Phishing is used by bad actors to send a communication, e.g., an email or IM, pretending to be a trustworthy source in order to get people to divulge sensitive information such as usernames, passwords, credit card information, date of birth/SSN, etc. An example is where you receive an email that appears to be from your bank saying your account has been suspended, providing a (malicious) URL you can use to verify your credentials or credit card information to unlock your account. General phishing attacks are sent in waves to large groups of recipients, hoping some will think it’s real and divulge their information.
Bad actors also use targeted phishing, where a phishing communication is targeted to one or a small group of recipients, often where the actor has some basic information about the recipients. Two examples of targeted phishing are spear phishing, which is a phishing attack targeted at a single company, organization, or individual, and whaling, which is a spear phishing attack targeted directly at company executives, finance personnel, and other high-value targets within an organization. Targeted phishing communications, especially whaling, usually include credibility-enhancing details designed to entice someone to transfer company funds, provide sensitive company information, or obtain credentials that can be used to attack a company’s network. A well-known example of whaling is an email purportedly from a CEO to a controller containing some information designed to trick the recipient into thinking the communication is legit, directing the controller to pay a fake vendor invoice right away in an attempt to trigger a wire transfer to the bad actor’s own account.
Anti-phishing tools and strategies employed by many companies, as well as anti-phishing training which is becoming more prevalent, have helped minimize the success of phishing attacks. Unfortunately, a dark revolution in phishing is on the horizon. “Deepfakes” (derived from “deep learning” and “fakes”) use artificial intelligence to create video or sound of a human that is virtually indistinguishable from an authentic recording. A well-known early example is a deepfake created by Jordan Peele of Barack Obama giving a public service announcement warning the public of the dangers of deepfakes (you can view it by clicking here). While deepfakes’ first broad application was in the realm of pornography and deepfakes often have telltale signs that they are not authentic, technology continues to improve by leaps and bounds. People have begun to create sophisticated, difficult-to-spot deepfakes and edited videos for nefarious purposes, such as political attacks. Imagine the well-timed online release of a video that appears to be a prominent politician admitting he took a bribe; even if it’s fake and the politician vehemently denies the veracity of the original video, the bad publicity may be enough to sway an election.
It is only a matter of time before deepfakes are used regularly in targeted phishing attacks against companies and individuals. Imagine the whaling emails of the 2010s replaced with a deepfake voicemail sounding exactly like your CEO, a deepfake video message that appears to be from your CEO, or even a deepfake audio or video call with your “CEO,” asking you by name to expedite a large wire transfer to a vendor. I call the use of deepfakes for enhanced phishing attacks “deep phishing.” Where in the past sophisticated makeup and sets would be needed to fool someone into thinking they were talking to someone else, deepfakes will make doing so disturbingly easy and relatively inexpensive with the right technology. It’s only a matter of time.
Strategies to Combat Deep Phishing
It’s impossible to predict when deep phishing attacks will become prevalent. While security companies will likely develop and offer solutions in the future designed to help companies detect deepfakes, such solutions do not exist today, and even if they are available in the future not all companies will be able to afford or implement such tools. Companies should consider proactively employing less-costly, easier-to-implement strategies today to protect against deep phishing attacks. These strategies that may help protect your company against today’s targeted phishing attacks as well. Here are some suggested approaches:
Manual Verification of Targeted Communications
The simplest way to combat deep phishing is to manually verify any communication typically used in targeted phishing attacks, such as a request to transfer funds over a certain threshold to a third party, a request to send your login credentials to someone, or a request to send sensitive customer or business information to someone. We’ll call these types of communications “targeted communications.” By designating two people that must sign off, and by ensuring that one verification must be provided via contact initiated from the recipient (using the company’s phone book – beware spoofed phone numbers in phishing emails), companies can help reduce the risk of falling prey to a phishing or deep phishing attack.
Another strategy to combat deep phishing is to use an authenticated communication. Authenticated communications use an auditory, written, visual, or action key or watermark, changed periodically, which must be included in targeted communication. If a communication includes the key, the communication can be considered authentic. For example, depending on the level of security required, a key could be a spoken phrase (e.g., “seventeen bravo charlie”) or keyword (e.g., “tangerine”) in audio; a specific pin worn on a lapel, or specific background item or hand signal, in a video; or a specific image file or special signature inserted into a written communication. A key could also be an action such as a 5-second pause in a recording. Companies could also use multiple keys, or rotate among different key types. Unless the bad actor knew the authentication key(s), a company would have a greater chance of catching a deep phishing attempt before it was successful.
For enhanced security, consider using an algorithmic key (e.g., a 6-digit code generated by an RSA token or Google Authenticator that changes every 60 seconds). Use of an algorithmic key will make it extremely difficult for a bad actor to successfully conduct a deep phishing attack.
Multiple Vector Communications
Another strategy to combat deep phishing is the use of a multiple vector communication. Just as multi-factor security authentication requires you to provide two or more things you know, have or are in order to authenticate your identity, a multiple vector authorization would require a targeted communication be sent through two or more communications methods, or “vectors,” at or close to the same time. For example, in order to be considered genuine, an email or voicemail communication must be accompanied by a text message from the requestor verifying the request within 10 minutes. Without the verifying communication, the original request would be rejected.
Multiple Vector Authentication
For extremely sensitive requests, companies could consider combining both authenticated communications and multiple vector communications into a multiple vector authentication. In order for someone to take action on a target communication, the requestor must provide a key broken into two or more parts, each sent via a separate communications vector. Once all communications are received, the key can be assembled and verified by the recipient. The key would need to be changed regularly. If any of the communication vectors is missing the key or has an old key component, there’s a good chance it’s a phishing or deep phishing attack.
Make Phishing and Deep Phishing Training Your Cornerstone
Finally, it’s worth reiterating that the most important thing a company can do to combat phishing or deep phishing attacks is to continually educate your employees on the dangers of phishing and deep phishing. Make this a cornerstone of your anti-phishing strategy. Ensure all employees know what to look for when it comes to phishing, and train them on the dangers of deep phishing. Training should apply to anyone who has access to sensitive information or system access. Ensure your vendors (especially those with integrations to your systems) are contractually obligated to perform anti-phishing training for their personnel at least semi-annually and to have reasonable administrative, procedural and technical security measures in place. If you use a strategy to combat deep phishing, ensure the right personnel are trained on it, and that the details are kept strictly confidential. Otherwise, ensure targeted communications are verified manually before they are acted upon. The best anti-phishing strategy in the world won’t stop a phishing or deep phishing attack if it’s not applied in practice.
Eric Lambert is commercial counsel with Trimble Inc., a geospatial solutions provider focused on transforming how work is done across multiple professions throughout the world’s largest industries. He serves as division counsel for the Trimble Transportation business units, leading providers of software and SaaS fleet mobility, communications, and transportation management solutions for the transportation and logistics industry. He is a corporate generalist and proactive problem-solver who specializes in transactional agreements, technology/software/cloud, privacy, marketing and practical risk management. Eric is also a life-long techie, Internet junkie and an avid reader of science fiction, and dabbles in a little voice-over work. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice.