Thoughts: Protecting Yourself from Deepfakes

When cyber criminals can pretend to be someone else, they can trick people with a massive advantage - trust. You think you're dealing with someone you know, and you're more likely to be tricked. Maybe they want your confidential information, or perhaps they want you to send them some money because something has gone horribly wrong.

Criminals historically would forge email addresses and phone numbers to trick people, but now technology has given them the ability to also copy your voice, and even your face. Perhaps they call you on the phone, record your voice, and now they can use a computer to change their voice to yours. And if they can get your photo, they can now create a live video of you and your voice. This will be used to trick people you know, and they will mimic people you know to trick you.

How hard is it to get someone's voice, and photo? It's not. A phone call and a simple internet search will usually suffice. So let's just assume that at some stage a criminal is going to try and trick you by pretending to be someone you know. What are some example scenarios for how this can be used against us?

  • A cyber criminal rings someone in your family. They record their voice and can now mimic it. They have the phone number too. Now they call you and say something like "I'm stuck in the supermarket checkout, I've lost the credit card, can you give me the details? Please hurry, I'm holding up the queue!" The criminals gets your credit card details and will quickly make purchases with those details.
  • A cyber criminal rings the CEO. Again they can now fake the voice. They ring finance (forging the phone number). "Urgently send money to this account". That money is going to the criminal's bank account.

So what can we do?

  1. If someone is asking for confidential information, ensure that they prove who they say they are before you give that information out. If you're not sure, ring them back on a number you look up. For families, it's a good idea to have a password that you all know. If someone is asking for confidential information, ask them for the password. If they don't know it, you're possibly dealing with a deep fake.
  2. If someone is giving you information that could be damaging (e.g. payment information), call them back to confirm it's correct. If that information changes, call them back to confirm it's correct. So if the CEO is calling and instructing you to pay money to a new bank account, this necessitates a phone call back to the CEO on a number you look up, to ask if that was legitimate. If a staff member rings Human Resources saying they want their salary paid into a different account, this necessitates a phone call back to that employee to ask if they requested this.
  3. Be suspicious. Always be questioning things, because you're far more likely to stop and think before acting. Criminals want you to act first, and they use things like fear, reward and urgency to achieve this.

Technology has provided cyber criminals with a multitude of tools to scam people. Deep fakes is just another tool in their kit, but it's a powerful one with a very high chance of success. They key is to be constantly suspicious, and enact the above rules consistently, at work and in your personal life.