Phishing emails and scam calls once seemed like the most imminent threat to the majority of companies. That time has passed. Nowadays, the story that will kill your brand isn’t a virus hiding behind the ‘Click HERE’ button, it’s a crystal clear video of your CEO making announcements which seem unreal. And they are, because they never occurred  in real life. 

DaaS-led by fakes

This year has seen a surge in Deepfake-as-a-Service (DaaS) incidents, where actors commission inexpensive synthetic identities to scam a victim, or ruin a company’s reputation. 

Incidents include a $25 million transfer from a finance worker to the self-proclaimed ‘CFO’ of a large multinational in Hong Kong, and investment scams involving fake celebrities, leading to billions of dollars stolen by fraudsters in the United States. 

Despite warnings, we are currently ill-equipped to effectively beat this threat. The recent Cloudflare Threat Report highlights human detection rates for high-quality video deepfakes have plummeted to just 24.5%. Three quarters of deep fakes pass us by. So how do we fix this?

Pre-crisis 

Issue: Abnormal behaviour has to be detected before it causes issues. 

PR Solution: Malware can be detected via cloud-native Network Detect and Response products such as ExtraHop’s ‘Reveal X’

Issue: Harmful content is undetected.

PR Solution: Tools such as Meltwater and Google Alerts and cyber newsletters give early warnings of the latest attacks.

Issue: Susceptible executives and employees.

PR Solution: Personnel must be media-trained to treat every unusual video call or voice memo with a healthy amount of skepticism. 

Issue: Unverified digital content.

PR Solution: Limit the use of unwatermarked, high-quality video and audio of executives available online, which could serve as the ‘training data’ used by bad actors to create deepfakes.

During a Crisis

Issue:: Controlling stakeholder reactions.

PR Solution: Contact key stakeholders with ‘technical proof’ of the fake. Submit immediate takedown requests, citing EU AI Act Article 50 or platform-specific deepfake policies. For internal communications, secure messaging channels like Element offer company-wide control. 

Issue: Controlling public reaction.

PR Solution #1: Inform the public that you are aware of the threat, and are dealing with it via a verified channel, discoverable and distinct from any fake news sources. 

Post Crisis Recovery

Issue: Gathering the lessons.

PR Solution: Preserve evidence, establish a digital forensic record for potential legal action. Ask yourself: How long was the ‘detection-to-response’ lag? Does the playbook need a new ‘decision tree’ if this is a zero-day threat?

Issue: Preparing for future threats.

PR Solution: Regular phishing tests with published results  help your team stay vigilant. Creating a risk register increases awareness of the scope of potential issues.

Crises can be planned for

Pre-planning develops specific response strategies against deepfakes – before they are an issue. Once a crisis occurs, reputation rests on how quickly an organisation can prove the facts, internally first and then externally, with immediate, evidence-based responses to combat digital defamation.

The increase in corporate espionage, often by nation states, may make offence the best defence. Companies should limit communication channels to authorised spokespeople and watermark official content. Internal teams need to be regularly trained and audited for cyber awareness, and a risk register should be implemented and updated regularly.

Being reactive in the face of a crisis is critical, but preventing them is the best case every company should strive for.