On February 8, 2024, the Federal Communications Commission outlawed AI-generated voices in robocalls and with the upcoming Presidential election in the United States, it is easy to see why. Imagine the implications if “leaked audio” from a presidential nominee started to reach voters directly with defamatory voice clips that sound like the candidate, but are artificially created. Beyond election interference, the age-old scam of a grandchild stuck in a foreign prison and needing money wired quickly is becoming more sophisticated, with scammers cloning voices of grandchildren and spoofing numbers to make the calls.
A recent Newsweek article highlighted several celebrity scams using deepfake technology: Taylor Swift and Oprah are giving out free cookware, Luke Combs is peddling weight loss products, and Tom Hanks is endorsing dental plans. The impersonation isn’t always geared toward theft or fraud, but rather for personal gain. NBC News reported on YouTube channels that created salacious, AI-generated fake news of black celebrities to drive traffic to their channels, and the results are staggering: “Some of the videos have millions of views, and the median number of combined views for each channel was 21 million.”
Imagine this scenario: A ransomware attack happens at your business, and along with a demand for money comes a threat to release a convincing deepfake video of your CEO taking a hardline stance on a divisive social issue. Would you know how to respond? Perhaps an employee at the firm finds a “news story” on YouTube about an executive’s criminal past with a video confession. Are policies in place for how to address this? What if the principal of an ultra-high-net-worth family office calls their accountant demanding an immediate transfer of funds to a new bank account; it sounds like the principal and is coming from the right number. Are you confident that a wire would not be sent out that very day?
Yet even with the grave concern facing emerging technology, it is important to never forget some “low tech” or “old school” vulnerabilities:
- Baby monitors, garage doors, smart home video cameras, and other IoT devices (like your wi-fi connected washing machine or oven) are susceptible to remote access, particularly since many utilize default passwords. Once an outsider is in your network, they can monitor and record traffic.
- Unvetted household staff and vendors present a perennial vulnerability. Laborers observe jewelry or other high-value items during their approved access during the day and leave windows open or exterior doors unlocked for a visit when the family is known to be out of town.
- Residential safes are rarely bolted to the ground. There is no need for James Bond gadgets when the bad guys can literally pick up and walk the safe out the front door to a controlled location. Fifteen minutes later with an angle grinder and they have access to all your valuables.
Knowledge is one of the primary ways to defend yourself and your business against these types of threats. Awareness of potential risks with artificial intelligence and deepfake technology is an important first step. Does your company have a known, official social media presence? Do your executives have established social media profiles? If the answer to any of these is no, have you looked to verify that such an account does not exist? Impostor or parody accounts can damage reputations by sharing deepfake photos or inflammatory posts from accounts that appear legitimate, and the problem is exacerbated if the accounts are not known about until after an embarrassing incident that requires a response. Additionally, family offices should consider employment of a code word or other key phrase for any phone transactions over a certain threshold. The codeword must be something that would not naturally come up in a financial conversation, such as “dinosaur” or “paraglider.” We also recommend changing this codeword at least every six months. There are four additional areas for high-net-worth clients and c-suite executives to consider:
Conduct a Digital Vulnerability Assessment
What would happen if you or your family was doxed? Understand the universe of information about you available on the internet and dark web such as: phone numbers, email addresses, vehicle information, names of children and their schools, photos from inside the home, political contributions, and copies of signatures. This assessment may be performed as part of a tax-deductible fringe benefit* for your business.
In-Residence Device Hardening and Training
Have a professional security firm visit your home or office to scan your physical devices for the presence of malware, outdated firmware, and more. In an age where our appliances require apps to run, ensure your network is protected. When was the last time you conducted a security update on your smart device? Do you know how?
Physical Security Assessment
A residential or commercial physical security assessment will help you understand gaps in your security and methods to mitigate or remove those gaps. More than just locks, cameras, and alarms, a physical security assessment will also consider areas such as exterior and interior lighting, proximity to emergency services, and even how landscaping all contribute to securing a property. In conjunction with a Digital Vulnerability Assessment, this is another piece of a possible tax-deductible fringe benefit* for your business.
Review or Create your Incident Response Plan
For many companies and family offices, the answer to “How would you handle a ransomware attack, compromising faked photos of an executive/principal, or impersonation attempts of the c-suite” is “I don’t know.” Employees and staff are both your best shield and your biggest risk. Make sure your employees know your expectations, responsibilities, and conduct regular training and testing to ensure compliance.
Businesses and individuals are advised to promptly assess their cybersecurity strategies to avoid artificial intelligence and deepfake technology that could lead to financial losses and reputational harm. Strongly consider engaging a security provider with experience in addressing multiple facets of cybersecurity risk management.
