Deepfakes and the Use of AI in Cyberattacks

The headlines about a $25 million wire transfer fraud employing deepfake technology have rightfully given chief financial officers and finance departments considerable pause. The attack began with a phishing email delivered to the victim’s finance employees in mid-January, luring them with information about a “secret transaction.” One of the members of the finance team clicked on the link—and so began the elaborate deception.

The attacker invited the employee to a video conference, presenting a convincing deepfake simulation of the CFO and other colleagues. The employee believed the request to carry out a secret transaction was legitimate, and because of the quality of the deepfake video, the employee was moved to act. The employee ultimately transferred the equivalent of $25.6 million to five different bank accounts through 15 transactions, following the fake colleagues’ instructions.

The term “deepfake” refers to a multimedia that either has been synthetically created or manipulated using some form of machine or deep learning from the engine of artificial intelligence.

The deepfake media is highly realistic and therefore highly convincing and effective in a social engineering attack. In the incident discussed above, the cybercriminals used deepfake technology to impersonate an influential person within the organization, gain access and communication within the network—and served as a mode of deception to facilitate the theft of millions of dollars.

The tactics used by cybercriminals to defraud an organization remain the same; social-engineering attacks like this are nothing new. What has changed in the advent of AI-enabled deepfakes is the ease and scale in which a cybercriminal can manipulate multimedia and launch a convincing attack. These technological advances will allow cybercriminals to increase the frequency and the rate of success of social engineering attacks. However, organizations can implement a variety of strategies to build resilience to wire transfer fraud loss.

Build a Layered Cyber Defense

The tools criminals use to trick and defraud will evolve over time. However, a layered defense based on basic cyber hygiene principles may have prevented or mitigated this attack. The cybercriminal initially gained access to the organization through a phishing email. Here are some basics that can be implemented to protect against a phishing attack:

1) Train employees to spot phishing emails and regularly test employees on the training.

2) Provide a phishing reporting button on the organization’s email platform. The button serves as an easy and obvious way to report suspected phishing attempts and furthers the corporate culture of cyber awareness and action.

3) Invest in an email scanning solution. Several tools on the market protect against phishing attempts. They typically include features that detect malicious links and attachments and remove them or render them safe using advanced methods like sandboxing.

4) Abide by industry standards like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-Based Message Authentication, Reporting, and Conformance (DMARC). Each is intended to fight the prevalence of spam by allowing receiving email servers to authenticate the servers they receive mail from. These standards ensure that mail servers claiming to send on behalf of the organization’s domain are authorized to do so.

Building a layered cyber defense means creating secondary safeguards that work together to bolster network security and mitigate a single point of failure throughout the network. While a cybercriminal may be able to trick an employee into clicking on a link in a phishing email, a second layer of defense is building a payment fraud detection strategy.

Build a Payment Fraud Detection Strategy

Building controls around payments and fund transfers is essential to corporate risk management. Despite the criminals’ use of AI technology in this case, thoughtful controls can prevent the most compelling attempts to defraud.

Educate those with access to funds on the risks:

• Apply the highest-level scrutiny to unexpected wire transfer requests. It is the most common pattern in fraudulent funds transfers. Create an iron-clad set of controls around unexpected wire transfers. Also, educate finance teams on common schemes to help build resilience to phishing schemes.
• Beware of bogus “problems” or account issues. Enforce rules regarding wire funds to fix a supposed account problem. Legitimate financial institutions will never request a wire to resolve an account issue. Account teams should be educated so they can spot abnormal business practices and apply appropriate scrutiny to the transaction.
• Caution against overpayment schemes. If accounting receives a check followed by a demand to wire back excess funds, the check is likely bogus, and the request is an attempt to defraud.

Criminal tactics will continue to evolve. Build a practice of multi-point verification for wire transfers:

• Require out-of-band verification for each wire transfer.
• Set a rule prohibiting sending wire instructions via email.
• Require two points of approval (and verification) for large transfers or multiple transfers to one entity.
• Invest in wire transfer fraud prevention software.

Aligning an organization’s operational, financial, and security objectives is essential to building resilience to wire transfer fraud.

Build a Response Plan

If an organization detects and reports a fraudulent wire transfer to law enforcement within 72 hours, the Financial Fraud Kill Chain (FFKC) may be used to stop the transfer.

The FBI created the Financial Fraud Kill Chain in 2016 to assist law enforcement in quickly identifying and stopping suspicious wire transfers from going to offshore accounts, which are almost impossible to recover. To use this tool, victims must be prepared to act:

• Create a response plan with designated roles and responsibilities in the event of a cyber event that results in misdirected funds.
• Create a contact list that includes internal contacts, the organization’s financial institution, the local FBI office and/or a contact at the Secret Service, and the website for filing an IC3 report.
• Clearly identify who needs to take each specific step.
• Be ready to execute the response plan and authorize those with responsibilities to carry it out.
• Review the plan regularly and update it as needed.

Preventing wire transfer fraud requires thoughtful planning and a combination of fraud risk management and cyber risk management. But what happens if all the planning and prevention fails, and we have a novel attack using innovative technology like AI-enabled deepfakes? In this case, insurance is the risk transfer solution you need.

Ensure Appropriate Cyber Liability Insurance Coverage for the Risk

No uniformity exists when it comes to coverage for wire transfer fraud in the cyber liability insurance market. Many cyber insurance carriers do not provide a coverage grant for the loss of funds or sublimit the coverage offered. Additionally, many carriers may require, as a condition of coverage, that the policyholder has and follows internal controls on payments. Failure to follow internal controls in making a payment or wire transfer could result in restrictions on limits and scope or a denial of coverage.

Some grants of coverage may be too narrow and may not include the evolving types of trickery used by criminals, like the AI-generated deepfake. Work with your cyber broker team to identify the appropriate cyber insurance policy and limits. You can also work with a fraud and cyber risk consultant to build your controls, so you are prepared to thwart, contain, and respond to this evolving risk.