Deepfake Phishing

When we receive a communication we suspect as fraudulent, the logical approach is to speak with the sender through a medium where their identity can be verified – either a phone or video call. However, scammers have a new tool in their arsenal to undermine the integrity of these methods: Deepfakes.

In a deepfake phishing scam, a malicious actor leverages deep learning technology to impersonate the voice and/or appearance of at least one person a recipient would trust.

The goal of these scams is usually to get the victim to send money or reveal sensitive information. Most scammers have focused deepfake scam efforts on companies by targeting their employees. But as the tools to produce convincing deepfakes become more accessible, deepfake phishing scams have begun targeting individuals too.

Often, deepfake phishing campaigns find victims with phone calls. In one example outlined by the US Federal Trade Commission, a scammer uses a voice clone of a victim’s grandchild to convince them that the grandchild has landed in jail and urgently needs money for bail. A quick search reveals many variations on this scheme, including using voice clones to simulate hostage situations, car accidents, and other scenarios that require you to send them money ASAP.

It’s important to note that these scams are not limited to traditional voice calls. They can be carried out over apps like WhatsApp and even increasingly on video call apps like Zoom. If the scammer uses a video call, they usually create a real-time deepfake video of one or multiple of the family members they’re impersonating. As with the deepfake voice calls, the video calls serve to convince you of the requestor’s validity so you will comply with their demands.

How to Protect Yourself

One of the best ways to proactively protect yourself and your family is to agree on a “password” you can share if you are in danger. That way, you can be sure that communications without that password are illegitimate.

In a reactive situation, even though these scams can sound scary, the tools to spot a deepfake phishing scam remain surprisingly familiar. Like a “traditional” phishing scam, deepfake phishing scams have a few telltale signs. Be vigilant for any unexpected communications which:

  • Indicate urgency
  • Cause a rush of emotions
  • Seem too good, bad, or outlandish to be true

In every medium, malicious actors prey on eliciting an emotional response to get victims to act in ways they might not otherwise. In these situations, the follow these three steps:

  1. Close the communication immediately.
  2. Take a moment to breathe. It’s important to act rationally in these situations.
  3. Reach out to the person you think you heard from via a medium you know to be legitimate. This can mean calling the family member back with the number saved in your contacts, or contacting a company via the information on their website.

Because deepfakes are only getting more convincing, they can be hard to spot without considering the content as described above. To test your ability to tell the difference between deepfakes and real videos, check out Microsoft’s Spot the Deepfake.