Risk Management: Do lawyers need to be concerned about falling victim to deepfakes?
By Mark Bassingthwaighte
The short answer is yes, everyone does; but the reason lawyers need to be concerned requires a longer explanation.
What is a deepfake?
The word “deepfake” combines “deep learning” and “fake.” A deepfake is digital content created with machine learning and artificial intelligence techniques that manipulate existing, or generate entirely new, image, video, and audio content realistic enough to deceive the people who view or hear it. Deepfakes aren’t by definition all bad; the film industry, for example, uses the same technology. They become a serious concern only when a bad actor creates one in furtherance of a cyberattack, fraud, extortion attempt, or other scam.
Isn’t making a deepfake crazy hard?
Not anymore. Jai Vijayan, Contributing Writer at Dark Reading recently stated: “It’s time to dispel notions of deepfakes as an emergent threat. All the pieces for widespread attacks are in place and readily available to cybercriminals, even unsophisticated ones.”
Researchers with the security company Trend Micro expressed similar concerns in an online post this past September with this opening statement: “The growing appearance of deepfake attacks is significantly reshaping the threat landscape. These fakes bring attacks such as business email compromise (BEC) and identity verification bypassing to new levels.” They went on to say that more serious attacks will be forthcoming because of the following issues:
“There is enough content exposed on social media to create deepfake models for millions of people. People in every country, city, village, or particular social group have their social media exposed to the world.
“All the technological pillars are in place. Attack implementation does not require significant investment and attacks can be launched not just by national states and corporations but also by individuals and small criminal groups.
“Actors can already impersonate and steal the identities of politicians, C-level executives, and celebrities. This could significantly increase the success rate of certain attacks such as financial schemes, short-lived disinformation campaigns, public opinion manipulation, and extortion.
“The identities of ordinary people are available to be stolen or recreated from publicly exposed media. Cybercriminals can steal from the impersonated victims or use their identities for malicious activities.
“The modification of deepfake models can lead to a mass appearance of identities of people who never existed. These identities can be used in different fraud schemes. Indicators of such appearances have already been spotted in the wild.”
Why must lawyers be concerned?
I would hope it would be self-evident. Law firms hold large amounts of other people’s money and a large volume and variety of sensitive and confidential information, so they have been, and will continue to be, an attractive target for cybercriminals and scammers. The only thing that is changing is the sophistication of the attacks.
As a lawyer, you need to know that tools capable of creating a deepfake of you exist and are readily available. A cloned version of your voice or face could be used to issue voice commands to a smart speaker such as Amazon Alexa; to manipulate a colleague, family member, friend, or employee into moving money; to hijack your bank account; to bypass an identity verification process; or even to plant fake evidence in an attempt to blackmail you. All the attacker needs is a good photo or a short voice recording, and current voice-cloning tools work from well under a minute of clear audio. How many people do you know, including yourself, who have already posted all kinds of audio, video, and photos on social media? You and I both know it’s practically all of us.
My purpose in sharing all of this is not to instill fear. Rather, it is to create awareness and an appropriate level of concern. We all need to stay abreast of how the attack vectors continue to change so that we have an opportunity to be proactive in our efforts to avoid falling prey to these ever-evolving cyberattacks and scams.
What should law firms do about the deepfake threat?
As with so many cyber and scam threats, there is no one step you can take and there are going to be no guarantees that any combination of steps will successfully block this threat. All you can do is try your best. That said, the following are becoming more important than ever.
Use multifactor authentication on every critical or sensitive account or service: bank and other financial accounts, cloud-based services such as practice management programs, email accounts, remote access, and so on. Where the service offers a choice, prefer an authenticator app or a hardware security key over one-time codes delivered by SMS or voice call; a convincing voice clone is exactly the tool an attacker would use to talk a carrier or a colleague into handing over a code.
Mandate the use of an out-of-band communication process to verify the legitimacy of every request to transfer funds, regardless of the communication channel the person making the request uses. If you are not already familiar with the term, an out-of-band communication is a challenge-and-response check made to the requestor of a transfer, payment, or delivery of money using a communication method that is separate and distinct from the one the requestor originally used. Two details make or break the process: the callback must go to contact information already on file with the firm, never to a number or address supplied in the request itself, and a voice or video call is not a substitute for this check, because the voice and face on that call are precisely what a deepfake counterfeits.
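The following is an added illustration of the out-of-band rule described above, written for this page and not code from ALPS or the author. It encodes the two checks a callback procedure must pass before a transfer is released: the verification channel differs from the channel the request arrived on, and the contact used for the callback comes from the firm’s own directory rather than from details supplied inside the request. The request, directory entry, names, and phone numbers are constructed sample data.

```python
"""Out-of-band verification gate for funds-transfer requests (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TransferRequest:
    requester: str                          # who the request claims to come from
    channel: str                            # "email", "sms", "phone", "video"
    amount: float
    destination: str                        # payee / account the requester asks to pay
    callback_in_request: Optional[str] = None  # number or address offered in the message


@dataclass(frozen=True)
class Callback:
    channel: str              # channel the firm used to verify
    contact_used: str         # number or address the firm actually contacted
    readback_confirmed: bool  # requester confirmed amount AND destination verbatim


# Constructed sample directory: contacts the firm recorded at client onboarding,
# independent of anything that arrives in an incoming message.
DIRECTORY: dict[str, frozenset[str]] = {
    "J. Client": frozenset({"+1-406-555-0100", "jclient@example.com"}),
}


def verify_out_of_band(req: TransferRequest, cb: Callback,
                       directory: dict[str, frozenset[str]] = DIRECTORY) -> tuple[bool, str]:
    """Return (approved, reason). Every rejection names the rule that failed."""
    # Rule 1: the verification must travel on a different channel than the request.
    if cb.channel == req.channel:
        return False, f"callback used the same channel as the request ({req.channel})"

    # Rule 2: the contact used must come from the firm's records, not the message.
    known = directory.get(req.requester)
    if not known:
        return False, f"no directory entry for {req.requester!r}; verify in person first"
    if cb.contact_used not in known:
        if cb.contact_used == req.callback_in_request:
            # The classic failure: calling the number printed in the fraudulent email.
            return False, "callback went to contact details supplied by the request itself"
        return False, "callback contact is not in the firm's directory"

    # Amount and destination must be read back and confirmed on the trusted channel.
    if not cb.readback_confirmed:
        return False, "amount and destination were not read back and confirmed"
    return True, "verified out of band against directory contact"


if __name__ == "__main__":
    # Constructed scenario: an email asks for a large wire and helpfully
    # includes a "direct line" for any questions.
    req = TransferRequest("J. Client", "email", 250_000.00, "New Account 8891",
                          callback_in_request="+1-406-555-0199")
    # Rejected: the reviewer phoned the number that appeared in the email.
    print(verify_out_of_band(req, Callback("phone", "+1-406-555-0199", True)))
    # Rejected: replying to the email is the same channel the attacker controls.
    print(verify_out_of_band(req, Callback("email", "jclient@example.com", True)))
    # Approved: phone call to the number in the firm's own records, details read back.
    print(verify_out_of_band(req, Callback("phone", "+1-406-555-0100", True)))
```

The gate is deliberately strict about the source of the contact information: a number that appears both in the request and in the directory is accepted, because the firm independently holds it, while a number that appears only in the request is refused even when the call on it “confirms” everything.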
Conduct periodic mandatory training that, over time, covers the various tactics used in social engineering attacks. Include current examples to demonstrate how these attacks “look and feel.” Mandatory means no exceptions: all lawyers and staff must participate.
Encourage lawyers and staff to limit their presence on social media and to minimize the posting of high-quality personal photos, video, and voice recordings online, since those are the raw material a deepfake is built from.
Consider using biometric verification for access to critical accounts such as banking or other financial accounts, but choose the right kind. A fingerprint or an on-device face unlock that releases a hardware key or passkey relies on data with minimal public exposure. Remote voice- or face-recognition checks are a different matter: your voice and face are already online, and those checks are exactly what the identity verification bypasses noted above are designed to defeat.
Make all conference calls, video calls, and similar meetings private and password protected, with a waiting room where the platform offers one, so that only known, trusted individuals can participate. Remember that a familiar face and voice on a call are not themselves proof of identity; an unexpected request made during a call should still go through the out-of-band verification process.
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1,200 law firm risk management assessment visits, presented over 400 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. He is a member of the State Bar of Montana as well as the American Bar Association, where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.