Andrew Bud, Founder & CEO, iProov, examines the current threat landscape, what businesses can learn from recent threat examples and why organisations should ready themselves before deepfakes become a real-time threat.
In early 2024, a shocking revelation sent ripples through the cybersecurity world: Arup, a global engineering powerhouse, fell victim to a staggering £20 million deepfake scam. An employee transferred unauthorised funds after being deceived by AI-generated deepfakes impersonating senior company officials in a video call. This incident, publicly acknowledged by Arup’s Global Chief Information Officer, Rob Greig, underscored the escalating threat of increasingly sophisticated identity-centric cyberattacks and in particular deepfakes.
The ticking clock: The inescapable reality of deepfake threats
A few months on, a crucial question lingers: Why aren’t more enterprises urgently addressing the deepfake threat? Arup’s transparency acts as a blunt reminder that no organisation is immune, not even the most security conscious. The challenge, however, lies in the prevailing disbelief that deepfakes pose a tangible risk. This was backed up in a recent study of global technology decision-makers by iProov which found that almost half of organizations had encountered a deepfake yet two-thirds (62%) worry their organization isn’t taking the threat of deepfakes seriously enough. The stark reality is that deepfakes pose a threat to any situation where an individual needs to verify their identity remotely. They can be used in many harmful ways and have quickly become a powerful way of launching cyber attacks. One of the most quantifiable is financial fraud. Here they can be used to commit large-scale identity fraud by creating synthetic identities or impersonating individuals to gain unauthorized access to systems or data, initiate financial transactions, or deceive others into sending money as was the case with Arup
What’s clear with the risk related to deepfakes is that time is not on our side. It’s a matter of when, not if, organizations will be compromised by a deepfake. While these threats continue to evolve in complexity, there are existing technologies that offer a lifeline.
Learning from Arup’s experience: The power of transparency
Arup’s willingness to share the details of their ordeal is invaluable. It offers insights into the evolving attack methodologies of cybercriminals and emphasises the importance of fostering a culture of transparency within organisations. By openly discussing vulnerabilities, businesses can collectively learn and strengthen their defences.
Biometrics with liveness leads the charge against deepfakes
Biometric face verification with liveness provides the most reliable method for remote identity verification. That’s because the ability to establish ‘liveness’ – confirming the presence of a real, live person during authentication – sets facial biometrics apart, significantly mitigating the risk of scalable, low-cost spoofing attacks like deepfakes. We no longer need to believe our own eyes; liveness technology works to underpin that trust.
The dynamic nature of liveness checks adds a layer of security that is essential to defend against the fast-moving nature of AI. Other biometric methods such as the iris or voice can undoubtedly authenticate a user, but they lack the crucial verification step that facial biometrics with liveness offers.
It’s far harder to assure that such biometrics are genuine, and only our faces are ubiquitously documented on official identity documents, providing a reliable ‘source of truth’ for comparison.
This unique advantage of facial biometrics with liveness is emphasised still further when compared with the limitations of traditional authentication methods like passwords and OTPs, which can be easily socially engineered, shared or stolen. In an increasingly digital world where identity fraud is rampant, the ability to confirm that someone is the right person, a real person and present right now has become essential.
Preparing for the inevitable: A multi-layered approach
So, how can enterprises, governments, and other organisations equip themselves to combat the deepfake menace? A proactive, multi-layered strategy is essential.
- Advanced authentication: Traditional authentication methods are no longer sufficient. Biometrics and liveness detection technologies offer a robust defence by verifying the physical presence and identity of individuals in real-time.
- AI-powered detection tools: The battle against deepfakes is increasingly being fought on the technological front. While organisations recognise the increased efficiencies that AI can bring, these benefits are also enjoyed by threat technology developers and bad actors. Approximately 73% of organisations are actively implementing solutions to mitigate the threat of deepfakes. However, the aforementioned study reveals a significant concern among these organisations with a lack of confidence in the measures being taken to effectively combat deepfake threats. AI-driven solutions that can analyse and detect subtle inconsistencies in video and audio are becoming indispensable.
- Continuous monitoring: Identity Verification systems should incorporate continuous monitoring and anomaly detection capabilities to identify atypical patterns or behaviours that could indicate a deepfake attack. Organisations should adopt advanced techniques that can adapt to the quickly evolving cyberthreat landscape. Static defences are insufficient; instead, organisations should utilise solutions that continuously evolve rather than rely on software alone. In the iProov study, organisations acknowledged biometrics as a specialised field of expertise. It was emphasised that the chosen solutions provider should possess the ability to adapt and keep up with the constantly evolving threat landscape. This adaptability is crucial to ensure adequate protection of biometric solutions against deepfakes.
- Incident response plans: Despite all precautions, breaches may still occur. Having well-defined incident response plans that outline clear procedures for containing and mitigating damage is crucial.
The biometric imperative: The critical deepfake defence
As deepfake threats escalate, biometrics and liveness detection are increasingly important and poised to become standard safeguards. The survey found that three-quarters (75%) of solutions being implemented to address the deepfake threat are biometric solutions. It also pinpointed facial verification as the most suitable extra authentication method to safeguard against deepfakes when accessing accounts or logging in, making modifications to personal information accounts and conducting typical transactions.
Leadership’s role: Navigating the next era of cybersecurity
Leaders play a pivotal role in preparing their organisations for the challenges ahead. By prioritising cybersecurity investments, fostering a culture of awareness and embracing emerging technologies, they can position their businesses for success in the evolving threat landscape.
The Arup incident is a wake-up call. The era of deepfakes is well and truly upon us, and the consequences of inaction can be devastating. By proactively adopting a comprehensive defence strategy, organisations can safeguard their assets, protect their reputations and navigate the next era of cybersecurity with confidence.
In the face of incessant cyberthreats, vigilance and preparedness are your greatest allies and it’s imperative to face up to the real and present threat of deepfakes and to act without delay.