There is a great deal of public concern about deepfakes, most of it centered on the ramifications of being able to quickly and easily face-swap videos. That concern is certainly well-founded, but it may be obscuring an even more immediate threat – deepfake audio. Voice-swapping has already been put to use in at least a handful of artificial intelligence (AI) cyber attacks on businesses, enabling attackers to gain access to corporate networks and convince employees to authorize a money transfer. The primary use of deepfake audio is to enhance a very common type of attack – business email compromise (BEC). A business email compromise attack usually begins with some sort of phishing to gain access to the company network and reconnoiter the payment systems.
Companies and organizations are investing more and more money into cyber security defenses to protect against targeted attacks and widespread malware outbreaks alike. The good news is the spending spree on defenses seems to be working. A recent report found retailers were spending more on cyber defenses and seeing fewer breaches. The bad news is there is one vulnerability that can never fully be fixed: humans. While system vulnerabilities can be patched and security suites can be upgraded, people will always carry a certain level of risk, in part due to unavoidable human error and in part because they haven't been taught proper security protocols to avoid common pitfalls.
In a world where cyber threats seem to be escalating exponentially and high-profile data breaches happen every day, it may be surprising to know that one of the most effective methods of attack isn't a super sophisticated virus or incredibly elaborate hack but rather a simple email. Phishing attacks remain one of the biggest threats to organizations of all sizes across just about every industry because there is no patch or update that can solve the problem; the issue stems from people and their behaviors. That's why some companies have taken a novel approach to make sure their employees don't fall for a phishing attack. Instead of waiting for one to hit, they preemptively phish their workforce to see how people respond. Roberto Valdez, the manager of risk advisory services at accounting firm Kaufman Rossin, helps companies carry out these simulated attacks through a service called PhishNet that he started several years ago.
Getting senior managers to take computer security seriously is a struggle within many organisations, despite the frequency of high-profile data breaches and hacking incidents. Now the UK government's computer security agency, the National Cyber Security Centre (NCSC), has put together a list of five questions aimed at starting 'constructive' discussions between executives and their computer security teams. According to the NCSC, two-thirds of boards have received no training to help them deal with a cyber incident, and 10 percent have no plan in place to respond to one. These conversation-starters aim to bridge the gap between executives who don't know about security issues and the IT department that may struggle to make its voice heard. Boards need to understand cyber risk in the same way they understand financial risk, or health-and-safety risk, said the NCSC.
Earlier this year, John Podesta, the campaign chair for Hillary Clinton, the Democratic candidate for President of the United States, had his personal Gmail account compromised. U.S. intelligence has since attributed the hack, which resulted in the leak of 50,000 emails that reveal the internal communications of the Democratic Party and the campaign, to elements of the Russian government. Despite being a state-sponsored attack, this hack wasn't overly sophisticated, nor was it the result of some zero-day technique. In fact, according to Business Insider, Podesta fell for the "oldest trick in the book" -- a phishing attack. On March 19, 2016, Podesta received an email appearing to be sent from Google, which stated that his password had been compromised.