Scammers Go Phishing With Deepfakes

Published in PC Magazine, Sep 13, 2019

Deepfakes, or doctored videos, have mostly been used to harm the reputations of celebrities and politicians. Now the AI-assisted technology is being used to trick companies out of big money.

By Max Eddy

I don’t get a lot of questions about my job from my family. They are, understandably, far more interested in the hijinks of my rats and my dog. But when I do get asked about security, people invariably want to know why the bad stuff happens. There are a lot of answers to that question, but the one that I always come back to is simple: money.

Ransomware? Easy cash for attackers. Phishing? Nothing but cash. Spam? All kinds of ways to monetize people clicking links. Data breaches? That stuff gets used for fraud and the rest gets sold off (to be used for more fraud). Nation state attacks? Sure there’s ideology, but when you consider that US sanctions no doubt played a part in Russia’s motivation for attacking the 2016 election, money is in the equation. And that’s not to mention nation state hackers moonlighting for extra cash.

Not on that list is deepfakes, videos that have been tampered with, generally using AI-driven technology. We’ve seen celebrities’ faces swapped onto pornstars’ bodies and politicians’ faces and voices manipulated to make them appear to say things they didn’t actually say. Sometimes they’re made to promote wildly inflammatory conspiracies; more insidious are the times they’re manipulated to say things suggestible viewers can have trouble distinguishing from the truth.

Deepfakes have been much talked about in recent months out of fear that they could be used in misinformation campaigns to confuse voters. That hasn’t happened on a large scale (yet), but pornographic deepfakes have already damaged many individuals. So why do we call this an emerging threat? Probably because there wasn’t an obvious way to directly monetize them. That changed this week, as it’s being reported that deepfakes have been used to fleece corporations for hundreds of thousands of dollars.

New Tools, Same Old Con

In hindsight, I should have seen it coming. Social engineering (a fancy way of saying “tricking people”) is a time-honored tool for breaching digital security or simply making money fast. The addition of deepfakes in the trickery is a perfect fit.

The Wall Street Journal reported that some clever attackers built a deepfake voice model that they used to convince another employee they were speaking to the company’s CEO. The employee then authorized a wire transfer of some $243,000. In its own reporting, the Washington Post wrote, “Researchers at the cybersecurity firm Symantec said they have found at least three cases of executives’ voices being mimicked to swindle companies.” The estimated haul is measured in millions of dollars.

For my own edification, I sat down and tried to trace the history of deepfakes. It truly is a concept for the fake news era and began in late 2017 in a Vice article about face-swapped pornography posted on Reddit. The first use of “deepfakes” was actually the username of the individual posting the pornographic videos that featured the face, but not the body, of Gal Gadot, Scarlett Johansson, and others.

In just a few months, the concern over deepfakes moved to politics. Videos appeared lampooning political figures, and this is where I (and most of the rest of the security community) got stuck. In the wake of the misinformation from Russia during the 2016 US election, the idea of near-indistinguishable fake videos flooding the 2020 election cycle was (and still is) a dire one. It also grabs headlines and is one of those projects for the public good that security companies really like.

I would be remiss if I didn’t point out the limitations of deepfakes. For one thing, you need audio clips of the person you’re trying to impersonate. This is why celebrities and politicians in the national spotlight are obvious targets for deepfakery. Researchers, however, have already demonstrated that only about a minute of audio is required for creating a convincing audio deepfake. Listening in on a public investor call, news interview, or (God help you) a TED talk would probably be more than enough.

Also, I wonder how well your deepfake model even needs to operate in order to be effective. A low-level employee, for instance, might not have any idea what the CEO sounds like (or even looks like), which makes me wonder if any reasonably plausible and authoritative voice is enough to get the job done.

Why the Money Matters

Criminals are smart. They want to make as much money as they can, quickly, easily, and with the least amount of risk. When someone figures out a new way to do those things, others follow. Ransomware is a great example. Encryption has been around for decades, but once criminals began to weaponize it for easy cash, it led to an explosion of ransomware.

Deepfakes being used successfully as a tool in what amounts to a specialized spear-phishing attack is proof of a new concept. Maybe it won’t pan out in the same way as ransomware; it still requires considerable effort, and simpler scams work. But criminals have proved that deepfakes can work in this novel way, so we should at least expect some more criminal experiments.

Instead of targeting CEOs, scammers could target regular folks for smaller payouts. It’s not hard to imagine a scammer using videos posted to Facebook or Instagram to create deepfake voice models to convince people their family members need a lot of money sent by wire transfer. Or perhaps the thriving robocall industry will get a deepfake layer for added confusion. You might hear a friend’s voice in addition to seeing a familiar-ish phone number. There’s also no reason why these processes couldn’t become automated to a certain extent, churning out voice models and running through prearranged scripts.

None of this is to discount the potential damage of deepfakes in elections, or the money tied up in those operations. As criminals become more adept with deepfake tools, and those tools become better, it’s possible that a marketplace of deepfakes-for-hire could emerge. Just as bad guys can lease time on botnets for nefarious purposes, criminal corporations dedicated to creating deepfakes on contract may appear.

Fortunately, a monetary incentive for the bad guys creates one for the good guys. The rise of ransomware led to better antimalware for detecting malicious encryption and preventing it from taking over systems. There’s already work being done to detect deepfakes, and hopefully, those efforts will only be supercharged by the arrival of deepfake phishing. That’s little comfort for the people who have already been scammed, but it’s good news for the rest of us.

Originally published at on September 13, 2019.

