The Dangers of Deepfake

Deepfake technology can mean bad news for your practice

Inasmuch as we’d like to celebrate the advancement of ML and AI technologies, the US Federal Bureau of Investigation (FBI) encourages private organizations to be careful and vigilant of falling victim to entities who use the deepfake technology for malicious campaigns.

In a Private Industry Notification (PIN) issued by its Cyber Division in March 2021, the FBI anticipates that malicious actors “almost certainly will leverage synthetic content for cyber and foreign influence operations.”

This isn’t really anything new. Since 2019, several campaigns have been found to use ML-generated social media profile images. However, the recent advances in ML and AI give cybercriminals the opportunity to generate and manipulate content that serves their malicious plans. 

How does this affect you?

Healthcare practices, large and small, have long been prime targets for cybercrime. This is because you handle especially sensitive data that could be worth a lot of money for cybercriminals. 

If hackers are working hard to improve the quality and increase the impact of their campaigns, you can be sure that they’re doing this with healthcare practices like yours as their target. Whether it’s tricking your staff into letting them in your network or launching external attacks against your cybersecurity defenses, hackers will definitely use technological advancements to their advantage.

Here’s what the FBI anticipates

According to their PIN, the FBI anticipates that deepfake technology will be employed broadly across their cyber operations. The sophistication of the synthetic media will take their existing spearphishing and social engineering campaigns to a different, more potent, level.

Besides using the technology on existing campaigns, cybercriminals are also anticipated to employ deepfake tools in a newly defined cyber attack vector called Business Identity Compromise (BIC).

BIC is the creation of synthetic corporate personas or the imitation of existing employees, likely to gain access to your company’s bank account, line of credit, tax refund, or personnel information.

How do we identify deepfakes?

As you may have observed from the examples above, some deepfakes are so realistic that they’re almost impossible to detect. 

Here are a few tips from the FBI on how you can identify and mitigate synthetic media such as deepfakes:

Keep an eye out for visual indicators.

Visual indicators include distortions, warping, and inconsistencies. In photos, check if the spacing and placement of the person’s eyes are distinct and consistent among several images.

In videos, check for inconsistencies in the movement of the person’s head and torso. You can also check if the movement of their face and/or lips are consistent with the audio.

Contact a reputable third-party organization.

If identifying synthetic content is too difficult or too confusing for you, a third-party research and forensic organization can help evaluate the media. A trusted IT and cybersecurity company can also offer valuable insight and advice.

Be familiar with media resiliency frameworks.

An example would be SIFT methodology, which encourages us to carry out the following steps when taking in information online:

1. Stop. If you feel the urge to immediately believe or share something on the Internet, don’t. At least not until you’ve carried out the next steps.
2. Investigate the source. Ask yourself, “Is this source what I thought it was? Is this source credible enough to share without any further checking? Is there anything that might disqualify this as a source?”
3. Find trusted coverage. If you’re not sure you trust the source of your information, do a search and see who else is publishing or reporting it.
4. Trace claims, quotes, and media to the original content. See the full context of the information. Read the whole article, check the date the content was published, verify if the information is up to date.

How do you protect your practice from deepfakes?

Deepfakes may be getting more and more realistic, but you can still protect your practice from getting fooled by cybercriminals who use them. Good cyber hygiene can significantly lower your risks of falling victim to malicious actors.

Here are a few FBI-endorsed security measures that your practice can adopt:

Information and Education

Inform and educate your entire workforce about the risks of deepfakes, making sure to include those in upper management and senior executive positions. Because they have access to the most sensitive and most valuable information in your organization, they are prime targets for cybercrime.

Cybersecurity Awareness

Conduct cybersecurity awareness training among your staff so that they know how to spot, avoid, and report social engineering, phishing, and other cyberattack attempts. You can partner with trusted experts who specialize in healthcare technology and have them share their valuable insight and advice to your team.

Identity Verification

Do not assume an online persona is legitimate. Seek multiple independent sources of information to validate or verify it. If you receive attachments, links, or emails from senders you don’t recognize, do not open them.

Privacy Protection

Never provide personal information in response to unsolicited inquiries. This includes usernames, passwords, birth dates, social security numbers, financial data, and other sensitive information. 

If you receive requests for sensitive or corporate information, be cautious about sending them over electronically or over the phone. If you can, verify these requests via secondary channels of communication.

Multi-factor Authentication

Use multi-factor authentication (MFA) on all systems to add an extra layer of security to your network. According to Microsoft, MFA can block 99.9% of account compromise attacks.

| Read more about MFA and how it can help your practice here...

Continuity Plans

Establish and implement processes that allow your practice to continue operations in the event one of your accounts is compromised and used to spread synthetic content.

Partner With Reputable IT and Cybersecurity Experts

All these tips and advice from the FBI are extremely helpful to healthcare practices everywhere. Unfortunately, dealing with threats involving synthetic media can be highly technical and you may not be able to handle everything yourself.

For maximum protection and round-the-clock support, partner with a trusted IT company that specializes in protecting and optimizing healthcare practices.