The scariest deepfakes could be in your inbox
Zix’s Paul Balkwell on why the scariest deepfakes could be in your inbox
Over the past couple of years, deepfakes — a form of synthetic media in which a person in an existing image or video is replaced with someone else’s likeness — have catapulted their way into the public imagination. While fake photo and video footage has existed for decades, artificial intelligence and machine learning have made them more powerful, convincing, and easier to produce than ever.
Thanks to a series of high-profile deepfakes featuring politicians and celebrities (most notably Tom Cruise), some analysts have expressed fears that they could wreak havoc on society, dialling up the damage caused by fake news.
As scary as deepfakes might be, however, they remain a nascent threat for the moment. A far more dangerous form of deepfake has nothing to do with videos and images of powerful people — and an example of it could be lurking in your inbox right now.
Phishing out fakes
I am, of course, referring to phishing emails. Growing in sophistication every year, they are capable of mimicking emails from your building society, insurer, and various other service providers with unerring accuracy.
That’s a major contributing factor in phishing’s continuing prevalence, despite its having existed for around 25 years. In fact, phishing has only grown as a threat. In 2020, nearly a quarter of all breaches involved a phishing attack, and more than 75% of all organisations experienced some form of phishing attack. According to the FBI, phishing incidents nearly doubled in frequency between 2019 and 2020.
While part of that can be put down to the chaos caused by the early days of the pandemic, when people were adjusting to remote working amidst a deluge of COVID-19 communication (we may never again see a spike as large as the 667% increase in attacks that came in March 2020), the threat is unlikely to go anywhere.
As such, organisations need to do everything in their power to address the phishing threat. The best way to do so is by finding a balance between having a responsive third-party security team and educating their employees.
The right team
The importance of the former has become particularly apparent this year, as it’s increasingly clear that a multi-layered security approach is needed to provide adequate safety. In March, for example, more than 30,000 organisations were hacked via holes in Microsoft’s email software.
When it comes to finding a security provider, it’s important to look for a couple of things. The team an organisation uses should not, for instance, just react to threats, but proactively monitor and assess them and be able to secure all aspects of the business, including email, cloud, and productivity suites.
It’s also critical that these teams regularly communicate with the organisation so that employees understand the threats facing them.
The importance of education
That speaks to the other important weapon organisations have when it comes to combating cybercrime: education. With cybercriminals increasingly capable of spoofing both internal and external communications, it’s imperative that organisations remind employees and customers of what they’ll never ask them to do via email or any other form of communication. Additionally, organisations should emphasise that employees be doubly cautious of any email that asks them to click a link, open an attachment, or verify their details.
It’s also important that businesses make it clear how and where to report suspicious emails. The faster an organisation’s security team is alerted, the more quickly it can respond and intervene to warn employees and shut down spoofed websites.
Response plans are critical
Even with those measures in place, however, organisations can’t guarantee that they won’t fall victim to a breach as a result of phishing. It’s therefore imperative that they have a breach response plan in place.
Ultimately, an organisation’s data breach response plan should allow it to go into ‘safe’ mode in the event of a breach. This, in turn, should allow it to run system checks to identify the breach, alert a task team and communicate to affected parties, service teams, the information regulator, and media accordingly.
Backing up regularly and securely is also critical to breach recovery. Your backup provider should be able to address the unique needs of laws such as GDPR and any others that impact the jurisdiction you operate in. This includes, but is not limited to, its choice of data centre, data encryption, at-rest and in-transit rules, and the ability to purge backups. Additionally, adopting a backup provider shouldn’t impact on your organisation’s ability to do business.
Preventing and limiting damage
Just as deepfakes may soon be able to do widespread damage to the reputations of high-profile people, so a phishing attack can do serious financial and reputational damage to your organisation. It’s therefore pivotal that organisations do everything both to prevent breaches as a result of phishing and to mitigate their damage when they do happen.