Deepfake Attacks: The Growing Threat to Enterprise Security

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode we're talking about.

Deep fake attacks.

Trust me, it's way scarier than you think.

Prasanna and I break down how attackers are using ai, uh, to clone voices and

create fake videos of CEOs and CFOs.

They only need 30 seconds by the way of a, of a voice to impersonate someone.

We cover the different types of attacks from wire fraud to credential theft, and

also give you practical steps that you can take right now to defend against this.

We talk about also how to set up procedures that won't get overridden.

When someone says they're having an emergency, nearly half of

all businesses have already been hit by deep fake phone calls.

Listen in before you become the next victim.

By the way, if you don't know who I am, I'm w Curtis Preston,

AKA, Mr. Backup, and I've been passionate about backup and recovery.

Ever since I had to tell my boss that we had no backups of the production

database that we had just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated admins into Cyber Recovery Heroes.

This is the backup wrap up pop.

Welcome to the show.

Hi, I am w Curtis Preston, AKA, Mr. Backup, and I have a guy with me who

continues to allow me to change the design of a project that I have going on.

And so it's all his fault.

Prasanna Malaiyandi, How's it going, Prasanna

I am good, but I just, just to make sure everyone

Uhhuh.

I had initially suggested this design to you.

And you poo-pooed on the idea and now you're walking back after you've

done additional investigation.

well, you know,

like your first design was solid

yeah,

because there's sort of the difference between like a

design and what is practical.

And what, and what doesn't cost a million dollars.

$1 billion.

uh, and I, I don't want to go into detail right now because it may

be, it may just be insanity, and I may, you know, this, this idea, um.

You know, and

We'll see how it

we'll see how it goes and, um, you know, but, uh, but yeah, I just keep,

I keep, I haven't pulled the trigger on the design and I keep changing the gun.

But, but at least it's not like you're swapping out a car for

a boat or an airplane, right.

No.

like, oh, do I want a car versus do I want four door

Do I?

a coupe?

Yeah.

That's sort of the thing.

You're at

Or do.

it down.

Or do I want a pick up or do I want, or

I don't know if it's quite at the pickup level.

I think you're beyond the, like, is it an SUV?

Is it a car,

Yeah.

Okay.

Yeah.

you're beyond that.

I think you're now

But I'm like, do I want 19 inch wheels?

Do I want plastic wheels?

Do we want

Yeah.

run flats?

Yeah.

Yeah.

Yeah.

Nice analogy.

I like that.

See, you're not as, it's not as, uh, bad as

It's just that every time I think I've got it sorted out, I come up

with a problem with my current design.

Yes, and so all you have to do is just stop talking to me.

Honestly, if you just stop talking to me, I bet you can

like quickly narrow down your

Yeah.

should talk to me after it's done, after it's

No, I can't do that.

You're on my everything advisor, you know, that.

Um, I just wanna say, I just wanna say to the audience, we've often mentioned

that Prasanna has this like, uh, this ridiculous level of random knowledge.

Today.

I'm talking to Prasanna and he's like, so yeah.

So I think the, the flow rate of a garden hose is like one to one

and a half gallons an hour, and.

And I was just like, like, why do you know that?

Also, I was significantly

Oh, were you, were you?

So it depends on the size of a pipe, they say it could be between five and eight.

Yeah.

Okay.

So, okay, so in this case you thought you knew something,

Yes.

right?

But I did clarify and say I think that might be low just given that

bathroom faucets are like one to one and a half gallon per minute.

Yeah.

Yeah.

All right.

Well, uh, we're not gonna talk about that stuff at all.

We're gonna talk about

deep fake attacks.

Um, and this is a real problem.

You sent me a great article that started this whole thing.

Uh, yeah, from the register and the title, we'll put, we'll put the link in here.

Uh, and the, the saying from Gartner, they're saying nearly

half of businesses suffered deep fake phone calls against the staff.

Um, so do you want to, you wanna just give an overview of

what we're talking about here?

Yeah, sure.

So with the prevalence of AI and all these models being amazing and being

able to generate video and photos, aspect is being able to generate audio.

so now these AI models are really good at taking someone's voice.

And being able to mimic it such that an attacker can make it sound

like you are talking the same way as the person that they're trying to

Right, right.

imitate.

And the quality has gotten so good that it's pretty difficult to differentiate

between the real person and the deep fake.

Especially if you don't know the real person.

Right?

So like if you, if you don't know them personally, I, I think I would

like with you, I think I would pretty readily notice a deep fake, right.

Well, first off, I would ask the deep fake, some random piece of information.

I'd be like,

probably may not

you know.

a deepfake probably has that

Oh, that's true.

I, I'd be like, I'd be like the, the classic line and, um, what, what's

the, what's the ignition timing on a four barrel carburetor on a 1968?

Yeah, my cousin, my cousin Vinny.

Um, it's a trick question.

Um,

um, the, um,

So, so there is so DeepFakes, right?

We talked about use it also as pranks, right?

And kids use it to be like, Hey, I am imitating someone else.

Or, you call in sick from school and the school calls your parents

and is like, where are you?

And you can imitate your parents and be like, Hey, so-and-so's sick.

He's not coming in today.

Right, right,

So there are sort of not so like critical reasons people use

it, like for the fun aspects of

right.

but then there's also the malicious uses of this technology, which is

kind of what this episode is about.

And, and also there, so there's audio deep fakes and there's video deep fakes, right?

Um, and it was interesting, again, that same article said that 36% of people, uh,

had, had, had video deep fakes, and that 5%, uh, had, had caused a serious problem.

So

Yeah,

go ahead.

so, and just the point about that.

Audio deep fakes are less costly today versus video

Right.

I think in one of the articles I read, I can't remember if it was the

registrar article, but like a video Deep deepfake, a really convincing

one might cost millions of dollars.

Hmm.

Um, that number has probably significantly gone down with a lot of the new AI

models that have been announced, but doing it real time is a little

bit more difficult than doing sort of a pre-process, but doing audio

is significantly easier than video.

Right.

Right.

And so and so it's, it's probably less, that makes it less likely to be there.

Right.

Uh, but, but it, we will talk about one particular type of attack that

uses video deep fakes, where I think that it addresses that, the issue

that you talked about right there.

Right.

Yeah.

Um, and, uh.

And, and why would they do this?

Why, why would somebody, you know, what, what are they attempting to do here?

So they are basically trying to trick the company employee, right, specifically

the employee, to do something.

It might be to gain access to the corporate network by doing password

resets, which is what we see a lot of, uh, scattered Spider currently

doing for their attacks, where they're calling in pretending to be someone.

Mm-hmm.

and being like, Hey, wire the money over to this

Right,

rather than the one

right.

you.

And now they just siphoned all your money and it's really hard to get it back

I'd say that, that, that's sort of two broad categories.

So I mean, the one giant category is basically get the employee to do something

that they wouldn't have otherwise done.

Right.

And that the, the two big categories would be at one grant, somebody

access to something, and two, grant them access to some money.

Right?

Send some money over.

And by the way, wire fraud is very real.

Wire fraud is very real.

And once it's done, it's kind of done right.

Um, and, uh, you know, once it's discovered, if the

money's gone, the money's gone.

Right.

Yep.

And there was a huge issue, and I think it's still a huge issue, where

people would basically get so-called signing instructions or last minute

wiring instructions from the broker and be like, wire it to this account.

They'd wire it, and then it turns out the broker had been compromised,

Right,

had imitated them, sent out all these emails, and now had a bunch

of money that people thought.

Was like their down payment going to the person and turned out it

was going to a criminal actor.

right, right.

Not good.

Not good.

Yeah.

Um, so.

Uh, first off,

on business.

yeah, focusing on businesses.

But first off, I think the number one goal of this call is to just,

if you don't know how big of a deal this is, this is a big deal.

It's a big deal.

Literally today, uh, there was one statistic that suggested

that they thought that 30%.

Um, you know, of enterprise fraud will be deep fake based by next year.

Okay.

Um, and also realize that they only need 30 seconds of clear audio to

be able to clone somebody's voice.

Um, which is kind of a

we're

Yeah, we're screwed.

Yeah, we're screwed.

I guess one question is these people, they're cloning,

Yeah.

usually the people in power, right?

Meaning the CFO, right?

The CEO, trying to get the employees, say the person in accounting to

sign a check or to send money

Right,

And so these people.

Usually have like public spotlights.

They're the ones who you find on LinkedIn with the social

right.

the videos the company.

Right.

Trying to promote the company.

Or they're giving talks at conferences, so it's not like, oh, they're just

locked away and someone somehow goes and like, records their audio.

Right.

right,

uh, downloads their phone messages.

Or their phone calls, right?

It is, this data's already out there.

It's not like it's hard to find.

right, right.

Let's talk about a couple of the different types of attacks.

The, the, the worst one, I think and, and, and it's worst in terms of

like the potential ramifications, but also in terms of, uh, it's so devious

and that is that they create a very short video of the person in power.

So this is like A-C-E-O-C-F-O, that type of person, someone with authority to.

Authorize a wire transfer, and then they, uh, create a very short video

that, that basically, um, mimics the thing that they want them to do.

Then the video, as part of this video, it drops.

Right?

So they, they, so what that does is that, that addresses the problem that

you were talking about, is it addresses the cost of making that video fake.

It also completely removes the need to do real time video fake,

which would be the thing that would be super, super expensive.

So if they can get a video of the person and then, um, do that.

And then, um, and then what they do is they're like, they drop the call

and then they immediately switch to a alternate communication method,

such as the easiest would be text.

It's like, Hey, I was trying to call you and my internet dropped.

And text now is the only thing.

And because of, again, human nature, you felt you were just

talking to the CEO and now you think you're still talking to the CEO.

And here, here's a question.

How easy is it to clone a phone number?

Oh, super simple.

Super simple.

spoof.

You can spoof a phone number and show, or it could, it

doesn't even have to be the ceo.

As an example.

Say you were on a video

Yeah.

you claim that, oh, my video's poor.

You drop back off, you hide your

Yeah,

You could still be doing the audio,

you could.

Yeah.

Yeah.

even have to go to text messages

Right,

voice call or other

right.

You just leverage the same

Yeah, so you could use the same channel, but just drop the, drop the video, right?

Um, yeah, go ahead.

And I think that's what happened in the first time I heard about this attack

was I think a company, the CEO joined and said, send out, uh, this vendor.

I think it was like $25 million or something.

it was, I think on a video call they were on where they got deep

faked and then they basically sent it to these fraudulent people.

Right, right.

Yeah.

I, and, and, and again, you know, go back to once that happens,

you're kind of screwed, right?

Yep.

and it's not like, uh, it's not like with a credit card where

you can, uh, do a chargeback.

Yeah, and the other thing to also mention here is.

It's not like they're just going and saying, oh, I'm just

gonna randomly target you.

They might have already gained access into your systems.

They might have already wandered around looking at, okay,

who's the important people?

Who's in accounting?

What meetings are there?

So they are already snooping, listening in on your conversations,

looking at your emails, and so they know exactly where to attack, who

to attack, and who to imPrasannate.

Right.

So, uh, that, so that's the one, that's one type.

That's where they're trying to get, like, to authorize like some sort

of invoice, some sort of payment.

Uh, the other is the, basically trying to gain access to an account.

So this is either reset a password or um, um, you know, resetting A MFA tokens.

Yeah.

Um, can you think of anything else that they would try there?

I think those are the main

Yeah.

But even there, I do wonder how much is really around the

voice aspects and the deep

Mm-hmm.

versus just the social engineering.

Because I think in those scenarios, social engineering

becomes more critical ex right?

Uh, in terms of understanding all the things needed in order

to be able to reset an account.

It's not necessarily that the help desk person or the person on the other

side knows your voice in particular.

Well, yeah, again, again, you're not necessarily, that's why I was saying

earlier in the call, it's not necessarily a voice that's known to the person,

but they're calling into a help desk.

But what you are doing is you're using a deep fake, uh, thing to you're, you're

trying to sound generally like somebody.

Yeah.

But, uh, again, it kind of relies on you not knowing that person really

well, because I think the, the, the nuances of how that person talks

is they're going to be, I think, relatively obvious to someone.

The point there again, is to reset something to reset

MFA so that then you could.

You know, do the MFA with with some other channel.

Yeah.

The other thing to also think about is there are still companies that

use voice as an authentication,

Yes.

right?

And so now becomes a question, okay, if my voice is my password,

Passport.

Passport.

If you're gonna quote the line, my voice is my passport.

Verify me.

Yep.

so now that becomes an attack vector,

Yeah.

It's now someone can mimic you and unlock the other person doesn't know

what you are supposed to sound like, but you've unlocked the account

because you've made a deep fake.

That quote of course is from sneakers, one of my favorite movies ever.

I need to go watch that again.

I do wanna talk just a little bit about personal stuff and then jump

into the company stuff, right?

There are a couple things that you could do that, and they're,

they're actually kind of similar.

One is to, to create some sort of code word within the family.

Right.

Some sort of shared secret that only you and the other person knows and say,

Hey, if I ever actually do call you and I say I'm on the roadside and I need you

to wire me 500 bucks for a tow truck or whatever, I'm gonna say this code word.

Right?

Um, and you can also, if you don't have a shared code word, you can, you can

reference like in you and I I, if, if this was happening right now, I would say, Hey.

You know that thing that we were talking about earlier today, you know, and you

can reference something that both, that only you and that person would know.

But, but yes, and I think that becomes the key, is something that only you

and that other person knows that hasn't been shared over a video, over text,

over some other communication method

It needs to be.

Yeah, very much.

Uh, that, and then also, and we're gonna get this to the company as well, is verify

through an alternate channel, right?

Um, is, is something other than, um, you know, call them back on

the number that you know them on.

Now, there are ways to get around that too, but in general, they're

gonna be faking the number.

And when you call the other person's actual number back, uh, it's not gonna,

it's not gonna be the scam, right.

And, and it's interesting that we are talking about this episode today.

So this morning I sent an article to my

Mm-hmm.

and, uh, for some reason the link was broken.

It didn't show up properly in text, and it just showed up as an empty bubble.

And she immediately calls me, she's like, did someone hack your phone?

Because normally I don't send things like that.

Right.

looked very weird.

She was.

Wanted to verify using a different channel to be like,

Hey, is that really you or not?

Yeah.

Yeah.

So let's talk, let's talk about, uh, to go to the companies now, right?

And because the first suggestion.

Is the same as the, as The suggestion that we just made, right, is, uh, is

to have multi-channel verification.

So the, the, the real key here is they're calling you in over one channel, or

they're contacting you via one channel.

In this case, what we're talking about is audio deep fake.

So they are calling you and they've called you over this one channel, and

then they want you to do the thing.

So the question is, you need to contact them back over another channel.

Um, now I can think of like an attack against that.

Do you know what that might be?

Well, it's basically they've compromised all your channels,

Well, that wa that wasn't the, yeah, that wasn't the attack I was thinking

about, although I, I do know, you know,

Yeah.

am aware of a situation where there was a company that.

Had had that happen, right?

They had, they had compromised all of the things.

That's not gonna fix that.

But in general, that's not the case.

But, uh, what I was thinking was the usual case or the usual hacker, what

they're gonna do is they're gonna try to create a sense of urgency.

They're gonna say, oh, you, you know, I, I need to call you back on

your, your phone number of record.

Oh, well I had my phone's dead, whatever.

You know, I can't, you know, I'm, I'm calling in on my friend's phone.

Uh, I'm trying to, you know, I'm trying to do the thing.

They, they come up, I'm sure that they're well trained on how to, um,

create that sense of urgency and, and that sense of exception of, here's why

I'm doing it in this really weird way.

So, a hundred percent agree and I have a story around this.

I actually have a story for

Okay.

so,

The way you say that, it's like you think that's all I am is just a

bunch of stories, but that's okay.

you always have

so many amazing

stories from all your

experience of being in the field.

But I do have a

Yep.

Mm-hmm.

other day I was looking to switch my, uh.

Internet plan and, uh, my contract was expiring, so I called in and

placed an order online and I get a call back like a couple hours later.

recognize the number.

The person leaves a message and is like, Hey, this is Xfinity calling,

uh, we're calling about your plan.

We had an issue.

Can you please call us back?

We can't do this right now.

You have to call in.

They leave a number.

Then they call like three or four other times, like in the next couple days.

And then, uh, three days later they call in and I pick up the

phone and I talk to the person.

They're like, hi, this is Xfinity.

Uh, we had an issue with your order and they had my name

Mm-hmm.

I'm like, oh, that's great.

And I was like, uh, and then it dawned on me, I'm like, I don't

even know if this is Xfinity.

'cause there's a

Right.

Garbage calls out

Yeah.

right?

So I was like, can you please give me your number so I can call back and verify?

And they've gotten really professional.

They're like, oh yeah, we totally understand.

This happens to a lot of people.

Here's our one 800 number.

Call us

Uh,

And then I looked at the number, I Google searched it, I couldn't find it.

And Xfinity's normal list.

And Xfinity has a customer security assurance

Uhhuh.

So I called 'em and I gave them the number, and they're like,

yeah, that's not an Xfinity number.

Yeah.

Right, but the person had a, the exact same script that Xfinity

would say whenever they call

Yeah.

They had the exact same accent, everything else, calling from a local number.

Yeah.

Right?

But it's

You did the right thing.

You, you did the, basically what we're talking about here, the multi-channel

verification, calling back to a, I mean, in that case it's technically

the same channel, but you're, you're calling back on a different phone number.

Right?

Um, and that's what you're doing here is the whole point of the, uh, the different

ways that log in and secure those login.

The whole point of that is to maintain that security.

If they're then trying to circumvent that security, there could be a real reason.

There could be a. Real person with a real scenario that's really down.

If, if that, you know, and they're, and they're, and so they can't use

the normal methods, that's where you really need to slow things down.

That person on the other end, they may be, they may be having the worst day of their

lives, but you need to slow things down and verify in every way that is possible.

Uh, and that may indeed be very inconvenient for the

person in question, right.

Yeah.

The other thing too is hopefully this is part of your processes.

Yes.

You have a process in place when something like this has to happen

and someone's asking for this, right?

There is, Hey, I need this approval.

We have these alternate mechanisms that we do to verify so everyone's on the same

Right.

rather than it being like, oh, I don't know what to do,

and everyone's frank, frantic.

right.

And, uh, so speaking of multi-channel, uh, the other thing is to ban personal

messaging apps for official business.

You, you're never gonna ban, you know, let's say signal forever.

I, I, I don't know if you can ban signal, like, like technologically you think you

can and like, like using a firewall rules.

It's

Yeah.

Yeah.

I don't think you can.

Well, also it's, especially if it's going out over cell phone signals.

Right.

Yeah.

Um, but you can ban them for business use.

And again, this goes back to a lot of this, you mentioned it just a minute ago.

This is about policy and procedure.

Mm-hmm.

there's, there's a certain amount that you can do.

Technologically, but in the end, what you need is regular training and policy

and procedure that says we don't use personal messaging apps for business.

And then when suddenly somebody is somehow contacting you via, you

know, let, let's say, let's say they found out that you use signal.

Like on your phone or something, and so suddenly someone is contacting

you via signal on your phone.

Well, that's a giant red flag right there.

It's like, Hey, this is not, we don't use it for official business.

Right, right.

Exactly.

Yeah.

Um,

And so establishing these mechanisms is good.

Now, you probably also need to have sort of a break class scenario,

you do.

Yeah.

right?

Uh, I could imagine the case, remember the derecho and how everything went down,

Mm-hmm.

Mm-hmm.

right?

Scenarios like that, that you couldn't have think, thought about, right?

There needs to be, okay, this is a documented procedure when we have

to go outside the normal scope.

Yes.

And that person should be well.

You, you should regularly train on that procedure.

And, uh, and that procedure, the more remote a person is,

the more that procedure needs to be kind of ironclad, right?

And, and you need to have.

Scenarios for those scenarios, right?

Yeah.

Right.

Of like, okay, you know, a derecho hit.

You know, if you get hurricanes all the time, you need to have a syn.

You need to have a. A procedure that says, here's what we do in this scenario,

and then whoever that is, that, that, that what, 'cause you don't know, you

don't know if it's a, a deep fake or not.

Yep.

Whoever it is.

Well, you need to follow our special procedure and maybe that special

procedure is we have this other phone number that you should have in your

phone or you should have in your, you know, like you said, your break

glass, you got your special, uh, thing that we gave you that you're

supposed to store in your right front.

Breast pocket.

I don't know.

I'm just making stuff up, but

like embedded into your

it's not,

it.

you need to, you need to embed the little chip on your arm.

Yeah.

Uh, but yeah, you have that break glass procedure.

Uh, I remember, um, when I was, when I ran it for a small organization,

the volunteer, it was a volunteer position and, uh, the, the.

Main person there really did not like the fact that they did not have root.

And I was like, I will not do this if you have root.

Like I will.

I'm, I'm not here.

Like, I'm just not interested in that.

But what they did was we created a break glass procedure for that, which

was, we had it in a special envelope that was sealed, that was in the safe.

And if I was ever incapacitated, they could break that.

But, uh, if that was ever the case, then obviously I had to change

the root password and everything.

Right?

Yep.

Yeah.

Yeah.

Going back to sort of the multi-channel verification, right?

One thing is that you should also think about.

For some sensitive procedures or processes, right?

Sort of having a callback protocol that says, okay, when this happens, this

is the mechanism we're going to do.

As an example, if someone's like, Hey, I need to wire a hundred

thousand dollars to someone, it's like, okay, that is a special case.

Right,

Right.

Kind of like how we talked about break

right.

right?

This is a special case.

Here are the exact steps that are required, and here are the people you need

to contact using this type of protocol to make sure that yes, this is legitimate.

Right.

And, and one of the big ones would be a big payment to a new vendor, right?

That should set all sorts of, uh, set off all sorts of red flags, right?

You're sending a hundred thousand dollars to a vendor that you've

never done any business with before.

Uh, and then, and for some reason the, the CFO is calling you about this payment.

That should be like, that should, you know, even if it sounds so much like a

CFO, that should set off, uh, you know.

Or, or it should be like, Hey, you should talk to procurement to figure

out, okay, when did the vendor get added?

Yeah.

Right?

And are they even aware of them?

Yeah.

And, and I just wanna speak to something here.

You need to have a conversation with these people who are, uh, you know,

your, in your management chain, and you need to have a conversation in advance.

Say, Hey, if you ever have a situation where it's triggering my,

you know, um, what do you call it?

Um.

Uh, red flag.

It's, yeah.

Yeah.

It's triggering off my spidey sense, whatever you want to call it.

And I then put the kibosh on the thing you're asking for.

You need to not like yell at me.

Right.

We need to agree in advance that if I put a stop to a large transaction or

something like that, or I don't reset your MFA because you're trying to log

in and then you, you know, you cannot.

Then just use your position to say, just do it.

Right.

Um, because that, that's exactly what a, a threat actor would do, you know?

Yeah.

And you've established these processes ahead

Right, right,

and so you should be following it as a company.

right.

Yeah.

And kind of along that line of sort of the processes, procedures, callback protocol,

It's really important that employees get

Yeah.

Right and periodic training because this landscape is changing.

How people are attacking with DeepFakes is constantly evolving.

What are the new attacks is also changing on literally a day by day basis.

And it's interesting 'cause Curtis, I don't, I know in the past, like we both

have done sort of security training.

I don't think I've ever run across deep fake training in those lessons.

Right.

No.

Yeah, and

Well, I mean, if you think about it was the last time, well, at least for me,

the last time I was working for a company that was doing that kind of training.

It was before Deepak was a thing, but yeah,

but hopefully companies are now updating their trainings to include

DeepFakes, maybe you should just periodically do a deepfake training or

just have someone pretend to be a deep fake, join a video conferencing call

yeah, yeah.

I like that.

see how people react.

wonder, uh, like, no.

Before, I wonder if, uh, if they've updated their stuff to a clay,

they've got to at this point.

yeah.

And along with those employee trainings is also, include this

in your tabletop exercises,

Mm-hmm.

right?

Just like we've talked about ransomware preparation.

I think that you must include deep, fake exercises to figure out, and

especially with people from finance and accounting who maybe normally

are not part of your tabletop

Mm-hmm.

It's important that they now have this focus training to

make sure they understand the scenarios and the situations.

Um, and there are, so I think policy and procedure is the big tool here, right?

Having said that, there is also starting to be detection tools right now.

This will be for the rest of our lives.

This will be an arms race, right, where we will have tools that detect ai.

Right now, it's relatively easy if you know what to look for to

detect an AI video or an AI audio.

If you know what to look for

ai?

you.

I don't think anybody could really do you as ai, but um.

But there are tools right there, there is software that could do real

time AI detection, and they look at things like how the voice sounds,

they look at the cadence of the voice.

They look at, uh, if it's video, they're looking at eye movement and you know, and

also like, uh, biometric watermarking.

There, there's all sorts of things, especially for high risk

people or high risk industries.

Um, and uh, and then also there, there's enhanced.

Things, you know, enhanced security measures like liveness detection

on multifactor authentication.

Right?

Voice, voice biometric systems.

Right?

That, that can actually detect that the, the voice that they're

listening to is synthetic.

Right.

Yeah,

Um.

also along those lines, there are now regulations coming out trying to

target sort of AI generated content.

So if you look at things like Facebook videos, if they are generated using

ai, I believe it now has to be tagged.

Mm-hmm.

And so there is sort of that awareness that AI is getting so good that

it's hard to differentiate, so it requires this additional tagging and

information to be able to help users discern AI versus a real person.

So there is technology.

So just, just search and, and keep yourself up to date on

deepfake detection technology.

It's going to be an arms race.

This is gonna be fun, right?

Um, so let, let's talk about some things not to rely on.

Caller id.

Yep.

Caller Id don't mean jack squat, right?

Yep.

Um, and also, uh, if you have voice recognition systems, if you don't

have additional authentication on top of that voice recognition.

Um, same thing with video calls.

And again, this, this urgent when, when it's like super urgent.

This is why you've got to, you've got to agree upfront.

Even when it's urgent, you know, um, you, you, you follow the

policy and procedure, right?

but I do wonder if people are of away from urgent.

As an example, if they start to understand, because like you said, it's

Mm-hmm.

If bad actors start to realize, hey, people are not well to the urgency

and we don't necessarily need to be urgent in order to be able to.

Do this sort of attacks, maybe that starts to drop away.

So I just wanna caution people to not rely on urgent as the only flag.

It is one of the

Yeah.

but it should not be the signal

Agreed.

Yeah.

It's, it's not the only flag, but it's definitely a big flag.

Right.

Yeah.

Uh, and of course, you know, I mean, this should go without saying, but things like,

oh, I know, I know this person's voice.

And, and also they knew, just like you mentioned earlier, they

knew details about me, dude.

They, they got all kinds of stuff, right.

And, and how real the video looks, uh, because it's, it's

pretty amazing, uh, especially if the video is very short, right.

Yeah.

Um, so I, I, I guess the, the summary is that, you know, the human element

is still, it's both our strongest defense and our weakest link, right?

Um, we, we can't, we can't, we can't solve our way out of this with technology alone.

It's got to be a combination of, uh, people, process and technology.

Yeah.

Yep, a hundred percent agree.

Yeah.

All right.

Well, it's been fun.

Prasanna.

Deep fake Prasanna.

Who knows?

Who knows?

All right, well, uh, thanks for listening folks, and, um, you know, um, be sure

to subscribe wherever you see us.

And, um, um, that's a wrap.