What if the video you received from your CEO wasn’t actually from your CEO?

It may sound like a scene from a sci-fi movie, but thanks to artificial intelligence (AI), this scenario is very real. Deepfakes — realistic reproductions that can replicate a person’s appearance, voice, or actions through the manipulation of video, audio, or images — are quickly becoming a dangerous tool in a cyber criminal’s toolbox.

According to the Canadian Centre for Cyber Security, today’s cyber threat actors are well-resourced, persistent, and capable of running multiple operations in Canada. That includes using deepfakes to commit fraud, spread disinformation, and compromise trust.

As these tools become more accessible and convincing, small and medium-sized businesses from across Canada need to act. And it starts with awareness.

A deepfake is a piece of audio, video, or visual content that has been generated or altered using AI to appear convincingly real. That means someone could fake a voicemail from your boss, a video of a public official, or even an image of someone holding a protest sign they never actually touched — all without their knowledge.

Unlike the clunky video manipulations of yesteryear, today’s deepfakes are often indistinguishable from the real thing. Particularly at first glance. Not only have the tools used to create them improved, but they can be easily accessed online.

Deepfakes are created using AI-powered tools like generative adversarial networks (GANs) and variational auto-encoders (VAE). These kinds of tools analyze existing audio or video clips and use them to create impersonations. Some voice-cloning tools can mimic someone’s speech with just a few seconds of recorded audio.   

And the more realistic and accessible this technology becomes, the easier it is for cyber criminals to use it against your business or team.

So, how exactly are scammers using deepfakes against small or medium-sized businesses? In more ways than you think.

Here are some examples of how deepfakes could be leveraged:

Executive fraud: A finance employee receives a fake video or voicemail from an executive requesting a wire transfer to a specific vendor. It sounds and looks real. And the damage could be done before anyone realizes the truth.

Phishing: Threat actors reach out using AI-generated voices to impersonate someone familiar, tricking your staff into sharing sensitive information or login credentials.

Disinformation campaigns: Deepfakes of public officials or community leaders saying things they never said could stir controversy or sway public opinion.

Social engineering: Cyber criminals may fake calls from IT support or HR, using voice cloning to gain trust and access.

These threats aren’t only targeting large organizations or federal governments. Your small or medium-sized business is just as vulnerable.

For instance, the owner of an art gallery in the United Kingdom lost her gallery after falling for an AI deepfake of Pierce Brosnan. She believed she was in negotiation with the real actor for an exhibition, but the scammers had created a likeness of Brosnan for video calls and voice messages. The scam led to her losing her £30,000 gallery and damaging her reputation.

And it doesn’t need to be elaborate. Fake receipts can now also be generated using ChatGPT and they’re realistic enough to potentially defraud businesses through fraudulent receipts for expenses.

Even a local game and coffee shop in Montana was targeted by criminals using voice replication. The scammer cloned the store owner’s voice to deceive an employee over the phone and even spoofed both individual’s personal phone numbers. Fortunately, in this instance, while the store suffered financial losses, they’ll likely recover.

So, the question is: would you or your team be able to spot deepfake scam?

While these threats are growing in sophistication and the technology is advancing fast, there are still some red flags to watch for:

Visual glitches: Keep your eyes peeled for mismatched lighting, unnatural blinking, or any awkward movements in videos.

Audio imperfections: Pay attention to voices that sound stilted and robotic, watch out for pauses in odd places within conversation, and look for speech that doesn’t match the speaker’s usual tone or phrasing.

Strange timing or requests: Be cautious of urgent messages received outside of regular working hours, or requests for money, access, or sensitive information — particularly if it seems out of character for the requester.

If your current cyber security awareness training focuses primarily on phishing emails and best password practices, you’re not alone. However, as threats shift, so too should training programs.

Understanding what deepfakes are and how to recognize them need to be a standard part of a modern cyber training toolbox. And while your workforce doesn’t need to become technology experts, it’ll serve both them and your organization if they can recognize the signs and know how to respond.

Here are some ideas you may want to include when updating your training program:

• How to recognize the signs of manipulated audio, video, or images
• The importance of verifying requests involving money, access, or sensitive information
• A clear process for reporting suspicious messages or media

Please note, training isn’t about scaring your team. It equips them with the awareness and confidence they need to respond. And it helps to protect them and your organization in the process.

Deepfake scams are becoming harder and harder to detect and easier and easier to execute. That’s a dangerous combination. Particularly for organizations that aren’t prepared.

The good news is: you don’t have to do it alone. Our advisors are here to help you integrate deepfake awareness into your training program and to support your overall cyber security readiness. With practical guidance and expertise, our professionals can help your business stay ahead of tomorrow’s threats.