Podcast: Play in new window | Download
Episode 15: Is This Real? Deep Fakes & Impersonations
You may have heard the news surrounding the cryptocurrency FTX. It’s not a good situation financially for a lot of people, and there may even be some criminal behavior around it. A few days ago, the founder went on Twitter with a video he recorded saying there would be compensation for anyone who lost money due to the problems at FTX. All they had to do was submit their info on a website set up for this purpose. They could potentially receive double their losses in return.
Sounds great, right?
But it wasn’t real!
Deep fakes will increasingly become a bigger problem for the world but we already have impersonation emails and phone calls happening today. In this episode, we discuss how they happen, and what you can do to protect yourself and your business.
FTX Founder Deepfake Offers Refund to Victims in Verified Twitter Account Scam
email, impersonation, people, client, fake, domain, claiming, deep, email account, account, purchase, mitigate, block, banner, verified, business, trick, microsoft, cryptocurrency, create
People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data, the human element has to be front and center in a war against data breaches and ransomware attacks, it’s time to educate.
Gonna date myself a little bit here. But when I was a kid, we would prank call people and pretend to be someone else. So, kid in school, I would call, you know, another kid in school and say, Hey, this is Tony. And I would tricked him into doing something or saying something usually was to say something. And it would be other my other friends would be on the lines, you know, you have three way calling in party lines were popular back then. So somebody would be listening on the line to the whole conversation. And we would trick the other kid into doing something or saying something on the premise that we were somebody else. This was back, when there were no cordless phones, we had to use 25 foot phone cords so that we can go to another room and talk. We didn’t have cell phones. Obviously, we didn’t have smartphones. It was not really caller ID was just starting to come out. And you had to pay extra for that. All of these things were not there yet. But we were impersonating someone pretending to be someone else. To trick them into doing something. And more often than not, it was just to get them to admit that they had a crush on Debbie from period six, or something like that. Wasn’t anything serious? It was just pretty harmless kid fun, Kid pranks. We’ve come a long way since then. Welcome to the human element podcast, visit our website at the human element dotnet for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar. Owner and Washtech a client focused, security minded proactive IT service provider. Hello, everyone, and welcome to episode 15 of the human element Podcast. Today we’re going to talk about keep it sort of a broad umbrella of impersonation. So I’m going to go on a couple of different directions for that in the first direction is going to be deep fakes. And we haven’t really talked about deep fakes on this podcast yet. But today, we will a little bit because there was an incident involving deep fake on Twitter. And so there was kind of a you know, the last podcast we mentioned, multiple forms of phishing combined will have a higher success rate will this also will have a higher success rate because multiple forms of we’ll call it authentication, were combined or maybe not authentication, maybe verification would be the best way to put it. So this is on motherboard by vise tech by vise. So it’s on their website. And of course, there’ll be a link in the show notes. This is probably been reported in many different places now and I’m sure you’ve heard about the scandal with FTX. Which is a cryptocurrency or maybe you haven’t because you’re not into crypto, but so FTX is going through some troubles. And a video was posted on Twitter. You know, Twitter had I think it’s disabled at the moment, I’m not really sure I’m not really keeping up with it. But if for a while Twitter was offering to have your account verified for $8 a month you get the blue checkmark. So now it looks like you are a verified person on Twitter. And I don’t know what the verification process was at that point. But I do know that there were a significant amount of accounts that were that had the blue checkmark, but were not who they claimed to be. So there were reports of, you know, sports stories that weren’t true and deaths that weren’t true and things like that. So this is just another example of that. So they paid the $8 a month to get their Twitter account verified. They got the blue checkmark so now it looks like it’s a real account like a verified account through Twitter. So this account came appeared to be Sam Venkman fried, who was the founder? I think of FTX, which is a cryptocurrency or was I think it’s now defunct, or going to be defunct. I don’t know the status of it. But I know there’s a lot of celebrities involved with this. And so there’s a lot of things going on with him. But so a fake Twitter account, claiming to be Sam Venkman freed and verified because they paid $8 a month, had a video posted of Sam bank been freed, saying that he was going to compensate for losses because of the FTX. While in his words going bankrupt, saw a deep fake of FTX founder Sam Beckman freed circulated on Twitter on Friday where the founder of the collapse cryptocurrency exchange appeared to claim he could make users whole again by doubling their cryptocurrency in a typical giveaway scam. Making matters worse, the account was verified and mimicked SPF stats Beekman fried, real account and said Hello everyone. This is a video. Hello everyone. As you know, our FTX exchange is going bankrupt. The deep fake of brakeman fried said in the video, but I hasten to inform all users that you should not panic. As compensation for the loss we have prepared to give away for you, in which you can double your cryptocurrency to do this, just go to the site FTX compensation.com. I have not gone over that to that site. So I don’t know what that site looks like right now.
At the time of the article, which was five days ago, as of this recording, so November 21, this will probably not get uploaded for a few days, but November 21. The website was up. I don’t know if it’s been taken down. But it was up. And you know, Sam being the Fried’s face was featured on the website and said biggest giveaway crypto of $100 million, send a desired number of coins to the special address below, there was a moment, I would assume some type of crypto address. And the we’re scrolling, there was a scrolling list of people that have already claimed prizes. Obviously, that was fake. And this is a deep fake. And again, we have not talked about deep fakes. But essentially deep fakes are fake images, and videos, or voice recordings of people, usually celebrities or people that would would get some attention. And the attempt is to scam people or trick people into doing something or believing something. So it’s not this isn’t new. It’s it’s been around for a few years now. But it is getting better and better at doing what it’s intended purposes to do. And that is to pretend to be someone they’re not in a video or photo. So video obviously being the hardest, hardest to create. However, it’s getting easier. And we’ve seen this in the adult industry. So people that you know, there’s lots of deep fakes in the adult industry, where images are put over somebody else’s face to make it look like it’s somebody it’s not. So the concern is obvious here that’s concerned now is well we can create these videos, we can do this for political figures, we could do this for very influential people around the world. And it’s been a concern for a few years now. Where I want to go with this though is impersonation attacks. Because I’ve had some clients. They weren’t victimized because they check with me before doing anything or they’re aware that it is an impersonation attempt. But I have clients that have received impersonation emails claiming to be someone who would be an authority figure within their, their business or within their life and asking for something so how does it work? And I also so it kind of slips into business email compromised in some scenarios. In another scenarios, it doesn’t. So we have business email compromised, which is someone No, compromising one or two email accounts. And the end goal being to steal money. And often they succeed to get one person to send the money to a different account did one not so it’s not a pain, it’s not the account of the other person on the other end. So as an example, this happens quite a bit when with municipalities, where somebody in the municipality will get a phone call or an email saying, Hey, can you, we need to change how we receive payment, and they’ll give them a new account to send money to. So normally, if I’m a contractor with a mishap municipality, I would normally say, you know, pay me through this method send the money to this account. And it’s usually some kind of wire transaction or something along those lines. So now you send that money, you normally send that money to my account, somebody gets in the conversation via email, usually, sometimes through phone call, and says, Hey, can we need to update payment information? Can you send future payments to this account instead, and the person at the municipality doesn’t really double check anything except status as as fact, and next payment gets sent to the wrong account. And sometimes it’s significant amount of money in the hundreds of 1000s of dollars this does happen happens a lot with real estate transactions as well. And I did have a client experienced that. Earlier this month, a real estate attorney whose client didn’t listen to instructions, and almost got tricked into sending a significant amount of money, it was a $2 million transaction, a significant amount of money to scammers, because she didn’t listen to the real estate attorneys instructions, and was told not to send certain information via email she did anyway. And that email conversation was hijacked. And a fake email and impersonation email was created to continue the conversation without the real estate attorney realizing it. Initially, fortunately, the company that was handling the actual financial transaction was able to prevent the money from going to the wrong account. But it does happen quite a bit in real estate. And it does happen in other ways. So here’s the what I’m really going for her. Tis the season is the holiday season, we’re going to be bombarded with scams for the next couple of months. And then it’s going to carry over into the IRS season and we’re going to see IRS scams all over the place. So another client of mine is was receiving we’ve we’ve mitigated it as much as possible, because it’s very difficult to mitigate. And I’ll explain why in a moment. was receiving impersonation emails? Fortunately, I’ve, I’ve made them aware of this in the past, so they know to look out for these things. And the impersonation emails purported to be the owner of the business. And so the emails, one of them said, Oh, I don’t remember what one one was. I think it was a link to schedule an appointment. But that doesn’t. So the link, my guess is it wasn’t clicked on. But I’m guessing that the link would would look like a Microsoft login page, and then they will log in, and their credentials would be stolen. We talked about that a little bit last week and the last podcast as well. The other email was can you purchase Apple gift cards and send them somewhere, I don’t remember where they wanted those Apple gift cards to go. That’s a big, big, big, big red flag, right there is big red flags. Nobody’s going to send emails asking you to purchase Apple gift cards within your business, a big red flag. Again, fortunately, the employees at this business smart enough to realize that what was going on they forwarded me the email so I could do what I needed to do to take care of it. And there were some mitigation steps we took and one of the mitigation steps is to have a banner across the email to indicate that the email did not come from within the organization. Or and you can and then you could also add domains to the approved list so that that banner does not appear. So for example, my domain that I email from would be on the approved list, and the banner wouldn’t show up when I email them. Otherwise a banner comes up and says this is not from from a known My email address, and I’m paraphrasing here, and don’t click on any links, don’t download any attachments and so forth. That’s one mitigation step. I’ve also seen the impersonation attacks at another client. And I think this is probably an angry customer. of his, and the emails are forwarded to the business owner. Because he’s, they’re not going to him, they’re going to other clients of his or other people that he knows where they claim to be him and make, you know, these erroneous statements. And sometimes they’re a little bit they make them they make they shed them, they make them look bad. And some of these emails again, fortunately, those that have reported it to him recognize that these what they are, that they are not coming from him, they’re coming from somebody pretending to be him. So one of the one of the ways that the attackers do this is they create a Gmail account or a free email account, Gmail, AOL, Yahoo, any of those accounts that are free. And in almost always randomized. So there’s not even I won’t even say, the person’s name, I won’t say if you know, in this case, let’s say Scott Gombar, it won’t say it’s Scott Gombar at gmail, or calm or anything like that, not even close, it’ll be random letters, firstname.lastname@example.org. And I’m not sure why that they do that. But they do do that. It’s just very random. We don’t always pay attention to the email address when we receive emails. And I think everybody’s guilty of that we
are bombarded with emails at this point. I know people that have taken all their communications away from email, they don’t, they don’t read their emails anymore. They take you know, if you want to communicate with me communicate with me, at whatever other Methodists, whether it’s texting, whether it’s on social media platform, whatever it is, they don’t do it on email anymore. And that’s not to say those things can’t happen in those other formats. They do happen, but not at the high level that to do an email. So it’s always coming from a free email account, it’s not coming from the domain that it should be coming from. And that’s a big red flag. And that’s the first indicator that somebody is trying to impersonate you. But it also makes it difficult to block to prevent, because you’ve blocked one email address. So I go and create another one is, there’s very little to stop me from creating an email address on another platform, even if Gmail does. And I think they do some type of limitation. So creating email accounts. There are other resources, there are other ways to create emails, AOL, Yahoo, not a strict. There’s other email services you could use. That will definitely allow you to create an email address. But it is always a free email account. Very rarely, do the attackers pay to have an email account to do this, they almost always ask you to do something seems a little bit abnormal. So purchase gift certificates, or make claims that aren’t real. I’m going to go so far as to say that impersonation attacks via email, or almost deep fakes. If I purchase a domain, it’s very similar to the real domain of the business. It’s going to be it’s not going to be hard to trick people. So if I purchased microsoft.com, but instead of an eye, it’s a one. And I don’t know if it’s available, I don’t know, you know, I’m open, Microsoft is smart enough to have already purchased that. But I put a one or an L instead of an eye. Or zero instead of the O. It would be easier to trick people to thinking that it is Microsoft. And I’ve seen similar with lesser known companies. So you know, they don’t think about these things. They don’t purchase those domains, or they maybe they can’t afford it purchasing domains. If you purchase all the domains to protect your own. That could get very expensive, you know, or you purchase a domain that’s not.com or dotnet, you purchase a.ca or.it You know, different country code. Again, this happens.us is sometimes available even when the other ones are not a.org. And there’s some other domain extensions dot pro dot whatever. You could purchase these domains it’d be easier to trick people but most attackers aren’t going to spend the time to register a domain you have to tell people who you are when you register a domain and so they’re not really going to do this if the goal All is to really make an impression. You know, maybe they do it through a proxy. Now the way to prevent that is number one, education. Number two, you, you set up rules, you set up rules, the banner that I mentioned earlier, you set up other rules to, you could if you don’t want your employees to get email from outside the company, depending on the size of your company, that might be a good decision, you could set up rules that only internal emails are allowed. You could block free domains, you could set up spam rules to make it a little more difficult to get through. There are a few ways you can mitigate the risk, but the most, I think the best way not, not the most relevant, but the best way to do this is through education. And so that’s the purpose of this podcast. But you should have a plan in your business, where you, you teach everybody and I mean, from CEO and president all the way down board members, to the person sitting at the front desk, in your office. Everybody needs to be trained on what to look for, for phishing and impersonation emails. If they’re know what to look for, if they know how to identify if they know okay, here’s the banner, because let’s let’s be honest, if you’re getting dozens or hundreds of emails every day, and you see this banner dozens or hundreds of times, it’s at some point, you’re going to ignore it, psychologically, you just block it out. It’s just nature, human nature, it’s going to happen. So if you’re getting these, these emails in, the Red Banner comes up and you get dozens, maybe even hundreds of these throughout the day. And I’m talking about one day, because it will happen, then you’re probably at some point going to kind of block it out. It’s kind of like, I don’t know what they call it. There’s a term for it, where you drive home from work every day, you do this for years. And now you drive home and you don’t even remember driving home, like how did I do that? I don’t remember doing it. And there are people that do this. And it actually is a condition where they block out driving home, it’s just become second nature and they just drive home. So you see this red banner or yellow banner, whatever color you choose with the verbiage. And it doesn’t stick out anymore, because you’ve seen it so many times, it’s just not you just block it out, you just ignore it. So it’s kind of like signature lines and emails, you just start to ignore them. And over time. You could tell your your clients. And so we include this same same idea. But in an email signature, we include this when we onboard clients. Just explain to them, we would never do XYZ without some kind of verification process. So in other words, you get an email that says, send money to this account, instead of this account. There should be some secondary form of verification, okay, pick up the phone and call. So and so at the office to confirm that this is accurate. Or I’ve seen signature lines now that say we would never change wiring instructions via email. And our email signature says we would never call you and ask you for a password or ask you to log into your computer while you’re working. Proactively we would not call you to ask you to do that. We don’t need to do that. So if somebody else is calling you to ask for your password, or asking you to remote into your computer, claiming to be us, it’s not us. We don’t do that. And so that’s in your email signature. It’s in our during our onboarding process, we tell our clients that make people aware of these rules that you have in place to protect their interests, if they’re interested is No, it’s my client. It’s in my client’s best interests to know that. I’m educated all your employees, set up the rules in whatever you’re using Google, hopefully you’re using either Microsoft or Google workspace, one of those two for your emails. Because the other services do not have as many ways to mitigate these risks. Put another service on top of your email. So you have Microsoft, you know, even if you have one of the higher licenses, ie three, five, you have all these extra features for fishing, you could put another service on top of that to help mitigate it and there are several out there that are very highly rated. Put another service on top of that do phishing simulation, so that your people know what to look for. It does help. And it’s become sort of a it’s gamification. So it’s a way for them to learn through gaming, because it does become somewhat of a challenge to people I look for these emails and say all this is faked Apple gift cards come on, you can do better than that. And that’s what happened here this day forwarded emails to me right away and said, This is what we got. And so then I take mitigation steps. And by the way, those mitigation steps, including all the things I just said, there’s going to be training, there’s going to be the banners across the email, anything to help mitigate that risk, we’re blocked any emails, we do see, we block, if it’s not, you know, unfortunately, most of our clients do occasionally get emails from Gmail, Yahoo, and so forth. So we can block out the domain, we can block out high risk emails. And Microsoft identifies those using patterns. These are all mitigation steps for a problem that that’s going to continue to evolve. And that’s impersonation, it’s going to happen through deep fakes. And we’re not quite there yet, where important political figures or high powered individuals, influential individuals are being deep faked in video yet, but we’re not that far off easier, either. So it’s important to take everything with a grain of salt, consider the source, look where it came from. Look to see if you see any indications that it’s a deep fake within the video or the picture more often than not, it’ll be a picture at this point. Don’t we all get these robo calls where they asked to verify who you are, do not verify who you are, don’t even say anything they want to record you’re saying yes or no. There’s a lot of things that you can do
as we head towards the really troublesome times of these deep fakes that are look really super authentic, and it’s going to happen. And, you know, there’s going to have to be a technology that is able to scan and find deep fakes and, you know, destroy them as they need to be done. But it’s going to happen but in the meantime, understand that this impersonation attacks are out there, that there are ways to mitigate them. But the biggest most important step to mitigating that risk is to identify that it is a deep that it is an impersonation email or an impersonation phone call. Or you know social media posts and say this is fake. You have to learn how to recognize them. So until the next episode, stay safe, stay secure.