This article by Nadia Smaili, Université du Québec à Montréal (UQAM) and Audrey de Rancourt-Raymond, Université du Québec à Montréal (UQAM) originally appeared on the Conversation and is published here with permission.
Deepfakes are video, audio and image content generated by artificial intelligence. This technology can produce false images, videos or sounds of a person, place or event that appear authentic.
In 2018, there were approximately 14,698 deepfake videos circulating online. Since then, the number has soared through the popularity of deepfake apps like DeepFaceLab, Zao, FaceApp and Wombo.
Deepfakes are used in several industries, including filmmaking, video games, fashion and e-commerce.
However, the malicious and unethical use of deepfakes can harm people. According to research by cybersecurity firm Trend Micro, the “rise of deepfakes raises concern: It inevitably moves from creating fake celebrity pornographic videos to manipulating company employees and procedures.”
Our research found that organizations are increasingly vulnerable to this technology and the costs of this type of fraud can be high. We focused on two public case studies using deepfakes that targeted CEOs and, to date, have estimated losses amounting to US$243,000 and US$35 million respectively.
The first case of fraud occurred at a British energy firm in March 2019. The chief executive officer received an urgent call from his boss, the chief executive of the firm’s German parent company, asking him to transfer funds to a Hungarian supplier within an hour. The fraud was presumably carried out using a commercial voice-generating software.
The second case was identified in Hong Kong. In January 2020, a branch manager received a call from someone whose voice sounded like that of the director of the company. In addition to the call, the branch manager received several emails that he believed were from the director. The phone call and the emails concerned the acquisition of another company. The fraudster used deep voice technology to simulate the director’s voice.
In both cases, the firms were targeted for payment fraud using deepfake technology to mimic individuals’ voices. The earlier case was less convincing than the second, as it only used voice phishing.
Opportunities and threats
Forensic accounting involves “the application of specialized knowledge and investigative skills possessed by [certified public accountants] to collect, analyze and evaluate evidential matter and to interpret and communicate findings in the courtroom, boardroom, or other legal or administrative venue.”
Forensic accountants and fraud examiners — who investigate allegations of fraud — continue to see a rise in deepfake fraud schemes.
One type of deepfake fraud schemes is known as synthetic identity fraud, where a fraudster can create a new identity and target financial institutions. For instance, deepfakes enable fraudsters to open bank accounts under false identities. They use these fabricated identities to develop a trust relationship with the financial institution in order to defraud them afterwards. These fraudulent identities can also be used in money laundering.
Websites and applications that provide access to deepfake technologies have made identity fraud easier; This Person Does Not Exist, for example, uses AI to generate random faces. Neil Dubord, chief of the police department in Delta, B.C., wrote that “synthetic identity fraud is reportedly the fastest-growing type of financial crime, costing online lenders more than $6 billion annually.”
Deepfakes can enhance traditional fraud schemes, like payment fraud, email hacking or money laundering. Cybercriminals can use deepfakes to access valuable assets and data. More specifically, they can use deepfakes to gain unauthorized access to large databases of personal information.
Combined with social media platforms like Facebook, deepfakes could damage the reputation of an employee, trigger decreases in share values and undermine confidence in a company.
Forensic accountants and fraud investigator need to recognize red flags related to deepfakes and develop anti-fraud mechanisms to prevent these schemes and reduce the associated loss. They should also be able to evaluate and quantify the loss due to a deepfake attack.
In our case studies, deepfakes used the voices of senior management to instruct employees to transfer money. The success of these schemes relied on employees being unaware of the associated red flags. These may include secrecy (the employee is requested to not disclose the request to others) or urgency (the employee is needed to take immediate action).
Some simple strategies can be deployed to combat the malicious use of deepfakes:
Encourage open communication: speaking and consulting with colleagues and others about anything that appears suspicious are effective tools to prevent fraud schemes.
Learn how to assess authenticity: for example, ending a suspicious call and calling back the number to assess the person’s authenticity.
Pause without reacting quickly to unusual requests.
Keep up-to-date with new technologies that helps detect deepfakes.
Enhance certain controls and assessment to verify client identity in financial institutions, such as Know Your Customer.
Provide employee training and education on deepfake frauds.
Cybercriminals may use deepfakes to make their schemes appear more realistic and trustworthy. These increasingly sophisticated schemes have harmful financial and other consequences for people and organizations.
Fraud examiners, cybersecurity experts, authorities and forensic accountants may need to fight fire with fire, and employ AI-based techniques to counter and detect fictitious media.