Deepfake fraud is rocking business settings, and leaders are working quickly to establish deepfake fraud protection strategies, but are they moving fast enough? The data says no.
Let’s take a look at two important deepfake statistics side-by-side:
- 1 in 10 business executives say that their companies have faced a deepfake threat.
- 50% of leaders say their teams have not received any training to identify deepfakes.
Next to one another, these two data points showcase just how stark the gap is – the problem is understood, but leaders aren’t taking enough action when it comes to deepfake fraud protection.
Today is the day to close the gap, bolster defences, and establish a robust strategy addressing the question “How can organisations protect themselves from deepfake attacks?”
When thinking about how to prevent deepfakes in business settings, the solution requires a multi-pronged approach. Deepfake scammers exploit people, find vulnerabilities in systems, and attack weak processes, and it’s up to businesses to build an action plan that considers the intersection of people, processes, and technology.
Keeping up with the evolution of deepfake fraud
The growing availability of generative AI tools is giving deepfake fraudsters a launching point. They’re able to exploit these tools to create life-like videos, audio recordings, and official documents. A few years ago, deepfake images and videos were more easily discernible:
- Backgrounds were imperfectly blended.
- Hands and eyes often looked “off.”
- Capturing the likeness of specific people was very challenging.
Now, the technology makes deepfakes almost indiscernible to untrained eyes. To make matters worse, Fraud-as-a-Service (FaaS) is its own industry – and it’s exploding rapidly. Someone with no technical background can hop on the dark web, purchase deepfake content, and deploy deepfake fraud with very little effort.
Because businesses are trapped in “reaction mode,” they’re having a hard time combatting these attacks. With the right deployment of training, AI-centric cybersecurity tools, and foolproof processes, finance leaders can propel a shift in the current narrative.
It’s time to let scammers know, loud and clear, that businesses are no longer taking a passive approach to deepfake fraud prevention – they’re prioritizing it.
Let finance lead: here's why
Until now, the broad assumption was that IT experts were meant to prevent cybersecurity risks, including deepfake fraud. Although in-house IT teams will always play a critical role in deepfake fraud protection, they cannot succeed alone.
The finance function might not be the first function to come to mind when thinking about how to prevent deepfakes, but it’s becoming clear that they are often on the front lines of deepfake fraud attempts. Consider this:
- Finance professionals manage vendor relationships. Vendor dynamics are often taken advantage of to carry out deepfake scams.
- Scammers are after money. Finance teams handle monetary transactions and company funds.
- According to one survey, 53% of finance professionals have already been targeted in attempted deepfake attacks.
As the finance function continues to lead strategic decision-making conversations, preventing deepfake fraud should be seen as just as important as capital investment decisions. Because finance already understands how people, processes, and technology come together, it is poised to address deepfake fraud protection better than most other functions in a company.
How to prevent deepfakes: people, processes, and technology
Once a business understands the threat of deepfakes, it’s time to take protective actions. So, how can organisations protect themselves from deepfake attacks? It takes a comprehensive plan that brings together people, processes, and technology. At a high level, that looks like:
- People: Education, training, and support for employees who may be targeted by deepfakes. Remember, every person involved in an organisation can be targeted by deepfake scammers.
- Processes: Efficient, repeatable processes drive alignment across the organisation and prevent “out of the ordinary” steps from being taken by bad actors.
- Technology: Think of this like “fighting fire with fire.” If bad actors use generative AI to attack businesses, businesses should think about how that same technology can be used to prevent those attacks.
Nothing about deepfake fraud prevention is simple. For many CFOs and business leaders, this space is uncharted territory. If you relate to the feeling of not being sure where to start, we’ll break it down for you.
The people side of it all
Much of the conversation around deepfake fraud prevention revolves around finance employees, and more specifically, the accounts team. The accounts payable team deals with outgoing payments to vendors, a process commonly targeted by scammers.
However, just because finance teams have to be on guard while conducting daily tasks, it doesn’t mean that they’re the only ones at risk. No matter the industry your organisation is in or the overall headcount internally, all people in the organisation should be equipped with the knowledge needed to stop deepfake attacks. Below are some best practices:
Role-specific training
By regularly conducting cybersecurity awareness training, your teams will be aware of the risks and better able to identify suspicious activity. However, don’t stop at broad training videos that are sent out in company-wide emails. Instead, develop role-specific cyber fraud training.
- The accounts team will have different considerations and risks to watch out for than someone working on the manufacturing floor, but both settings come with cyber risks that need to be discussed openly.
- A big part of training is developing a sense of empowered decision-making at all levels of the organisation. Regardless of seniority level or department, all employees should feel confident when raising concerns to upper management.
Cultivate a “pause and verify” culture
In many organisations, a culture of “work hard, get things done quickly, and stay in your own lane” develops over time. With sales teams aiming to hit sales goals and finance teams rushing through month-end close, the door is left open for scammers to cause chaos while everyone has tunnel vision on their business targets.
While this is an important mentality for staying competitive, try to implement a “pause and verify” culture that gives employees the chance to stop, take a closer look at something that seems out of place, and alert management of the potential issue.
- Keep in mind: scammers prey on individual employees by creating a false sense of urgency. The last thing you want your employees to do is skip steps and ignore their gut feeling when something seems off.
Deepfake fraud protection requires new technology
Without the right tools, organizations fail to keep up with the market. In the same way that CRMs and ERPs support the competitive edge of your business, the right cybersecurity tools will help mitigate deepfake-related risks. Some of these tools are:
- Multi-Factor Authentication: If a fraudster is successful in collecting login credentials or convincing an employee to share their details, multi-factor authentication prevents them from actually getting into the account and sending unauthorized transactions or doing damage.
- Anomaly Detection Tools: By analyzing transaction patterns and typical system behaviours, anomaly detection tools can alert leadership teams if anything out of the ordinary is happening in the network systems.
- Email Monitoring Platforms: Many deepfake schemes begin with phishing or spoofed emails, but email monitoring tools can help flag spoofed accounts and suspicious messages.
- AI Identification Tools: Since humans aren’t the greatest at identifying AI-generated content, consider using technology to fill the gap. More options are hitting the market, allowing enterprises to give their teams access to tools that can help decode deepfake images, videos, audio recordings, and more.
Even with all the best tools in the world, deepfake fraud is still a massive risk for businesses. This reality underscores just how important it is to build prevention plans with people, processes, and technology in mind.
The proactive adjustment of finance processes
The importance of specific processes is nothing new in the finance world. SOX reporting, monthly procedures, and annual budgeting all rely on strict, repeatable processes that can be conducted the same way from year to year.
Why are processes so important for finance teams specifically? Because well-built processes help reduce errors, protect from fraud, and drive alignment throughout the organisation. For the same reason, strong processes are needed in order to prevent deepfake fraud.
All CFOs and finance leaders should prioritize:
Call-back procedures
Before sending payments or changing vendor details in internal systems, the task owner should follow call-back procedures. In call-back procedures, the vendor or client would be contacted by an outbound phone call, and on that phone call, account details and banking information can be verified directly.
It’s important to independently source the contact details for a vendor because contact details sent in emails or submitted over online portals can be manipulated by hackers. Although this cybersecurity practice can be time-consuming and exhaust resources from strapped Accounts Payable (AP) teams, it is one of the best ways to prevent deepfakes.
Segregation of duties
For payments over a certain dollar amount, implementing a multi-step approval process is crucial. By segregating the duties – separating the person in charge of requesting the payment from the person responsible for approving the payment – CFOs can mitigate the risk of fraud.
The segregation of duties concept applies to vendor information changes as well, and it can be used for other vulnerable processes. When multiple sets of eyes are on important tasks, the chances of fraud taking root are much lower. A deepfake video might be able to trick one person, but it’s less likely to deceive multiple individuals – especially if they are trained in deepfake fraud.
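The call-back and segregation-of-duties controls described above can be enforced as a release gate in a payment workflow. The sketch below is an added example, not Eftsure's code; the vendor record, the threshold value, and every name in it are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data: numbers sourced independently at vendor onboarding.
VENDOR_MASTER = {"V-1001": "+61 2 5550 0101"}
APPROVAL_THRESHOLD = 10_000  # assumed value for "a certain dollar amount"


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    requester: str
    callback_number: str = ""   # number the task owner actually dialled
    callback_by: str = ""       # who made the outbound call
    approvers: list = field(default_factory=list)


def _digits(number):
    """Reduce a phone number to its digits so formatting differences are ignored."""
    return re.sub(r"\D", "", number or "")


def release_blockers(req, min_approvers=1):
    """Return the reasons a payment must be held; an empty list means release."""
    blockers = []
    on_file = _digits(VENDOR_MASTER.get(req.vendor_id))
    if not on_file:
        blockers.append("vendor has no independently sourced contact on file")
    # Call-back: the number dialled must be the one on file, never one
    # supplied in the email, portal submission or call that made the request.
    if not req.callback_number or not req.callback_by:
        blockers.append("no outbound call-back recorded")
    elif _digits(req.callback_number) != on_file:
        blockers.append("call-back number does not match vendor master")
    # Segregation of duties: the requester cannot count as an approver.
    if req.amount >= APPROVAL_THRESHOLD:
        independent = set(req.approvers) - {req.requester}
        if len(independent) < min_approvers:
            blockers.append("needs approval from someone other than the requester")
    return blockers
```

A request that was "verified" only on the channel it arrived through, and approved only by the person who raised it, comes back with two blockers and stays on hold.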
Regular process audits
Why do internal and external audits exist for accounting processes? To reduce the risk of fraud and address any issues that exist in the process. Whether it’s a clerical error or a malicious scheme, audits have been preventing finance-related issues for decades.
Now, CFOs have a new challenge: to develop audit practices that can assess how vulnerable certain processes are to deepfake fraud. By partnering with the IT team, or even creating an IT audit team like many companies already do, finance leaders can get ahead of technology-based process risks.
Fraud example: how people, processes, and technology could have changed the outcome
Just last year, in a notorious case of deepfake fraud, an employee working at the multinational firm, Arup, was targeted by a scammer. The employee received a video call from the CFO and other members of the leadership team.
On the conference call, the leadership team instructed the employee to send multiple wire transfers, totaling $25 million USD, to specific bank accounts. Because the leaders on the video call looked and sounded exactly like the real individuals, the employee completed the transfers.
Later, the worker figured out that the conference call was fake, and all the people on his screen were deepfakes. Unfortunately, the fund transfers had already been completed once the truth came to light.
How could people, processes, and technology have played a role in preventing this disaster?
- People: If the employee had been trained in deepfake scams, he may have been more skeptical about the conference call from the get-go. He could have talked to other members of the leadership team or reached out to the CFO directly to verify that the request was legitimate.
- Process: For transfers that large, multiple approval signoffs add multiple layers of security. If the targeted employee had to get one or two colleagues to approve the transaction, it’s possible the fraud would have been uncovered.
- Technology: AI tools that monitor emails or identify deepfake videos could have alerted the employee to the deepfake videos on his screen.
As with any situation of fraud, hindsight is 20/20. It’s clear that the employee was simply trying to do his job, but if the firm had implemented a few deepfake protections, the outcome may have been different.
Deepfake fraud protection requires a comprehensive plan
As the Arup example highlights, even the most well-intentioned employees can be deceived when people, processes, and technology aren’t aligned to protect against deepfake fraud. No single safeguard is certain to stop an attack, but when finance leaders think about this emerging risk holistically, they can help protect their businesses.
Employees should be trained to flag unusual requests, processes should be designed to prioritize verification and security, and technology should be implemented to help expose anomalies. Together, these elements create a layered defence that makes it hard for scammers to succeed.
Gone are the days when cybersecurity responses can be reactive. Now, it takes proactive, thoughtful, and holistic planning to ensure that deepfake fraud doesn’t cause damage.