Tom Cruise is not on TikTok. And yet he has amassed 3.3m followers on the popular social media platform.
He has had well over 10m likes without moving a muscle, from people who enjoy watching video clips of him playing golf, playing the guitar and even eating cereal with Paris Hilton.
It’s not the real person, of course. It’s @deeptomcruise, not the real Hollywood actor, but another actor called Miles Fisher. Every single short clip is a computer-generated version of Tom, transplanting his face, voice and general likeness onto Miles.
It’s uncanny, but it’s just a deepfake: an audio or video recording that uses artificial intelligence to impersonate faces and voices. An art project by a US company, Metaphysics, @deeptomcruise is clearly labelled as manipulated media and was created to raise awareness of the phenomenon – and how it could be abused.
The most worrying aspect of deepfakes is how they can be used to spread political propaganda or incite violence. The technology is so convincing people could very easily be tricked into thinking they were watching the real thing. The FBI has already asserted its concerns around deepfake and the risks of actors leveraging synthetic content, posing as journalists.1
From a business point of view, what does it mean to you? Are your cyber risk management systems ready for this tech?
Cybercriminals are so sophisticated, and the results of deepfakes so believable, it was only a matter of time before they were used for illegal financial gain. They are now being used to create detailed and highly plausible phishing messages, with voice impersonations being used to extort and trick - £35m was taken in one scam which saw a bank manager in Hong Kong duped by a deepfake impersonation into transferring the funds.2
We’ve all received recorded calls in which a polite sounding person asks us questions as part of a pre-recorded message. They’ve been around a while and are usually easy to spot. But what if the person’s voice was someone you knew? You, or your employees, could easily be tricked into passing over business information or clicking on a link and giving away private business access. An audio deepfake is easy to create if you are working with good artificial intelligence.
Social media platforms can exacerbate the problem as entire accounts can be created with a name, photo, video content and links, leading recipients to click links or open documents, believing that they are communicating with someone they trust.
Communication is key
The best advice to prevent deepfake technology from infiltrating your business is to ensure you communicate thoroughly with your employees and have a good risk management approach to cyber security.
Ensure that they know it is not company procedure to drive them to click on links without secondary verification or request payment on the phone. Regularly train your team on the technology that exists and teach them how to recognise requests that could lead to them giving away access to sensitive or confidential information. Provide clear social media guidelines and regularly communicate these to avoid errors. Ensure they know to type out web addresses into their browsers. Confirm they should not provide personal information, including usernames, passwords, birth dates, social security numbers, financial data, or other information in response to unsolicited inquiries, instead to always seek verification when approached.
By adopting good cyber hygiene, staying alert, and maintaining strict training and communication, businesses can protect themselves against the use of deepfake technology. This type of technology will likely only improve, so the best form of attack has to be defence.
Even with these measures, precautions, and robust cyber risk management in place, it’s essential to arrange cyber insurance to protect your business and help get back on track should it be a victim of any cyber-related crimes.
Managing these incidents may require detailed technical knowledge that comes at a cost, so as well as minimising disruption to your business and offering financial protection during an incident, cyber insurance can help with any legal and regulatory actions after an incident.