What Mike Silverman and FS-ISAC want banks to do about deepfakes

A lot of the tried-and-true fraud detection, it turns out.
Hannah Minn

Don’t let a few tricky pixels fool you.

The use of deepfake tactics and tools against a bank is a more sophisticated version of the same ol’ fraud scams financial institutions have faced for decades, according to Mike Silverman, chief strategy and innovation officer at FS-ISAC, a member-driven non-profit supporting cybersecurity for the global financial sector.

“Attacks like CEO impersonation, insider threat, and customer impersonation and sector manipulation are just some of the topics that the sector has been fighting for many years. Deepfakes make those sometimes more actionable, more realistic, but at the same time, it’s not necessarily revolutionary new things for the sector,” Silverman told IT Brew.

And about that fraud financial institutions have been fighting for many years:

  • The FBI’s IC3 fraud report revealed 880,418 complaints of fraud, totaling $12.5 billion in losses—up from 467,361 complaints and $3.5 billion in losses in 2019.
  • Deloitte’s Center for Financial Services predicts that GenAI could enable fraud losses to reach $40 billion in the United States by 2027.
  • Identity-verification company Sumsub saw a 700% increase in deepfake incidents when comparing 2023 with the previous year.

FS-ISAC released a deepfake mitigation guidance paper on Oct. 24. In a short interview with IT Brew, Silverman explains why some authentication recommendations meant for deepfakes are classics that never get old.

Responses below have been edited for length and clarity.

How can you characterize the group’s concerns about emerging deepfake threats?

If someone says, “Oh, I’m at vendor X, I’m changing my bank account number, use this,” we already have established processes on how that should be verified and approached. So, when we’re using those established processes, by and large, the industry wants to rely on those, because those are true and tested processes.

Sometimes we can get into trouble, though, on the customer side, where there’s a second-level effect, where a customer gets deepfaked: Say, their loved one is being held for ransom, or something of that nature. They then call a financial institution to make a legitimate transfer. It is hard sometimes for the financial institutions to try to combat that, even though we do ask the questions—like, is this being done under duress?

What authentication method is most effective for these kinds of second-level deepfake attacks?

Really asking the customer not just surface-level information: more information about their recent account activity, rather than just knowing their email or Social Security Number… When it comes to video, you can ask other questions of people like: “Look this way.” Or, if you have glasses, “Take off your glasses.” Or do something out of the norm that deepfake tools are not appropriate for doing. When we’re putting out content, to protect it, we recommend the use of watermarking, whether it be video or audio content.

Are you basically enforcing the same kinds of existing controls used for fraud to defend against deepfakes?

By and large, I’d say, yes. I will admit deepfakes, and the access to modern AI technologies, are perhaps lowering the barriers of entry for bad actors to take malicious actions. A lot of the established processes do hold and can mitigate a lot of what we’re seeing, given the nuances and some of the very good deepfakes. Yes, we do need some new enhancements and new revised procedures, such as “take off your glasses.”... But in cybersecurity, especially, whenever we have a defense, an attacker is always going to be trying new ways to get in. So, yes, AI is a new tool, per se, but it’s not as if we haven’t ever seen new things happen in the ecosystem.