Digital Deception: The Rise of deepfakes and how to spot them

By Justin Brose, Information Security Analyst, TraceSecurity

In today’s world, there are many conversations being had about artificial intelligence (AI). People are using AI to create new and productive things like polished lines of code, short stories, hip-hop music sung by country artists, and so much more. However, other individuals utilize AI for nefarious reasons.

One of the most egregious creations is deepfaking. In this article, we will define what a deepfake is, who is using them, and what they can be used for. Additionally, we will discuss some ways you can identify deepfakes and how to avoid being scammed by them.

What Are Deepfakes?

Before we can truly understand how a deepfake is leveraged we must define what a deepfake is. A deepfake is the use of AI to replicate some form of media. Some examples include deepfaked audio (AI generated sounds that could replicate human voice, dial tones, automated banking messages, etc.), deepfaked images (AI generated pictures that typically aim to replicate the likeness of an individual, confirmation emails, etc.), deepfaked text/chatbots (AI generated bots whose purpose is to conversate with a target in the hopes of building rapport and convincing the target to provide sensitive information), and deepfaked video (AI generated videos that replicate a personal video taken by an individual to again instill trust with the target).

In its early stages, deepfakes were utilized to create silly videos on the internet of celebrities doing outrageous acts. However, this silly feature of AI has been twisted to create difficult-to-detect scams for the untrained eye.

Who Is Using Deepfakes?

Who really is using deepfakes? In short, the answer is anyone. As mentioned before, deepfakes have been used for comedic purposes in the past, but the power lies in the deceptive nature of these AI-generated pieces of media. Malicious actors are using these new powerful AI tools any chance they get, and the technology for AI is only getting better, so detecting potential deepfakes could become nearly impossible in the future.

What Are Deepfakes Used For?

This now begs the question: What are these malicious actors using deepfakes for? One way cyber criminals are utilizing deepfakes is for social engineering (the use of innate social weaknesses that humans have to enumerate information or gain access to non-public resources). Attackers will generate video or audio of an employee’s boss and give them a phone call/video call to convince the target to provide sensitive information over the phone.

Attackers have also utilized this same method of deepfaking to scam individuals out of money by convincing them that they are paying for a service, or entering money into a savings account, bank account, investment account, etc. Deepfakes utilized in this manner are extremely powerful for attackers when targeting untrained individuals. Providing visual/auditory reference of a person that this individual may know on a professional or personal level can immediately lower the defenses of a target.

In a related manner, individuals utilized deepfakes during the 2024 election to create videos of presidential candidates providing speeches that were never given in reality. The ability to provide misinformation with the likeness of a political figure is powerful and, quite frankly, dangerous. That is why everyone must be trained on how to spot a deepfake…

How to Detect and Defend Against Deepfakes

Since this technology is not perfect, there are some items to look out for to determine if a piece of media has been deepfaked. A few of those items are as follows: visual cues, audio cues, and behavioral irregularities. To start, visual cues can be a dead giveaway. Some examples might include irregular blinking (in the case of visual media), inconsistent lighting or odd reflections, Lip sync mismatch, smoothed graphics, blurry or inconsistent backgrounds, additional appendages, odd movement from the deepfaked subject, etc.

All of these visual cues can sometimes be hard to identify at first glance, but rewatching the visual media or looking around an image can clue you in to some new oddities that weren’t caught the first time. Next, audio cues, some examples of auditory give aways are a robotic tone or cadence mismatch, background noise inconsistency, and odd breathing or audio break up. These cues are a bit easier to identify; however, AI is quickly advancing, and with so much auditory media being on the internet, the training for these AI bots will only become more difficult to detect.

Finally, behavioral irregularities, some things to look out for are unexpected requests, contextual inconsistencies, and/or a sense of urgency. All these items prey on the innate nature of humans to help one another. Oftentimes, attackers/scammers will utilize a family member or a coworker as bait. Attackers will feed the target a story that requires immediate action to try and trigger a “act now, think later” response.

Deepfakes have made trusting digital media difficult. With the ease of access to this technology and the ability to express one’s thoughts/opinions/knowledge at such a large scale, it is essential that everyone takes a “trust but verify” approach.

This is a call to you or your organization to be informed about what possible scams or social engineering attacks are out there. Ensure that you are trusting that the consumed media is telling you the truth, but also use multiple sources to verify that the information is accurate. Remember: you are always one click away from falling victim to a cyber attack.

Connect with TraceSecurity to learn more.