CEO caught on video admitting fraud - but it's a deepfake

Artificial intelligence has now made it possible to wake up to a video of your CEO seemingly admitting to fraud or receiving an urgent audio message from your CFO authorising a large, unexpected transaction, without any of it being real. Deepfakes aren’t limited to criminal use cases targeting individuals or governments – they represent a sophisticated and escalating threat to corporations globally, including South Africa.

Disinformation using deepfake technology

The use of deepfake technology has become one of the most powerful tools fueling disinformation. The rise in AI and machine learning embedded in commercially available tools such as generative adversarial networks (GANs) has levelled the playing field and increased the sophistication of deepfake content.

Cybercriminals, disgruntled insiders, competitors, and even state-sponsored groups can leverage deepfakes for devastating attacks, ranging from financial fraud and network compromise to severe reputational damage.

The South African reality: A threat amplified

The threat itself, however, is not fake; it's manifesting tangibly within South Africa. The South African Banking Risk Information Centre (SABRIC) has issued stark warnings about the rise in AI-driven fraud scams, explicitly including deepfakes and voice cloning used to impersonate bank officials or lure victims into fake investment schemes, sometimes even using fabricated endorsements from prominent local figures.

With South Africa already identified by Interpol as a global cybercrime hotspot, estimating annual losses in the billions of Rands, the potential financial impact of sophisticated deepfake fraud targeting businesses is immense.

There are also implications for democracy as a whole. Accenture Africa recently highlighted how easily deepfakes could amplify misinformation and political unrest in a nation where false narratives can already spread rapidly online – a critical concern when it comes to elections.

Furthermore, the 'human firewall' – our employees – represents a significant area of vulnerability. Fortinet’s 2024 Security Awareness and Training Global Research Report highlights that 46% of organisations now expect their employees to fall for more attacks in the future because bad actors are using AI.

Phishing emails used to be easier to identify because they were poorly worded and contained multiple spelling errors, but they led to successful breaches for decades. Now, they’re drastically more difficult to identify as AI-generated emails and deep-fake media have reached levels of realism that leave almost no one immune.

Who targets companies using deepfakes?

Numerous types of malicious actors are most likely to target companies using deepfake technology.

Cybercriminals who have stolen samples of a victim's email, along with their address book, for example, may use GenAI to generate tailored content that matches the language, tone and topics in the victim's previous interactions to aid in spear phishing – convincing them to take action such as clicking on a malicious attachment.

Other cybercriminals use deepfakes to impersonate customers, business partners, or company executives to initiate and authorise fraudulent transactions. According to Deloitte's Center for Financial Services, GenAI-enabled fraud losses are growing at 32% year-over-year in the United States and could reach $40 billion by 2027.

Disgruntled current or former employees may also generate deepfakes to seek revenge or damage a company's reputation. By leveraging their inside knowledge, they can make the deepfakes appear especially credible.

Another potential deepfake danger may be from business partners, competitors or unscrupulous market speculators looking to gain leverage in negotiations or to try to affect a company's stock price through bad publicity.

Building resilience: A multi-layered defence strategy

Combating the deepfake threat requires more than just technological solutions; it demands a comprehensive, multi-layered strategy encompassing technology, processes, and people.

• Advanced threat detection: Organisations must invest in security solutions capable of detecting AI-manipulated media. AI itself plays a crucial role, powering tools that can analyse content for the subtle giveaways often present in deepfakes. 
• Robust authentication and processes: Implementing strong multi-factor authentication (MFA) remains paramount. Businesses should also review and strengthen processes around sensitive actions like financial transactions or data access requests, incorporating verification steps that cannot be easily spoofed by a deepfake voice or video call. A Zero Trust approach, verifying everything and assuming breaches when in doubt, is essential.
• Empowering the human firewall: Continuous education and awareness training are vital. Employees need to be equipped with the knowledge to recognise potential deepfake indicators and understand the procedures for verifying communications, especially those involving sensitive instructions or financial implications.
• Reputation management: Proactive reputation management and clear communication channels become even more critical. Being able to swiftly debunk a deepfake attack targeting the company or its leadership can mitigate significant damage.
• Staying informed and advocating: Cybersecurity teams must stay abreast of evolving deepfake tactics. Collaboration and information sharing within industries and engagement with bodies working on updating South Africa’s cyber laws (such as aspects of POPIA) to specifically address deepfake crimes are important.

Preparing for the inevitable

Deepfakes are not a future problem; they are a clear and present danger to South African businesses. They target the very accuracy of the information we rely on as consumers, employees and investors.

The question is no longer if a South African organisation will be targeted by a deepfake attack, but how prepared it will be when it happens. Proactive investment in robust security measures, stringent processes, and comprehensive employee education is not just advisable – it's essential for survival in this new era of digital deception. 

William Petherbridge, Systems Engineering Manager at Fortinet