Sadler, “Deepfakes are the next iteration” of BEC, enabling cyberattackers to steal video conferencing credentials or hop on the telephone. Deepfake technology enables anyone to look and sound like another person, a sophisticated strategy that continues to become even more difficult to identify.

“While some of the less sophisticated technologies are easier to spot, the technology will only improve, making it easier for bad actors to quickly and cheaply target organizations,” he warned.

How To Retain Security

While deepfake technology hasn’t yet become the norm in terms of how malicious actors commit their scams against the enterprise, it will inevitably grow, making employees’ awareness and education key strategies to combatting the threat, said Sadler.

And while multifactor authentication via phone or video conferencing can be thwarted by deepfake technology, there are strategies professionals can use to retain the security of their companies’ systems — and money.

“Make sure that you’re always verifying requests with the person directly,” Sadler advised. “You can do this by asking them something only they would know [in order] to verify their identity — or [by] calling them on the phone directly.”

IT teams are already growing more concerned about this risk. According to Tessian’s own research, more than 60 percent of IT leaders surveyed said they are already working to educate their teams on the matter. Even for businesses that have yet to be targeted in a deepfake attack, Sadler emphasized the importance of proactive efforts.

“For anyone working in the finance team, where impersonation fraud is rife, they should adopt a natural habit of verifying payment requests through multiple routes of authentication,” he said. “This is a great habit for all organizations to adopt, even if they’re not yet seeing a threat from deepfakes.”