The banking and payment industries are on high alert due to a new threat in the cybersecurity landscape. Like many things originally intended for good, artificial intelligence and deep learning have been turned to the proliferation of deepfake technology, an insidious problem for these industries.
According to the Wall Street Journal, a scam involving an audio call to a CEO of a U.K.-based energy company succeeded in extracting approximately $243,000 from the firm. The voice was enabled by artificial intelligence to sound real to the victim, who believed he was speaking with his superior at the parent company.
The man was directed to make an urgent transfer of funds to a supplier of the firm. Follow-up calls made the victim suspicious, so he declined to send more funds, but by that time it was too late to recover the initial transfer. According to the story, the CEO reported that he “…recognized his boss’ slight German accent and the melody of his voice on the phone.” Although this type of sophisticated cyberattack was predictable, it stood as highly unusual at the time for its novelty and success.
“Then I’ll get down on my knees and pray…we don’t get fooled again!” (The Who)
Deepfakes are intentionally distorted videos, images, or audio recordings that portray something fictitious or false, giving malicious entities a novel and sophisticated social engineering tool. Technology innovations enable deepfakes to look and sound authentic and convincing, leading to abuse and misuse.
Social engineering is the idea of leveraging human tendencies to produce the desired result; in this case, committing a cybercrime. Cybercriminals manipulate their victims, often by enticing them to click on a malicious file or hyperlink or to divulge information they would otherwise protect. It is widely understood that social engineering is a favorite of cybercriminals because humans are often too trusting and easily manipulated under the right circumstances.
The average consumer of social media is probably familiar with deepfakes from an entertainment and social sharing perspective. Online searches are replete with interesting and useful use cases for artificial intelligence. For example, in May 2019 three machine learning engineers at Dessa showcased a realistic artificial intelligence voice simulation of popular podcast host Joe Rogan. The demonstration is an outstanding example of how easily the lines between synthetic and real are blurred. A cursory online search returns practical use case examples such as text-to-speech and video editing.
A recent study reports that personal banking and payment transfers are considered “…most at risk of deepfake fraud, above social media, online dating, and online shopping.” Financial institutions in general are obvious targets for cybercriminals due to their large amount of assets and customer data. The report outlines the impact of deepfakes on the financial services industry. Areas of concern include onboarding processes, payment/transfer authorization, account hijacking, synthetic identities and impersonation, among others.
Banking and Payment Services organizations need to prepare their workforce to meet this credible threat by updating their security programs with the following objectives:
- Awareness of the good use cases of artificial intelligence, deep learning, and deepfakes as well as their weaponization by malicious actors
- Process and procedure training to address critical functions such as onboarding, payment/transfer authorization, account monitoring, identification procedures, etc.
- Training on technology deployed to detect and eradicate deepfakes
- Cybersecurity awareness training to promote awareness and vigilance
Workers should be trained to handle ad hoc urgent requests under a predefined authorization protocol, perhaps requiring an approval chain so that authorization has the appropriate checks and balances.
Particular attention needs to be paid to brand reputation and the customer experience. When a breach occurs, the long-term effects of losing customer confidence and brand reputation can dwarf the short-term financial and systems damage. Banks and payment companies understand the trust consumers put in their products and the care taken to protect personal assets. Once that trust is gone, it can rarely, if ever, be reclaimed.
Institutions that deploy effective deepfake training provide the heightened awareness, procedural discipline and hypervigilance that reduce the risk of getting “fooled again.”