On March 10, 2021, the Federal Bureau of Investigation (FBI or Bureau) issued a Private Industry Notification (PIN) advising companies that “[m]alicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12-18 months.”

The FBI’s stark warning—a first related to what are commonly referred to as deepfakes (synthetic media that is either wholly created or altered by artificial intelligence or machine learning)—comes amid rising awareness of the prevalence and potential dangers of disinformation in general and highly realistic phony media, in particular. For example, in February, believable deepfake videos of Tom Cruise appearing to play golf, walk through a store and do a magic trick went viral online, suggesting that the era of nearly “flawless forgeries” has arrived.

The FBI wrote in its notification that foreign actors are already using synthetic content in influence campaigns. The Bureau anticipates that artificial intelligence–enabled phony media will be used increasingly by “foreign and criminal cyber actors for spearphishing and social engineering” crimes. (Spearphishing refers to when a fraudster sends emails ostensibly from a known or trusted sender to induce a target to reveal confidential information or gain access to an otherwise closed network.) Specifically, the Bureau notes that Russian, Chinese and Chinese-language actors are already using synthetic profile images to make fake online accounts, known as sockpuppets, appear authentic and to push foreign propaganda campaigns. The FBI also advises that actors of unknown origin have posed as “journalists” using manufactured profile images and have pushed fake articles that legitimate media outlets have picked up and amplified.

The FBI warns that malicious cyber actors will not just push propaganda on behalf of foreign actors but also leverage synthetic media and deepfakes to attack the private sector. In particular, the FBI warns that synthetic content may be used in a “newly defined cyber-attack vector” called Business Identity Compromise (BIC), where deepfake tools will be employed to create “synthetic corporate personas” or imitate existing employees and will likely cause “very significant financial and reputational impacts to victim businesses and organizations.” 

These threats represent an evolution in Business Email Compromise (BEC) schemes, which occur when a hacker compromises a corporate email account to facilitate fraudulent financial transactions.

To guard against the evolving dangers of deepfakes, the FBI provides several tips for individuals and organizations. These include the following: 

• Establish good information hygiene: multifactor authentication, training to identify attempts at social engineering and spearphishing, and caution when providing sensitive personal or corporate information digitally, among others. 
• Train employees to use the SIFT media resiliency framework, which encourages individuals to Stop, Investigate information’s source, Find trusted coverage, and Trace the original content. 
• Review profile photos of online accounts closely for visual clues of falsity, including visual distortions around pupils and earlobes, indistinct and blurry backgrounds, and random distortions or visual artifacts.
• Establish and practice a communications continuity plan in the event social media accounts are compromised.

The FBI encourages the public to report information concerning suspicious or criminal cyber activity or malign foreign actors to their local FBI field office or the FBI’s 24/7 Cyber Watch ([email protected]).

Because of the threats posed by BEC intrusions, many organizations over the past several years have taken steps to protect their treasury functions and their accounts payable from manipulation that can occur when hackers take control of a trusted company email account. The potential for deepfake technology to create a new category of BIC activities threatens to complicate company authentication protocols. Companies may want to revisit their security practices in the face of these intensifying challenges to information security. Unfortunately, this is just one of the many new risks facing businesses from the growing believability and accessibility of deepfakes and the spread of disinformation and conspiracy theories more generally. These risks range from reputational harm to fraud, market manipulation and credential theft, among others.

WilmerHale has been at the forefront of the evolving issues related to disinformation and deepfakes and their impacts on business and society. In 2019, we hosted a webinar, Hard Truth: Disinformation Threatens Business, on how sophisticated disinformation campaigns can harm brands, move markets and drive opinions. We have closely tracked the development of legislation in this area, including a recent groundbreaking law in New York and several laws passed by Congress. And last year, we published the comprehensive analysis Identifying the Legal and Business Risks of Disinformation and Deepfakes: What Every Business Needs to Know, which discusses many of the issues raised by the FBI notification, among others, and provides several best practices to prepare for and mitigate these growing risks. WilmerHale will continue to monitor the development of these issues and provide strategic advice to affected businesses.