Deepfake Phishing explained and how you can protect yourself
Gone are the days when a video or a voice message could help you guess whether a request was real or fraudulent. Nowadays, cybercriminals can create ultra-realistic phishing scams using deepfake techniques. But first... do you know what each of these terms means?
What is phishing, what is deepfake, and, most importantly, what is deepfake phishing?
Phishing basically involves fraudulent messages created by cybercriminals to trick people. Whether by email, SMS, or social media, phishing happens when a scammer makes a fraudulent request to a victim through misleading content: a request to transfer money, or a request to share credentials, among many other pretexts.
Deepfakes, on the other hand, are manipulated content that presents people acting in ways they wouldn’t dream of in the real world. Nowadays, with artificial intelligence, practically anyone can create images, videos, or voice messages that are extremely close to the physiognomy and speech cadence of someone you may know.
When a cybercriminal uses deepfake techniques to trick an Internet user, the scam is called deepfake phishing, basically fraud using ultra-realistic content created with artificial intelligence.
How does Deepfake Phishing work?
Deepfake phishing scams are executed as follows. Firstly, a fraudster creates content that looks extremely authentic, impersonating a person you know: your boss, a work colleague, a relative, or a friend.
How is this done? The cybercriminal collects images and videos of the person they want to impersonate, material that is readily available on social media. They then feed this content into an artificial intelligence algorithm. That's it! Now the system provides a near-perfect imitation of that person, creating fake videos, images, and audio that can fool even the savviest eyes and ears.
Deepfake phishing has been used repeatedly by cybercriminals to target companies. One of the most common forms is the creation of fake videos of CEOs or senior executives asking an employee to make urgent financial transfers or share credentials to access systems.
The most common triggers
As with other types of phishing scams, criminals employ different mental triggers to make deepfake phishing scams even more convincing. Some of them are:
- Authority: when cybercriminals impersonate authorities, such as CEOs and other C-level executives, or even bank or government employees, victims are quicker to comply with fraudulent requests.
- Urgency: a fraudulent request will almost always have an urgent or threatening tone, warning of dire consequences if immediate action is not taken: loss of customers or suppliers if a financial transfer is not made, interruption of a system if a credential is not shared, etc.
- Scarcity: opportunities that cannot be missed and exclusive benefits are also on a cybercriminal's list of arguments to convince victims to act quickly.
Among the risks associated with falling for a deepfake scam are identity theft, financial fraud, and damage to one's own or a company's reputation.
How do I identify a deepfake scam?
Deepfake scams are indeed almost perfect crimes. But it's almost always possible to notice certain inconsistencies that make spotting a scam easier:
- Unnatural eye and mouth movements: deepfakes often feature unnatural eye and mouth movements. Strange blinks and lips that are out of sync with speech are common flaws.
- Attention to the details of hands, hair, and other body parts: it is not uncommon to notice strange or cut-out shapes of hands, ears, and hair in deepfakes.
- Artificial voice: be wary of unnaturally perfect speech cadences, with no hesitations, corrections, or background noises. They may have been created with artificial intelligence.
Ultimately, given ultra-realistic scams like those involving deepfakes, it's always best to be wary of suspicious requests. Always try to confirm the authenticity of the request in person with the supposed sender before taking any action.