How Deepfakes Change Everything You Know About Security in Banking & FinTech

Ensuring Trust in the Era of AI-Driven Deception

You receive an urgent message from your company’s Chief Financial Officer. He asks you to join an emergency all-hands-on-deck meeting. As soon as you join, you see the worried, familiar faces of your colleagues. There’s been a problem, your CFO explains. He needs all employees to transfer an amount of money to a few different bank accounts. You aren’t sure about this, but this is your CFO talking and everyone else agrees to his request, so you comply as well. You make the transfer. The next day, when you try to find out more about it, nobody seems to have a clue about any transfers. In fact, nobody seems to have joined any meeting at all. And that’s how you learn you’re the latest victim of a deepfake scam. That’s what happened to a Hong Kong-based company earlier in February (Deepfake scammer walks off with $25 million in first-of-its-kind AI heist | Ars Technica), in the first recorded use of deepfake technology to simulate an online meeting. The scammers walked off with USD 25 million and left law enforcement scrambling to catch up.

Deepfakes use artificial intelligence to create hyper-realistic manipulated audio, video, and photos, and they are a growing threat – particularly to the banking & fintech sectors worldwide. As these institutions increasingly rely on digital platforms and automated processes, the potential for malicious actors to exploit deepfakes for fraud and theft explodes.

Trust at Risk

Money moves based on trust. Trust is the true currency of the banking & fintech industry, as customers and institutions mutually trust each other to manage funds & wealth. Deepfakes introduce doubt into this relationship unlike anything we’ve seen before. Images can be faked. Video can be faked. Even audio can be faked (https://www.nytimes.com/2023/08/30/business/voice-deepfakes-bank-scams.html). According to Datos Insights (ex Aite Group), by 2023 more than half of financial executives already believed deepfakes could be used for fraud in their industry.

Social Engineering Sophistication

At their core, deepfakes often rely on social engineering tactics. They depend on our implicit trust in authority figures, or our unwillingness to question requests from people we know well. It doesn’t help that source material for deepfakes is readily available online: as little as a 3-second audio sample – for example, from a social media video or a keynote speech posted to YouTube – can be used to generate deepfaked audio.

According to KPMG, 80% of business leaders consider deepfakes a threat, but only 29% of organizations have taken concrete steps to mitigate the risk (How to Overcome Hyper-realistic Deepfakes – Spiceworks). Compare this to the finding that 83% of US consumers report they stop buying from a business for several months after it suffers a cybersecurity breach (Businesses Can Lose Half of Customers after a Data Breach, Research Shows, bitdefender.com).

What You Can Do

Invest in Detection Technologies

Fight technology with technology. Financial institutions must invest in advanced detection technologies to identify and mitigate deepfake threats in real time. Machine learning algorithms and biometric authentication systems can help verify the authenticity of digital interactions, reducing the likelihood of fraudulent activities. Even simple strategies, such as checking for breath sounds, asking a secret question, or asking a video caller to move their head, might be enough to expose some deepfakes.

Prioritize Cybersecurity

Banks & FinTech must prioritize cybersecurity as an integral part of doing business. Employee training and awareness programs are a basic first step in preparing staff against social engineering attacks and deepfakes, but institutions must go beyond them and ensure they have the tools and information security frameworks in place to address gaps. An added advantage of information security frameworks is that they empower employees to adhere to security best practices even when faced with contradictory requests seemingly coming from top leadership – a potent safeguard against attacks such as the one used in Hong Kong.

Takeaways

Deepfakes pose a threat to the fundamental principles of digital banking & finance by calling into question the authenticity of even audio & video interactions. While regulatory measures struggle to catch up, financial institutions have a responsibility towards their customers and a business imperative to counter this threat. If unmitigated, this threat not only has the demonstrated potential to cost the industry & consumers millions of dollars but can also roll back – and possibly irreversibly damage – consumer faith in digital banking and fintech offerings.

Take the guesswork out of cybersecurity. Kualitatem has been involved in several Compromise Assessment assignments with BFSI. Reach out to Kualitatem today to discuss our Security and Risk Assessment services and discover why 500+ clients trust us to ensure the safety of their most valuable technological assets.