No illusion: Deepfakes are an emerging crisis that require planning, preparation
"Attack him where he is unprepared, appear where you are not expected."
- Sun Tzu, The Art of War
In early February, a potentially major story might have been lost among the flurry of activity surrounding a presidential transition, stacks of executive orders, and rising egg prices.
A finance worker in Hong Kong was duped into paying more than $25 million to someone who used deepfake technology to pose as the company’s British-based CFO in a video conference call.
Although Sun Tzu couldn’t have predicted the exact nature of the conflicts humanity would face more than two thousand years after his death, let’s be clear: Bad actors using deepfakes and other emerging AI to sow political unrest and create economic upheaval is a developing war. And everyone will soon be under attack.
Unfortunately, we are unprepared to fight battles against these new enemies who appear where they are not expected. Amid the increasingly chaotic economic landscape, many companies – especially small or middle-market businesses – could choose to cut costs in a variety of areas, including cybersecurity, information security, and human resources.
These critical risk mitigation guardrails could be drastically cut soon (if they haven’t been already), leaving many businesses at a much higher risk of being compromised. Crisis expert and Forbes contributor Edward Segal recently wrote an article highlighting the results of a timely survey of marketing executives by Forrester. According to the results:
- 68% expressed worries about the impersonation of company staff and executives, as well as the potential for false public statements;
- 20% said their organizations stay up to date on deepfake technology;
- 17% have implemented social listening and a content verification/distribution process.
Many admitted that implementing a plan to address deepfakes hasn’t been a priority.
“The most important shift will be in how brands establish credibility. It will no longer be enough to deliver a message effectively. They will need to prove that the message is real,” Kaveh Vahdat, founder and president of RiseOpp, told Segal via email.
As part of the program for the World Economic Forum in January, Nathaniel Hamiel, the senior director of research of Kudelski Security, labeled the type of “social engineering” attack used in Hong Kong as one of the most prominent and troubling uses of deepfake technology.
He and countless other experts are on top of strategies to combat the threats.
Booz Allen Hamilton is one of the largest providers of AI, cybersecurity, and technology solutions to the federal government. Solutions they’ve highlighted can detect deepfakes at a 90-100% accuracy rate, including “deep learning” techniques that distinguish between real and fake content, “artifact detection” that identifies abnormal characteristics in the eyes, mouths, and other aspects of a video, and a “pairwise analysis” that directly compares real and fake content to provide a ranked rating for authenticity.
Stanford University’s response to the news out of Hong Kong warned its students and staff members to be skeptical about trusted colleagues or university executives making unusual requests or demands, regardless of how realistic the phone call or video might appear.
Be skeptical of “urgent” requests to set up vendors, make purchases, transfer funds, or update banking information and make sure you independently verify these types of requests through a communication channel you initiate to confirm their legitimacy.
All these strategies should be byproducts of a customized crisis plan, complete with identification of the most likely scenarios related to a deepfake or cyber attack, quarterly tabletop exercises, and an annual review and refresh of the plan.
What these strategies won’t do is solve your problems after the threat has occurred and the damage is done.
At WordWrite, our deep experience with crisis management and crisis training extends across more than two decades. We handle an average of a dozen crises per year. Among other best practices, WordWrite relies heavily on a “3P” approach: plan, process, and people. To elaborate:
- Create a clear plan. Identify the most likely crisis scenarios your organization will face. Outline them, complete with a roadmap for success, templates and ready to use tools. These resources should include holding statements, website and social media posts, FAQs, templated letters or emails to key stakeholders, along with checklists and policy documents.
- Establish and follow a process collaboratively agreed upon by senior leadership and the CEO. Create and diagram the reporting structure and roles of your crisis response team. What do you do when you receive requests for information from the media, your employees and other important audiences? Who responds and what is the messaging?
- Make sure you have the most qualified people in place to handle the crisis response. The highest-ranking people in the organization might not be best suited to handle the roles on your crisis response team. With very few exceptions, the CEO should not be in charge or in a position to comment to the media. Like your queen in chess, you want to protect him or her. Once you allow the CEO to weigh in on a crisis, there’s nowhere else to escalate it – you’ve played your last ace.
As Segal concluded in his article, “There’s no doubt that deepfakes are a growing threat to corporate America. The crisis management hall of fame is filled with examples of corporate executives who knew about potential threats, but did nothing to address or mitigate them.”
As you develop your own crisis management strategies to prepare for deepfakes and other emerging threats, don’t forget another famous Sun Tzu quote from the same treatise:
“The supreme art of war is to subdue the enemy without fighting.”
For more information, please visit our crisis page, where you can watch videos and download helpful resources like our crisis communications guide.
You can also watch our recent webinar on how to share your story during a crisis.